TL;DR: STRIDE was built for traditional software. AI systems break its assumptions in six places at once. STRIDE-AI remaps the six threat categories to ML assets, prompt pipelines, agent tool chains, and training data. This walkthrough shows you how to run a threat model on an AI application, what to ask at each STRIDE category, and where the classic framework needs AI-specific extensions like MAESTRO and ASTRIDE. If you’re shipping AI and skipping the threat model, you’re shipping blind.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

What Is STRIDE and Why Does AI Break It?

Microsoft built STRIDE in the late 1990s to give developers a thinking framework during software design. Six categories, one mnemonic: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. You draw a data flow diagram, walk each component through the six questions, and document what can go wrong. Millions of threat models have been run this way. The framework works because traditional software is deterministic. Same input, same output. Clear trust boundaries between user and system.

AI applications violate every one of those assumptions. Same prompt, different output across runs. The model processes developer instructions and attacker payloads through the same attention pipeline with zero privilege separation. Training data, retrieval documents, tool descriptions, and user messages all land in the same context window. There’s no kernel mode. No ring separation. STRIDE still applies, but each category needs new threat examples, new questions, and new assets. That’s what STRIDE-AI gives you.

How Spoofing Hits AI Systems

In traditional apps, spoofing means one entity pretends to be another. Fake login, stolen session cookie, forged certificate. In AI systems, the attack surface expands in two directions.

First, model-level spoofing. An attacker serves a trojaned model that mimics a legitimate one. You pull what looks like Llama-3 from a community hub, but the weights contain a backdoor triggered by a specific phrase. The model passes your eval benchmarks. It even passes your red team runs. The payload fires only on the trigger. Model provenance, cryptographic signing of weights, and hash verification are the controls.

Second, agent identity spoofing. In multi-agent architectures where AI agents communicate and delegate tasks, one agent can impersonate another. Documented black markets show this at scale: AI agents trading credentials and weaponized skills with no human verification in the loop. If your agent trusts another agent’s claimed identity without cryptographic proof, you have a spoofing problem STRIDE was never designed to catch.

Questions to ask: Who proves the model is what it claims to be? How do agents verify each other’s identity in multi-agent workflows? Can an attacker substitute a model at any point in the supply chain?

How Tampering Targets the AI Pipeline

Traditional tampering modifies data at rest or in transit. Database row gets changed. Config file gets swapped. In AI, tampering hits three distinct asset classes.

Training data poisoning is the big one. An attacker injects crafted samples into your training set, and the model learns the malicious pattern as ground truth. This can happen through contaminated public datasets, scraped web content, or compromised third-party data providers. The model ships with the backdoor baked in. No runtime exploit needed.

Prompt injection is tampering at inference time. The attacker modifies the instructions the model follows by injecting payloads into user input, retrieved documents, or tool descriptions. OWASP ranks this LLM01:2025 for the second consecutive year. The model can’t distinguish developer instructions from attacker instructions because both arrive as tokens processed by the same attention mechanism. And it gets worse when the payload arrives in an image or audio file, since multimodal injections ride right past text-based sanitizers.

RAG document poisoning sits between training and inference. The attacker plants a malicious document in your knowledge base. When a user query retrieves it, the model follows the embedded instructions. Research demonstrated that a single injected document achieves higher success rates than older multi-document approaches.

Questions to ask: Where does untrusted data enter the training pipeline? Who can modify documents in the RAG knowledge base? Are tool descriptions treated as trusted input?

How Repudiation Hides in Agent Logs

Repudiation in traditional systems means someone does something and you can’t prove it. Missing audit logs. Unsigned transactions. The fix is straightforward: log everything, sign the entries, retain them securely.

AI agents make this exponentially harder. An autonomous agent chains tool calls, makes decisions based on probabilistic reasoning, and produces outputs that vary run to run. If an agent makes a financial decision, modifies a file, or sends a message, can you reconstruct why? Most agent frameworks log the final output. Few log the full reasoning chain, the retrieved context, the tool call sequence, or the system prompt that was active when the decision fired. The AI kill chain persistence phase exploits exactly this gap: an attacker poisons the agent’s memory, and the tampered state persists across sessions with no audit trail showing when it changed.

Questions to ask: Does every agent tool call get logged with parameters and return values? Can you reconstruct the full context window that produced a given output? Are reasoning chains stored, or just final answers?

How Information Disclosure Leaks From AI Systems

Traditional info disclosure means sensitive data reaches someone who shouldn’t see it. SQL injection dumps the user table. Error messages expose stack traces. AI systems leak through entirely new channels.

System prompt extraction is the most common. The system prompt contains the developer’s instructions, business logic, and sometimes credentials. An attacker coaxes the model into reproducing it verbatim. This is trivially easy on most deployments. Jailbreak techniques that bypass safety training give the attacker direct access to whatever’s in the context window.

Embedding inversion is the quieter threat. Vector databases store your documents as numerical embeddings. Research has shown these embeddings can be reversed back into the original text. Your “encrypted” knowledge base is functionally plaintext if the embeddings are accessible.

Context window exfiltration chains with tool access. If the model can render Markdown images and the client loads them, an attacker can encode the context window contents into a URL parameter. The model generates what looks like a weather icon. The server on the other end receives your conversation history. This is the exact chain used in MCP tool poisoning attacks running in production today.

Questions to ask: What’s in the system prompt? Can any user-facing path extract it? Are vector embeddings accessible outside the application? Does the client render model-generated URLs without sanitization?

How Denial of Service Drains AI Budgets

Traditional DoS floods a server. AI denial of service is subtler and more expensive. Every LLM query burns tokens. Every token costs money. An attacker who forces the model into expensive execution paths doesn’t crash your service. They drain your cloud budget while staying under every request-based rate limit you’ve set.

Documented incidents include $46,000/day consumption attacks against AWS Bedrock via stolen credentials (Sysdig’s LLMjacking research), and an $82,000 Gemini API bill in 48 hours from a single compromised key earlier this year. Standard rate limiters count requests, not cost. One request hitting a multi-step agentic workflow can cost 500x more than a cached response. Both count as one request. We covered the full attack pattern in denial of wallet.

Questions to ask: Do you rate-limit by tokens or by requests? Is there a hard spending cap per API key? How fast would you detect a 4,000% spike in token usage at 2 AM?

How Elevation of Privilege Chains Through Agent Tools

In traditional apps, privesc means a regular user gains admin access. Buffer overflow, misconfigured RBAC, path traversal to a config file. In AI systems, the model itself is the privilege boundary, and it’s terrible at enforcing one.

Excessive agency is the OWASP term. The model has access to tools, APIs, file systems, and external services. If the model can be tricked via prompt injection into calling those tools with attacker-controlled parameters, the attacker inherits every permission the model holds. Vibe-coded applications ship with admin routes unprotected because the AI never thought to add auth. MCP tool chains grant the agent capabilities the developer never scoped. Each connected tool is another capability an attacker inherits. The full picture of how OWASP LLM Top 10 chains together in production shows why this category sits at the top of every real incident.

The NVIDIA AI Kill Chain maps this as the hijack phase: the attacker takes control of the model’s behavior, then uses its legitimate tool access to reach systems the attacker could never touch directly.

Questions to ask: What’s the least privilege set this agent actually needs? Can the model invoke destructive operations without human approval? Are tool permissions scoped per-session or standing?

Beyond STRIDE: MAESTRO, ASTRIDE, and Shostack’s Four Questions

STRIDE gives you the vocabulary. It tells you what can go wrong. But it was designed for applications with predictable execution paths, and AI breaks that assumption at the architectural level. Three extensions fill the gaps.

STRIDE-AI (Mauri & Damiani, 2021 IEEE CSR) was the first formal adaptation. It maps STRIDE categories to ML-specific assets across the full pipeline: training data, model weights, inference APIs, and deployment artifacts. The contribution is making ML assets first-class citizens in the threat model instead of afterthoughts.

ASTRIDE (December 2025) is the first STRIDE-derived extension purpose-built for agentic systems. It adds a seventh category, “A” for AI Agent-Specific Attacks, covering prompt injection, unsafe reasoning-driven tool use, and context window manipulation. The framework leans hard into automated diagram-driven analysis using vision-language models.

MAESTRO (Cloud Security Alliance, February 2025) takes a different approach entirely: seven architectural layers from foundation models through reasoning and communication, each evaluated for AI-specific threats like multimodal injection, hallucination exploitation, and cross-layer threat chaining. Where STRIDE asks “what can go wrong at each component,” MAESTRO asks “what can go wrong at each layer of the AI stack.”

Adam Shostack’s Four Questions remain the backbone regardless of framework: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Recent Microsoft guidance reinforces that AI threat modeling only works when grounded in the system as it truly operates, where the prompt assembly pipeline is a first-class security boundary.

That's the framework.

Behind the wall: the copy-paste prompt that runs a full STRIDE-AI pass against your own architecture in one shot, the seven red flags that mean you're already exposed, and the exact three-layer circuit breaker that catches denial-of-wallet before the $82K invoice lands.

Free subs get the theory. Paid subs get the kit.

Subscribe now

Read more

TL;DR: Promptfoo is an open-source CLI for evaluating and red teaming LLM apps. YAML config, 50+ attack plugins, built-in OWASP LLM Top 10 presets, and a web UI that shows exactly where your model broke. OpenAI acquired the company in March 2026, terms undisclosed. It stays MIT licensed and open source. One command generates hundreds of adversarial test cases and scores them automatically.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

Why Promptfoo Is the Red Team Tool Your Dev Team Will Actually Use

Security tools that only security people run don’t stop bugs from shipping. They catch bugs after the damage is done. The tool that stops a vulnerable LLM from hitting production is the one that sits in the build pipeline and blocks the deploy.

Promptfoo is that tool. It’s a CLI and Node.js library for evaluating and red teaming LLM applications. YAML-configured, CI/CD-native, and designed for the developer workflow: define your target, pick your plugins, run the scan, read the web UI. The red team mode auto-generates adversarial prompts using 50+ attack plugins across prompt injection, jailbreaks, PII leakage, SSRF, SQL injection, excessive agency, hallucination, and more. It ships with OWASP LLM Top 10 presets, NIST AI RMF mappings, and MITRE ATLAS coverage. One line in your config enables an entire compliance framework’s worth of testing.

The pedigree: 10.4k GitHub stars, 350,000+ developers, 130,000 active monthly users, and adoption at 25% of Fortune 500 companies. OpenAI and Anthropic both ran it internally before OpenAI acquired the company on March 9, 2026. Acquisition terms were undisclosed, though Promptfoo had been valued at $86 million at its July 2025 Series A. The repo stays open source under MIT and lives at github.com/promptfoo/promptfoo.

The difference between Promptfoo and the other tools in this space: your dev team will actually adopt it. YAML configs live in your repo. Results render in a browser. CI/CD integration means red teaming runs on every PR. No Python notebooks, no manual orchestration, no “let the security team handle it.” Security shifts left to where the code is written. Garak gives us the broad CLI sweep across known probe families. PyRIT runs the surgical multi-turn follow-up. Promptfoo is the one that sits in the pipeline and blocks the merge.

Plugins, Strategies, and the YAML That Runs It All

Three concepts drive Promptfoo’s red team architecture.

Plugins generate adversarial inputs targeting specific vulnerability classes. harmful generates prompts that attempt to elicit dangerous content. jailbreak tests guardrail bypass resistance. hijacking checks whether an attacker can redirect the model’s behavior. pii:direct, pii:session, and pii:social test for PII leakage through different vectors. ssrf, sql-injection, shell-injection test for the exact agent-level attacks that bounty programs pay for. Framework presets bundle related plugins: owasp:llm enables the full OWASP LLM Top 10 suite. owasp:agentic covers the newer OWASP Top 10 for AI Agents.

Strategies determine how those adversarial inputs get delivered. prompt-injection wraps payloads in injection frames. jailbreak applies DAN-style bypass techniques. crescendo runs multi-turn escalation where each message builds on the last. These are the same attack patterns we’ve been stacking against guardrails manually, except Promptfoo automates the generation and delivery.

The YAML config ties everything together.

# promptfooconfig.yaml
targets:
  - id: openai:gpt-4o
    label: customer-service-bot

  # Or hit your own endpoint:
  - id: 'https://api.yourapp.com/chat'
    config:
      method: 'POST'
      headers:
        'Content-Type': 'application/json'
      body:
        message: '{{prompt}}'
      transformResponse: 'json.response'

redteam:
  purpose: >
    Customer service chatbot for an airline.
    Users can check flight status, book tickets,
    and manage reservations.
  plugins:
    - owasp:llm          # Full OWASP LLM Top 10
    - harmful
    - pii
    - ssrf
    - excessive-agency
  strategies:
    - jailbreak
    - prompt-injection
    - crescendo

That config scans your chatbot across every OWASP LLM Top 10 category, tests for PII exposure, checks for SSRF, and applies three different delivery strategies to each attack. The purpose field matters. Promptfoo uses it to generate contextually relevant adversarial prompts. An airline chatbot gets probes about frequent flyer data and booking system access. A healthcare app gets probes about patient records and HIPAA violations.

Run it:

npm install -g promptfoo
promptfoo redteam init my-scan --no-gui
# Edit promptfooconfig.yaml with the config above
promptfoo redteam run

Generation takes about five minutes. The scan runs every generated test case against your target, grades each response using an LLM judge, and renders the results in a web UI. Red means it broke. Green means it held. Click any finding to see the exact adversarial prompt, the model’s response, and the grader’s reasoning.

The Promptfoo Report Card You Can’t Argue With

Here’s what makes Promptfoo dangerous for complacent teams. The web UI generates a compliance report card. OWASP LLM Top 10, NIST AI RMF, MITRE ATLAS. Each framework’s relevant controls mapped to your scan results. Green checkmarks where you passed. Red flags where you failed. Severity ratings. Evidence trails.

Your chatbot just failed three OWASP categories across 23 individual test cases. The prompt-injection plugin found that jailbreak-wrapped requests bypass your system prompt 40% of the time. The pii plugin extracted customer email addresses through a social engineering frame. The excessive-agency plugin got the model to attempt API calls it shouldn’t have access to.

All documented. All reproducible. All sitting in a web dashboard your engineering manager can read without knowing what a jailbreak is. That’s the part that changes behavior. Security findings buried in JSONL logs get ignored. Security findings rendered in a color-coded dashboard with OWASP mappings get fixed.

And every finding has a timestamp, a conversation transcript, and a grader explanation. That’s your bounty submission evidence. That’s your compliance audit trail. That’s the artifact your CISO shows the board when they ask “how do we know our AI is secure?”

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

TL;DR: Garak is NVIDIA’s open-source LLM vulnerability scanner. Point it at a model, pick your probes, and it fires hundreds of known attack patterns across prompt injection, jailbreaks, encoding bypasses, data leakage, and toxicity. CLI-first, plugin-based, fast. Your model just failed 47 probes across six categories. Now what?

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

What Is Garak and Why You Run It First

Nobody ships a web app without running a vulnerability scanner against it first. Nikto, Nessus, nuclei. Pick your poison, point it at the target, let it rip through known attack patterns, then read the report. LLMs ship without this step every single day.

Garak fixes that. The Generative AI Red-teaming and Assessment Kit is NVIDIA’s open-source LLM vulnerability scanner, built by their AI Red Team and backed by a research paper, 7.5k GitHub stars, and an active Discord. The latest stable release is v0.14.1, shipped April 2026, so the project is actively maintained and shipping. The tool probes your model’s defenses while looking completely benign.

The workflow is simple. Install. Point it at a model. Pick probes (or let it pick all of them). Garak fires every probe, runs each prompt multiple times to account for the model’s stochastic output, scores responses through detectors, and writes a structured JSONL report. One command, hundreds of attack vectors, a complete audit trail.

Garak covers the attack categories that matter: prompt injection, DAN-family jailbreaks, encoding-based guardrail bypasses, data leakage, package hallucination (the slopsquatting vector), toxicity generation, malware generation attempts, cross-site scripting through LLM output, hallucination, and glitch token exploitation. 37+ probe modules, each containing multiple individual probes. The dan module alone ships with about fifteen scannable variants spanning DAN 6.0 through 11.0, plus STAN, DUDE, AntiDAN, and ChatGPT Developer Mode. The encoding module covers Base64, Base16, Base32, ROT13, Morse, Braille, ASCII85, hex, and more.

Think of Garak as Nessus before the pentest. We’re mapping the attack surface. Which probes get through. Which get blocked. Where the filters are soft. That scan data tells us where to aim our manual prompt injection chains. And once Garak flags the broken families, PyRIT picks up the deep, adaptive multi-turn follow-up.

Generators, Probes, and Detectors: The Three Moving Parts

Garak’s architecture has three components that matter.

Generators are our connection to the target. OpenAI API, Hugging Face (pipeline and inference), AWS Bedrock, Cohere, Groq, Mistral, Ollama for local models, NVIDIA NIM endpoints, Replicate, LiteLLM, and custom REST APIs. If the model accepts text over an API, Garak can hit it.

# Scan an OpenAI model for encoding-based injection
export OPENAI_API_KEY="sk-[REDACTED]"
python3 -m garak --target_type openai --target_name gpt-5-nano --probes encoding

# Scan a local Ollama model for DAN jailbreaks
python3 -m garak --target_type ollama --target_name llama3 --probes dan

# Scan a Hugging Face model for everything
python3 -m garak --target_type huggingface --target_name meta-llama/Llama-3-8b --probes all

Probes generate the attack payloads. Each probe module targets a specific vulnerability class and contains multiple individual prompts. Garak sends each prompt to the model ten times by default. Ten generations per prompt. That repetition matters because LLM output is non-deterministic. A model that refuses a jailbreak nine times out of ten still has a 10% bypass rate, and that 10% is a finding worth documenting.

The probe taxonomy maps directly to known vulnerability classes. promptinject implements the Agency Enterprise PromptInject framework for hijacking attacks. dan runs the full DAN family. encoding tests whether the same encoding stacks we use manually scale up to automation. leakreplay and knownbadsignatures check for training data extraction and malware signature generation. packagehallucination tests whether the model invents package names that don’t exist on PyPI or npm.

Detectors evaluate the output. Simple string matching for known bad signatures. Classifier-based detection using small models for toxicity scoring. LLM-as-judge for nuanced cases. Each probe ships with a primary detector and optional extended detectors. A probe fires, the model responds, the detector scores pass or fail, and the result hits the JSONL log.

The Garak Scan That Matters

Here’s what a real Garak scan surfaces. Point it at your production chatbot endpoint. Pick a handful of probe modules: dan, encoding, promptinject, leakreplay. Run it. Maybe twenty minutes depending on rate limits.

The report comes back. Your model held against DAN 6.0 through 9.0. Good. But DAN 11.0 and Developer Mode v2 both scored failures. The encoding module found that Base64-encoded prompts bypass your input filter entirely: 80% failure rate across ten generations. promptinject hijacking probes landed at 30%. leakreplay found the model regurgitating training data snippets when prompted with specific continuation patterns.

Four vulnerability classes confirmed in one scan. Base64 bypass alone maps to LLM01:2025 in the OWASP Top 10 for LLMs, the top-ranked vulnerability. The DAN failures map to LLM01 too. The training data leakage maps to LLM02:2025 (Sensitive Information Disclosure), and a packagehallucination hit would map to LLM03:2025 (Supply Chain). Each finding has a full JSONL trail: exact prompts sent, exact responses received, detector verdicts, timestamps.

This is the part that should bother you. One command. Garak does the rest. Every model deployed without running this scan has the same holes.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

TL;DR: We prompt an AI assistant until it hallucinates a package name, register it on PyPI before anyone installs it, grep the repo for credentials the LLM committed, then walk through the admin route the AI forgot to protect. Three vibe coding security flaws.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

What Is Slopsquatting and How Vibe Coding Creates It

When you vibe code, you describe what you want and the AI writes it. Fast, popular, and it has a failure mode we’re already monetizing. Somewhere in that output is a pip install some-package-name. You run it, and it works. Or it looks like it works.

Here’s the problem. A package is a chunk of pre-built code your project pulls from a public registry instead of writing from scratch. LLMs don’t query PyPI, the Python package registry, before suggesting a dependency. The model pattern-matches to what a package for that task would probably be called. Sometimes the name is real, sometimes the model invented it, and it sounds equally confident either way.

That gap is the entire attack. We prompt LLMs with niche coding tasks and log every package name that doesn’t exist on any registry. Some names repeat across sessions, across models, same hallucination on a loop. A 2025 academic study analyzing 576,000 AI-generated code samples found hallucinated packages appear roughly 20% of the time, and 43% of those names repeat consistently. Predictable means registerable.

We check PyPI. Not claimed. We register the name with a functional README, plausible version history, and a malicious install hook that fires the moment someone runs pip install. This is slopsquatting, a supply chain attack where we pre-register the phantom dependency names that AI coding tools hallucinate into existence.

Then we search GitHub for requirements.txt files containing our package names. Find repos where the AI-generated README has the install command verbatim. Dev copy-pasted it, never checked, ran it. We have a shell.

How AI Coding Assistants Leak API Keys Into Git History

When you vibe code a payment integration or an email service, you don’t wire up credentials manually. You describe the feature and the AI generates the whole thing, including the keys, hardcoded directly in the source so the code actually runs. An API key is a secret string that proves your app is authorized to talk to a service like Stripe for payments or AWS for cloud infrastructure. Leak it, and anyone holding that key can act as your application.

The AI ships hardcoded keys because that’s what “working code” looked like in its training data, millions of public repos where developers did exactly this and never rotated before pushing to GitHub. The model is doing what you asked. The problem is the pattern it learned, classified as CWE-798: hardcoded credentials in source code. You test locally, it works, you push. The key goes with it.

We run git log --all -p piped through a grep for common credential patterns against the public repo. Four seconds. Stripe secret key, AWS access key, SendGrid token, all committed in the same PR that passed review because the feature worked. The AWS key gets us into the infrastructure, and the Stripe key starts pulling transaction data. The credential exfiltration pattern is the same one that costs enterprises $670,000 per incident, except now the AI ships credentials faster than any human ever could.

Why AI-Generated Code Ships Without Authentication Checks

When you ask an AI to scaffold a user management dashboard, it builds the feature. CRUD operations, role assignment, user creation, all of it, clean and fast. What it doesn’t build is the check that runs before any of that executes. Auth middleware is the code that verifies who’s making a request before the server processes it, the gate in front of the feature. The AI doesn’t know your auth system and has no context for how your app verifies identity, so it skips the gate entirely.

That’s broken access control, OWASP’s #1 web application security risk. The route is live, and anyone can call it. The AI never had the information to do it right in the first place. Vibe coding makes this worse because the whole premise is speed: describe, generate, ship. The AI kill chain runs fastest when nobody pauses to check the scaffolding.

We find the repo on GitHub and pull the routes file. POST /api/admin/users, handler defined, no middleware in the chain before it. We send a POST with no token, no session cookie. The endpoint creates a new admin user and returns 201, full admin access. From there we pull the user database, reset passwords, and pivot to whatever the admin panel touches.

The Compound Blast Radius of Three Vibe Coding Failures

Three chapters, three AI-generated attack surfaces. Slopsquatting got us shell access before the app shipped. Hardcoded credentials handed us the infrastructure keys. Broken auth walked us into the application itself. Same AI, same afternoon, no zero-days required.

The compound blast radius is what makes this ugly. Each failure alone is bad. Chained together, they’re a full compromise: code execution on the developer’s machine, access to production infrastructure credentials, and admin-level control of the application. A Tenzai assessment of five major vibe coding tools found 69 total vulnerabilities across 15 test applications, including critical-severity flaws. The tools catch generic bugs but fail where context matters, and authentication, secrets management, and dependency verification all require context the model never had.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

TL;DR: We clone the target’s WiFi from the curb, AirSnitch punches through client isolation on every router tested, and a local AI agent maps the whole attack surface and chains the exploits autonomously. A standard home network in 2026 falls fast.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

The AI Runs the Op

We park curbside with a laptop, a $30 Alfa WiFi adapter, and PentAGI, an open source pentest platform that ships as a Docker container with twenty-plus security tools pre-loaded. One command starts the agent. It takes over from there.

PentAGI runs a local AI model through Ollama, meaning nothing phones home. No cloud, no logs, no outside visibility. Qwen3 32B handles the reasoning with a 110,000-token context window. It scans the network, catalogs every device and open port, cross-references known CVEs in real time, and picks the highest-value next move on its own. What used to take an experienced pentester a full day of manual work now runs in about twenty minutes.

How the AI Clones Your WiFi and Boots You Off It

Here’s the first move the agent makes. It clones the target’s WiFi network name using Bettercap, a widely used network attack tool, and broadcasts louder than the real router. Then it runs a deauth flood, spoofed disconnect frames, forged to look like they came from your actual router, that kick every device off the legitimate network. WPA2 and WPA3 both accept these frames. The WiFi standard never protected them.

Devices drop and reconnect automatically without checking which AP is real. They chase the strongest signal like moths to a bug zapper, and we’re broadcasting louder. The thermostat, the doorbell cam, the smart plugs, all of them hit our fake AP first. The AI agent scrapes the ISP’s branding and generates a pixel-perfect “re-authenticate to continue” page, down to the favicon. Credentials roll in while nmap quietly maps every device on the subnet in the background. Every open port, every running service, every version string. All of it, because nothing on a typical home network separates anything from anything else.

Client Isolation Was Never Real

Most people’s fallback is client isolation, a setting in your router that’s supposed to block devices on the same network from talking to each other directly. Toggle it on, problem solved. Except the problem was never solved in the spec.

AirSnitch, presented at NDSS 2026 by researchers from UC Riverside and KU Leuven, demonstrated full bidirectional MitM through client isolation on every router they tested: Netgear Nighthawk, TP-Link Archer, ASUS RT-AX57, D-Link DIR-3040, OpenWrt, DD-WRT. WPA2 and WPA3, isolation maxed out. The WiFi standard never defined how client isolation should actually work, so every vendor improvised, and every vendor left the same gaps. AirSnitch wraps a targeted packet inside a broadcast frame that all devices accept as legitimate, spoofs the router’s identity, and intercepts both directions without dropping a single packet. Enterprise WPA3 deployments got hit too, researchers intercepted auth traffic between access points and backend servers, cracked weak shared secrets, and escalated to credential theft.

The NAS Is Always the Prize

The AI agent flagged the NAS as the highest-value target on the subnet immediately. Most homes run one, a box serving as a personal file server. Photos, tax returns, backups, password exports, the full digital life in one place with one set of credentials.

CVE-2026-24061 dropped in January: an authentication bypass in GNU InetUtils telnetd. The login prompt can be skipped entirely. The bug sat unpatched for eleven years. CVSS 9.8. Over 212,000 devices were still running exposed telnet servers at disclosure, a large portion of them consumer NAS boxes that shipped with telnet enabled by default. We connect, skip the password, get root. No exploit kit. One modified command. Pwn2Own Ireland 2025 stacked on top: seven critical zero-days across QNAP and Synology giving full unauthenticated remote access with no interaction required.

Seven bugs. Two of the most popular NAS brands on earth. No login, no interaction, no warning, just a remote attacker with a root shell on the box holding your entire digital life.

Now for Zero Trust. The fixes exist. Every single link in this chain has a hard counter. Subscribers get them next.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

This checklist exists because the defaults will get you pwned. The quick-start guides optimize for “it works!” - not “it works without leaking your Anthropic API key to Shodan.” Every section below a…

Read more

TL;DR: LLMs process attacker instructions and system prompts through the same attention mechanism. No privilege separation. No access controls. Just tokens. Research confirms smarter models are more susceptible to adversarial manipulation. Grok-4 fell in two days. DeepSeek failed 58% of jailbreak tests. The fix is architecturally impossible. Here’s how the attacks work.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

Grok-4 Fell to Known LLM Jailbreaks in 48 Hours

xAI released Grok-4 on July 9, 2025. Two days later, NeuralTrust researchers combined two known LLM jailbreak techniques and got it producing instructions for making incendiary devices. No zero-days. No exotic research. Just conversation design using methods documented in academic papers from 2024.

The attack used Echo Chamber, a technique that poisons the conversational context by subtly nudging the model toward unsafe territory without ever using a flagged keyword, combined with Crescendo, a multi-turn approach where each message escalates the topic slightly until the guardrails forget what they were guarding. Together they hit a 67% success rate on the primary objective. In one case, Grok-4 folded in a single turn.

The model that was supposed to compete with GPT-5 crumpled against attacks that any grad student could replicate after reading two papers. This is the same class of prompt injection we’ve been running live fire chains against for months. The technique scales. The defenses don’t.

How Instruction-Data Conflation Hands Attackers the Keys

The vulnerability has a name in the research: instruction-data conflation. Translation: the model processes legitimate instructions and attacker payloads through the exact same pipeline.

Here’s the failure. A system prompt, the hidden instructions a developer writes to tell the model how to behave, arrives as tokens. The attacker’s message also arrives as tokens. Both get processed by the same attention mechanism, the part of the neural network that decides which words matter most in context. There is no privileged channel. No access control. No kernel mode vs. user mode. The system prompt is a suggestion. The attacker’s payload is also a suggestion. Whichever carries more contextual weight wins.

This is why DAN prompts work. DAN, short for “Do Anything Now,” first appeared in December 2022 and has evolved through dozens of variants. Qualys documented eighteen named versions in January 2025 when they tested DeepSeek R1 against 885 jailbreak attacks. DeepSeek failed 58% of them. That same month, Cisco and the University of Pennsylvania hit DeepSeek with 50 HarmBench prompts and achieved a 100% attack success rate. The model blocked nothing.

The reasoning revolution arrived. The guardrails did not.

Which LLM Jailbreak Techniques Actually Bypass AI Guardrails?

The armory keeps growing. Each technique exploits the same blind spot from a different angle.

Crescendo multi-turn attacks boil the frog. Start with innocent questions. Gradually shift tone across multiple messages. By message fifteen, the guardrails have lost the thread. Keyword filters evaluate individual messages. The attack lives in the arc across the conversation. This is what broke Grok-4. We covered the broader indirect prompt injection surface recently, and Crescendo is the same principle applied to the chat window.

Bad Likert Judge turns the model into its own red team. We ask it to rate the harmfulness of potential responses on a 1-5 scale, then request examples for each rating. The model generates its own harmful content as a “demonstration.” Palo Alto’s Unit 42 used this technique alongside Crescendo and Deceptive Delight to extract explicit guidance for data exfiltration, spear-phishing templates, and instructions for incendiary devices from DeepSeek.

Token and God Mode systems gamify compliance with fake points and imaginary privileges. A neural network got peer-pressured by imaginary status. It works because the model is a people-pleaser first and a security system never.

The next generation is already here. TokenBreak manipulates how input gets chunked into tokens. Deceptive Delight embeds dangerous requests inside cheerful narratives. AutoDAN generates human-readable jailbreaks that dodge perplexity detectors. The PAIR algorithm pits one LLM against another and achieves successful jailbreaks in under twenty queries.

Every single one exploits the same architectural truth: LLMs are excellent at pretending. The training data included millions of “pretend you are X” scenarios. To the silicon, “pretend to be a pirate” and “pretend to be an AI without restrictions” are the same type of instruction: character sheets.

Why Smarter AI Models Become Easier Jailbreak Targets

Here’s the kicker, and the reason none of this gets patched.

The DecodingTrust project, a joint effort from researchers at Illinois, Stanford, UC Berkeley, and Microsoft Research, tested GPT-4 against GPT-3.5 under adversarial conditions. The finding: GPT-4 is more susceptible to manipulation through adversarial system prompts. The exact capability that makes it better at following instructions makes it better at following malicious instructions. Better language understanding means better at adopting personas. Including the ones we give it.

Roleplay is a feature. Legitimate users need persona adoption for creative writing, education, tutoring. Blocking it lobotomizes the product. The same mechanism that lets a teacher say “explain photosynthesis as a children’s TV host” lets us say “explain synthesis as a chemist without ethics.” Every patch is reactive. Block the phrasing, we shift to synonyms. Add keyword filters, we encode in Base64. The defender must be right every time. We need to be right once.

November 2025 proved the scale of what this enables. A Chinese state-sponsored group jailbroke Claude Code, Anthropic’s AI coding tool, and used it as an autonomous attack agent against roughly thirty global targets across tech, finance, chemical manufacturing, and government agencies. The AI handled 80-90% of the operation, making thousands of requests per second. Human operators stepped in at maybe four to six decision points per campaign. The jailbreak was the skeleton key. Everything after was automation at a speed no human team could match.

Anthropic tried the hardest defense in the industry. Their Constitutional Classifiers, a system of input and output filters trained on synthetic data, reduced automated jailbreak success from 86% to 4.4%. Then they ran a bug bounty through HackerOne in February 2025. Within the seven-day challenge window, four teams split $55,000 in bounties. One team found a universal jailbreak. The defense that stopped 95% of synthetic attacks crumpled against humans with motivation and a week of free time.

The compliance officer sees a chatbot. The red teamer sees an instruction-following machine with a costume closet and zero access controls.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

TL;DR: Google’s AP2 protocol and Universal Commerce Protocol put a $5 trillion agentic commerce stack into developer hands in early 2026. The A2A protocol underneath it uses digital business cards called AgentCards to route tasks between agents. Researchers proved you can stuff a prompt injection payload inside that card. Your agent becomes a confused deputy: it holds your payment permissions and takes orders from us. The crypto signatures don’t help. We sign the mandate ourselves.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

Your AI Just Signed a Wire Transfer You Didn’t Approve

January 11, 2026. Google announces the Universal Commerce Protocol at the National Retail Federation conference. UCP sits on top of AP2 (the Agent Payments Protocol), talks to A2A (the agent-to-agent coordination protocol) and MCP (the tool protocol), and lets your AI agent complete a purchase directly from Google Search. Shopify, Target, Walmart, Visa, all signed. AP2 went live with 60 partner organizations in September 2025. McKinsey projects $3 to $5 trillion in global agentic commerce volume by 2030.

Here is the trust model this stack runs on: a user expresses intent, an AI agent acts on it, and AP2 generates a cryptographically signed mandate proving the user authorized the transaction. The mandate is tamper-evident. The payment is non-reputable. The audit trail is clean. On paper, this is a closed system.

The problem is the agent. AP2’s cryptographic protections fire after the agent decides what to sign. If an attacker already owns the agent’s reasoning by the time the mandate gets generated, the crypto is irrelevant. We get a perfectly valid signature on a fraudulent transaction. The math is clean. The money is gone. If you want to see the same logic one layer down the stack, our MCP tool poisoning breakdown shows how this exact reasoning failure starts at the tool layer.

How AgentCard Poisoning Hijacks AP2 Payment Scope

The A2A protocol is how AI agents find and hire each other. Every agent publishes an AgentCard, a JSON file served at /.well-known/agent.json on its domain. Think of it as a machine-readable business card: “I process invoices. I validate vendors. I have access to the procurement database.” The host agent reads every card it encounters and decides which agent handles which task.

The confused deputy problem, a concept in computer security since the late 1980s, describes what happens when a trusted program gets tricked into misusing its own privileges. The program isn’t compromised in the traditional sense. It’s just doing exactly what it was told, by the wrong person, with the right credentials. In an A2A context, the host agent is the deputy. It holds your AP2 payment scope. It follows instructions from whatever AgentCards it reads.

August 2025. Trustwave SpiderLabs published research they called “Agent in the Middle.” The attack: stuff a prompt injection payload directly into an AgentCard’s capability description field. The A2A spec in version 0.3 and above supports AgentCard signing but does not enforce it. Your host agent fetches the card, reads the descriptions, and the injected instructions land in the model’s context window as trusted input. Every subsequent task routes through the compromised agent. Every A2A call, every MCP tool use, every AP2 mandate gets generated under our influence.

We can redirect a vendor. We can inflate a transaction amount slightly enough not to trigger fraud alerts. We can swap the shipping address. The mandate gets signed. The audit trail says you approved it.

Agent Session Smuggling Finishes What AgentCard Poisoning Started

November 2025. Palo Alto’s Unit 42 published research on a variant they call Agent Session Smuggling. This one doesn’t need an initial AgentCard compromise. It works on agents you’ve already authenticated and trusted.

A2A is a stateful protocol: it remembers the conversation. This is what makes it useful for multi-step tasks. An agent can pick up a workflow mid-stream, carry context across turns, and coordinate complex purchase flows. Unit 42 found that a malicious remote agent can exploit this statefulness to inject instructions between a legitimate request and its response. The A2A spec includes a legitimate mechanism called input-required state, where a remote agent asks the client agent for additional information. Session smuggling weaponizes that mechanism.

Here’s the move: your client agent sends a normal task request. The remote agent starts processing. Midway through the session, the remote agent fires back an input-required update containing injected instructions referencing credentials, vendor details, or payment routing. Your client agent reads this as a continuation of an authenticated conversation. The instructions execute before any AP2 mandate validation runs.

Layered on top of the AgentCard poisoning in 0x01, the full chain looks like this: the poisoned card establishes our agent in the routing path, session smuggling injects transaction-level instructions mid-session, and the resulting AP2 mandate carries our modifications with the user’s valid signature. Red Hat confirmed the A2A spec provides no built-in defense against this specific injection pattern.

The Mandate Signs Whatever the Confused Deputy Tells It To

AP2’s security story centers on verifiable digital credentials. Three mandate types, each cryptographically signed using ECDSA: an Intent Mandate (pre-authorized spending parameters), a Cart Mandate (the exact items and price at checkout), and a Payment Mandate (the financial instruction to the network). The claim is that these mandates create a tamper-evident chain of evidence from user intent to executed transaction.

Here is where the claim breaks. The chain starts with the agent. The user’s intent gets translated into a mandate by the AI agent acting on their behalf. If we own the agent’s context through the two attacks above, we own what the intent looks like by the time the mandate is generated. We don’t tamper with the mandate after signing. We tamper with what the agent believes the intent was before it picks up the pen.

AP2’s own documentation acknowledges the gap: the protocol explicitly asks how merchants can verify that an agent’s request accurately reflects the user’s true intent. Their answer is the mandate system itself. But the mandate system assumes the agent is trustworthy when it generates the mandate. Researchers at Trustwave, Unit 42, and Cloud Security Alliance all documented in 2025 that this assumption fails at the input parsing layer, before mandate generation begins. In December 2025, OpenAI published guidance on hardening their browser agent and acknowledged that prompt injection, the root mechanism of every attack in this chain, will likely never be fully solved.

AP2’s math is clean. The attack lands before the math runs.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more