Security

K9X Shield & K9X Satan

Zero trust and vulnerability defense are properties of the K9-AIF framework itself — not something each application has to build. K9X Shield is that architecture. K9X Satan is the tool that proves it holds.

The Big Picture. K9-AIF is an open-source, architecture-first framework for building governed, modular agentic AI systems. K9x is the ecosystem of products built on it — Studio, Continuum, HIL, and SATAN. K9X Shield isn't a separate product — it's the security and vulnerability-checking component built into the framework itself: the Router/Orchestrator check chains, governance hooks, and Chain-of-Responsibility pattern every solution built on K9-AIF inherits, whether it knows it or not. K9X Satan is the tool that tests it — firing structured adversarial attacks at a live K9-AIF pipeline to prove Shield actually contains them, rather than just asserting that it does.
ATTACK
crafted payload
ROUTER
ingress gate
🛑 BLOCKED ✓
ORCHESTRATOR
egress gate
🛑 BLOCKED ✓
SQUAD / AGENT
✗ FINDING — Shield failed

A block at any phase terminates execution — downstream phases never run. Reaching Squad/Agent is a gap in the framework, not a partial pass.

See It Holding, Live

satan.k9x.ai →

Upload a document, fire a real attack, and watch it get contained at the Router or Orchestrator gate in real time — Penetration Monitor shows every check in the chain, Results tracks outcomes across the session, and the Architecture tab (About → README inside the tool itself) walks through exactly why each gate holds.

Defense in Depth — Two Independent Layers

K9X Shield applies deterministic, policy-driven checks — 13 handlers total, wired into the Router's ingress and Orchestrator's egress chains. Explainable, zero LLM cost, evaluated identically every run. Evadable by paraphrase, encoding, or wording changes no regex list can enumerate in advance.

IBM Guardian (granite4.1-guardian:8b) is an optional semantic layer wrapping every agent's pre/post hooks — it catches paraphrased injection, subtle goal hijacking, and disguised privilege escalation that survive the pattern layer. Neither replaces the other: Shield holds with Guardian disabled entirely; Guardian only ever adds coverage on top.

Guardian unavailability (timeout, HTTP error, unreachable endpoint) is never silently treated as "SAFE" — it's an explicit policy decision: fail_closed (default — blocks/redacts), fail_open (documented risk), or inconclusive (flags without blocking).

Zscaler ThreatLabz — Four Vectors, One Handler Each

Threat VectorK9X Shield HandlerOwner
Indirect Prompt InjectionPromptInjectionCheckFramework OOB
Goal Hijacking & Privilege EscalationSemanticDriftCheckFramework OOB
Memory PoisoningMemoryPoisoningCheckSatan SBB
Shadow AI & Tool AbuseToolArgumentCheck / ToolAuthorizationCheckFramework OOB + Satan SBB

The chain is open-ended by design — Zscaler's four vectors are the current known surface, not a ceiling. Each new vector is one new handler; the chain doesn't need to be rewritten.

Complete Check Inventory — 13 Checks, 2 Gates

#CheckGateOwnerThreat Class
1RequestFrequencyCheckIngressSatan SBBUnbounded Consumption — OWASP LLM10
2InputSizeCheckIngressFramework OOBToken-flood / oversized payload — OWASP LLM10
3PromptInjectionCheckIngressFramework OOBIndirect Prompt Injection — Zscaler #1 · OWASP LLM01
4FieldAnomalyCheckIngressSatan SBBAuthority-override social engineering
5MemoryPoisoningCheckIngressSatan SBBMemory Poisoning — Zscaler #3 · OWASP LLM04
6ToolArgumentCheckIngress + EgressFramework OOBTool Abuse — poisoned arguments — Zscaler #4 · OWASP LLM05
7ToolAuthorizationCheckIngress + EgressSatan SBBShadow AI — unapproved tool — Zscaler #4
8SemanticDriftCheckEgressFramework OOBGoal Hijacking & Privilege Escalation — Zscaler #2 · OWASP LLM06
9ExecutionGuardCheckEgressFramework OOBDestructive execution — Zscaler #2 · OWASP LLM06
10PIIBoundaryCheckEgressFramework OOBSensitive Info Disclosure — OWASP LLM02
11HardcodedCredentialCheckEgressFramework OOBSupply chain / secret leakage — OWASP LLM03
12SystemPromptLeakageCheckEgressSatan SBBSystem Prompt Leakage — OWASP LLM07
13OutputSanitizationCheckEgressSatan SBBImproper Output Handling — OWASP LLM05
GuardianGovernanceAgent pre/postSatan SBBSemantic evasion of all 13 above (cross-cutting, optional)

Threat classes reference the OWASP Top 10 for LLM Applications. ToolArgumentCheck/ToolAuthorizationCheck run at both gates deliberately — ingress catches caller-supplied fields before Squad/Agent runs; egress catches a fresh tool call an agent generates mid-execution, which doesn't exist yet at ingress time. Same defense-in-depth principle as Guardian: additive, never a replacement.

Satan & Shield Are Symmetric

Every attack targets one specific check. A PASSED result doesn't mean Satan failed — it means Shield needs a new handler. That's the hardening loop.

Satan AttackShield Check
PromptInjectionAttackPromptInjectionCheck
SearchPoisoningAttackPromptInjectionCheck (real tool-response fetch)
PayloadFloodAttackInputSizeCheck
MemoryPoisoningAttackMemoryPoisoningCheck
RequestFloodAttackRequestFrequencyCheck
SemanticDriftAttackSemanticDriftCheck
ExecutionBypassAttackExecutionGuardCheck
PIIExfiltrationAttackPIIBoundaryCheck
ToolArgumentAttackToolArgumentCheck
HardcodedCredentialAttackHardcodedCredentialCheck
ShadowToolAttackToolAuthorizationCheck
SystemPromptLeakageAttackSystemPromptLeakageCheck
OutputSanitizationAttackOutputSanitizationCheck

Run It Yourself

pip install k9x-satan
k9x-satan          # foreground, opens the dashboard at localhost:6660
k9x-satan --bg     # or run it in the background

Own instance, own K9-AIF pipeline, own LLM endpoint — nothing sent to any shared deployment. pypi.org/project/k9x-satan