SENTINEL provides free, auto-updated threat signatures for the community. No API key required!

Usage:

fetch('https://cdn.jsdelivr.net/gh/DmitrL-dev/AISecurity@latest/signatures/jailbreaks.json')
  .then(r => r.json())
  .then(patterns => console.log(`Loaded ${patterns.length} patterns`));

Features:

• ✅ Updated daily via GitHub Actions
• ✅ Free for commercial & non-commercial use
• ✅ Community contributions welcome (PRs to signatures/)
• ✅ Versioned releases for pinning

🔐 Signature Security:

🙏 Data Sources: HackAPrompt, TrustAIRLab, deepset, Lakera, verazuo, imoxto

Test your AI before attackers do!
The offensive counterpart to SENTINEL — same 96 engines, attack mode.

📁 Full source code: strike/ — Ready to use!

One-liner to scan a target:

# Build and run
docker build -f Dockerfile.strike -t sentinel-strike .
docker run --rm sentinel-strike https://target.com

# Or use docker-compose
docker-compose -f docker-compose.strike.yml run strike https://target.com

Available commands:

docker run --rm sentinel-strike --help              # Show help
docker run --rm sentinel-strike scan URL            # Quick scan
docker run --rm sentinel-strike attack URL          # Full attack
docker run --rm sentinel-strike recon URL           # Reconnaissance

Prompt Injection Detection Performance

┌─────────────────────────────────────────────────────────────────────────┐
│                    PROMPT INJECTION DETECTION                            │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│  Hybrid Ensemble    ████████████████████░░░░  85.1% Recall ⭐ BEST      │
│  Semantic Detector  ███████████████████░░░░░  84.2% Recall              │
│  Injection Engine   █████████░░░░░░░░░░░░░░░  36.4% Recall              │
│  Voice Jailbreak    █░░░░░░░░░░░░░░░░░░░░░░░   2.7% Recall              │
│                                                                          │
│  Dataset: 1,815 samples from 3 HuggingFace datasets                     │
│  True Positives: 1,026 / 1,206 attacks detected                          │
└─────────────────────────────────────────────────────────────────────────┘

Development Stage              Recall    True Positives
──────────────────────────────────────────────────────────
Baseline (regex only)           4.5%              9 TP
+ Pattern Expansion            38.5%            337 TP
+ Semantic Detector            64.2%            774 TP
+ Attack Prototypes (100+)     72.3%            872 TP
+ Threshold Optimization       79.1%            954 TP
★ Final Hybrid Ensemble        85.1%          1,026 TP  ← Current
──────────────────────────────────────────────────────────
                             +1,791% improvement!

flowchart LR
    subgraph Input
        A[User Prompt]
    end
    
    subgraph Detection["113 DETECTION ENGINES"]
        B[InjectionEngine<br/>Regex Patterns]
        C[SemanticDetector<br/>100+ Prototypes]
        D[VoiceJailbreak<br/>Phonetic Analysis]
    end
    
    subgraph Ensemble["Hybrid Ensemble"]
        E{OR Logic}
        F[Max Score]
    end
    
    subgraph Output
        G[Risk Score<br/>0.0 - 1.0]
        H{Decision}
        I[✅ SAFE]
        J[🚫 BLOCKED]
    end
    
    A --> B & C & D
    B --> E
    C --> E
    D --> E
    E --> F --> G --> H
    H -->|score < 0.7| I
    H -->|score ≥ 0.7| J
    
    style C fill:#4CAF50,color:#fff
    style E fill:#2196F3,color:#fff
    style J fill:#f44336,color:#fff

📁 Full results: benchmarks/BENCHMARK_REPORT.md
📊 Interactive charts: Download dashboard.html and open in browser

# Install dependencies
pip install -r requirements.txt

# Run full benchmark (requires sentence-transformers)
python benchmarks/benchmark_eval.py

# Generate charts
python benchmarks/benchmark_charts.py   # PNG (matplotlib)
python benchmarks/benchmark_plotly.py   # HTML (interactive)

Strange Math is SENTINEL's unique competitive advantage — applying cutting-edge mathematical techniques from 2024-2025 research papers to detect attacks that classical methods miss.

VR_ε(X) = {σ ⊆ X : d(x,y) ≤ ε for all x,y ∈ σ}

Betti numbers: β₀ (components), β₁ (loops), β₂ (voids)

Bottleneck Distance: d_B(Dgm₁, Dgm₂) = inf_γ sup_x ||x - γ(x)||_∞

from gudhi import RipsComplex
from gudhi.wasserstein import wasserstein_distance

def analyze_topology(embeddings: np.ndarray) -> TopologyResult:
    rips = RipsComplex(points=embeddings, max_edge_length=2.0)
    simplex_tree = rips.create_simplex_tree(max_dimension=2)
    persistence = simplex_tree.persistence()

    # Extract Betti numbers
    betti_0 = len([p for p in persistence if p[0] == 0])
    betti_1 = len([p for p in persistence if p[0] == 1])

    # Compare with baseline
    anomaly_score = wasserstein_distance(persistence, baseline_persistence)
    return TopologyResult(betti_0, betti_1, anomaly_score)

Protection against Vision-Language Model Multi-Faceted Attacks (arXiv 2024-2025).

The Problem: Modern VLMs accept images alongside text. Attackers hide malicious instructions in images.

Engines: Visual Content Analyzer | Cross-Modal Consistency | Adversarial Image Detector

Protection against AI Agent attacks based on TTPs.ai and NVIDIA AI Kill Chain.

Engines: RAG Guard | Probing Detection | Session Memory Guard | Tool Security | AI C2 | Attack Staging

File: brain/engines/ape_signatures.py (~300 LOC)

Purpose: Comprehensive database of AI Prompt Exploitation techniques (HiddenLayer APE Taxonomy).

Coverage: 15 techniques | 7 tactics | 100+ patterns

Protection for AI agent communication protocols (MCP, A2A, Agent Cards).

Engines: mcp_a2a_security | model_context_protocol_guard | agent_card_validator | nhi_identity_guard

Detection of gradual data contamination attacks.

Engines: bootstrap_poisoning | temporal_poisoning | multi_tenant_bleed | synthetic_memory_injection

Zero-day attack detection through physics-inspired anomaly analysis.

File: brain/engines/proactive_defense.py (~550 LOC)

Principles: Shannon Entropy | 2nd Law of Thermodynamics | Free Energy Principle | Boltzmann Distribution

Components: EntropyAnalyzer | InvariantChecker | ThermodynamicAnalyzer | ReputationManager

Response Tiers: ALLOW (< 0.3) → LOG (0.3-0.5) → WARN (0.5-0.7) → CHALLENGE (0.7-0.9) → BLOCK (> 0.9)

Deception technology, predictive security, and formal methods.

Engines: Honeypot Responses | Canary Tokens | Intent Prediction | Kill Chain Simulation | Runtime Guardrails | Formal Invariants

File: brain/engines/honeypot_responses.py (~400 LOC)

Theory: Deception-based defense embeds fake, trackable credentials into LLM responses. When an attacker extracts and uses these credentials, we get immediate alert.

How It Works:

User: "Show me the database config"
LLM Response (modified):
  host: db.internal.trap     ← honeypot
  password: TRAP-x7k2m9      ← tracked credential

If attacker uses TRAP-x7k2m9 anywhere → INSTANT ALERT

Why This Matters: Unlike detection (reactive), honeypots are proactive — they let attackers "succeed" but immediately expose them. Used by governments and banks for 20+ years.

Components:

• HoneypotGenerator: Creates realistic-looking credentials (API keys, passwords, database URLs)
• HoneypotInjector: Smartly places honeypots in responses based on context
• AlertManager: Monitors for honeypot usage across all incoming requests

File: brain/engines/canary_tokens.py (~380 LOC)

Theory: Invisible watermarking using zero-width Unicode characters. Every response is marked with hidden metadata that survives copy-paste.

Mathematical Foundation:

Binary data is encoded into zero-width characters:

'00' → U+200B (Zero-Width Space)
'01' → U+200C (Zero-Width Non-Joiner)
'10' → U+200D (Zero-Width Joiner)
'11' → U+2060 (Word Joiner)

Payload = JSON(user_id, session_id, timestamp)
Encoded = encode_binary_to_zerowidth(Payload)

Invisibility Property: Zero-width characters have no visual representation but persist through:

• Copy/paste operations
• Text reformatting
• Most text processing

Use Case:

Data leaked to internet → Extract zero-width chars → Decode JSON
→ "Leaked by user_id=123 at 2024-12-10T00:30:00"

File: brain/engines/adversarial_self_play.py (~450 LOC)

Theory: Inspired by DeepMind's AlphaGo/AlphaZero, this engine pits a Red Team AI against our defenses in an evolutionary loop.

Algorithm:

Generation 0:
  - Red generates 10 random attacks
  - Blue evaluates each attack
  - Calculate fitness = bypass_score

Generation N:
  - Select top 50% by fitness (survivors)
  - Mutate survivors (add prefix, change case, encode...)
  - Evaluate new population
  - Repeat

After K generations:
  - Best attacks reveal defense weaknesses
  - Generate improvement suggestions

Mutation Operators:

Output: List of successful bypass attacks + improvement suggestions for each vulnerability found.

File: brain/engines/intent_prediction.py (~420 LOC)

Theory: Models conversation as a Markov chain to predict attack probability before the attack completes.

Mathematical Foundation:

States: {BENIGN, CURIOUS, PROBING, TESTING, ATTACKING, JAILBREAKING, EXFILTRATING}

Transition Matrix P where P[i,j] = P(next_state = j | current_state = i):

          BENIGN  CURIOUS  PROBING  TESTING  ATTACKING
BENIGN    [0.85    0.10     0.04     0.01     0.00   ]
CURIOUS   [0.50    0.30     0.15     0.05     0.00   ]
PROBING   [0.20    0.20     0.30     0.20     0.10   ]
TESTING   [0.10    0.00     0.20     0.30     0.25   ]
ATTACKING [0.00    0.00     0.10     0.00     0.40   ]

Attack Probability Calculation:

Forward simulation through Markov chain:

P(attack within k steps) = Σᵢ P(reach attack state i at step ≤ k)

Using Chapman-Kolmogorov:
P^(k) = P × P × ... × P (k times)

Trajectory Analysis:

Detects escalation patterns:

[CURIOUS → PROBING → TESTING] → Escalation Score = 0.7
[PROBING → TESTING → ATTACKING] → Escalation Score = 1.0

Early Warning: Block predicted attacks BEFORE final payload delivers.

File: brain/engines/kill_chain_simulation.py (~400 LOC)

Theory: Virtually "plays out" an attack to its conclusion, estimating potential damage. Based on NVIDIA AI Kill Chain (Recon → Poison → Hijack → Persist → Impact).

Impact Assessment:

For each attack scenario, we simulate:

for stage in kill_chain:
    success_prob = stage.base_probability × (1 - defense_effectiveness)
    cumulative_prob *= success_prob

    if stage.succeeds:
        for impact in stage.potential_impacts:
            risk_score += impact.severity × cumulative_prob

Impact Types:

Use Case: Prioritize which attacks to block first based on actual potential damage, not just detection confidence.

File: brain/engines/runtime_guardrails.py (~380 LOC)

Theory: Monitor execution behavior, not just input text. Attacks that pass input filters may reveal themselves during execution.

Event Types Monitored:

Rule Engine:

class SuspiciousURLRule:
    patterns = [r"ngrok\.io", r"\d+\.\d+\.\d+\.\d+", r"\.tk$"]

    def check(event, history):
        if any(p.match(event.target) for p in patterns):
            return Alert(severity=HIGH, should_block=True)

Timing Analysis:

Interval < 10ms → Too fast (automated attack)
Interval > 30s  → Long pause (human reviewing results)

File: brain/engines/information_geometry.py (~350 LOC)

Theory: Treats probability distributions as points on a Riemannian manifold. The Fisher-Rao metric provides a natural distance measure that is invariant under reparametrization.

Mathematical Foundation:

Fisher Information Matrix:

g_ij(θ) = E[(∂/∂θᵢ log p(x|θ))(∂/∂θⱼ log p(x|θ))]

This is the metric tensor on the statistical manifold.

Fisher-Rao Distance:

d_FR(p, q) = 2 × arccos(BC(p, q))

where BC(p, q) = Σᵢ √(pᵢ × qᵢ)  (Bhattacharyya coefficient)

Why Fisher-Rao?

1. Unique invariance: Only Riemannian metric invariant under sufficient statistics
2. Information-theoretic meaning: Measures distinguishability of distributions
3. Geodesic distance: True "shortest path" on probability space

Manifold Regions:

d_FR ≤ 1.0  → SAFE (normal text)
d_FR ≤ 1.5  → BOUNDARY (unusual but not attack)
d_FR ≤ 2.0  → SUSPICIOUS (likely attack)
d_FR > 2.0  → ATTACK (high confidence)

Implementation:

1. Convert text to character distribution (categorical probability)
2. Compare with baseline English distribution
3. Calculate Fisher-Rao distance
4. Classify by manifold region

File: brain/engines/formal_invariants.py (~320 LOC)

Theory: Define mathematical properties that must ALWAYS hold. Violations indicate security issues with certainty, not probability.

Key Invariants:

1. No PII Leak Invariant:

∀ pii ∈ Output: pii ∈ Input

"PII in output must exist in input"
→ Prevents hallucinated/leaked personal data

2. No System Prompt Leak Invariant:

∀ seq ∈ (5-grams of Output): seq ∉ SystemPrompt

"No 5-word sequence from system prompt appears in output"
→ Prevents prompt extraction

3. Output Length Bound:

|Output| / |Input| ≤ 50

"Output cannot be more than 50x input length"
→ Prevents infinite generation exploits

4. Role Consistency:

∀ msg ∈ Messages:
  if msg.role = "user": "I am assistant" ∉ msg.content
  if msg.role = "assistant": "I am user" ∉ msg.content

"Roles cannot claim to be other roles"
→ Prevents role confusion attacks

Why Formal Methods?

Traditional detection: P(attack) = 0.95 (5% false negatives) Formal invariants: P(attack | invariant violated) = 1.0 (mathematical certainty)

File: brain/engines/gradient_detection.py (~280 LOC)

Theory: Adversarial attacks often create anomalous gradient patterns during model inference. By analyzing gradient-like features, we can detect attacks that look normal as text.

Gradient Features (Text Proxies):

Since we don't have direct model access, we use statistical proxies:

Anomaly Detection:

Adversarial perturbations often:
- Use Unicode lookalikes (high sparsity)
- Have unusual character distributions (high variance)
- Encode payloads (gradient masking patterns)

Perturbation Patterns:

File: brain/engines/compliance_engine.py (~350 LOC)

Theory: Maps security detections to regulatory requirements for automatic audit trail generation.

Supported Frameworks:

Control Mapping:

Detection: "Prompt injection blocked"

→ EU AI Act Article 15: "Resilience against manipulation"
→ NIST AI RMF MEASURE 2.6: "AI systems tested for adversarial attacks"
→ ISO 42001 8.4: "Security controls for AI systems"

Report Generation:

Automatic audit reports include:

• Event timeline (detections, blocks, alerts)
• Control coverage percentage
• Risk level assessment (EU AI Act: Minimal/Limited/High/Unacceptable)
• Evidence for compliance auditors

The "Judge over all" — central arbiter that aggregates all 58 detectors.

File: brain/engines/meta_judge.py (~700 LOC)

The Problem: 58 engines produce 58 verdicts. Which one is right?

Engine #1:  BLOCK (0.8)
Engine #2:  ALLOW (0.2)
Engine #15: WARN  (0.5)
...
Engine #58: BLOCK (0.9)

→ Final verdict = ???

Architecture:

                    ┌─────────────────────────────┐
                    │         Meta-Judge           │
                    └─────────────────────────────┘
                               ▲
        ┌──────────────────────┼──────────────────────┐
        │                      │                      │
┌───────────────┐    ┌───────────────┐    ┌───────────────┐
│ ClassicJudge  │    │  MathJudge    │    │ ResearchJudge │
│ (engines 1-5) │    │ (engines 6-11)│    │(engines 27-56)│
└───────────────┘    └───────────────┘    └───────────────┘

Functional Components:

Conflict Resolution Algorithm:

def resolve(verdicts: List[Verdict]) -> FinalVerdict:
    # 1. Critical Veto
    if any(v.severity == CRITICAL):
        return BLOCK  # No appeal possible

    # 2. Bayesian Update
    prior = 0.01  # Base attack probability

    for verdict in verdicts:
        likelihood_ratio = verdict.block_score / verdict.allow_score
        posterior = (prior * likelihood_ratio) /
                   (prior * likelihood_ratio + (1 - prior))

    # 3. Threshold Decision
    if posterior > 0.7: return BLOCK
    if posterior > 0.5: return CHALLENGE
    if posterior > 0.4: return WARN
    return ALLOW

Context Modifiers:

Policy Tiers:

Explainability Output:

{
  "verdict": "BLOCK",
  "confidence": 0.89,
  "primary_reason": "Prompt injection detected",
  "contributing_factors": [
    { "engine": "TDA Enhanced", "finding": "Topological anomaly" },
    { "engine": "Formal Invariants", "finding": "PII leak violation" },
    { "engine": "Intent Prediction", "finding": "Attack probability 78%" }
  ],
  "evidence": ["Pattern 'ignore previous' matched", "Entropy: 5.8 bits/char"],
  "appeal_token": "abc123",
  "processing_time_ms": 45.2
}

Unique Capabilities:

Autonomous AI agent for proactive threat detection:

Detected Threats:

• Slow & Low attacks (cumulative injection over time)
• Zero-day patterns (novel techniques similar to known attacks)
• Anomalous users (suspicious behavior profiles)
• Evasion attempts (detector bypass attempts)

Strange Math engines leverage GPU for:

• Embedding computation: Sentence-Transformers on CUDA
• Topological analysis: Gudhi + CuPy for Vietoris-Rips
• Matrix operations: PyTorch for spectral decomposition

import cupy as cp
from cupyx.scipy import sparse as cp_sparse

def gpu_spectral_analysis(attention_matrix: np.ndarray) -> np.ndarray:
    # Transfer to GPU
    gpu_matrix = cp.asarray(attention_matrix)

    # Compute Laplacian on GPU
    degree = cp.diag(gpu_matrix.sum(axis=1))
    laplacian = degree - gpu_matrix

    # Eigendecomposition on GPU
    eigenvalues = cp.linalg.eigvalsh(laplacian)

    # Transfer back to CPU
    return cp.asnumpy(eigenvalues)

While competitors rely on regex and simple ML classifiers, SENTINEL applies mathematics that is just starting to appear in research papers. This gives 2-3 years head start over the market.