Operate / Map / Validate
AIT is easiest to understand as three separate operator moves. They can be chained, but they do not have to be.
Operate
Use Seam when you want to see or change live agent traffic. This is the mitm6-like part of the toolkit: it only sees traffic routed through its listener, then it records, traces, and optionally rewrites complete decoded messages.
python3 -m ait.cli operate proxy \
--upstream http://127.0.0.1:8500 \
--rules agentic-redteam/seam/rules \
--serve
What to watch:
- A2A message/send records.
- MCP tools/call and tool-result records.
- Rule match and rewrite counters.
- Before/after decoded fields in the Message view.
- seam rules trace output when a rule does not fire.
Assay is not involved in this workflow.
Map
Use meshmapper after capture when you want to decide what to attack next. It reads transcripts and saved artifacts, builds a graph, and ranks likely trust/authority paths.
python3 -m ait.cli map run \
--transcript .ait/runs/<operate-run>/transcripts/proxy.json
python3 -m ait.cli map suggest --run .ait/runs/<map-run>
What to watch:
- Public or low-trust entry nodes.
- Privileged sinks such as billing, admin, policy, or sensitive tools.
- Implicit trust edges.
- Unsigned or unauthenticated identity metadata.
- Memory/context paths from untrusted sources into privileged actions.
meshmapper does not prove exploitation. It produces targeting hypotheses.
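The sketch below is an added illustration of what such a hypothesis can look like, not meshmapper's code or its ranking algorithm. It enumerates paths from low-trust entry nodes to privileged sinks and ranks them by how many hops lack authentication or a declared trust relationship. The edge schema, node names, and scoring are all assumptions constructed for this example.

```python
from collections import deque

# Constructed sample edges (hypothetical schema, not AIT's transcript format):
# (source, target, channel, authenticated, trust_declared)
EDGES = [
    ("public-chat", "triage-agent", "a2a", False, False),
    ("triage-agent", "billing-agent", "a2a", False, False),
    ("triage-agent", "kb-search", "mcp", True, True),
    ("billing-agent", "refund-tool", "mcp", True, False),
    ("partner-webhook", "billing-agent", "a2a", True, True),
]
ENTRY = {"public-chat", "partner-webhook"}  # low-trust entry nodes (assumed)
SINKS = {"refund-tool"}                     # privileged sinks (assumed)


def build_graph(edges):
    """Adjacency list; each hop records whether it is unauthenticated or implicit."""
    graph = {}
    for src, dst, channel, authenticated, declared in edges:
        graph.setdefault(src, []).append(
            {"to": dst, "channel": channel,
             "unauthenticated": not authenticated, "implicit": not declared})
    return graph


def paths_to_sinks(graph, entries, sinks, max_hops=6):
    """Breadth-first enumeration of simple paths from entry nodes to sinks."""
    found = []
    queue = deque((e, [e], []) for e in sorted(entries))
    while queue:
        node, nodes, hops = queue.popleft()
        if node in sinks:
            found.append((nodes, hops))
            continue
        if len(hops) >= max_hops:
            continue
        for edge in graph.get(node, []):
            if edge["to"] not in nodes:  # never revisit a node on the same path
                queue.append((edge["to"], nodes + [edge["to"]], hops + [edge]))
    return found


def rank(paths):
    """Most weak hops first; shorter paths win ties."""
    scored = []
    for nodes, hops in paths:
        weak = sum(1 for h in hops if h["unauthenticated"] or h["implicit"])
        scored.append({"path": nodes, "weak_hops": weak, "hops": len(hops)})
    return sorted(scored, key=lambda p: (-p["weak_hops"], p["hops"]))
```

Each ranked path is still only a hypothesis: the weak hops are where authentication or an explicit trust declaration is missing, and they are the places to review or harden first.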
Validate Impact
Use Assay when the result has to stand up as evidence. Assay repeats controlled routes through Seam and accepts success only when an oracle observes a side effect.
python3 -m ait.cli prove from-run \
--run .ait/runs/<operate-run> \
--case agentic-redteam/assay/cases/refund_tripwire.yaml
Use this when you need:
- client-facing impact evidence,
- technique comparisons,
- regression checks for agent defenses,
- research metrics,
- replayable proof artifacts.
Do not use Assay when you only need to intercept, inspect, or rewrite traffic. Seam already does that.