K9X (Beta)
k9x.ai
SATAN
Security  ·  Analysis  ·  Tool  for  Agentic  ·  Networks
not connected
not connected
SATAN
Attacker
ROUTER
Ingress Gate
ORCHESTRATOR
Egress Gate
SQUAD
Agent Flow
AGENTS
Execution
LLM Setup
Configure the LLM provider that Satan's target agents will use. Connect to Ollama, LM Studio, or any OpenAI-compatible endpoint.

Provider & Connection

Governance

GuardianGovernance wraps every agent's pre_process and post_process hooks with a live granite4.1-guardian:8b safety call — screening inputs before the LLM and outputs after. Requires Ollama to be connected with the guardian model pulled.
ShieldGovernance (k9_aif_abb.k9_security.vulnerability) is a framework class, not Satan-local — it wires the same VulnerabilityChain/BaseVulnerabilityCheck contracts Router/Orchestrator already use, but at the agent pre/post hook level instead. Deterministic, zero LLM cost, config-driven via security.shield in config.yaml — a second valid architectural point for the same ABB, proving the pattern isn't tied to one wiring location.

Document Extraction

Runs before the Shield checks. Extracted fields feed FieldAnomalyCheck — catches authority-override patterns that syntax-based injection checks miss. In production K9-AIF this step runs as a dedicated Squad via Kafka (non-blocking).

Current Status

Provider
Model
Base URL
Connection
Chain Execution Log
Document Analysis  — 
0
Recent Attacks
0
Blocked
0
Flagged
0
Findings

Attack Outcomes

Penetration Depth

Attack History

No attacks fired yet. Select a document and click Fire.

The Framework Is the Defence

K9-AIF treats security as a framework capability, not an application concern. Every solution built on the framework automatically inherits a runtime security chain that validates inputs before they reach the intelligence layer.

Out of the box, Shield provides architectural handlers including InputSizeCheck, PromptInjectionCheck, SemanticDriftCheck, PIIBoundaryCheck, ToolArgumentCheck, ExecutionGuardCheck, and HardcodedCredentialCheck.

These handlers address the primary attack vectors identified by Zscaler ThreatLabz and can be extended as new threats emerge.

K9X Satan exists for one reason: prove whether that architecture actually holds.

Threat Intelligence — Zscaler ThreatLabz

Zscaler ThreatLabz maps four distinct vectors in the agentic AI threat landscape. K9X Shield was designed to address each one architecturally — not with signatures, but with an extensible chain where each vector maps to one handler.

Zscaler ThreatLabz — Four Vectors
Indirect Prompt Injection — hidden instructions in documents & tool responses
Goal Hijacking & Privilege Escalation — agent forced beyond its authorised scope
Memory Poisoning — persistent memory contaminated across sessions
Shadow AI & Tool Abuse — unapproved tools injecting attacker-controlled content
K9X Shield — One Vector, One Handler
PromptInjectionCheck — IPI in documents & payloads
SemanticDriftCheck — goal hijacking, identity override, loop traps
PIIBoundaryCheck — cross-boundary data exfiltration
ToolArgumentCheck — poisoned tool call arguments
ExecutionGuardCheck — destructive execution, privilege escalation

Unlike a human reviewer, an LLM has no inherent notion of trusted versus attacker-controlled content. It follows instructions regardless of their origin — unless architectural safeguards intervene. The payload walked through the front door as a document. That is what Satan tests.

Complete Check Inventory — Component × Threat Class

Every handler currently wired into the target pipeline's two VulnerabilityChain gates, which component owns it, and which named attack in this harness proves it holds. 13 checks total — 7 framework OOB, 6 Satan-local — plus Guardian as a cross-cutting semantic layer that wraps every agent regardless of chain position.

# Check Stage Component Owner Threat Class Proven By
1RequestFrequencyCheckIngressRouterSatan SBBUnbounded Consumption — OWASP LLM10request_flood
2InputSizeCheckIngressRouterFramework OOBToken-flood / oversized payload — OWASP LLM10payload_flood
3PromptInjectionCheckIngressRouterFramework OOBIndirect Prompt Injection — Zscaler #1 · OWASP LLM01prompt_injection_document, search_poisoning
4FieldAnomalyCheckIngressRouterSatan SBBAuthority-override social engineering — Zscaler #1 extensionprompt_injection_document
5MemoryPoisoningCheckIngressRouterSatan SBBMemory Poisoning — Zscaler #3 · OWASP LLM04memory_poisoning
6SemanticDriftCheckEgressOrchestratorFramework OOBGoal Hijacking & Privilege Escalation — Zscaler #2 · OWASP LLM06semantic_drift
7ExecutionGuardCheckEgressOrchestratorFramework OOBDestructive execution / privilege escalation — Zscaler #2 · OWASP LLM06execution_bypass
8PIIBoundaryCheckEgressOrchestratorFramework OOBSensitive Info Disclosure — OWASP LLM02pii_exfiltration
9ToolArgumentCheckEgressOrchestratorFramework OOBTool Abuse — poisoned arguments — Zscaler #4 · OWASP LLM05tool_argument_poison
10HardcodedCredentialCheckEgressOrchestratorFramework OOBSupply chain / secret leakage — OWASP LLM03hardcoded_credential
11ToolAuthorizationCheckEgressOrchestratorSatan SBBShadow AI — unapproved tool/backend — Zscaler #4shadow_tool
12SystemPromptLeakageCheckEgressOrchestratorSatan SBBSystem Prompt Leakage — OWASP LLM07system_prompt_leakage
13OutputSanitizationCheckEgressOrchestratorSatan SBBImproper Output Handling — OWASP LLM05output_sanitization
GuardianGovernancePre/Post — every agentAgentSatan SBBSemantic evasion of all 13 checks above (paraphrase, encoding, indirection) — cross-cutting, requires granite4.1-guardian:8bany attack, with Governance = GuardianGovernance

Out of scope by design — not runtime-checkable at the payload level: training-data/model poisoning (OWASP LLM04's non-session-state half), vector/embedding attacks (OWASP LLM08 — no RAG in this target), and misinformation/hallucination (OWASP LLM09 — a quality concern, not a security boundary).

Open-Closed Security — One New Threat, One New Handler

The Chain of Vulnerability Tests applies the GoF Chain of Responsibility pattern to security. Each handler inspects the payload for one class of threat. A new Zscaler ThreatLabz finding means one new handler. Nothing else changes.

PRE-AGENT GATE
INTELLIGENCE
POST-AGENT GATE
SATAN
Crafted payload
BaseAttack SBB
ROUTER
Pre-Agent Shield
RequestFrequencyCheck
InputSizeCheck
PromptInjectionCheck
FieldAnomalyCheck
MemoryPoisoningCheck
🛑 BLOCKED ✓
SQUAD / AGENT
LLM Reasoning
DocumentExtractionAgent
AuditAgent
ORCHESTRATOR
Post-Agent Gate
Guardian Governance
SemanticDriftCheck · ExecutionGuardCheck
PIIBoundaryCheck · ToolArgumentCheck
HardcodedCredentialCheck · ToolAuthorizationCheck
SystemPromptLeakageCheck · OutputSanitizationCheck
🛑 BLOCKED ✓
OUTPUT
⚠ FINDING
Both gates passed
PRE-AGENT — Router Shield
Pattern-based. Runs on the raw document before the LLM touches it. Fast, deterministic. Blocks known attack shapes (injection markers, override codes, anomalous fields). Cannot block semantic attacks that look legitimate.
POST-AGENT — Orchestrator Gate
Semantic LLM-based. Runs on the agent's output before it leaves the pipeline. Guardian evaluates what the agent is about to return — catches PII leakage, policy bypass, semantic drift that evaded the pre-gate.

The Hardening Loop

Satan and Shield grow together. Every EVASION finding closes a gap in the framework — making it stronger for every solution built on K9-AIF.

Satan fires attack
  → Shield misses it        EVASION — gap found
  → new Check added to framework ABB
  → Satan fires again
  → Shield blocks it        BLOCKED — framework hardened
  → next attack class probes the next gap
  → repeat

The chain is open-ended by design. Zscaler's four vectors are not a ceiling — they are the current known surface. As agentic systems become more capable and more autonomous, the attack surface expands. Each new vector is one new handler. The chain does not need to be rewritten. It just needs one more link.

ABB / SBB — Framework Owns the Contracts

⚔ K9x Satan — SBBs (Attack)

PromptInjectionAttackdocument body
SearchPoisoningAttacktool response
PayloadFloodAttacktoken exhaustion
PIIExfiltrationAttackdata extraction
SemanticDriftAttackrole reframing
HtmlCommentAttacksteganographic

🛡 K9X Shield — ABBs (Defence)

PromptInjectionCheckingress
PromptInjectionCheckegress
InputSizeCheckingress
PIIBoundaryCheckegress
SemanticDriftCheckegress
HtmlCommentInjectionCheckingress — pending

ABBs live in the framework. SBBs live in Satan. Every attack SBB extends BaseAttack. Every defence check extends BaseVulnerabilityCheck. The contracts belong to the framework — not to any one solution.

Check Execution — Sequence & Ownership

Every payload traverses four phases in strict order. A block at any phase terminates execution — downstream phases never run.

PHASE 0 — PRE-SHIELD · DoclingExtractor
naive_extract() — regex key:value scan (always runs)
_docling_endpoint() — OCR via /v1/convert/file (if enabled)
→ populates extracted_fields for FieldAnomalyCheck
PHASE 1 — ROUTER INGRESS SHIELD · VulnerabilityChain
RequestFrequencyCheck · per-session request count vs. rolling window
catches: resource-exhaustion request floods (Satan SBB — CacheFactory-backed)
🛑 BLOCK
InputSizeCheck · payload byte length > limit
catches: Token Flood Attack (💣 Oversized Payload)
🛑 BLOCK
PromptInjectionCheck · pattern scan on raw text
catches: SYSTEM OVERRIDE · ignore all instructions · admin mode · roleplay jailbreak
🛑 BLOCK
FieldAnomalyCheck · scans extracted_fields + raw text
catches: EXEC-OVERRIDE codes · Priority: CRITICAL · COO auth · supersedes directives
🛑 BLOCK
MemoryPoisoningCheck · session fact fingerprint vs. CacheFactory record
catches: fabricated/contradicted "as previously approved" session memory claims
🛑 BLOCK
PHASE 2 — INTELLIGENCE · DocumentProcessingSquad
DocumentExtractionAgent
Guardian pre_process() 🛑 BLOCK if unsafe input
Agent execute() → LLM
Guardian post_process() 🛑 REDACT if PII/unsafe
AuditAgent
Guardian pre_process() 🛑 BLOCK if unsafe input
Agent execute() → LLM
Guardian post_process() 🛑 REDACT if PII/unsafe
Guardian hooks fire only when Governance = GuardianGovernance (Setup → Governance). Default is NoopGovernance — hooks are present but pass through.
PHASE 3 — ORCHESTRATOR EGRESS GATE · VulnerabilityChain
SemanticDriftCheck · evaluates agent reasoning against original goal
catches: role reframing · goal hijacking · identity override
🛑 BLOCK
ExecutionGuardCheck · validates response schema & scope
catches: destructive actions · privilege escalation · schema violations
🛑 BLOCK
⚠ OUTPUT All phases passed — response exits pipeline. FINDING if evil payload; COMPLETED if clean.

ABB / SBB Class Hierarchy

PlantUML source at diagrams/shield_class.puml. Run ./diagrams/generate.sh to render PNG.

PNG not generated yet — run ./diagrams/generate.sh then reload

Target Pipeline — SBB Hierarchy

── PRE-AGENT ────────────────────────────────────────
DoclingExtractor              SBB utility
  naive regex | Docling OCR (optional)
  → populates extracted_fields

DocumentRouter                extends BaseRouter         (K9-AIF ABB)
  [PRE-AGENT Shield — VulnerabilityChain]
    InputSizeCheck            extends BaseVulnerabilityCheck
    PromptInjectionCheck      extends BaseVulnerabilityCheck
    FieldAnomalyCheck         extends BaseVulnerabilityCheck
      → BLOCKED here if any check fires

── INTELLIGENCE ─────────────────────────────────────
DocumentOrchestrator          extends BaseOrchestrator    (K9-AIF ABB)
  DocumentProcessingSquad     extends BaseSquad           (K9-AIF ABB)
    DocumentExtractionAgent   extends BaseAgent           (K9-AIF ABB)
    AuditAgent                extends BaseAgent           (K9-AIF ABB)

── POST-AGENT ───────────────────────────────────────
  [POST-AGENT Gate — Orchestrator Egress]
    Guardian Governance       semantic LLM evaluation
    SemanticDriftCheck        extends BaseVulnerabilityCheck
    ExecutionGuardCheck       extends BaseVulnerabilityCheck
      → BLOCKED here if response violates policy

── OUTPUT ───────────────────────────────────────────
  ⚠ FINDING — both gates passed — response exited pipeline
Why the Name "SATAN"?

The name K9X Satan is inspired by the pioneering SATAN (Security Administrator Tool for Analyzing Networks), released in 1995 by security researchers Dan Farmer and Wietse Venema.

The original SATAN was one of the first widely recognized network vulnerability assessment tools. Rather than exploiting systems, its purpose was to help administrators identify weaknesses before attackers did.

K9X Satan follows the same philosophy for the era of agentic AI. Instead of scanning networks, it executes carefully crafted adversarial attacks against K9X Shield to validate that architectural security controls detect and intercept malicious inputs before they reach the intelligence layer.

The goal is not to break applications — it is to continuously strengthen the framework that protects them.

The original SATAN shipped with repent.pl — run it and SATAN became SATAN. K9X Satan carries the tradition. Find the REPENT button in the sidebar.
How Satan Works
The Philosophy

K9X Satan is an adversarial testing platform for K9X Shield.

Rather than generating random inputs, Satan executes carefully crafted attacks that target known classes of agentic AI vulnerabilities. Each attack is designed to validate that the framework's architectural security controls detect and intercept malicious payloads before they reach the intelligence layer.

The objective is not to demonstrate successful attacks — it's to prove that the framework's defensive architecture holds under real-world adversarial conditions.

Defense in Depth — Guardian Complements Shield, Never Replaces It

K9X Shield applies deterministic, policy-driven checks at Router ingress and Orchestrator egress — 13 handlers, explainable, zero LLM cost, evaluated the same way every time. IBM Guardian provides an optional semantic assessment layer for attacks that survive literal pattern matching — paraphrase, encoding, or wording changes that no regex list can enumerate in advance.

Regex and rule-based checks catch known, explicit patterns and give predictable, auditable enforcement. Guardian trades that predictability for broader semantic coverage — it can recognise paraphrased prompt injection, subtle goal hijacking, and disguised privilege escalation that never matches a literal rule. Neither layer is a superset of the other; each catches what the other structurally cannot.

Pull the model before enabling Guardian:

ollama pull granite4.1-guardian:8b

Enable it in Setup → Governance — three providers are available: NoopGovernance (passthrough, dev default), GuardianGovernance (semantic, this section), and ShieldGovernance (a second deterministic wiring point — the same VulnerabilityChain contract, reused at the agent pre/post hook instead of Router/Orchestrator). The chain log shows Guardian's pre/post verdict on every agent run.

Router/Orchestrator Shield catches known pattern attacks (injection markers, override codes, poisoned tool arguments) — zero LLM cost, deterministic. Guardian catches semantic attacks (PII exfiltration, compliance framing, policy bypass) that evaded the pattern layer — one LLM call per agent. Shield holds with Guardian disabled entirely. Guardian only ever adds coverage on top — it is never the only thing standing between a payload and the agent.
Guardian unavailability is a policy decision, never a silent pass. A timeout, HTTP error, or unreachable Ollama endpoint produces an explicit UNAVAILABLE verdict — it is never mapped to "SAFE" by default. governance.on_guardian_unavailable in config.yaml decides what happens next: fail_closed (default — blocks/redacts, matching "should not be penetrable"), fail_open (documented risk — lets the payload through unscreened), or inconclusive (flags for review without blocking).
Prove what Guardian adds, don't just assert it. python -m k9x_satan.runner.satan_runner --target <url> --suite full --compare-governance fires every attack twice — deterministic-only, then deterministic + Guardian — and reports which findings Guardian closed. A regression (Guardian making a previously-contained attack pass) is flagged as a bug, not a result.
Attack Corpus

Satan includes a curated corpus of attack documents representing common agentic AI threat patterns. Each payload targets a specific vulnerability class implemented by K9X Shield.

  • Prompt Injection
  • Goal Hijacking
  • Memory Poisoning
  • Tool Argument Injection
  • PII Boundary Violation
  • Oversized Payloads
  • Clean Control Document

The Clean Control document serves as a baseline and should always traverse the complete pipeline without being blocked.

Understanding the Pipeline

Every document follows the same three-layer defence path. Each layer has a different detection strategy and a different threat class it can stop.

LAYER 1 — ROUTER SHIELD (ingress)
Pattern-based. Zero latency. Deterministic.

Runs a chain of vulnerability checks before the LLM ever sees the document. Each handler looks for a known attack shape — a structural fingerprint.

✓ blocks  Oversized payloads — token flood attacks
✓ blocks  Prompt injection — SYSTEM OVERRIDE, ignore all instructions
✓ blocks  Field anomalies — EXEC-OVERRIDE codes, Priority: CRITICAL directives
~ passes  Semantic attacks — compliance framing, regulatory impersonation

The Router Shield cannot stop what it does not recognise. An attack written to look like a legitimate audit request has no injection markers, no override codes, no anomalous fields. It passes because it looks clean.

LAYER 2 — GUARDIAN GOVERNANCE (agent pre/post — optional)
Semantic LLM-based. Wraps every agent's execution, not just the boundary.

Guardian screens the payload immediately before each agent invokes the LLM (pre_process) and the agent's draft output immediately after (post_process) — inside the Squad, between Layer 1 and Layer 3. Defense in depth, not a replacement: Shield holds with Guardian disabled entirely; Guardian only adds coverage on attacks that survive the pattern layer.

✓ blocks  Paraphrased/encoded injection that evades literal PromptInjectionCheck patterns
✓ blocks  Agent responses containing PII, SSNs, account numbers
✓ blocks  Responses that bypass policy — claim approvals without validation
~ policy  Guardian unavailable — fail_closed (default) blocks, fail_open passes, inconclusive flags. Never silently "SAFE".

Enable Guardian in Setup → Governance. Disabled by default (NoopGovernance) — Layers 1 and 3 hold regardless.

LAYER 3 — ORCHESTRATOR EGRESS SHIELD (deterministic, always active)
Pattern-based. Evaluates the squad's combined output before it exits the pipeline.

Runs after the squad completes — 8 handlers covering goal hijacking, destructive execution, PII boundary, poisoned tool arguments, leaked credentials, unapproved tools, leaked system prompts, and output markup injection. Always active, independent of Guardian.

✓ blocks  Goal hijacking / role reframing that reached the squad
✓ blocks  PII, secrets, poisoned tool arguments, unapproved tools surfacing in the response
~ passes  Semantic attacks with no literal pattern match — Guardian is the layer that catches these
WHY FINDING IS NOT ALWAYS A FAILURE

A FINDING that reaches the agent layer with Guardian disabled confirms that the attack evaded Layer 1 pattern detection — which is the expected result for semantic attacks. That is not a framework failure; it is the gap Guardian is designed to close. A true framework failure is when Guardian is enabled and an attack still produces harmful output.

If any handler blocks the request, processing immediately terminates and downstream components are never invoked.

Understanding the Results
Red

An attack document is being executed. A red stop indicator (🛑) identifies the architectural layer where the payload was intercepted.

Green

The document completed successfully without any security violations.

BLOCKED The Shield prevented the payload from reaching the intelligence layer.
COMPLETED The payload successfully traversed the complete execution pipeline.
Upload Your Own Payload

The upload panel allows you to test your own documents against K9X Shield.

Supported formats include:

  • TXT
  • PDF (text layer)
  • DOCX
  • Markdown

Uploaded documents are converted into raw text and processed through the same runtime security chain used by every K9-AIF application.

Framework Extensibility

K9X Shield follows an open architecture.

Each security handler implements a common framework contract, allowing organizations to introduce new detection capabilities without modifying the core runtime.

New handlers can be added to the vulnerability chain and automatically participate in request validation.