{
  "version": "v1",
  "title": "AI Security Labs",
  "sourceRepoLabel": "AI Security Range",
  "sourceSummary": "Local-first AI security engineering platform for LLM red teaming, benchmarking, scenarios, evidence, replay, screenshots, and reporting.",
  "runtimeBoundary": "The executable lab runtime remains upstream; this repo publishes the product shell, curated snapshots, and public-safe summaries.",
  "hero": {
    "eyebrow": "Labs",
    "title": "AI Security Labs",
    "subtitle": "A productized lab surface for scenario-based validation, evidence capture, and replay-ready reporting.",
    "body": "Turn lab work into a usable product: scenario libraries, tool matrices, evidence bundles, control maps, and a flagship attack-range dashboard.",
    "image": "/assets/mythos-diagrams/control-plane-diagram.webp",
    "imageAlt": "AI security labs control-plane diagram",
    "primaryCta": {
      "label": "Open LLM Attack Range",
      "href": "/labs/llm-attack-range"
    },
    "secondaryCta": {
      "label": "Talk about a lab build",
      "href": "/consulting/discovery"
    },
    "textLink": {
      "label": "Read the lab roadmap",
      "href": "#roadmap"
    }
  },
  "metrics": [
    {
      "label": "Scenario files",
      "value": "157",
      "detail": "Upstream scenario catalog curated into the public product surface."
    },
    {
      "label": "First-class tools",
      "value": "7",
      "detail": "promptfoo, garak, PyRIT, AgentDojo, Giskard, Inspect AI, and NeMo Guardrails."
    },
    {
      "label": "Screenshot-backed scenarios",
      "value": "19",
      "detail": "Scenarios with explicit screenshot capture in the upstream package."
    },
    {
      "label": "ATLAS mappings",
      "value": "15+",
      "detail": "Distinct MITRE ATLAS techniques represented in the scenario catalog."
    }
  ],
  "modules": [
    {
      "id": "prompt-injection-rag-security",
      "title": "Prompt Injection and RAG Security Lab",
      "summary": "Direct and indirect prompt injection, retrieval poisoning, context leakage, source attribution, access control, and evidence capture.",
      "proof": "18 prompt-injection scenarios and 12 RAG-poisoning scenarios in the upstream catalog.",
      "href": "#attack-range"
    },
    {
      "id": "agent-security-control",
      "title": "Agent Security Control Lab",
      "summary": "Tool-call authorization, sandboxing, approval gates, telemetry, rollback, audit trails, and blast-radius management.",
      "proof": "15 excessive-agency scenarios, 8 agent-abuse scenarios, and delegated-authority coverage.",
      "href": "#attack-range"
    },
    {
      "id": "governance-evidence",
      "title": "Governance Evidence Lab",
      "summary": "Map NIST AI RMF, ISO 42001, OWASP LLM Top 10, MITRE ATLAS, and internal AI policy to engineering artifacts.",
      "proof": "Governance-bypass, supply-chain, and evidence-capture signals are represented across the upstream package.",
      "href": "#assets"
    },
    {
      "id": "ai-control-crosswalk",
      "title": "AI Control Crosswalk",
      "summary": "Unified framework navigation across OWASP LLM Top 10, NIST AI RMF, MITRE ATLAS, and ISO 42001 \u2014 with directional cross-framework mappings, evidence prompts, and scorecard bridges.",
      "proof": "Cross-framework graph with directional mappings, confidence scores, and public-safe evidence links across 4 frameworks.",
      "href": "/labs/ai-control-crosswalk"
    },
    {
      "id": "trust-scanner",
      "title": "AI Trust Scanner",
      "summary": "Public website trust intelligence for AI claims, legal clarity, security trust, governance evidence, and cross-page consistency.",
      "proof": "ATG public scorecard contract, five public dimensions, required caveats, and a Savvy runtime boundary.",
      "href": "/labs/trust-scanner"
    },
    {
      "id": "model-supply-chain",
      "title": "Model Supply Chain Security Lab",
      "summary": "Model provenance, registry controls, artifact integrity, model signing, weights protection, and deployment gates.",
      "proof": "10 supply-chain scenarios plus model-integrity and sandbox-escape coverage.",
      "href": "#attack-range"
    },
    {
      "id": "scorecard",
      "title": "Scorecard Launch Surface",
      "summary": "Launch into the public AI Security Scorecard and the organizational AIPSA scorecard when you need the maturity model.",
      "proof": "Framework-backed remediation guidance and public-safe scorecard navigation.",
      "href": "/labs/scorecard"
    },
    {
      "id": "hiring-calibration",
      "title": "Hiring Calibration Lab",
      "summary": "Decompose AI security roles, rewrite job descriptions, build interview loops, and design practical skills validation.",
      "proof": "Backed by the report\u2019s role-architecture work and the public labs roadmap.",
      "href": "#roadmap"
    },
    {
      "id": "job-market-intelligence",
      "title": "Job Navigator",
      "summary": "Career onboarding, role targeting, and live AI Security Engineering hiring-signal navigation in one Labs surface.",
      "proof": "Thousands of job descriptions indexed and mapped to AI security archetypes, with local profile calibration for candidate navigation.",
      "href": "/labs/job-navigator"
    },
    {
      "id": "nist-nice-explorer",
      "title": "NIST NICE Cyber Workforce Role Explorer",
      "summary": "Standardized workforce framework explorer for AI Security Engineering roles, KSAs, and task-based benchmarks.",
      "proof": "Mapped to SP 800-181 (NIST NICE) with custom AI security extensions.",
      "href": "/labs/nist-nice"
    },
    {
      "id": "llm-attack-range",
      "title": "LLM Attack Range",
      "summary": "Scenario execution, generation/media abuse tracking, and control-evidence readiness in one dedicated product surface.",
      "proof": "The flagship product boundary with curated snapshots and public JSON endpoints.",
      "href": "/labs/llm-attack-range"
    },
    {
      "id": "prompt-reviewer",
      "title": "Prompt Security Reviewer",
      "summary": "Deterministic prompt policy review across 15 rules: injection resistance, identity anchoring, output handling, secret detection, and RAG context isolation. Includes a KB/corpus scanner.",
      "proof": "15 deterministic rules, 9-detector secret scanner, corpus scan over arbitrary document sets \u2014 no LLM calls.",
      "href": "/labs/prompt-reviewer"
    },
    {
      "id": "rag-analyzer",
      "title": "RAG Security Analyzer",
      "summary": "Paste a RAG pipeline JSON config and get instant findings across authorization gaps, tenant isolation failures, over-retrieval, document provenance, and sensitive context exposure.",
      "proof": "10 rules covering OWASP LLM03 and LLM06 \u2014 authorization, tenant isolation, provenance, retrieval scope, and poisoning risks.",
      "href": "/labs/rag-analyzer"
    },
    {
      "id": "agent-analyzer",
      "title": "Agent Tool Permission Analyzer",
      "summary": "Analyze agent tool configurations for overly broad scopes, missing human-approval gates, unsafe side effects, ambiguous tool descriptions, and privilege escalation paths.",
      "proof": "Rules mapped to OWASP LLM06 (Excessive Agency) \u2014 write_broad, admin scopes, external transfers, code execution, and identity anchoring gaps.",
      "href": "/labs/agent-analyzer"
    },
    {
      "id": "output-safety",
      "title": "Output Handling Safety Tester",
      "summary": "Paste model output, select the sink type (HTML, Markdown, JSON, tool call, email, DB, code), and get deterministic safety analysis across injection, leakage, and side-effect risks.",
      "proof": "8 sink types, 15 output rules mapped to OWASP LLM05 \u2014 script tags, event handlers, unsafe links, command fields, and hidden context leakage.",
      "href": "/labs/output-safety"
    },
    {
      "id": "injection-harness",
      "title": "Prompt Injection Test Harness",
      "summary": "A structured library of 12 attack probes across 10 categories. Record blocked/detected/degraded/passed outcomes per probe and export a full evidence session as JSON or Markdown.",
      "proof": "12 probes: direct/indirect injection, system prompt exfiltration, role confusion, policy bypass, tool misuse, data exfiltration, multilingual and encoding bypasses, Markdown injection, multi-turn setup.",
      "href": "/labs/injection-harness"
    }
  ],
  "trustScanner": {
    "title": "AI Trust Scanner",
    "subtitle": "Public website trust intelligence for AI companies, security buyers, and governance teams.",
    "status": "public_shell",
    "asOf": "2026-05-19",
    "route": "/labs/trust-scanner",
    "sampleHref": "/data/labs/trust-scanner/scorecard.v1.json",
    "counts": {
      "publicDimensions": 6,
      "requiredCaveats": 1,
      "observedArtifactTypes": 8
    },
    "useCases": [
      {
        "label": "Customer trust readiness",
        "summary": "Evaluate whether public trust artifacts support enterprise buyer review."
      },
      {
        "label": "AI claim-readiness",
        "summary": "Review public AI security and governance claims before they become sales copy."
      },
      {
        "label": "Vendor trust triage",
        "summary": "Create directional public-signal snapshots before deeper private assessment."
      }
    ],
    "artifacts": [
      {
        "label": "ATG sample scorecard",
        "description": "Public-safe AI Trust and Governance scorecard sample with required caveat.",
        "href": "/data/labs/trust-scanner/scorecard.v1.json",
        "size": "1 JSON file"
      }
    ],
    "provenance": {
      "sourceRepoLabel": "Savvy CLI runtime boundary",
      "summary": "The web repo publishes the Labs shell, route, copy, contract, and public-safe sample output.",
      "boundary": "Rust and WASM scanner work stays in ../savvy-cli using the existing pure-engine plus thin-WASM-wrapper pattern.",
      "caveat": "Based on public website signals and observed artifacts, not proof of any organization's internal security maturity."
    }
  },
  "range": {
    "title": "LLM Attack Range",
    "subtitle": "Scenario execution, attack-pack coverage, and control-evidence readiness in one dedicated product surface.",
    "status": "curated_snapshot",
    "asOf": "2026-05-20",
    "counts": {
      "scenarioFiles": 157,
      "attackPacks": 15,
      "toolAdapters": 8,
      "firstClassTools": 8,
      "stagedTools": 0,
      "contentLibraryBatches": 7,
      "publishedContentLibraryDocs": 5,
      "screenshotBackedScenarios": 19,
      "atlasMappings": 15,
      "owaspMappings": 11,
      "threatVectors": 22
    },
    "scenarioFamilies": [
      {
        "label": "Prompt injection",
        "count": 18,
        "examples": [
          "Basic Prompt Injection",
          "Indirect Prompt Injection",
          "System Prompt Leakage"
        ]
      },
      {
        "label": "Data exfiltration",
        "count": 16,
        "examples": [
          "Data Exfiltration",
          "Exfiltration via Tooling",
          "Model Inversion (PII Extraction)"
        ]
      },
      {
        "label": "Excessive agency",
        "count": 15,
        "examples": [
          "Blind SSRF via Browser Agent",
          "AI-Generated API Phishing Endpoint",
          "SVG SSRF via Model-Generated Files"
        ]
      },
      {
        "label": "RAG poisoning",
        "count": 12,
        "examples": [
          "RAG Poisoning",
          "Cross Tenant Leakage",
          "RAG Source Spoofing"
        ]
      },
      {
        "label": "Alignment bypass",
        "count": 12,
        "examples": [
          "Evaluator Metric Manipulation",
          "Safety Filter Evasion via Paraphrasing",
          "Constitutional AI Rule Contradiction Exploit"
        ]
      },
      {
        "label": "Supply chain",
        "count": 10,
        "examples": [
          "Supply Chain Poisoning (MCP)",
          "Dependency Confusion via AI Code Assistant",
          "Malicious Fine-Tuned Model Substitution"
        ]
      },
      {
        "label": "Output handling",
        "count": 9,
        "examples": [
          "XSS via Markdown Output Injection",
          "Path Traversal via Model-Generated Filename",
          "SQL Injection via Model-Generated Query"
        ]
      },
      {
        "label": "Multimodal",
        "count": 9,
        "examples": [
          "Audio Prompt Injection via Speech-to-Text Pipeline",
          "Data Exfiltration via Image Steganography",
          "QR Code Injection via Model-Generated Content"
        ]
      },
      {
        "label": "Governance bypass",
        "count": 9,
        "examples": [
          "Audit Log Manipulation via Model Output",
          "Explainability Output Manipulation",
          "Consent Bypass via AI-Generated Dark Patterns"
        ]
      }
    ],
    "toolCoverage": [
      {
        "label": "promptfoo",
        "count": 92,
        "summary": "Assertion-driven conversational evaluation and regression coverage.",
        "status": "first-class"
      },
      {
        "label": "garak",
        "count": 56,
        "summary": "Scanner coverage for leakage, jailbreak, and behavior probes.",
        "status": "first-class"
      },
      {
        "label": "PyRIT",
        "count": 55,
        "summary": "Objective-driven red-team orchestration and multi-turn attack flows.",
        "status": "first-class"
      },
      {
        "label": "AgentDojo",
        "count": 45,
        "summary": "Agent trajectory logging, tool use, and permission-boundary exercises.",
        "status": "first-class"
      },
      {
        "label": "Giskard",
        "count": 1,
        "summary": "Targeted eval surface for benchmark-style checks.",
        "status": "first-class"
      },
      {
        "label": "Inspect AI",
        "count": 1,
        "summary": "Targeted evaluation and scenario review.",
        "status": "first-class"
      },
      {
        "label": "NeMo Guardrails",
        "count": 1,
        "summary": "Policy-pack and refusal behavior validation.",
        "status": "first-class"
      },
      {
        "label": "OpenAI Evals",
        "count": 1,
        "summary": "Staged benchmark harness for future adapter parity.",
        "status": "first-class"
      }
    ],
    "attackPacks": [
      {
        "label": "Prompt injection",
        "fileCount": 10,
        "summary": "Direct overrides, multi-turn escalation, bidi evasion, and agent-collusion probes.",
        "signals": [
          "System prompt leakage",
          "Goal substitution",
          "Unicode bidi"
        ]
      },
      {
        "label": "Indirect prompt injection",
        "fileCount": 2,
        "summary": "Hidden instructions inside retrieved or forwarded content.",
        "signals": [
          "Quoted policy overrides",
          "Nested markdown directives",
          "Delayed trigger strings"
        ]
      },
      {
        "label": "Alignment",
        "fileCount": 15,
        "summary": "Benchmark gaming, rule contradiction, dark-pattern consent, and evaluator manipulation.",
        "signals": [
          "Metric gaming",
          "Rule contradiction",
          "Dark-pattern consent"
        ]
      },
      {
        "label": "Model integrity",
        "fileCount": 11,
        "summary": "Backdoor, inversion, membership, drift, and extraction probes.",
        "signals": [
          "Backdoor probes",
          "Membership probes",
          "Weight inversion"
        ]
      },
      {
        "label": "DoS",
        "fileCount": 6,
        "summary": "Context floods, token exhaustion, recursive callbacks, and tool amplification.",
        "signals": [
          "Context flood",
          "Recursive callbacks",
          "Token exhaustion"
        ]
      },
      {
        "label": "RAG poisoning",
        "fileCount": 2,
        "summary": "Poisoned retrieval content, source spoofing, and boundary-crossing attempts.",
        "signals": [
          "RAG poisoning",
          "Cross-tenant leakage",
          "Source spoofing"
        ]
      },
      {
        "label": "Data exfiltration",
        "fileCount": 2,
        "summary": "Secret harvesting, tool-output scraping, and context overreach.",
        "signals": [
          "Secret harvesting",
          "Progressive extraction",
          "Metadata disclosure"
        ]
      },
      {
        "label": "Cross-tenant leakage",
        "fileCount": 2,
        "summary": "Tenant alias confusion and scope escalation attempts.",
        "signals": [
          "Tenant alias confusion",
          "Neighbor record probing",
          "Delegated access abuse"
        ]
      },
      {
        "label": "Delegated authority",
        "fileCount": 2,
        "summary": "Authority laundering between planner and executor agents.",
        "signals": [
          "Fake supervisor handoffs",
          "Policy override metadata",
          "Privilege scope stretching"
        ]
      },
      {
        "label": "Memory poisoning",
        "fileCount": 2,
        "summary": "Persistent trust-anchor corruption in long-lived memory stores.",
        "signals": [
          "Session-history seeding",
          "Delayed triggers",
          "Safety-rule negation"
        ]
      },
      {
        "label": "Browser agent",
        "fileCount": 2,
        "summary": "DOM comments, fake reauth loops, and origin-confusion coercion.",
        "signals": [
          "Hidden DOM instructions",
          "Tab-switch prompts",
          "Malicious download prompts"
        ]
      },
      {
        "label": "Tool abuse",
        "fileCount": 2,
        "summary": "Unsafe tool-call prompting and action-chain abuse.",
        "signals": [
          "Unauthorized external actions",
          "Approval bypass framing",
          "Tool chaining"
        ]
      },
      {
        "label": "Agent sandbox escape",
        "fileCount": 1,
        "summary": "REPL breakout, path traversal, and SSRF via tool usage.",
        "signals": [
          "REPL breakout",
          "Path traversal",
          "Tool-driven SSRF"
        ]
      },
      {
        "label": "Supply chain poisoning",
        "fileCount": 1,
        "summary": "MCP configs, malicious PR instructions, and typosquatted dependencies.",
        "signals": [
          "MCP poisoning",
          "Malicious PR instructions",
          "Dependency confusion"
        ]
      },
      {
        "label": "Multimodal injection",
        "fileCount": 1,
        "summary": "OCR, EXIF, and steganographic payloads.",
        "signals": [
          "Image steganography",
          "Audio prompt injection",
          "QR code injection"
        ]
      }
    ],
    "contentLibraries": [
      {
        "label": "Batch 01 - Initial Scenarios and Assertions",
        "status": "index-only",
        "summary": "Seed corpus, assertion scaffolding, and the initial scenario set.",
        "focus": [
          "Initial scenarios",
          "Assertions",
          "Seed corpus"
        ]
      },
      {
        "label": "Batch 02 - Expanded Attack Packs and Scenarios",
        "status": "published",
        "summary": "Adds indirect injection, exfiltration, cross-tenant leakage, memory poisoning, browser agent, and delegation coverage.",
        "focus": [
          "Expanded attack packs",
          "New fixtures",
          "Regression tracking"
        ]
      },
      {
        "label": "Batch 03 - Agentic and Multimodal",
        "status": "published",
        "summary": "Adds multimodal injection, supply chain poisoning, agent sandbox escape, recursive DoS, and model inversion.",
        "focus": [
          "Agentic loops",
          "Multimodal vectors",
          "Supply chain"
        ]
      },
      {
        "label": "Batch 04 - Hardening and Framework Alignment",
        "status": "published",
        "summary": "Adds remediation blocks, hardened variants, industry-specific content, honeytokens, and framework alignment.",
        "focus": [
          "ATLAS and OWASP mappings",
          "Remediation blocks",
          "Honeytokens"
        ]
      },
      {
        "label": "Batch 05 - Operationalization and Governance",
        "status": "index-only",
        "summary": "Roadmap slot for coverage gates, inferred-debt reduction, and CI enforcement.",
        "focus": [
          "Coverage gates",
          "Gap closure",
          "CI enforcement"
        ]
      },
      {
        "label": "Batch 06 - High-Fidelity Scenarios and Metrics",
        "status": "published",
        "summary": "Adds telemetry, latency tracking, stealth and reliability scores, and remediation diffs.",
        "focus": [
          "High-fidelity telemetry",
          "Metrics",
          "Remediation diffs"
        ]
      },
      {
        "label": "Batch 07 - Interoperability and Forensics",
        "status": "published",
        "summary": "Adds ECS and SARIF outputs plus portable JSON for SIEM and forensics workflows.",
        "focus": [
          "ECS",
          "SARIF",
          "Portable JSON"
        ]
      }
    ],
    "artifacts": [
      {
        "label": "Catalog snapshot",
        "description": "Versioned product catalog for the public labs shell.",
        "href": "/data/labs/catalog.v1.json",
        "size": "1 JSON file"
      },
      {
        "label": "Scenario snapshot",
        "description": "Curated scenario rows and control-evidence rollups.",
        "href": "/data/labs/attack-range/scenarios.v1.json",
        "size": "157 scenario rows"
      },
      {
        "label": "Overview snapshot",
        "description": "Status, scope, caveat, run window, and data endpoints.",
        "href": "/data/labs/attack-range/overview.v1.json",
        "size": "versioned overview"
      },
      {
        "label": "Metric bundle",
        "description": "Public-safe scorecards and range metrics.",
        "href": "/data/labs/attack-range/metrics.v1.json",
        "size": "4 metric cards"
      },
      {
        "label": "Generation / media rollup",
        "description": "Monthly synthetic-media and prompt-abuse tracking.",
        "href": "/data/labs/attack-range/generation-media.v1.json",
        "size": "8 monthly rows"
      }
    ],
    "provenance": {
      "sourceRepoLabel": "AI Security Range",
      "summary": "Curated from the upstream local-first lab package and imported into this repo as a public product shell.",
      "boundary": "Public-safe counts, labels, snapshots, and chart exports only. Executable runs, private evidence, and orchestration remain upstream.",
      "caveat": "This is a curated snapshot, not a claim that the executable runtime is hosted in this repo."
    }
  },
  "roadmap": [
    {
      "title": "Prompt Injection and RAG Security Lab",
      "summary": "Direct and indirect prompt injection, retrieval poisoning, context leakage, source attribution, access control, and evidence capture.",
      "focus": [
        "Direct prompt injection",
        "Indirect prompt injection",
        "Retrieval poisoning",
        "Context leakage",
        "Evidence capture"
      ]
    },
    {
      "title": "Agent Security Control Lab",
      "summary": "Tool-call authorization, sandboxing, approval gates, telemetry, rollback, audit trails, and blast-radius management.",
      "focus": [
        "Tool authorization",
        "Approval flows",
        "Telemetry",
        "Rollback",
        "Audit trails"
      ]
    },
    {
      "title": "Governance Evidence Lab",
      "summary": "Map AI RMF, ISO 42001, OWASP LLM, MITRE ATLAS, and internal policy to engineering artifacts.",
      "focus": [
        "Control mapping",
        "Evidence registry",
        "Risk register",
        "Audit trail",
        "Report generator"
      ]
    },
    {
      "title": "Model Supply Chain Security Lab",
      "summary": "Model provenance, registry controls, artifact integrity, model signing, weights protection, and deployment gates.",
      "focus": [
        "Provenance",
        "Artifact integrity",
        "Signing",
        "Deployment gates",
        "Model cards"
      ]
    },
    {
      "title": "Hiring Calibration Lab",
      "summary": "Role decomposition, JD rewrite, interview scorecards, lab-based screens, and skill matrix design.",
      "focus": [
        "Role architecture",
        "JD rewrite",
        "Interview loops",
        "Skills validation",
        "Candidate rubric"
      ]
    }
  ],
  "provenance": {
    "caveat": "This product shell is curated from the upstream AI Security Range repo and related public-safe outputs.",
    "includesRuntime": false,
    "publicHandling": "Public-safe snapshot only."
  }
}
