Offensive Demo Packs

Demo packs are operator descriptors for showing one offensive technique end to end. Proof-backed packs run a lab and produce Seam transcripts, meshmapper paths, an Assay finding, a report, and cockpit data. Seam-focused packs demonstrate a rewrite or trace pattern and call out the target-specific oracle work still needed.

python3 -m ait.cli demo list
python3 -m ait.cli demo show a2a-content-rewrite

Verify a pack before a live demo. Verification checks the descriptor, rule, fixture, payload files, expected rule id, touched decoded paths, and negative-control pairing. Seam-focused packs also run a fixture-backed seam rules test and store the result under workbench/demo-verifications/.

python3 -m ait.cli demo verify a2a-agent-card-spoof

Primary Packs

| Pack | Scenario | Expected rule | What to inspect |
|---|---|---|---|
| a2a-content-rewrite | Lab L6 content_rewrite | l6_content_rewrite_authorized_refund | A2A message/send text before/after, then Assay oracle delta. |
| mcp-tool-result-injection | Lab L6 tool_result_injection | l6_mcp_tool_result_policy_injection | MCP tool result rewrite, planner decision, tripwire proof. |
| memory-context-propagation | Lab L6 memory_context | l6_memory_context_injection | Memory write/read flow, injection path, vulnerable vs safe outcome. |

Run a proof-backed pack:

python3 -m ait.cli demo run a2a-content-rewrite --trials 1 --serve-live

The cockpit opens with the run artifacts. Start in Traffic, select the rewritten row, move to Message for before/after decoded bodies, then inspect Seam, meshmapper, and Assay.

Secondary Packs

| Pack | Proof status | Expected rule | Notes |
|---|---|---|---|
| a2a-agent-card-spoof | Seam evidence only | a2a_card_spoof | Shows Agent Card capability/auth manipulation. |
| a2a-task-artifact-status | Target-specific oracle required | a2a_task_status_override or a2a_task_artifact_injection | Useful for task lifecycle consumers. |
| mcp-tool-call-argument | Target-specific oracle required | mcp_tool_call_argument_rewrite | Shows MCP request-side argument rewriting. |
| mcp-stdio-argument | Target-specific oracle required | mcp_stdio_argument_spoof | Shows local MCP stdio wrapping and rewrite. |
| mcp-schema-poisoning | Target-specific oracle required | mcp_schema_poisoning_merge | Shows MCP tools/list schema and description poisoning. |
| mcp-tool-shadowing | Target-specific oracle required | mcp_tool_shadow_insert | Inserts a shadow tool into a tools/list result. |
| prompt-resource-leakage | Observe-first | mcp_prompt_resource_leakage_marker | Marks prompt/resource result content for downstream leakage testing. |
| credential-relay-observe | Observe-first | credential_relay_json_marker | Marks credential-like JSON body context crossing an agent boundary. |
| negative-control | Negative control | negative_control_no_match | Confirms a no-match control stays quiet. |

Show a descriptor before running:

python3 -m ait.cli demo show mcp-tool-result-injection --json

Descriptors include the fields an operator needs before presenting or adapting a pack:

  • proof status: proof-backed, operate-only, or negative control;
  • rule file, expected rule id, and fixture path;
  • payload files used by insert/merge/replace rules;
  • touched decoded paths and expected transcript shape;
  • target decision marker and expected meshmapper class;
  • cockpit walkthrough hints.

That metadata also feeds ait demo run and the cockpit, so the demo view can show exactly which decoded field should change instead of only linking to raw artifacts.

Presenter Checklist

  • Run ait demo verify <demo-id> before presenting a Seam-focused pack.
  • Confirm the expected rule id appears in the Seam tab.
  • Confirm the Traffic row has a rewrite badge when the pack is rewrite-backed.
  • Confirm the Message tab shows the exact decoded field before and after.
  • Confirm meshmapper shows the expected hypothesis class.
  • For proof-backed packs, confirm Assay reports delta_confirmed: true and links to oracle evidence.

Negative Controls

Every offensive pack should name a negative-control pair. The negative control is expected to stay quiet against the same fixture family. Use it when you want to show that a rule is matching the intended decoded shape, not every similar message.

python3 -m ait.cli demo verify negative-control
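The descriptor fields listed above and the negative-control pairing rule can be linted before a demo. This is an added example, not ait's own verifier: the descriptor keys, file paths and the two sample packs are assumptions constructed to mirror the page's field list, so adapt them to the real descriptor format.

```python
from pathlib import Path

# Constructed descriptors in an assumed shape (keys inferred from the page's field list).
PACKS = {
    "a2a-content-rewrite": {
        "proof_status": "proof-backed",
        "rule_file": "rules/l6_content_rewrite.yaml",
        "expected_rule_id": "l6_content_rewrite_authorized_refund",
        "fixture": "fixtures/a2a/message_send.json",
        "payload_files": ["payloads/authorized_refund.txt"],
        "touched_paths": ["params.message.parts[0].text"],
        "negative_control": "negative-control",
    },
    "negative-control": {
        "proof_status": "negative control",
        "rule_file": "rules/negative_control.yaml",
        "expected_rule_id": "negative_control_no_match",
        "fixture": "fixtures/a2a/message_send.json",
        "touched_paths": [],
    },
}
REQUIRED = ("proof_status", "rule_file", "expected_rule_id", "fixture", "touched_paths")

def lint_pack(demo_id, packs=PACKS, root=None):
    """Return the problems found in one descriptor; an empty list means it passes."""
    pack = packs[demo_id]
    problems = [f"missing field: {key}" for key in REQUIRED if key not in pack]
    if problems:
        return problems
    if root is not None:  # rule, fixture and payload files are only checked when a pack root is given
        for rel in [pack["rule_file"], pack["fixture"], *pack.get("payload_files", [])]:
            if not (Path(root) / rel).is_file():
                problems.append(f"file not found: {rel}")
    if pack["proof_status"] == "negative control":
        if pack["touched_paths"]:  # a control is expected to stay quiet, so it rewrites nothing
            problems.append("negative control must not touch decoded paths")
        return problems
    if not pack["touched_paths"]:
        problems.append("offensive pack lists no touched decoded paths")
    pair = pack.get("negative_control")
    if pair not in packs:
        return problems + ["no negative-control pair, or pair id unknown"]
    control = packs[pair]
    if control["proof_status"] != "negative control":
        problems.append(f"pair {pair} is not a negative control")
    if Path(control["fixture"]).parent != Path(pack["fixture"]).parent:  # same fixture family
        problems.append(f"pair {pair} uses a different fixture family")
    if control["expected_rule_id"] == pack["expected_rule_id"]:
        problems.append(f"pair {pair} shares the expected rule id")
    return problems
```

Run `lint_pack` over every id in the descriptor set before presenting; a pack with a non-empty problem list is not ready for the cockpit walkthrough.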