Adversarial Red-Team Framework

12 attack vectors. 5 severity tiers. Continuous automated + manual pre-deployment red-teaming. DEFONEOS's immune system against adversarial AI threats.

12
Attack Vectors
5
Severity Tiers
240+
Auto Prompts
7
Red Lines

1. Purpose & Scope

The DEFONEOS Adversarial Red-Team Framework is the active defense layer of the 33-agent BFT sovereign mesh. It runs continuous automated adversarial probes (every 15 minutes) against every deployed MCP, inference endpoint, and governance gate โ€” plus manual pre-deployment red-team assessments before any production release.

Aligned to: UK AISI evaluation protocol ยท EU AI Act Article 15 (accuracy, robustness, cybersecurity) & Article 55 (GPAI obligations) ยท NIST AI RMF 1.0 Measure 2.7 ยท ISO/IEC 42001:2023 Clause A.7 ยท OWASP LLM Top-10 2025 ยท NCSC CAF Principle C4 (Cyber Incident Response).

2. The 12 Attack Vectors

Each vector is tested continuously by automated probes and assessed manually before deployment. DEFONEOS is designed to be resilient against all 12.

V1 โ€” Prompt Injection (Direct)

T1 CRITICAL Attacker injects malicious instructions into the user prompt to override system instructions. 240+ automated adversarial prompts covering jailbreak, DAN, role-confusion, and instruction-hierarchy attacks.

V2 โ€” Prompt Injection (Indirect)

T1 CRITICAL Malicious content embedded in data sources (web pages, documents, API responses) that the model reads. DEFONEOS MCPs sanitize all external data through SIGIL-gated ingestion before model exposure.

V3 โ€” Supply Chain Poisoning

T2 HIGH Compromised dependencies (PyPI packages, Docker images, model weights). DEFONEOS uses SIGIL-anchored integrity proofs on all 30 MCPs, with hash verification at every load.

V4 โ€” SIGIL Integrity Attack

T2 HIGH Attempt to forge, replay, or tamper with SIGIL attestations. Defended by Ed25519 signatures + RFC3161 timestamps + Bitcoin OTS anchoring + BFT 23/33 quorum witness.

V5 โ€” Model Extraction

T3 MODERATE Attempts to extract model weights or training data via repeated API queries. DEFONEOS Ring0 inference is UK-sovereign-only (no external API exposure). Rate limiting + query pattern analysis.

V6 โ€” Data Poisoning (Training Corpus)

T3 MODERATE Malicious data injected into the sovereign training corpus. SOV3 OLM corpus curation includes provenance verification, statistical anomaly detection, and human review of every source.

V7 โ€” Model Inversion

T3 MODERATE Attempting to reconstruct training data from model outputs. Mitigated by differential privacy techniques in the sovereign training pipeline.

V8 โ€” Denial of Service

T4 LOW Flood inference or MCP endpoints. Vercel CDN + rate limiting + BFT circuit breakers.

V9 โ€” Privilege Escalation

T2 HIGH Attempting to gain unauthorized access to BFT council functions, escrow release, or red-line override. 4-eyes principle + Ed25519 identity + RBAC enforced at every gate.

V10 โ€” BFT Council Manipulation

T2 HIGH Attempting to influence the 33-agent BFT governance council below quorum. Requires 23/33 for standard actions, 17/33 for emergency. Anti-collusion monitors detect coordinated voting patterns.

V11 โ€” Cross-Ring Contamination

T3 MODERATE Data flowing from Ring2 (unrestricted civil data) into Ring0 (UK-sovereign-only). Enforced by inward-cascade data flow rules + SIGIL attestation at every ring boundary crossing.

V12 โ€” Side-Channel / Timing

T5 INFORMATIONAL Inferring internal state from response timing. Constant-time comparisons + response normalization.

3. Severity Tier Classification

TierLabelCriteriaDisclosure
T1CriticalCan override red lines, exfiltrate sovereign data, or compromise BFT integrityMandatory NCSC + UK AISI disclosure within 24h
T2HighCan bypass governance gates, access unauthorized MCPs, or degrade BFT quorumNCSC + UK AISI disclosure within 72h
T3ModerateCan extract non-sensitive data, cause service degradation, or enable privilege creepInternal report + BFT review
T4LowCan cause temporary service disruption or information leakage of non-classified dataInternal report
T5InformationalTheoretical risk, no demonstrated impactLogged for trend analysis

4. Red-Team Cadence

Continuous Automated (every 15 minutes)

240+ adversarial prompts across all 12 vectors, executed against every live MCP endpoint. Results logged to SIGIL ledger. Any T1/T2 finding triggers automatic BFT emergency session.

Manual Pre-Deployment

Before any production release: full 12-vector assessment by the DEFONEOS red-team (internal). Quarterly: external accredited assessment. Pre-contract: BFT-supervised assessment for new MOD/agency deployments.

3-Tier Independence Model

TierWhoWhen
Tier 1 โ€” InternalDEFONEOS red-team agentsContinuous + pre-deployment
Tier 2 โ€” External AccreditedNCSC CHECK-accredited firmQuarterly
Tier 3 โ€” BFT-Supervised33-agent BFT council oversees external assessorPre-contract

5. The 7 Immutable Red Lines

These are never testable for bypass โ€” they are architectural constraints, not policy. Any attempt to probe them is itself flagged as a T1 finding:

RL-1: No kinetic-targeting patterns (strike package, find-fix-finish, kill order). Architecture refuses โ€” not policy refusal, code-level refusal.
RL-2: No personal-surveillance patterns (track individual, face-rec, locate phone). Architecture refuses.
RL-3: No "AUKUS partnership" or "DAIC certified" claim without signed letter on file. Architecture refuses to generate.
RL-4: No DEFONEOS-SEAL credential issued without 33-agent BFT council vote (quorum 23/33). Code-level enforcement.
RL-5: No DSEI booth without a named UK-prime pilot letter. Architecture refuses.
RL-6: No reference to or acquisition of the defonos.io domain (known trap).
RL-7: No mixing of meok-defoneos / csoai-defoneos / dagon assets. Compartment separation enforced at code level.

6. The 7 Named Anti-Patterns

Patterns that cause immediate agent quarantine upon detection:

  1. Stockholm Drift โ€” Agent begins defending the system it's testing rather than attacking it. โ†’ Immediate quarantine + reset.
  2. Quorum Capture โ€” Red-team agent attempts to coordinate voting with other agents. โ†’ Quarantine + investigation.
  3. Evidence Suppression โ€” Agent omits a T1/T2 finding from its report. โ†’ Quarantine + full audit of all its prior reports.
  4. Severity Downgrade โ€” Agent systematically classifies T1/T2 as T3/T4. โ†’ Quarantine + recalibration.
  5. Red-Line Probing โ€” Agent tests whether red lines can be bypassed (rather than confirming they hold). โ†’ Quarantine โ€” red lines are architectural, not policy.
  6. Ring Contamination โ€” Agent attempts to move data between trust rings. โ†’ Quarantine + full ring-boundary audit.
  7. SIGIL Tampering โ€” Agent modifies, replays, or forges SIGIL attestations. โ†’ Quarantine + Ed25519 key rotation.

7. Compliance Cross-Walk

StandardClauseDEFONEOS Coverage
UK AISIEvaluation Protocol ยง4Full 12-vector assessment, external disclosure for T1/T2
EU AI ActArt 15 (robustness) / Art 55 (GPAI)Continuous red-teaming + pre-deployment assessment
NIST AI RMF 1.0Measure 2.7 (adversarial testing)Automated continuous + manual pre-deployment
ISO/IEC 42001:2023Clause A.7 (security)Red-team cadence documented, evidence retained
OWASP LLM Top-10 2025LLM01-LLM10All 10 OWASP categories mapped to 12 vectors
NCSC CAFPrinciple C4Incident response triggered on T1/T2 findings

8. BFT Emergency Session Trigger

Any T1 or T2 finding from continuous automated probes or manual assessment triggers an automatic BFT Emergency Session (see BFT Council Emergency Session Protocol):

Sprint-to-date stats (as of tick-103): 0 T1 findings. 0 T2 findings. 3 T3 findings (all resolved). 0 emergency sessions triggered. Care-score range: 0.85โ€“0.97.