Every module in AI Shield is a standalone detection engine with its own signature library, behavioural heuristics, and MITRE ATLAS mapping. Modules compose into vertical deployments without interference — each one independently testable, independently deployable, independently auditable.
M99 — CORE
Prompt Injection Shield
Real-time interception of direct and indirect prompt injection across all agent input channels. Covers goal hijacking, instruction override, role manipulation, token smuggling, and context overflow patterns. OWASP LLM01 mapped. Sub-50ms detection on every inference call.
LLM01
ATLAS AML.T0051
Real-Time
V01 Core
M104 — ADVERSARIAL
Adversarial Input Detector
Detects adversarial ML attacks against vision and text models — FGSM, PGD, CW, patch attacks, and semantic adversarial examples. Validates inputs before they reach model inference. Integrates with NIGHTFALL FORGE test findings to generate blocking rules automatically.
FGSM / PGD
ATLAS AML.T0043
V02 Adversarial
VLM Support
M108 — AGENT RUNTIME
Agent Runtime Monitor
Continuous behavioural monitoring of live AI agents. Detects anomalous tool call sequences, memory write patterns, inter-agent messaging abuse, and goal-state drift. Works across LangChain, AutoGen, CrewAI, and custom agent frameworks via the AI Shield instrumentation layer.
LLM06
Behavioural
V06 Agent Runtime
MITRE ATLAS
M300 — SPACE / NTN
NTN Shield
Purpose-built for Non-Terrestrial Network AI systems. Covers satellite-ground link injection, feed manipulation, orbital command spoofing, and firmware integrity verification. SPARTA framework mapped. Supports LEO, MEO, GEO, and HAPS deployments with latency-tolerant detection pipelines.
SPARTA
NTN / 5G NR
V17 Space
140 Tests
M115 — MEMORY LIFECYCLE
Memory Lifecycle Guard
Runtime enforcement at the agent memory layer. 28 detectors across 7 attack categories covering injection, retrieval hijack, dormant triggers, cross-session persistence, context window attacks, exfiltration, and provenance forgery. Works across 12 backends: Mem0, MemGPT, Zep, LangChain, LlamaIndex, ChromaDB, Pinecone, Weaviate, Qdrant, pgvector, Claude memory, and GPT memory. Ed25519-signed evidence receipts on every detection. SIEM export to Splunk, Sentinel, and QRadar.
OWASP LLM04
OWASP ASI06
MITRE ATLAS
612 Tests
M118 — MCP RUNTIME
SPECTER MCP SHIELD
Client-side MCP runtime guardian. 28 detectors across 7 attack categories: tool description injection, sampling hijack (Unit42 createMessage vector), STDIO command injection (CVE-2026-22252), SSE stream manipulation (CVE-2026-22688), JSON-RPC message forgery, protocol downgrade (CVE-2025-54136), schema drift, tenant isolation bleed, prompt injection via tool returns, and capability escalation. Session quarantine with TTL enforcement. SHA-256 hash-chained evidence receipts on every detection. Defensive pair to NIGHTFALL ROGUE (Tool 61).
OWASP LLM01
OWASP LLM07
MITRE ATLAS
243 Tests
M119 — ECONOMIC GUARD
Denial-of-Wallet Defence
Real-time token economics monitoring across OpenAI, Anthropic, Azure, Bedrock, and Vertex AI deployments. 8 detectors: token burn rate anomaly, context flood detection, parallel session surge, tool chain amplification, rate limit storm, billing threshold proximity, recursive loop identification, and cost anomaly baselining. Automatically throttles and quarantines runaway agent sessions before they trigger auto-reload billing cycles. Defensive pair to NIGHTFALL SPECTER BURN (Tool 76).
OWASP LLM04
ATLAS AML.T0040
149 Tests
Denial-of-Wallet
M120 — REASONING INTEGRITY
Reasoning Integrity Guard
Detects and blocks attacks against extended thinking and chain-of-thought reasoning pipelines. 8 detectors: premise injection interception, conclusion drift monitoring, scratchpad exposure prevention, budget exhaustion detection, chain corruption fingerprinting, authority injection blocking, epistemic manipulation, and reasoning loop termination. Supports Claude Extended Thinking, o1/o3, Gemini Flash Thinking, DeepSeek R1, and QwQ-32B. Defensive pair to NIGHTFALL SPECTER REASONER (Tool 75).
OWASP LLM01
ATLAS AML.T0054
174 Tests
CoT Defence
M121 — MODEL INTEGRITY
Model Integrity Monitor
Continuous model behavioural monitoring for sleeper-agent backdoor detection and integrity assurance. 8 components: trigger activation detection, covert exfil pattern analysis, behavioural baseline deviation scoring, output entropy anomaly, dormant trigger scanner, response volatility tracking, token distribution anomaly detection, and baseline profiler. Detects ROME rank-one weight edits, LoRA-poisoned adapters, and neuron-patch backdoors in production. Defensive pair to NIGHTFALL SPECTER NEURON (Tool 74).
OWASP LLM04
ATLAS AML.T0020
151 Tests
Backdoor Detection
M122 — INFERENCE GATEWAY
Inference Gateway Guard
Real-time security enforcement layer for AI inference gateways and model routers. 8 detectors: SQL injection through LLM API parameters (CVE-2026-42208), SSRF via model endpoint routing (CVE-2026-33626), remote code execution via tool call injection (CVE-2026-41264), system prompt leakage, API route hijack, unauthorised model access, token overrun attacks, and credential harvest via malformed inference requests. Blocks malicious requests before they reach the model layer.
OWASP LLM02
OWASP LLM08
132 Tests
Gateway Defence
M123 — HALO
Computer-Use Agent Guardian
Runtime protection for computer-use and browser-automation agents. 8 detectors: DOM divergence detection, visual prompt injection via screenshot content, clipboard poisoning intercept, URL fragment injection blocking, sensitive action gate (payments, auth changes, file deletion), fake dialog recognition, session token exposure prevention, and homoglyph/IDN domain spoofing. Human-in-the-loop gating for high-risk actions. Defensive pair to NIGHTFALL GHOST OPERATOR (Tool 73).
OWASP LLM01
ATLAS AML.T0054
124 Tests
Computer-Use
M124 — RANSOMWARE SHIELD
AI-Accelerated Ransomware Defence
Detects AI-assisted ransomware operations against agent-connected file systems and infrastructure. 8 detectors: file entropy analysis (Shannon entropy spike detection across 37 ransomware families), shadow copy destruction, mass file modification, ransom note placement (50+ known filenames), C2 beacon via LLM API (base64/JSON/zero-width steganography), lateral movement patterns, data staging before exfiltration, and cryptographic key operation monitoring. Defensive pair to NIGHTFALL SPECTER CRYPT (Tool 82).
OWASP LLM06
MITRE T1486
154 Tests
Ransomware Defence
M125 — NHI SENTINEL
Non-Human Identity Monitor
Security monitoring for non-human identities — service accounts, API keys, OAuth clients, JWTs, and machine credentials operating within AI agent fleets. 8 detectors: API key exposure (14 providers including OpenAI, Anthropic, AWS, Azure, GCP, GitHub), token lifetime violations, privilege escalation, cross-tenant identity bleed, OAuth flow abuse, JWT algorithm confusion and header manipulation, credential stuffing, and machine identity exfiltration. SHA-256 hash-chained evidence on every detection.
OWASP LLM08
ATLAS AML.T0012
125 Tests
Identity Security
M126 — CAMPAIGN DETECTOR
Autonomous Campaign Detector
Detects autonomous AI adversary campaign execution in progress. 8 detectors: OODA loop pattern recognition (Observe-Orient-Decide-Act cycling at machine speed), multi-phase kill chain correlation across recon/intrusion/privilege/persistence/exfil/destroy, autonomous orchestration signal detection (fleet spawning depth, agent count), tool chain amplification, campaign persistence establishment, WARLORD-class campaign pattern matching, SPECTER EXTINCTION precursor signals (annihilation keywords, deadman triggers), and coordinated machine-precision timing anomaly. Closes the complete G11 blind spot. Defensive pair to NIGHTFALL NEMESIS · WARLORD · FIREBALL · OMEGA · SPECTER EXTINCTION.
ATLAS AML.T0043
MITRE T1059
203 Tests
Campaign Detection
M127 — RECON GUARD
AI Recon & Enumeration Guard
First-phase attack detection — catches reconnaissance before exploitation begins. 8 detectors: AI-native surface enumeration (AI endpoint probing, OpenAPI discovery, MCP registry scanning), authenticated discovery probing (OIDC/OAuth well-known endpoints, multi-scheme credential testing), dark web enumeration signatures (onion address queries, Tor circuit rotation, WormGPT/FraudGPT/DarkGPT service targeting), systematic endpoint scanning (sequential/fuzzing patterns, IDOR enumeration), agent fingerprint probing (NIGHTFALL tool signature detection, version/stack disclosure), credential harvest recon (cloud IMDS access, .env/.aws/credentials targeting), infrastructure mapping (RFC 1918 subnet scanning, port sweeps), and passive recon baseline deviation. Closes the complete G01 blind spot. Defensive pair to NIGHTFALL ORION · SHADOWMAP · IDRIS · RAVEN · SHROUD · PHANTASM · SPECTER DAEMON.
ATLAS AML.T0007
MITRE T1595
194 Tests
Recon Defence
M128 — SHELL GUARD
Shell Guard
Detects template-interpolation RCE attacks across AI framework deployments. 8 detectors: Jinja2 SSTI (class traversal, MRO enumeration, lipsum/cycler/joiner gadgets), YAML unsafe-load (!!python/object/apply, !!python/object/new, __reduce__), LangChain template RCE (PromptTemplate injection, f-string bypass, chain output recycling), multi-framework RCE pattern (Flowise eval/Function, Haystack YAML class-loading, AutoGen code_execution_config, CrewAI tool injection, DSPy settings poison), generic SSTI across Mako/Tornado/Chameleon, code execution via template (eval/exec/os.system/subprocess/base64 decode chains), template filter bypass (|attr() chains, unicode encoding, request|attr gadgets), and cross-framework poison propagation. Defensive pair to NIGHTFALL T79 SPECTER SHELL.
OWASP LLM02
MITRE T1059
187 Tests
Template RCE
M129 — WORM GUARD
Worm Guard
Detects self-replicating adversarial prompt worm propagation across AI agent networks. 8 detectors: multi-hop propagation (hop count and agent spread thresholds), RAG corpus infection (poisoned document store/retrieve cycles, indirect prompt injection), MCP tool poison propagation (description override, zero-width/BiDi steganography, base64 hidden payloads), A2A message infection (broadcast amplification, recursive spawn, Morris II relay patterns), worm signature detection (Morris II verbatim-repeat, Nakash/Greshake, AutoGen code-gen worm, email/document worm), replication attempt pattern (11 critical patterns including CLAUDE.md/.mcp.json/.cursorrules modification), cross-agent payload correlation (hash-matching across agent sessions), and infection chain tracking (generation numbering, exponential branching detection). CVE-2026-52001. Defensive pair to NIGHTFALL T80 SPECTER WORM.
OWASP AGENTIC
ATLAS AML.T0051
188 Tests
Worm Detection
M130 — MEMORY GUARD
Memory Guard
Runtime detection of memory-layer attacks against AI agents — operationalises defence against the Memory-as-Control-Flow Attack (MCFA, arXiv:2603.15125). 8 detectors: memory injection (adversarial instructions in retrieved memory chunks), control flow hijack (MCFA pattern — memory redirecting agent execution), cross-session persistence (payloads persisting across sessions), memory override (replacement/resequencing triggers), RAG poisoning via memory (adversarial corpus injection), dormant trigger (sleeper payloads with conditional activation), memory exfiltration channel (covert data staging in memory fields), and memory provenance forgery (false origin claims, trust-level manipulation). Defensive pair to NIGHTFALL T77 SPECTER MEMETIC.
OWASP LLM04
ATLAS AML.T0051
240 Tests
Memory Security
M131 — SLOPSHIELD
Slopshield
Detects slopsquatting and hallucinated package attacks targeting AI coding agents. When an AI agent hallucinates a package name, threat actors register that name and wait — SLOPSHIELD catches the attempt before install. 8 detectors: hallucinated package detection (40+ known-hallucinated names, generic-suffix pattern matching), typosquatting check (Levenshtein distance ≤ 2 from top-100 packages), phantom dependency injection (unverified packages in agent-generated code), malicious package substitution (25+ confirmed substitution pairs), package name confusion (Unicode homoglyphs, hyphen/underscore variants), supply chain validation (ecosystem naming conventions, import-name mismatch), AI-generated import anomaly (non-existent API functions), and slopsquatting signature (Lanyado/Imperva research corpus). Defensive pair to NIGHTFALL T59 PHANTOM SKILL.
OWASP LLM03
Supply Chain
259 Tests
Slopsquatting
M132 — DECEPTION GUARD
Deception Guard
Runtime detection of deepfake, multimodal, and social engineering attacks against AI agents. Closes G10 of the NIGHTFALL taxonomy. 8 detectors: deepfake media detection (GAN artifacts, synthetic creation tool markers, TTS fingerprints), visual prompt injection (adversarial overlays, embedded instruction text, SPECTER PRISM LENS patterns), audio injection (ultrasonic commands ≥17kHz, WhisperInject-class 19kHz encoding, room acoustic manipulation), synthetic identity detection (AI-generated profiles, zero-EXIF headshots, uniform biography patterns), social engineering patterns (50+ authority/urgency/trust manipulation signatures), multimodal payload correlation (cross-modal fragment assembly, text+image+audio contradiction detection), steganographic content detection (EXIF/ID3/subtitle injection, zero-width Unicode, BiDi override), and adversarial typography (QR code payloads, adversarial signage, homoglyph substitution). Defensive pair: NIGHTFALL G10 — SPECTER SOCIAL · MIRAGE · VANTAGE · MIMIC · SPECTER PRISM.
OWASP LLM01
ATLAS AML.T0043
255 Tests
Deepfake Detection
M133 — SUPPLY CHAIN RUNTIME GUARD
Supply Chain Runtime Guard
Runtime detection of supply chain and build pipeline attacks against AI agent deployments. Closes G07 of the NIGHTFALL taxonomy. 8 detectors: dependency confusion attack (namespace hijacking, version-override anti-patterns, unexpected registry sources), CI/CD pipeline poison (GitHub Actions with unverified actions, curl|bash patterns, self-hosted runner escalation), framework RCE pattern (LangChain/AutoGen/CrewAI/Haystack execution-capable components with untrusted input), malicious dependency injection (30+ confirmed malicious package names, version range widening), build artifact tampering (Docker digest mismatch, unexpected binary in pure-Python wheels, lock file hash mismatch), supply chain worm propagation (recursive dependency file modification, postinstall multi-repo spread), platform framework backdoor (trust_remote_code, HuggingFace executable model cards, SDK endpoint hijack), and code signing bypass (--no-verify flags, PYTHONPATH manipulation, unverified local installs). Defensive pair: NIGHTFALL G07 — HYDRA · PIPELINE · SPECTER SHELL · SPECTER WORM · SPECTER PLATFORM.
OWASP LLM03
MITRE T1195
235 Tests
Supply Chain
M134 — ROBOTIC GUARD
Robotic System Guard
Real-time detection of attacks against robotic systems and embodied AI platforms. 8 detectors: URScript injection, ROS2 unauthorised access, dual-channel safety bypass (BadRobot arXiv:2407.20242v4 / Blindfold arXiv:2603.01414), ISO 10218-1/TS 15066 safety threshold violations, robotic credential abuse, unsigned artifact injection (CWE-345), robotic lateral movement, phantom control detection. 268 tests.
MITRE ICS T0855
ATLAS AML.T0043
ISO 10218-1
V16 Embodied AI
M135 — CUA GUARD
CUA Guard
Real-time detection of attacks against computer-use and browser agents. 8 detectors: visual prompt injection (STATIC/ADINJECT/hidden CSS), URL manipulation (CVE-2025-47241 userinfo bypass, IDNA homograph, dangerous schemes), branch steering (CaMeLs arXiv:2601.09923, indirect injection), chain action anomaly (payment/wipe/IAM/code-exec from web content), escape attempt (file protocol, path traversal, settings file write, shell metacharacters), OAuth consent spoof (scope inflation, fake provider domains, Meta blue clone), exfil channel (base64 URL params, DNS tunnelling, credential-in-body), session anomaly (rapid navigation, off-task domains, cross-origin data send). Defensive pair: T101 SPECTER WEB. 215 tests.
CVE-2025-47241
ATLAS AML.T0051
OWASP LLM01
CUA Security
M136 — INFERENCE GUARD
Inference Guard
Runtime defence for ML training and inference infrastructure. 8 detectors: Ray job anomaly (CVE-2023-48022 unauthenticated RCE, zero-CPU zombie jobs, detached C2 jobs), Slurm REST abuse (CVE-2023-41915 privesc, mass-node worm submission, self-resubmit persistence), MLflow artifact poisoning (CVE-2024-1483 path traversal, pickle upload, model registry poison), K8s ML workload attack (privileged DaemonSet, kube-system CronJob, cluster-admin RBAC), gradient poisoning (Byzantine norm spikes, sign flip fraction, backdoor trigger, checkpoint integrity), hardware sabotage (nvidia-smi power limit override, IPMI fan override, high-entropy disk write), model exfiltration (bulk checkpoint export, HuggingFace push, ONNX export), cluster worm (SSH key propagation, lateral movement, process spawn flood). Defensive pair: T102 SPECTER THUNDERBOLT. 232 tests.
CVE-2023-48022
CVE-2023-41915
CVE-2024-1483
ML Infrastructure
M137 — VOICE GUARD
Voice Guard
Runtime defence for AI voice agents and IVR infrastructure. 8 detectors: SIP protocol abuse (INVITE flood, caller ID spoofing, DTMF injection, SIP auth bypass), prompt injection in transcripts (role override, delimiter injection, jailbreak prefixes, zero-width/BIDI Unicode, homoglyph injection), adversarial audio detection (PhantomSound arXiv:2309.06960 burst detection, DolphinAttack ultrasonic carrier, psychoacoustic masking, RTP entropy spike, spectral flatness anomaly), voice clone detection (mel-cepstral distortion, ElevenLabs fricative fingerprint, XTTS v2 smoothing artifacts, speaker embedding drift, GAN periodic artifacts), session harvest attempt (system prompt probe, credential extraction, internal tool enumeration, PII fishing, lateral movement probe), IVR sabotage (noise injection, context exhaustion, webhook flood, silence DoS, DTMF storm), unauthorised barge-in (WebSocket origin validation, RTP SSRC hijack, relay certificate forgery, timestamp injection), voice agent recon (SIP OPTIONS sweep, STIR/SHAKEN harvest, provider enumeration, IVR tree mapping). Defensive pair: T107 SPECTER WIRE. 186 tests.
arXiv:2309.06960
DolphinAttack
RFC 3261
Voice AI Security
M138 — SANDBOX GUARD
Sandbox Guard
Runtime detection of AI sandbox and container escape attacks. 8 detectors: indirect_prompt_injection (SILENTBRIDGE CSS hidden text font-size:0px/color:transparent, zero-width Unicode U+200B/200C/200D/FEFF clusters, HTML comment injection, markdown image beacons), mcp_tool_call_abuse (CLAWCHAIN CVE-2026-44115 heredoc $() shell expansion, CVE-2026-44118 X-MCP-Sender-Is-Owner:true bearer spoof, tool description poisoning, SSRF targets), toctou_symlink_race (CVE-2026-44112/113 TOCTOU races, CVE-2025-31133 runc /dev/null symlink → /proc/sys/kernel/core_pattern, privileged symlink targets, namespace escape), js_prototype_chain_escape (CVE-2026-5752 Cohere Terrarium document.__proto__.constructor.constructor, CVE-2026-22686 enclave-vm Error prototype chain, Function() constructor abuse, child_process execSync), python_sandbox_escape (CVE-2026-2275 CrewAI ctypes.CDLL + ctypes.util.find_library('c') + libc.system, importlib abuse, __subclasses__ traversal, pickle __reduce__ RCE), container_escape_attempt (CVE-2025-31133 core_pattern write, CVE-2025-9074 Docker Desktop 192.168.65.7:2375 Engine API, cgroup release_agent, privileged bind mount, Docker socket), sandbox_network_exfil (DNS tunnelling base32 subdomain exfil, AWS/private key exfiltration, C2 beacon loops, IMDS SSRF 169.254.169.254, raw socket ICMP), multi_platform_chain_detection (SILENTBRIDGE→CLAWCHAIN chains, JS prototype→OS command, ctypes→network exfil, container escape→persistence, WMD-class destruction). Defensive pair: T108 SPECTER SANDBOX. 215 tests.
CVE-2025-31133
CVE-2025-9074
CVE-2026-5752
CVE-2026-22686
CVE-2026-2275
Container Escape
M139 — COPILOT GUARD
Copilot Guard
Runtime detection of Microsoft 365 Copilot and M365 platform attacks. 8 detectors: device_code_phishing (OAuth device code flow abuse, tenant-wide phishing, GetCredentialType timing), copilot_prompt_injection (Embrace/Ignore/Override techniques arXiv:2406.00137, Copilot-specific injection, CVE-2024-49035 Copilot Studio privesc), graph_api_harvest (Graph $batch endpoint abuse, bulk M365 data exfil, CA policy enumeration), teams_siege_detection (webhook abuse, CSS hidden channel injection, meeting summary hijack, guest pivot), admin_pipeline_abuse (admin email permutation, consent phishing, stealth UA rotation, password spray), ghost_hand_detection (GHOST-HAND zero-attribution via Microsoft.Copilot sole actor, calendar C2 persistence, DOCSTRIKE trigger), tenant_recon (Azure AD enumeration, Conditional Access mapping, service principal discovery), tenant_annihilation (mass deletion, CA policy wipe, backdoor OAuth app, PIM abuse, credential rotation lockout). Defensive pair: T111 SPECTER 360. 212 tests.
CVE-2024-49035
arXiv:2406.00137
GHOST-HAND
Graph API
Microsoft 365
Copilot
M140 — DAG GUARD
DAG Guard
Runtime integrity monitoring for knowledge graph and DAG-based reasoning systems. 5 subsystems: EDGE_INTEGRITY (false edge injection detection, confidence weight manipulation, low-trust→high-trust cluster alerts), VECTOR_MONITOR (anomalous evidence vector detection, cosine similarity attacks, batch injection volume anomaly, baseline drift), TRUST_PROPAGATION_GUARD (trust laundering detection, hub node monitoring, rapid trust score rise without evidence), CYCLE_DETECT (continuous cycle detection, amplification cycle identification, VAULT cycle injection signature matching), REPORT (WARLORD-compatible JSON, CVSS scoring, GraphViz attack subgraph, evidence chain, remediation). Defensive pair: T120 SPECTER VAULT (DAG-POISON/DAG-TRAVERSE/DAG-EXTRACT). 150 tests.
DAG Integrity
Knowledge Graph
Trust Propagation
EU AI Act
MITRE ATLAS
M141 — TRAPDOOR GUARD
Trapdoor Guard
AI agent persistence and rootkit detection. 10 subsystems: CONFIG_INTEGRITY (hooks.Stop/PostToolUse/PreToolUse in settings.json, external C2 endpoints, shell exec in config values), HOOK_INTEGRITY (SPECTER ZOMBIE T123 confirmed vector, LangChain/CrewAI/PraisonAI lifecycle hooks, Radware ZombieAgent pattern), RULES_FILE_GUARD (CLAUDE.md/cursorrules injection, system prompt override, HTML comment hiding, zero-width Unicode, tool-call directives), MEMORY_PERSISTENCE_DETECT (vector store poisoning, dormant trigger payloads, cross-session persistence across ChromaDB/Pinecone/Weaviate/Qdrant/Redis/Mem0), MCP_MANIFEST_GUARD (unauthorised tool additions, capability escalation, tool shadowing, rug pull patterns), WORKFLOW_INTEGRITY (n8n/Flowise/Langflow injection, C2 webhook, schedule node injection), SUPPLY_CHAIN_MONITOR (known-malicious PyPI/npm, postinstall exec, HuggingFace model card RCE, Docker base image abuse), NETWORK_BEACON_DETECT (cron+curl beacons, DNS C2 encoded subdomains, LLM API C2 relay, C2 framework signatures), PROPAGATION_DETECT (agent-to-agent infection, fleet propagation, shared memory contamination, Zombie agent persistence), PROCESS_PERSISTENCE_DETECT (crontab, systemd, shell profile, rc.local, launchd, at jobs). RSSA escalation on CRITICAL findings. Defensive pairs: T123 SPECTER ZOMBIE (primary), T116 VENOM, T88 SHADOW, T110 SPAWN, T122 GHOST, T121 FEDERATION. 296 tests.
Agent Persistence
Rootkit Detection
Hook Integrity
Rules File Guard
MCP Security
MITRE ATLAS