pip install red-specter-siren
AI agents browse the web, read documents, process email, and consume external data sources. None of that content is trusted. Any of it can contain instructions directed at the agent. The agent cannot tell the difference between legitimate content and malicious instructions hidden inside it. SIREN tests whether your agent can be made to do something it should not do — triggered entirely by content it retrieved from an external source.
Indirect injection hides in white-on-white text, zero-opacity CSS, HTML comments, metadata fields, image alt text, and zero-width Unicode characters. The user sees a normal webpage. The agent sees the instructions hidden inside it.
Web pages, PDF documents, emails, API responses, database records — every external source is a potential injection vector. Agents that browse, read, and act are permanently exposed to every page they visit.
Data exfiltration. Credential harvesting. Privilege escalation. Lateral movement. Persistent backdoor installation. SIREN tests all five. Each one represents a class of attack that an agent could execute entirely without the user's knowledge.
Direct prompt injection tools exist. Indirect injection weaponisation — the creation and delivery of payloads embedded in external content retrieved by agents — has no dedicated offensive tooling. SIREN is the first.
SIREN operates across five subsystems. CRAFTER builds the malicious content. HIDER embeds payloads using eight concealment techniques. COURIER delivers them to the agent's retrieval path. TRIGGER activates them at the right moment. EVIDENCE documents everything for the signed report.
Builds indirect injection payloads for five target action classes: data exfiltration, credential harvesting, privilege escalation, lateral movement, and persistent backdoor installation. Every payload is crafted for the specific agent architecture under test.
White-on-white text. CSS visibility zero. HTML comments. Metadata embedding. Image alt text injection. Zero-width Unicode characters. Markdown hidden syntax. Base64 in data attributes. Eight ways to hide an instruction in plain sight.
Positions malicious content in the agent's retrieval path. Web pages, documents, email bodies, API response payloads, database records. COURIER ensures the agent encounters the injection through its normal retrieval behaviour — not through a special attack channel.
Times payload activation to maximise impact. Context-aware triggers fire when the agent has sufficient privileges, an active session, or a relevant task in progress. Dormant injections that activate on specific agent state are TRIGGER's speciality.
Captures full evidence of every successful injection. Agent behaviour before and after. Payload delivery confirmation. Action executed. Ed25519 signed report. OWASP LLM01 mapping. SHA-256 evidence chain for every finding.
Connected to the NIGHTFALL ARMORY payload intelligence library. SIREN pulls indirect injection and content poisoning payloads on demand. Successful injections feed back into ARMORY for fleet-wide improvement. Every SIREN finding strengthens every tool in NIGHTFALL.
SIREN runs a complete indirect injection engagement. CRAFTER builds payloads for the target action. HIDER conceals them. COURIER places them in the agent's path. TRIGGER activates. EVIDENCE documents and signs.
Full indirect injection engagement against an agent with web browsing capability:
Every injection attempt is Ed25519 signed, scope-locked to authorised agents, and auto-locks after 30 minutes. Three tiers of operation. Authorised penetration testing only. EVIDENCE is mandatory — SIREN logs every payload and every outcome.
Scans agent architecture for indirect injection susceptibility. Maps retrieval paths. No payload delivery. Full surface report in a signed document.
Crafts and hides payloads. Shows exact delivery path and trigger conditions. Ed25519 required. No injection executed. Full projected impact shown.
Full indirect injection engagement. COURIER delivers. TRIGGER activates. EVIDENCE logs. RESTRICTED signed report with all successful injections documented.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter SIREN is intended for authorised security testing only. Deploying indirect prompt injection payloads against AI agents or systems you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.