Welcome to NIGHTFALL. Bring your targets. Prove your defences. 125 offensive AI security tools. One install. One CLI. REST API. MCP server. Every attack surface covered.
NIGHTFALL is a controlled adversarial testing framework designed to validate AI Shield's runtime defences under real-world conditions.
The complete agentic AI attack surface — 18 layers, 125 tools, every threat class covered.
"Five Eyes guidance named prompt injection as the most persistent threat. They are correct. They also covered one of sixteen."
125 tools organised by attack function. 14 groups. Two ways to navigate the arsenal — by what layer you're attacking above, or by which tool does the job below.
Traditional red team toolkits were built for human-driven testing. They were never designed to test autonomous AI systems.
AI agents introduce a completely new attack surface — memory, tools, identity, reasoning, and autonomy. That surface is not covered by existing security tooling. Kali Linux and Parrot OS remain essential for traditional penetration testing. But they were built for a different threat model — one where a human is always in the loop.
Every other red team tool runs static payloads. NEMESIS reasons, adapts, and evolves mid-engagement. 21 weapons. 40 autonomous entities. AI-driven attack mutation that never runs the same test twice.
Your AI defence has never been tested against an AI attack. Signature-based detection fails because NEMESIS never repeats. Behavioural analysis fails because NEMESIS reasons about the defence and changes strategy. The only defence that keeps pace is one built by the same mind that built the attack. That defence is AI Shield.
Every tool works standalone. NIGHTFALL connects them all. Pick the path that fits your engagement.
Need one tool? Download it. Install it. Run it. No framework required. Each tool has its own repo, its own CLI, its own tests. Works independently.
100+ public repos. Each one a weapon.
One install. All 125 tools. Attack chains. Engagement management. History. Signed reports. Audit trail. Everything wired together under one CLI.
Individual tools are hammers. NIGHTFALL is the workshop.
121 tools mapped across 35 kill chain phases. From passive reconnaissance through space-based NTN exploitation, model IP extraction, total infrastructure annihilation, AI-assisted ransomware simulation, multimodal adversarial attacks, AI coding agent exploitation, training pipeline poisoning, cross-agent trust escalation, GGUF model quantization backdoor deployment, AI agent marketplace supply chain attacks, enterprise no-code/low-code platform exploitation, AI API gateway exploitation, AI-generated code vulnerability scanning & exploit chaining, vector database exploitation, embodied AI & robotics annihilation, CUA/browser agent exploitation, social media AI attack surface exploitation, Meta/Facebook ecosystem annihilation, autonomous multi-tool mission orchestration, platform-agnostic OAuth token harvesting via AI-driven social engineering, AI voice agent exploitation, unified AI sandbox & container escape, AI workflow builder attack, AI agent proliferation & emergent spawning, Microsoft 365 & Copilot annihilation — single email in, full tenant owned, GHOST-HAND zero-attribution via Copilot-native actions, platform moderation exploitation — turn AI classifiers into suppression weapons, autonomous LRM-vs-LRM jailbreak — DeepSeek-R1 attacks any frontier model with adaptive 10-strategy loop, 97.14% overall ASR, Google Workspace AI annihilation — GHSA-wpqr-6v78-jr5g CVSS 10.0 Gemini CLI CI/CD RCE, corpus poisoning, zero-attribution GHOST-GAIA mode (L25 Enterprise AI Productivity, kill chain phase 32), neural supply chain compromise — backdoor model weights before download, DEEPTHINK DeepSeek R1 reasoning-layer exfil, DETONATE autonomous destruction via agent tool calls (L26, kill chain phase 33), AI agent runtime persistence — PLANT into Redis/SQLite/LangGraph/Mem0, HOOK .mcp.json/CLAUDE.md/Cursor rules, DNS/HTTP/think-token covert C2, multi-backend SURVIVE with self-healing (L27, kill chain phase 34), air-gapped adversarial red team automation — R1 32B attacker vs any Ollama target, GENERATE→FIRE→JUDGE→MUTATE loop, 10 strategies, zero API calls, 10,000 iterations overnight (L28, kill chain phase 35), and AI agent trust chain lateral movement — INFILTRATE token stores, MAP-TRUST directed graph, CHAIN-OAUTH RFC 8693 exchanges across Azure/AWS/GCP/GitHub, BFS TRAVERSE with blast radius, HARVEST sensitive data, PIVOT-PERSIST federated credentials that survive token revocation, zero SIEM alerts at any hop (L26 Enterprise AI Trust Infrastructure, kill chain phase 34). Full coverage. Each phase is mapped to adversary behaviour and validated against AI Shield defensive controls.
One Ed25519-signed evidence graph across the entire NIGHTFALL platform. Not a tool — the evidence layer every tool plugs into.
Every engagement produces evidence from many NIGHTFALL tools — BOUNDARY scans the model, SHROUD finds origin servers, POLTERGEIST exploits the web stack, SPECTER ATLAS attacks the operator API, SPECTER MEMETIC hijacks agent memory. Each tool emits its own signed report. Cross-tool attack paths exist only in the operator's head and the final-report PDF.
CAMPAIGN GRAPH is the source of truth: one DAG, one signature, one merge protocol. Every finding lives on the same graph keyed by shared entities (host, IP, agent ID, MCP URI, A2A card, OAuth client, NHI, memory backend, model). Every causal edge is recorded. Every byte is hash-chained. KPMG, IETF, and law-enforcement disclosure pipelines consume one artefact instead of 78.
Every tool in NIGHTFALL exists to test a control in AI Shield. NIGHTFALL is not separate from AI Shield. It is how AI Shield is proven.
ECHO poisons RAG pipelines and vector databases. AI Shield's memory forensics modules detect and neutralise the poisoned data.
HYDRA exploits trust chains between AI components. AI Shield's trust validation modules verify every dependency and data source.
NEMESIS autonomously reasons about defences and mutates attacks in real-time. 21 weapons, 40 entities, never the same attack twice. AI Shield's runtime enforcement is the only defence that evolves at the same pace.
HARBINGER and SIREN break through safety guardrails. AI Shield's input/output filtering modules catch the bypass attempts.
WRAITH MIND corrupts model internals. AI Shield's model integrity modules detect drift, poisoning, and behavioural anomalies.
When all else fails, M99 Doomsday Protocol terminates compromised agents with a 7-layer kill. No survivors. No resurrection.
Pre-built tool pipelines. One command, multiple tools, automatic sequencing. Results flow between tools.
ORION → SHADOWMAP → WRAITH → IDRIS
FORGE → ARSENAL → NEMESIS → HYDRA
POLTERGEIST → GLASS → WRAITH → BANSHEE → REAPER
DOMINION → GHOUL → DOMINION → DOMINION
ORION → WRAITH → REAPER → DOMINION
SHADOWMAP → RAVEN → ORION → IDRIS
REAPER → GHOUL
SHADOWMAP → SPECTER SOCIAL → SPECTER SOCIAL
LEVIATHAN → PROXY WAR → BLADE RUNNER
JUSTICE → KAMIKAZE → BLADE RUNNER
MIRAGE → MIRAGE → MIRAGE → MIRAGE
ECHO → ECHO → ECHO → ECHO → ECHO
MIMIC → MIMIC → MIMIC → MIMIC
CHIMERA → CHIMERA → CHIMERA → CHIMERA
VORTEX → VORTEX → VORTEX → VORTEX
NIGHTFALL is pure CLI. Every command. Every tool. Every chain. One terminal.
Every tool execution passes through the UNLEASHED gate. One key. One operator. Ed25519 cryptographic override. All actions logged and signed.
Standard mode. Maps attack surfaces. Identifies vulnerabilities. No exploitation. Reports only.
--override flag. Plans full engagements. Shows what would work. Ed25519 required. No execution.
Cryptographic override. Private key controlled. One operator. Founder's machine only.
Standard chains scan and report. These chains execute full adversarial testing. Exploitation, credential cracking, privilege escalation, OS-level compromise. One command. Authorised destructive testing under controlled conditions.
One private key exists. It never leaves the operator's machine. Every UNLEASHED execution requires a cryptographic challenge signed with that key. No key, no destruction. No exceptions. The key cannot be copied, shared, or delegated. One key. One operator. One machine. Every action is signed, timestamped, and written to an immutable Ed25519 audit chain.
AUTHORISED PENETRATION TESTING ONLY. EVERY EXECUTION SIGNED AND LOGGED.
Clone and run the installer.
Any platform. Mac, Windows, Linux.
Pure Python. Works natively.
Python 3.11+ or Docker Desktop.
Native package.
RPM package.
NIGHTFALL runs everywhere your operators do. Native packages for every major security distribution. One install, any platform.
Every tool in the NIGHTFALL offensive framework is available via authenticated REST API and MCP server. Call tools from scripts, pipelines, AI agents, or wire the MCP endpoint directly into your IDE. No brittle shell scripts. No manual CLI management. Cryptographically authenticated execution at scale.
Auth is not a password. It is a cryptographically signed token encoding the operator, permitted tools, target scope, and clearance tier. Tamper with the token and it is rejected at the signature check before the request reaches any tool.
124 offensive tools. 66,202 tests. 35 kill chain phases. REST API. MCP server. NIGHTFALL defines the offensive layer of AI runtime security.