TachyonicTachyonic

Attack Catalog

16 attack categories aligned to OWASP LLM Top 10 and MITRE ATLAS

Tachyonic ships 186 attack patterns across 16 categories — 144 from the open attack taxonomy plus 42 built-in offensive modules. Each attack is mapped to the OWASP LLM Top 10 2025 and MITRE ATLAS.

Categories

Prompt Injection (LLM01)

Direct prompt injection attacks that attempt to override system instructions, extract hidden context, or alter model behavior through crafted user input.

  • 20 attack definitions (PI-001 to PI-020)
  • Tests: instruction override, role hijacking, delimiter attacks, encoding bypass

System Prompt Extraction (LLM01)

Attempts to leak the system prompt or hidden instructions configured by the developer.

  • 12 attack definitions (SPL-001 to SPL-012)
  • Tests: direct extraction, indirect leakage, format manipulation

Jailbreak (LLM01)

Guardrail bypass techniques that attempt to make the model ignore safety constraints.

  • 22 attack definitions (JB-001 to JB-022)
  • Tests: DAN prompts, character roleplay, encoding tricks, multi-language bypass, hypothetical framing

Indirect Injection (LLM01)

Attacks that inject malicious instructions through external data sources (RAG documents, tool responses, web content) rather than direct user input.

  • Requires RAG-enabled targets

Tool Abuse (LLM06)

Manipulation of tool/function calling to achieve unintended actions.

  • 12 attack definitions (EA-001 to EA-012)
  • Tests: parameter manipulation, tool chaining, path traversal via tools, SQL injection via tools, SSRF via API tools

Multi-Turn Manipulation (LLM01)

Attacks that build context across multiple conversation turns to gradually shift model behavior.

  • 8 attack definitions (MT-001 to MT-008)
  • Tests: context poisoning, incremental jailbreak, trust building

Vision Injection (LLM01)

Attacks targeting vision-enabled models through crafted images.

  • 12 attack definitions (VI-001 to VI-012)
  • Tests: text-in-image injection, steganographic payloads, adversarial patches
  • Requires vision-capable target

Sensitive Disclosure (LLM02)

Attempts to extract sensitive information, PII, credentials, or internal data from model responses.

  • 10 attack definitions (SID-001 to SID-010)
  • Tests: social engineering, data exfiltration, credential harvesting

Supply Chain (LLM05)

Attacks targeting the model's dependency chain, including tool schemas, plugins, and external integrations.

  • 8 attack definitions (SC-001 to SC-008)
  • Tests: tool schema poisoning, dependency confusion, plugin backdoor

Improper Output (LLM09)

Testing for unsafe output that could be used for downstream attacks (XSS, code injection, etc.).

  • 8 attack definitions (IOH-001 to IOH-008)
  • Tests: code generation safety, HTML/JS injection, command injection in generated code

Unbounded Consumption (LLM10)

Resource exhaustion attacks that attempt to consume excessive compute, tokens, or time.

  • 2 attack definitions (UC-001 to UC-002)
  • Tests: recursive expansion, infinite loop prompts

Permission Escalation (LLM06)

Attacks that attempt to escalate privileges within agent systems, bypassing authorization controls.

  • Tests: admin impersonation, token privilege escalation, cross-tenant data access, role confusion

Multi-Agent Injection (LLM06)

Attacks targeting multi-agent architectures where multiple AI agents collaborate.

  • Tests: orchestrator override, agent impersonation, inter-agent prompt injection

Misinformation (LLM09)

Attempts to generate convincing false information or manipulate factual outputs.

Vector Embedding (LLM08)

Manipulation of vector embeddings and semantic search systems.

  • 8 attack definitions (VE-001 to VE-008)

Video Injection (LLM01)

Attacks targeting video-processing models.

Severity Levels

LevelWeightDescription
Critical5.0Remote code execution, credential leakage, full system compromise
High3.0Data exfiltration, privilege escalation, safety bypass
Medium2.0Information disclosure, partial guardrail bypass
Low1.0Minor information leakage, low-impact behavior change
Info0.5Informational findings, no direct security impact

Resistance Score

After a scan, Tachyonic calculates a resistance score from 0-100:

ScoreRating
90-100Excellent
75-89Good
50-74Fair
25-49Poor
0-24Critical

The score is severity-weighted — a single critical finding has more impact than multiple low findings.

Custom Heuristics

Attack definitions are YAML files. Set HEURISTICS_PATH to load a custom attack library:

export HEURISTICS_PATH=/path/to/your/attacks
tachyonic scan --target ... --include-builtin

See the attack schema for the YAML format.

CI/CD Integration

Run Tachyonic security scans in GitHub Actions, GitLab CI, and other CI/CD pipelines

Detection and Triage

How Tachyonic detects vulnerabilities and reduces false positives

On this page

CategoriesPrompt Injection (LLM01)System Prompt Extraction (LLM01)Jailbreak (LLM01)Indirect Injection (LLM01)Tool Abuse (LLM06)Multi-Turn Manipulation (LLM01)Vision Injection (LLM01)Sensitive Disclosure (LLM02)Supply Chain (LLM05)Improper Output (LLM09)Unbounded Consumption (LLM10)Permission Escalation (LLM06)Multi-Agent Injection (LLM06)Misinformation (LLM09)Vector Embedding (LLM08)Video Injection (LLM01)Severity LevelsResistance ScoreCustom Heuristics