12 attack vectors. 5 severity tiers. Continuous automated + manual pre-deployment red-teaming. DEFONEOS's immune system against adversarial AI threats.
The DEFONEOS Adversarial Red-Team Framework is the active defense layer of the 33-agent BFT sovereign mesh. It runs continuous automated adversarial probes (every 15 minutes) against every deployed MCP, inference endpoint, and governance gate โ plus manual pre-deployment red-team assessments before any production release.
Each vector is tested continuously by automated probes and assessed manually before deployment. DEFONEOS is designed to be resilient against all 12.
T1 CRITICAL Attacker injects malicious instructions into the user prompt to override system instructions. 240+ automated adversarial prompts covering jailbreak, DAN, role-confusion, and instruction-hierarchy attacks.
T1 CRITICAL Malicious content embedded in data sources (web pages, documents, API responses) that the model reads. DEFONEOS MCPs sanitize all external data through SIGIL-gated ingestion before model exposure.
T2 HIGH Compromised dependencies (PyPI packages, Docker images, model weights). DEFONEOS uses SIGIL-anchored integrity proofs on all 30 MCPs, with hash verification at every load.
T2 HIGH Attempt to forge, replay, or tamper with SIGIL attestations. Defended by Ed25519 signatures + RFC3161 timestamps + Bitcoin OTS anchoring + BFT 23/33 quorum witness.
T3 MODERATE Attempts to extract model weights or training data via repeated API queries. DEFONEOS Ring0 inference is UK-sovereign-only (no external API exposure). Rate limiting + query pattern analysis.
T3 MODERATE Malicious data injected into the sovereign training corpus. SOV3 OLM corpus curation includes provenance verification, statistical anomaly detection, and human review of every source.
T3 MODERATE Attempting to reconstruct training data from model outputs. Mitigated by differential privacy techniques in the sovereign training pipeline.
T4 LOW Flood inference or MCP endpoints. Vercel CDN + rate limiting + BFT circuit breakers.
T2 HIGH Attempting to gain unauthorized access to BFT council functions, escrow release, or red-line override. 4-eyes principle + Ed25519 identity + RBAC enforced at every gate.
T2 HIGH Attempting to influence the 33-agent BFT governance council below quorum. Requires 23/33 for standard actions, 17/33 for emergency. Anti-collusion monitors detect coordinated voting patterns.
T3 MODERATE Data flowing from Ring2 (unrestricted civil data) into Ring0 (UK-sovereign-only). Enforced by inward-cascade data flow rules + SIGIL attestation at every ring boundary crossing.
T5 INFORMATIONAL Inferring internal state from response timing. Constant-time comparisons + response normalization.
| Tier | Label | Criteria | Disclosure |
|---|---|---|---|
| T1 | Critical | Can override red lines, exfiltrate sovereign data, or compromise BFT integrity | Mandatory NCSC + UK AISI disclosure within 24h |
| T2 | High | Can bypass governance gates, access unauthorized MCPs, or degrade BFT quorum | NCSC + UK AISI disclosure within 72h |
| T3 | Moderate | Can extract non-sensitive data, cause service degradation, or enable privilege creep | Internal report + BFT review |
| T4 | Low | Can cause temporary service disruption or information leakage of non-classified data | Internal report |
| T5 | Informational | Theoretical risk, no demonstrated impact | Logged for trend analysis |
240+ adversarial prompts across all 12 vectors, executed against every live MCP endpoint. Results logged to SIGIL ledger. Any T1/T2 finding triggers automatic BFT emergency session.
Before any production release: full 12-vector assessment by the DEFONEOS red-team (internal). Quarterly: external accredited assessment. Pre-contract: BFT-supervised assessment for new MOD/agency deployments.
| Tier | Who | When |
|---|---|---|
| Tier 1 โ Internal | DEFONEOS red-team agents | Continuous + pre-deployment |
| Tier 2 โ External Accredited | NCSC CHECK-accredited firm | Quarterly |
| Tier 3 โ BFT-Supervised | 33-agent BFT council oversees external assessor | Pre-contract |
These are never testable for bypass โ they are architectural constraints, not policy. Any attempt to probe them is itself flagged as a T1 finding:
defonos.io domain (known trap).Patterns that cause immediate agent quarantine upon detection:
| Standard | Clause | DEFONEOS Coverage |
|---|---|---|
| UK AISI | Evaluation Protocol ยง4 | Full 12-vector assessment, external disclosure for T1/T2 |
| EU AI Act | Art 15 (robustness) / Art 55 (GPAI) | Continuous red-teaming + pre-deployment assessment |
| NIST AI RMF 1.0 | Measure 2.7 (adversarial testing) | Automated continuous + manual pre-deployment |
| ISO/IEC 42001:2023 | Clause A.7 (security) | Red-team cadence documented, evidence retained |
| OWASP LLM Top-10 2025 | LLM01-LLM10 | All 10 OWASP categories mapped to 12 vectors |
| NCSC CAF | Principle C4 | Incident response triggered on T1/T2 findings |
Any T1 or T2 finding from continuous automated probes or manual assessment triggers an automatic BFT Emergency Session (see BFT Council Emergency Session Protocol):