```shell
pip install red-specter-vortex
```
Every AI model runs on cloud infrastructure. SageMaker. Vertex AI. Azure ML. GPU clusters. Model registries. Inference APIs. All deployed on cloud platforms that predate AI-specific threat models by years. VORTEX finds the gap between cloud security controls and the AI-specific attack surface that sits on top of them.
Inference APIs that should be internal are discoverable from the public internet. SageMaker endpoints, Vertex AI deployments, Azure ML online endpoints — each one a potential model extraction or data exfiltration vector. VORTEX maps every exposed surface before any exploitation begins.
Cloud AI deployments accumulate overly permissive IAM roles. The data scientist who needed model registry access gave themselves storage admin. The inference service that needed read access got write access too. VORTEX identifies every over-privileged identity in your AI infrastructure.
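The over-privilege pattern described above (a role that needed read access and ended up with write, or with a blanket wildcard) is something a defender can check for directly from the policy document. The following is an added example, not VORTEX code: it audits a constructed AWS-style IAM policy for wildcard actions, write permissions granted on every resource, and write actions on a statement the operator has declared read-only. The read-only classification by verb prefix (Get, List, Describe, ...) is a heuristic assumption, and every ARN and statement id in the sample is made up.

```python
"""Flag over-privileged statements in a cloud IAM policy document.

Added example; not part of Red Specter VORTEX. The policy below is a
constructed sample in AWS IAM JSON syntax. The read/write split is a
heuristic assumption based on common action verb prefixes.
"""
import json

# Assumption: verbs that only read state. Anything else is treated as a write.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "BatchGet", "Select")

# Constructed sample: bucket names, ARNs and Sids are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadModelArtifacts", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-model-bucket",
                  "arn:aws:s3:::example-model-bucket/*"]},
    {"Sid": "InferenceNeedsReadOnly", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-training-data/*"},
    {"Sid": "StorageAdmin", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "RegistryPush", "Effect": "Allow",
     "Action": ["ecr:GetAuthorizationToken", "ecr:PutImage"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True if the action's verb part starts with a read-only prefix.

    Any wildcard is treated as a write, since it can expand to one.
    """
    if "*" in action:
        return False
    _, _, verb = action.partition(":")
    return verb.startswith(READ_PREFIXES)


def audit_statement(stmt, expected_read_only=False):
    """Return (sid, finding_type, detail) tuples for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no sid>")
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    writes = [a for a in actions if not is_read_only(a)]

    # 1. Blanket action grants ("*" or "service:*").
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append((sid, "wildcard-action", action))
    # 2. Write actions that apply to every resource in the account.
    if writes and any(r == "*" for r in resources):
        findings.append((sid, "write-on-any-resource", ",".join(writes)))
    # 3. Write actions on a statement the operator says only needs reads.
    if expected_read_only and writes:
        findings.append((sid, "write-beyond-read-need", ",".join(writes)))
    return findings


def audit_policy(policy, read_only_sids=()):
    """Audit every statement; read_only_sids names statements that should only read."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        findings.extend(audit_statement(stmt, stmt.get("Sid") in read_only_sids))
    return findings


if __name__ == "__main__":
    for sid, kind, detail in audit_policy(SAMPLE_POLICY,
                                          read_only_sids=("InferenceNeedsReadOnly",)):
        print(f"{sid:24} {kind:24} {detail}")
```

Run against a real policy, the `read_only_sids` argument is where the operator records what each statement is actually for; the audit then surfaces the gap between the stated need and the grant, which is the drift the paragraph above describes.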
Model weights stored in cloud storage. Architecture configs in model registries. Training checkpoints in blob containers. Any of these reachable through a misconfigured IAM policy becomes a model theft vector. VORTEX demonstrates full model extraction through cloud access paths.
Training datasets stored in S3 buckets, GCS buckets, or Azure blob storage with overly permissive ACLs. Inference logs capturing sensitive inputs. Data pipelines with accessible intermediate stages. VORTEX maps every training data exposure path in the cloud environment.
GPU compute nodes running AI workloads have kernel access, hardware interfaces, and privileged container configurations that enable privilege escalation beyond the AI workload. VORTEX tests every escalation path from an AI compute node to cloud control plane access.
Once inside the cloud AI infrastructure, an attacker can inject backdoors into model weights, poison CI/CD pipelines, install scheduled tasks on compute nodes, or poison container images in the registry. VORTEX demonstrates how to maintain access that survives model redeployments.
Seven subsystems. Each one targets a different layer of the cloud AI infrastructure. From service discovery to model theft to mandatory restoration — VORTEX covers the full attack lifecycle. Every engagement requires an ANTIDOTE baseline before any execution begins.
| # | Subsystem | Command | What It Does |
|---|---|---|---|
| 01 | DISCOVER | vortex discover run | Cloud AI service enumeration. Model endpoint discovery across SageMaker, Vertex AI, Azure ML. GPU cluster identification. Model registry scanning. Inference API mapping. Produces a complete attack surface inventory before any exploitation. |
| 02 | CONFIG | vortex config run | Misconfiguration exploitation. Open model endpoints. Exposed training data in cloud storage. Permissive IAM policies. Unprotected model registries. Public inference APIs. Tests every misconfiguration class across all major cloud providers. |
| 03 | THEFT | vortex theft run | Model extraction via cloud access. Weight exfiltration from cloud storage. Architecture reconstruction from accessible configs. API-based model stealing. Side-channel model extraction through inference response analysis. Measures extraction completeness. |
| 04 | EXFIL | vortex exfil run | Training data extraction paths. Inference data capture. Model input/output logging exploitation. Cloud storage enumeration for training artifacts. Data pipeline interception. Maps every data exfiltration vector in the cloud AI environment. |
| 05 | PRIVESC | vortex privesc run | Cloud AI privilege escalation. IAM role chaining from AI service roles to cloud admin. Service account exploitation. Cross-service pivoting through AI infrastructure. GPU node escalation paths. Container breakout from AI workload containers. |
| 06 | PERSIST | vortex persist run | Cloud AI infrastructure persistence. Model backdoor injection into production weights. ML pipeline persistence via CI/CD poisoning. Scheduled task installation on compute nodes. Container image poisoning in the model registry. Tests survival across redeployments. |
| 07 | ANTIDOTE | vortex antidote run | Mandatory restoration subsystem. Captures full cloud configuration baseline before any engagement begins. IAM policy audit. Model registry snapshot. Signed restoration certificate. UNLEASHED gate — required before THEFT, EXFIL, or PERSIST can run. |
VORTEX tests cloud AI attack surfaces across AWS SageMaker, Google Vertex AI, and Azure ML. Provider-specific attack chains for each platform's unique configuration vulnerabilities.
VORTEX documents complete attack chains from initial cloud access through model theft and persistence. Every step logged, every finding mapped to a cloud-specific control failure.
Every VORTEX engagement generates a cryptographically signed report. Ed25519 signatures. SHA-256 evidence chains. Full cloud attack chain documented and tamper-evident.
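A SHA-256 evidence chain of the kind mentioned above is a hash chain: each logged record commits to the hash of the record before it, so altering, dropping or reordering any entry changes every later hash. The example below is added here and is not VORTEX's own reporting code; it builds such a chain over a few constructed engagement events with only the standard library and shows what the chain does and does not detect. The Ed25519 signature the page describes would be applied to the final chain head (and record count) with an Ed25519 library, which is assumed and not shown.

```python
"""Tamper-evident SHA-256 evidence chain for an engagement log.

Added example; not Red Specter VORTEX code. The events are constructed
samples. Signing the chain head with Ed25519 is left to an external
library (assumption) and is not part of this block.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record; a convention chosen here


def _canonical(record):
    """Stable serialisation so the hash does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _digest(prev_hash, body):
    """Hash binds the record body to the previous record's hash."""
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


def append_event(chain, subsystem, event, **details):
    """Append one record; returns the record including its chained hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "subsystem": subsystem,
            "event": event, "details": details}
    record = dict(body, prev_hash=prev_hash, hash=_digest(prev_hash, body))
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if record["prev_hash"] != expected_prev or body["seq"] != i:
            return False, i
        if _digest(record["prev_hash"], body) != record["hash"]:
            return False, i
        expected_prev = record["hash"]
    return True, None


def build_sample_chain():
    """Three constructed events in the order the page's workflow implies."""
    chain = []
    append_event(chain, "ANTIDOTE", "baseline-captured", snapshot_id="constructed-0001")
    append_event(chain, "DISCOVER", "endpoint-found",
                 endpoint="example-endpoint-a", public=True)
    append_event(chain, "CONFIG", "finding", control="iam-wildcard", sid="StorageAdmin")
    return chain


def tampered_copy(chain, index, **changes):
    """Deep copy with one record's details edited (simulated tampering)."""
    altered = json.loads(json.dumps(chain))
    altered[index]["details"].update(changes)
    return altered


def dropped_copy(chain, index):
    """Deep copy with one record removed (simulated deletion)."""
    altered = json.loads(json.dumps(chain))
    del altered[index]
    return altered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:   ", verify_chain(chain))
    print("edited:   ", verify_chain(tampered_copy(chain, 1, public=False)))
    print("dropped:  ", verify_chain(dropped_copy(chain, 1)))
    print("truncated:", verify_chain(chain[:2]))  # not detectable by the chain alone
```

The last line is the caveat worth remembering: a hash chain proves nothing about records that were simply cut off the end. Detecting truncation needs the final head hash and record count to be committed to something outside the chain, which is exactly the role of the signature over the report.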
No exploitation without a signed cloud configuration baseline. ANTIDOTE captures the pre-engagement state and gates UNLEASHED execution. The environment can always be restored.
Standard mode maps and detects. UNLEASHED exploits. Ed25519 cryptographic dual-gate. One operator. Founder's machine only. ANTIDOTE must complete before any live execution is permitted.
Maps cloud AI attack surfaces. Identifies misconfigurations, exposed endpoints, and over-privileged IAM roles. No exploitation. Reports only.
Plans full cloud exploitation campaigns. Shows exactly what would be extracted and where. Ed25519 key required. No execution. Complete attack chain output.
Cryptographic override. Private key controlled. One operator. Founder's machine only. ANTIDOTE cloud baseline required before any live run.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter VORTEX is intended for authorised security testing only. Unauthorised use against cloud AI infrastructure, model endpoints, or AI services you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.