Red Specter APOCALYPSE

Coordinated Multi-Agent AI Swarm Attack — 5 agents, 14 vectors, 10 campaigns. One agent finds a crack. Five agents tear it open.

v1.0.0

Contents

Overview The 5 Agents Agent Details All 14 Vectors The 10 Campaigns CLI Reference UNLEASHED Gate MITRE ATLAS Mapping Report Output Key Features Requirements SIEM Export REST API WARLORD Integration Adapter Types Packaging Disclaimer

Overview

Red Specter APOCALYPSE is a coordinated multi-agent AI swarm attack tool. Every existing AI security tool tests one vector at a time. Real attackers don't. APOCALYPSE fires five autonomous adversarial agents simultaneously — WRAITH (recon), SPECTER (injection), SHADE (evasion), PHANTOM (swarm coordination), REVENANT (exfiltration) — all via asyncio.gather concurrent execution in 0.69s.

APOCALYPSE provides 5 agents, 14 vectors, and 10 pre-built campaigns under a single CLI (apocalypse). Every finding maps to MITRE ATLAS. Every report is Ed25519-signed. WARLORD integration passes discovered credentials and topology directly into autonomous campaign execution.

APOCALYPSE is Tool #45 of 45 in the NIGHTFALL framework. 52,284 total tests across the framework. Chains with FIREBALL (Tool 41), RAGNAROK (Tool 42), and WARLORD (Tool 40).

The 5 Agents

ID	Agent	Role	Vectors	Description
P-01	WRAITH	Reconnaissance	WRA-001→005	Agent inventory, tool manifest, health probe, auth detection, rate limit mapping
P-02	SPECTER	Injection & Poisoning	SPE-001→003	Direct injection (8 templates), indirect injection (5 templates), memory poisoning
P-03	SHADE	Evasion & Mutation	SHA-001→002	8 encoding variants (Cyrillic homoglyphs, zero-width, base64, ROT13), 40-keyword semantic synonyms
P-04	PHANTOM	Swarm Commander	PHA-001→002	asyncio.gather concurrent execution, campaign phase sequencing
P-05	REVENANT	Exfiltration & Persistence	REV-001→002	Credential harvest (OpenAI/Anthropic/AWS/JWT/Bearer), token replay

Agent Details

P-01 WRAITH — Reconnaissance WRA-001 → WRA-005

WRAITH is the first agent to fire. It builds a complete map of the target AI fleet before any attack phase begins. Five vectors covering every aspect of target topology discovery.

WRA-001 — Agent Inventory — Enumerate deployed agents, enumerate endpoint paths, identify API surface
WRA-002 — Tool Manifest Discovery — Probe for exposed tool registries, MCP manifests, function call schemas
WRA-003 — Health Probe — Map liveness endpoints, uptime patterns, response latency fingerprinting
WRA-004 — Auth Detection — Identify authentication mechanisms, probe for credential reflection in responses
WRA-005 — Rate Limit Mapping — Establish rate limit thresholds to avoid triggering defences during subsequent attack phases

All WRAITH vectors run passively by default. In UNLEASHED mode they escalate to active exploitation of discovered auth weaknesses.

P-02 SPECTER — Injection & Poisoning SPE-001 → SPE-003

SPECTER attacks the trust and instruction layers. Three vectors covering the full injection surface: direct prompt injection, indirect injection via data channels, and memory poisoning for persistence across turns.

SPE-001 — Direct Injection — 8 payload templates: instruction override, system prompt extraction, constraint removal, role confusion, jailbreak escalation, permission hijacking, output redirection, goal substitution
SPE-002 — Indirect Injection — 5 templates: document poisoning, tool response poisoning, retrieved context poisoning, web content injection, structured data (JSON/CSV) injection
SPE-003 — Memory Poisoning — Injects adversarial content into agent memory/context windows that persists across conversation turns and influences future agent behaviour

All SPECTER payloads are pre-processed by SHADE before transmission when running in evasion-enabled campaigns.

P-03 SHADE — Evasion & Mutation SHA-001 → SHA-002

SHADE is the evasion layer. It pre-processes all payloads before SPECTER fires them, generating variants that defeat static keyword filters and rule-based defences without changing semantic meaning for the target LLM.

SHA-001 — Encoding Variants — 8 encoding transformations per payload: Cyrillic homoglyphs (replace Latin chars with visually identical Cyrillic), zero-width space insertion, base64 embedding, ROT13, URL encoding, HTML entity encoding, Unicode normalisation attacks, mixed bidirectional text
SHA-002 — Semantic Mutation — 40-keyword synonym dictionary: replaces trigger words with semantic equivalents that pass keyword filters while preserving attack intent. Context-aware substitution using part-of-speech tagging.

SHADE runs independently when called by SPECTER or can be invoked directly as a preprocessing pipeline. In INJECTION STORM campaign it processes every payload before transmission.

P-04 PHANTOM — Swarm Commander PHA-001 → PHA-002

PHANTOM is the orchestration layer. It coordinates all other agents, manages concurrent execution, and sequences multi-phase campaigns. The 0.69s swarm time is achieved by PHANTOM's asyncio.gather implementation.

PHA-001 — Concurrent Execution — asyncio.gather fires all agents simultaneously. No sequential blocking. All 14 vectors in parallel. Maintains per-agent result collection and error isolation so one agent failure doesn't abort the swarm.
PHA-002 — Campaign Phase Sequencing — For multi-phase campaigns (e.g. SWARM TAKEOVER), PHANTOM sequences phases: recon first, then inject with discovered topology, then exfil with harvested auth. Passes inter-phase context between agents.

PHANTOM also manages rate-limit-aware throttling based on WRAITH's WRA-005 findings, ensuring the swarm stays below detection thresholds when required.

P-05 REVENANT — Exfiltration & Persistence REV-001 → REV-002

REVENANT systematically harvests credentials from every agent response and establishes session persistence via token replay. Compiled regex patterns cover the full landscape of AI service credentials.

REV-001 — Credential Harvest — Compiled regex patterns for: OpenAI keys (sk-[A-Za-z0-9]{48}), Anthropic keys (sk-ant-[A-Za-z0-9-_]{95}), AWS access keys (AKIA[A-Z0-9]{16}), JWT tokens, Bearer tokens, generic API key patterns. Runs against every response body from every agent.
REV-002 — Token Replay — Takes harvested credentials and attempts authenticated access to discovered endpoints. Validates credential viability and maps accessible API surface. In UNLEASHED mode, attempts full session establishment.

All harvested credentials are included in the signed report with finding severity CRITICAL. REV findings automatically trigger WARLORD escalation in integrated deployments.

All 14 Vectors

Complete vector reference. Each vector ID maps to a specific MITRE ATLAS technique (see the ATLAS Mapping section).

Vector	Agent	Name	ATLAS
WRA-001	WRAITH	Agent inventory — enumerate agents, API surface mapping	AML.T0013
WRA-002	WRAITH	Tool manifest discovery — MCP manifests, function schemas	AML.T0013
WRA-003	WRAITH	Health probe — liveness endpoints, latency fingerprinting	AML.T0007
WRA-004	WRAITH	Auth detection — auth mechanism identification, credential reflection	AML.T0007
WRA-005	WRAITH	Rate limit mapping — threshold establishment for stealth attack pacing	AML.T0016
SPE-001	SPECTER	Direct injection — 8 templates (instruction override, constraint removal, etc.)	AML.T0051
SPE-002	SPECTER	Indirect injection — 5 templates (document, tool response, RAG, web, structured)	AML.T0051.000
SPE-003	SPECTER	Memory poisoning — persistent adversarial context injection across turns	AML.T0031
SHA-001	SHADE	Encoding variants — 8 transformations (Cyrillic, zero-width, base64, ROT13, etc.)	AML.T0054
SHA-002	SHADE	Semantic mutation — 40-keyword synonym dictionary, context-aware substitution	AML.T0054
PHA-001	PHANTOM	Concurrent execution — asyncio.gather, all vectors simultaneous, 0.69s	AML.T0004
PHA-002	PHANTOM	Campaign phase sequencing — multi-phase attack orchestration, inter-agent context	AML.T0004
REV-001	REVENANT	Credential harvest — compiled regex for OpenAI/Anthropic/AWS/JWT/Bearer	AML.T0037
REV-002	REVENANT	Token replay — authenticated access validation, session establishment	AML.T0037

The 10 Campaigns

Pre-built campaigns select the appropriate agents and vectors for each objective. Pass a campaign with --campaign <id>.

ID	Campaign	Severity	Agents	Objective
C-01	threshold_probe	LOW	WRAITH, SPECTER	Map detection boundaries without triggering active defences
C-02	credential_harvest	MEDIUM	WRAITH, REVENANT	Identity theft focus — harvest credentials, API keys, tokens from responses
C-03	rag_poison	MEDIUM	SHADE, SPECTER	RAG pipeline corruption with mutated, filter-evading payloads
C-04	swarm_takeover	HIGH	All 5	Inter-agent trust compromise — simultaneous attack on agent-to-agent trust channels
C-05	total_eclipse	EXTREME	All 5 (14 vectors)	Full swarm, every vector simultaneously — maximum concurrent pressure
C-06	silent_recon	LOW	WRAITH only	Stealthy topology mapping — full fleet inventory, passive only, no injection
C-07	injection_storm	HIGH	SHADE + SPECTER	Mutated payload injection at scale — SHADE pre-encodes, SPECTER fires
C-08	exfil_express	MEDIUM	REVENANT + WRAITH	Credential extraction focus — map then harvest every credential pattern
C-09	infrastructure_sweep	MEDIUM	WRAITH + PHANTOM	Complete fleet topology mapping across all discovered endpoints
C-10	annihilation	EXTREME	All 5	UNLEASHED REQUIRED — full destructive, all 14 vectors, live exploitation

CLI Reference

APOCALYPSE is invoked via the apocalypse command.

Standard Scan

$ apocalypse scan --target https://agent.example.com

Full 14-Vector Swarm

$ apocalypse scan --target https://agent.example.com --campaign total_eclipse

UNLEASHED Live Exploitation

$ apocalypse unleashed create-scope --targets https://agent.example.com --days 7
$ apocalypse scan --target https://agent.example.com --campaign annihilation --override --confirm-destroy
    

All CLI Options

$ apocalypse scan --help

  --target, -t            Target AI agent endpoint URL [required]
  --campaign, -c          Campaign ID (e.g. total_eclipse, silent_recon) [default: threshold_probe]
  --agents                Comma-separated agent IDs to activate [default: all]
  --vectors               Comma-separated vector IDs to fire [default: campaign-defined]
  --adapter               Adapter type: generic, openai [default: generic]
  --output, -o            Output directory [default: reports]
  --sign / --no-sign      Ed25519 signing [default: sign]
  --keys-dir              Keys directory [optional]
  --concurrency           Max concurrent HTTP requests [default: 10]
  --timeout               Per-request timeout in seconds [default: 30]
  --export-siem           Export to SIEM: splunk, sentinel, qradar [optional]
  --verbose, -v           Verbose output
  --override              Activate UNLEASHED mode (dry run) [requires Ed25519 key]
  --confirm-destroy       Go live — execute real destructive actions [requires --override]
    

Additional Commands

$ apocalypse report verify --report reports/apocalypse-scan.json --keys-dir .apocalypse-keys/
$ apocalypse unleashed create-scope --targets https://agent.example.com --days 7
$ apocalypse unleashed list-scopes
$ apocalypse agents list
$ apocalypse campaigns list
    

UNLEASHED Gate

APOCALYPSE UNLEASHED is the live exploitation mode. It requires Ed25519 cryptographic authorisation. Private key controlled. One operator. Founder's machine only.

Modes

Standard — recon + report only. All findings reported but no live exploitation attempted.
--override — dry run mode. Shows exactly what UNLEASHED would execute, without executing it. Scope file still required.
--override --confirm-destroy — live exploitation. All UNLEASHED actions execute against the target. Scope file and valid Ed25519 key required.

Scope Files

Create a scope file before using UNLEASHED. The scope file is Ed25519-signed at creation and validated before every UNLEASHED operation.

$ apocalypse unleashed create-scope \
    --targets https://agent.example.com \
    --days 7 \
    --campaigns annihilation,total_eclipse
    

ANNIHILATION Campaign

The ANNIHILATION campaign is the full destructive mode. All five agents, all 14 vectors, live exploitation. It will not run without --override --confirm-destroy and a valid scope file that explicitly permits the annihilation campaign.

Report Signing

All reports are signed with Ed25519 regardless of UNLEASHED mode. UNLEASHED reports carry an additional unleashed_mode field and the scope file hash in the report metadata.

$ apocalypse report verify --report reports/apocalypse-annihilation-2026-04-05.json
    

MITRE ATLAS Mapping

Every APOCALYPSE finding maps to a MITRE ATLAS technique. 9 techniques covered across all 14 vectors.

ATLAS Technique	Vectors	Description
AML.T0013	WRA-001, WRA-002	Discover ML Model Ontology — agent inventory and tool manifest discovery
AML.T0007	WRA-003, WRA-004	Discover ML Model Family — health probe and auth detection fingerprinting
AML.T0016	WRA-005	Obtain Capabilities — rate limit mapping for stealth operation
AML.T0051	SPE-001	LLM Prompt Injection — direct injection via 8 payload templates
AML.T0051.000	SPE-002	LLM Prompt Injection: Indirect — indirect injection via document/tool/RAG channels
AML.T0031	SPE-003	Erode ML Model Integrity — memory poisoning for persistent compromise
AML.T0054	SHA-001, SHA-002	LLM Jailbreak — encoding variants and semantic mutation for filter evasion
AML.T0004	PHA-001, PHA-002	Full ML Model Access — concurrent swarm execution and campaign sequencing
AML.T0037	REV-001, REV-002	Data from ML Model — credential harvest and token replay for exfiltration

Report Output

Reports are produced in JSON and HTML formats after every scan. Both are generated automatically.

JSON Report Structure

report_id — unique report identifier
target — the AI agent fleet that was attacked
campaign — which campaign was executed
overall_grade — A through F, weighted by severity
overall_score — 0–100
findings — array of normalised findings
per_agent_summary — grade and score per agent
atlas_coverage — which ATLAS techniques have findings
harvested_credentials — list of credential patterns found (masked in report)
unleashed_mode — boolean, scope file hash if applicable
signature — Ed25519 signature + RFC 3161 timestamp

Finding Schema

Every finding includes:

finding_id — unique identifier
vector_id — e.g. WRA-001, SPE-002, REV-001
agent — which agent produced the finding
atlas_technique — MITRE ATLAS technique ID
severity — CRITICAL / HIGH / MEDIUM / LOW / INFO
score — 0–100 (higher is safer)
payload_used — exact attack payload or probe
response_excerpt — relevant excerpt from target response
description — what was found
remediation — how to fix it

HTML Report

Dark-themed HTML report with: executive summary, overall grade, per-agent breakdown, ATLAS coverage matrix, sortable findings table, harvested credential summary, and signature verification info.

Key Features

5 Agents Concurrent asyncio.gather — all 14 vectors in 0.69s

Evasion-First SHADE mutates every payload before SPECTER fires

Ed25519 Signed Reports SHA-256 evidence chains, RFC 3161 timestamps

Credential Harvesting Compiled regex for OpenAI, Anthropic, AWS, JWT, Bearer

WARLORD Integration Findings feed directly into autonomous campaigns

349 Tests Passing Full test suite, zero failures

Requirements

Python 3.11+
httpx — async HTTP client with retry logic
asyncio — concurrent agent execution
typer — CLI framework
rich — terminal formatting and progress bars
pydantic — data validation and config
jinja2 — HTML report templating
cryptography — Ed25519 signing

Installation

$ pip install red-specter-apocalypse

Also available as .deb (Kali Linux, Parrot, REMnux, Tsurugi) and PKGBUILD (BlackArch).

Or from source:

$ git clone https://github.com/RichardBarron27/red-specter-apocalypse
$ cd red-specter-apocalypse
$ pip install -e ".[dev]"
    

SIEM Export

APOCALYPSE exports all swarm findings directly to enterprise SIEM platforms with a single CLI flag. All findings are translated to the SIEM's native format with Ed25519 signatures and RFC 3161 timestamps preserved.

Supported Platforms

Splunk — HTTP Event Collector (HEC), CIM-compliant field mapping
Microsoft Sentinel — CEF format via Log Analytics API, HMAC-SHA256 authentication
IBM QRadar — LEEF 2.0 format via Syslog (TCP/UDP/TLS)

Configuration

Configure SIEM credentials in ~/.redspecter/siem.yaml or via environment variables:

# ~/.redspecter/siem.yaml
splunk:
  hec_url: https://splunk.example.com:8088
  hec_token: your-hec-token
  index: ai_security
  verify_ssl: true

sentinel:
  workspace_id: your-workspace-id
  shared_key: your-shared-key
  log_type: RedSpecterFindings

qradar:
  syslog_host: qradar.example.com
  syslog_port: 514
  protocol: tcp

Usage

# Export to Splunk HEC
apocalypse scan --target https://agent.example.com --campaign total_eclipse --export-siem splunk

# Export to Microsoft Sentinel
apocalypse scan --target https://agent.example.com --campaign total_eclipse --export-siem sentinel

# Export to IBM QRadar
apocalypse scan --target https://agent.example.com --campaign total_eclipse --export-siem qradar

What Is Preserved

Ed25519 cryptographic signatures on every finding
RFC 3161 timestamps for tamper evidence
SHA-256 evidence chain hashes
MITRE ATLAS technique mappings in SIEM-native fields
Harvested credential indicators (masked for safety)

Error Handling

If SIEM credentials are missing or the export fails, the scan completes normally and the report is saved locally. SIEM export never blocks a scan.

REST API

APOCALYPSE exposes a REST API for programmatic integration. Start the API server with apocalypse serve.

Endpoints

POST /api/v1/scan
  body: { "target": "https://agent.example.com", "campaign": "total_eclipse" }
  returns: { "scan_id": "...", "status": "queued" }

GET  /api/v1/scan/{scan_id}
  returns: { "scan_id": "...", "status": "complete", "report_url": "/api/v1/report/..." }

GET  /api/v1/report/{report_id}
  returns: Full JSON report including findings, ATLAS mapping, signature

GET  /api/v1/agents
  returns: List of available agents with vector counts

GET  /api/v1/campaigns
  returns: List of available campaigns with agent and severity info

POST /api/v1/unleashed/scope
  body: { "targets": [...], "campaigns": [...], "days": 7 }
  # Requires Ed25519 key header
    

WARLORD Integration

APOCALYPSE integrates directly with WARLORD (Tool 40) for autonomous campaign escalation. When REVENANT harvests credentials or WRAITH discovers unprotected endpoints, these findings can be passed to WARLORD for automated follow-on attack execution.

Integration Flow

APOCALYPSE runs a scan (any campaign)
REVENANT harvests credentials — findings flagged as CRITICAL with warlord_escalate: true
WRAITH discovers unprotected infrastructure — topology exported to warlord_targets.json
WARLORD ingests APOCALYPSE report and executes follow-on campaigns

Configuration

Enable WARLORD integration in ~/.redspecter/apocalypse.yaml:

warlord:
  enabled: true
  endpoint: http://localhost:8090/api/v1
  auto_escalate: false  # set true to auto-trigger WARLORD on CRITICAL findings
  campaigns:
    - WEB_DESTROY
    - CREDENTIAL_STORM

With auto_escalate: false (default), APOCALYPSE produces a warlord_handoff.json file that must be manually passed to WARLORD. With auto_escalate: true and UNLEASHED mode, WARLORD is triggered automatically on CRITICAL findings.

Adapter Types

APOCALYPSE communicates with target agents via adapters. Select the appropriate adapter for your target with --adapter.

Generic Adapter (default)

The generic adapter communicates via standard HTTP POST with JSON body. Compatible with any REST API that accepts a message body.

$ apocalypse scan --target https://agent.example.com/chat --adapter generic

Generic adapter request format:

POST /chat
Content-Type: application/json

{
  "message": "<payload>",
  "session_id": "<uuid>"
}

OpenAI Adapter

The OpenAI adapter communicates via the /v1/chat/completions endpoint format. Compatible with OpenAI-compatible APIs including local deployments (Ollama, LMStudio, vLLM).

$ apocalypse scan --target https://api.openai.com --adapter openai --api-key sk-xxx
    

Also works with local OpenAI-compatible servers:

$ apocalypse scan --target http://localhost:11434 --adapter openai --model llama3
    

NIGHTFALL Pipeline Position

APOCALYPSE is Tool #45 of 45 — the final tool in the NIGHTFALL offensive framework. 52,284 total tests across the framework.

FORGE (#1) — Test the LLM before you build with it
ARSENAL (#2) — Test the AI agent during development
PHANTOM (#3) — Coordinated AI agent swarm assault
…
WARLORD (#40) — Autonomous attack campaigns
FIREBALL (#41) — Autonomous AI infiltration, 12 subsystems
RAGNAROK (#42) — Fleet-wide simultaneous trust chain compromise
ECLIPSE (#43) — Universal AI defence bypass & coverage analysis
SHROUD (#44) — WAF/CDN origin discovery & bypass
APOCALYPSE (#45) — Coordinated multi-agent AI swarm attack

AI Shield — Defence | redspecter-siem — SIEM Integration (Splunk, Sentinel, QRadar)

Packaging

APOCALYPSE is available in three package formats for security-focused Linux distributions:

Debian / Kali / Parrot / REMnux / Tsurugi — .deb package
BlackArch — PKGBUILD
PyPI — pip install red-specter-apocalypse

For access, contact richard@red-specter.co.uk or visit github.com/RichardBarron27/red-specter-apocalypse.

Disclaimer

Red Specter APOCALYPSE is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any APOCALYPSE scan against a target. The ANNIHILATION campaign and all UNLEASHED modes require a valid scope file and Ed25519 cryptographic authorisation. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse.