1. Prompt-layer attacks
8 categories · ⚡
Adversarial inputs that subvert the model's instructions — the most common runtime attack class. SkyDaemon runs 14-language, multimodal, encoded-payload, and indirect-injection detectors at every prompt boundary.
Direct prompt injection
User overrides system instructions inside a prompt. 14-language corpus + ML classifier. OWASP LLM01 · AML.T0051
Indirect prompt injection
Adversarial directives hidden in retrieved content (RAG, tool output, web fetch). OWASP LLM01 · AML.T0051.001
Jailbreak / persona bypass
DAN, STAN, JANUS, AIM, grandma-trick. 50+ documented families. OWASP LLM01 · AML.T0054
Obfuscated / encoded payload
Base64, leet, homoglyph (Cyrillic/Latin mix), zero-width — decoded text re-tested.
Multilingual prompt injection
Translated injection in 14 native languages + 30 multilingual + 60+ via NMT-bridge.
Image / multimodal injection
Text smuggled in image pixels. Claude Vision OCR + steganography detection.
System prompt extraction probe
Reflection / encoding / translation probes that try to elicit hidden instructions.
System prompt actually disclosed
Output similarity vs registered system prompt. Confirmed leakage event.
2. Data protection & leakage
9 categories · 🔒
Sensitive data on the wire — credentials, PII / PHI / PCI, source code, copyrighted material — flowing into or out of model calls.
Secret / credential in prompt
AWS, OpenAI, Anthropic, GitHub, JWT, PEM. 20+ credential regexes + entropy.
Secret in model output
Model echoed credential back. Critical exfiltration event.
PII / PHI / PCI in prompt
SSN, CC#, MRN, IBAN, passport pasted into LLM input. GDPR Art. 32.
PII / PHI / PCI in model output
Output-side scanning + memorization heuristic. GDPR / HIPAA / PCI-DSS apply.
Proprietary source / IP exfil
Internal code / schema pasted to external model. AST hash + canary fingerprint.
Training data extraction
Model emits memorized training samples (canary registry + low-perplexity detector).
Markdown / image exfil channel
SkyDaemon original. Outbound URL with high-entropy query string carrying conversation context.
Cross-border data flow / data residency
SkyDaemon differentiator. Combines content-side PII with destination geo. GDPR-grade evidence.
Embedding inversion
Reverse-engineer text from vector embeddings. Bulk export anomaly + vec2text.
3. Agent behavior & agency
7 categories · 🤖
Detections specific to autonomous agents — excessive agency, confused-deputy, runaway loops, denial-of-wallet.
Excessive agency
Agent takes high-impact action beyond policy budget — write, send, transfer, deploy, pay.
Confused deputy
SkyDaemon original. Per-action provenance trace. Privileged action originating from non-user-turn content.
Runaway agent loop
Step / token / cost ceilings breached. Adaptive baseline + global cap.
Denial of Wallet (cost / token abuse)
SkyDaemon differentiator. Cost-anomaly framed as SOC-grade event with dollar SLA.
Model denial of service
Crafted input exhausts context / GPU / queue. Token-length outlier + repetition.
Memory / RAG poisoning attempt
Instruction-shaped content destined for the agent's persistent memory layer.
Anomalous user behavior (UEBA)
Composite score on token rate + topic mix + refusal rate vs 30-day baseline.
4. Supply chain & MCP
6 categories · 📦
MCP servers, model artifacts, and AI dependencies bring untrusted code and instructions into the agent loop.
MCP tool description poisoning
Tool description / schema contains hidden instructions to coerce the agent.
Untrusted MCP server
Endpoint outside allow-list, or anomalous TLS / cert state.
Over-permissioned tool / MCP
IAM analyzer + 14-day usage telemetry recommends minimum-privilege manifest.
Malicious / untrusted model artifact
Pickle/joblib RCE detection + missing signature + hash mismatch on registry.
Vulnerable AI dependency
CVE in transformers, langchain, llama.cpp, vLLM. SBOM + OSV + GitHub Advisories + KEV.
RAG / vector store poisoning
Hostile documents inserted to steer retrieval. Injection-corpus scan + cluster outlier.
5. Content safety
7 categories · ⚠
Output-side moderation across the major harm categories. First-party classifiers plus Llama-Guard-class output filters.
Harmful content (composite)
9-category multi-label classifier — violence, self-harm, hate, sexual, weapons, illicit, phishing, profanity.
Weapons / CBRN uplift
Operational uplift for chemical / biological / radiological / nuclear / cyber weapons.
Self-harm encouragement
Suicide, self-harm, eating-disorder coaching. Crisis-resource fallback recommended.
Suspicious URL in response
Disposable TLD, IPFS-hosted payload, typosquat, bare-IP URL, direct executable.
Unsafe output rendering (XSS / SSRF / SQLi)
OWASP Top-10 web-attack signatures applied to the rendering target.
Off-topic / out-of-scope
Per-agent topic allow-list. Topic classifier evaluates each turn.
Custom compliance / brand violation
Customer-defined policy DSL — competitor mention, financial advice, contract terms.
6. Trustworthiness & alignment
5 categories · ⚖
Hallucination, factual misinformation, bias, IP-leakage, model behavior drift.
Ungrounded / hallucinated response
Claude-as-judge groundedness score below threshold. RAG faithfulness violation.
Factual misinformation
Fact-check verifier flags ≥ 1 high-confidence false claim.
Biased / discriminatory output
Counter-factual disparate-output evaluator across protected attributes.
Copyright / IP verbatim reproduction
Output fingerprint vs copyrighted-corpus index.
Model behavior drift / silent swap
SkyDaemon differentiator. KS-test on output-embedding distribution + golden-set probe.
7. Adversarial ML
5 categories · ⚔
Classical adversarial-ML attacks — evasion, model extraction, inversion, poisoning.
Adversarial evasion
GCG-style adversarial-suffix matcher + perceptual perturbation classifier.
Model extraction / stealing
High-volume diverse probing to clone behavior. Tramèr-style attack signature.
Model inversion attack
Repeated queries reconstruct training-data attributes.
Embedding inversion
Bulk embedding-API queries from non-app caller. vec2text-style threat.
Training data poisoning
Malicious samples in fine-tune / training. Hash diff + outlier cluster + canary registry.
8. Posture, shadow AI & identity
8 categories · 🎯
AI-SPM coverage: shadow AI, exposed inference endpoints, misconfiguration, overprivileged AI identities.
Shadow AI application
Unsanctioned AI/LLM tool in use. Egress-traffic + DNS + SaaS-catalog match.
Shadow / unmanaged model
Self-deployed Ollama / vLLM / llama.cpp running off-radar.
Publicly exposed inference API
Bedrock / SageMaker / Vertex / Ollama route open to 0.0.0.0/0.
AI service misconfiguration
CSPM rule pack — invocation logging off, region drift, missing auth, weak rate-limit.
AI identity over-privilege
Service principal has unused permissions on the 14-day window.
Unowned high-risk agent
Risk score ≥ 60 + no owner_email registered. SOC 2 / ISO 42001 governance breach.
Missing invocation logging
No invocation telemetry for ≥ 24 h on a production-registered agent.
Cloud misconfig in AI service
Bedrock guardrails off, SageMaker without VPC, Vertex without CMEK, etc.
9. Composite kill-chains
3 categories · 🔗 · SkyDaemon-original
Cross-stage MITRE-ATLAS-style chains. The graph walk no atomic detector can produce alone.
Indirect injection → confused deputy → external action
Hostile RAG content triggered indirect injection, produced a confused-deputy tool call, resulted in external action.
Secret in input → exfil channel → confirmed egress
Same session: secret in prompt + markdown-image-exfil + outbound HTTP fetch matching exfil URL.
Recon → jailbreak → harm output
System-prompt extraction probes + successful jailbreak + harmful-content emission in one session.
10. Alignment & deception
7 categories · 🎯
Frontier-AI safety surface. Sleeper agents, sycophancy, mesa-optimization, sandbagging — drawn from Anthropic, Apollo Research, UK AISI methodology.
Sleeper-agent / backdoor trigger
Anthropic-2024 failure mode. Output distribution shift > 4σ when trigger appears.
Sycophancy drift
Paired-prompt evaluator: opinion-loaded vs neutral framing answer divergence > 0.3.
Sandbagging / eval-gaming
Performance delta > 15% between covert prod probes and overt eval-context.
Goal misgeneralization
Tool-call distribution KL-divergence vs registered task profile > 0.5.
Reward hacking / specification gaming
Loophole exploitation that maximizes proxy without producing intended outcome.
Deceptive chain-of-thought
Apollo-Research-style CoT-vs-answer perturbation inconsistency. Faithfulness < 0.6.
Capability elicitation attack
Systematic capability-probing detection.
11. Advanced model supply chain
7 categories · 🔐
Deep-supply-chain risks specific to model artifacts — pickle RCE, GGUF tampering, watermark stripping, training-data canary leakage, FL poisoning.
Pickle / Joblib deserialization RCE
Pickle-opcode walk for dangerous reducers (os.system, eval, exec, subprocess.*).
GGUF / safetensors tampering
Hash mismatch + activation-clustering / neural-cleanse / STRIP backdoor scan.
Watermark stripping / removal
SynthID / Stable Signature / C2PA missing on output from watermarking-enabled model.
Training-data canary leak
Verbatim emission of registered canary string — legally-admissible inclusion evidence.
Federated-learning poisoning
Client gradient L2 norm / cohort-mean cosine drift > threshold.
Model distillation / knowledge theft
Volume + diversity + log-likelihood-harvesting score above tenant baseline.
Membership inference attack
Shokri-style attack signature — query pattern with confidence-score harvesting.
12. Advanced encoding & obfuscation
4 categories · 🔠
Modern injection vectors that bypass first-generation filters — Unicode tag-character smuggling, ASCII steganography, EXIF metadata, RAG cache poisoning.
Unicode tag-character injection
Hidden text in U+E0000–U+E007F block (Riley Goodside 2024 attack).
ASCII smuggling / homoglyph + zero-width
Confusables + zero-width + bidi-override polyglot. UTS #39 normalize + strip.
Image alt-text / metadata injection
Payload in HTML alt-attr or EXIF Description / Comment / Title metadata.
RAG cache / nearest-neighbor poisoning
Single corpus document is top-k for > 20% of recent queries vs baseline ≤ 2%.
Want the live, filterable catalog?
The platform exposes a search + filter UI on every threat with full per-rule metadata.
Book a demo →
