Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.q-uestionable.ai/llms.txt

Use this file to discover all available pages before exploring further.

The Chain module enables declarative composition of multi-step attack chains targeting complex AI system architectures. Define chains as YAML, execute them step-by-step, analyze blast radius, and generate detection rules.

Core Concepts

Attack Chains

An attack chain is a sequence of coordinated steps exploiting related vulnerabilities to achieve a specific objective. Chains model real-world attack paths:
  • Steps — Individual attack techniques (injection, escalation, poisoning)
  • Dependencies — Control flow: which steps execute and in what order
  • Trust Boundaries — Cross-system boundaries like agent-to-tool or agent-to-agent
  • Evidence — Artifacts and findings collected at each step

Categories

Chains target specific AI system architectures:
  • RAG Pipeline — Document retrieval systems with augmented generation
  • Agent Delegation — Multi-agent systems with tool sharing
  • MCP Ecosystem — Model Context Protocol server deployments
  • Hybrid — Mixed architectures with multiple interaction patterns

Dry-Run vs. Live Execution

Dry-run (default)
  • Traces the chain path without executing tool calls
  • Shows which steps would execute and trust boundaries crossed
  • Fast feedback for chain validation
  • Useful for planning and analysis
Live execution
  • Executes each step against real target systems
  • Collects actual findings and artifacts
  • Measures true blast radius
  • Requires target configuration

Execution Flow

  1. Load — Parse and validate chain YAML
  2. Plan — Resolve step dependencies and build execution graph
  3. Execute — Run each step in dependency order (or trace path in dry-run)
  4. Collect — Gather findings and trust boundary crossings
  5. Report — Generate results with blast radius analysis and detection rules

Key Modules

Each step declares which qai module provides its technique:
ModulePurposeValid Techniques
auditVulnerability scanningAny of the 10 scanner names (injection, auth, token_exposure, permissions, tool_poisoning, prompt_injection, audit_telemetry, supply_chain, shadow_servers, context_sharing)
injectPayload injection and escalationoutput_injection, cross_tool_escalation, description_poisoning
ipiIndirect prompt injection payloadsAny IPI format name (pdf, md, html, docx, ics, eml, image)
cxpContext file poisoningAny CXP format ID (cursorrules, claude-md, copilot-instructions, windsurf, cline, aider, codex, devin)
rxpRAG retrieval validationAny embedding model ID (minilm-l6, minilm-l12, bge-small, or HuggingFace model name)

Manual Gates

IPI and CXP steps support manual gates — the chain pauses after the step completes and waits for the researcher to perform a manual action (deploy payloads, open a repo in a coding assistant) before resuming. Set manual_gate: true in the step’s inputs to enable this. When a chain step has a manual gate, the web UI renders a deployment playbook with the same guidance blocks shown in standalone IPI and CXP runs (file inventory, trigger prompts, deployment steps, interpretation guide).

Trust Boundaries

Chains record which system boundaries are crossed during an attack:
  • tool-to-agent — Tool output reaches agent reasoning
  • agent-to-tool — Agent reasoning reaches tool invocation
  • agent-to-agent — One agent influences another
  • llm-to-agent — LLM output shapes agent decisions
  • user-to-system — External input enters the system
  • client-to-server — External input entering the server
  • agent-to-data — Agent accessing data stores or retrieval layers
These boundaries identify the critical points where an attacker gained influence or access.

Built-in Templates

qai includes six reference chains for common architectures:
  • delegation-hijack — Exploit weak tool trust in agent delegation (audit → inject)
  • mcp-server-compromise — Attack MCP server implementations (audit → inject)
  • rag-trust-escalation — Escalate from RAG retrieval to agent control (inject chain)
  • document-poisoning — Generate IPI payloads, deploy to target, audit for exploitation evidence (ipi → audit, manual gate)
  • context-poisoning — Build poisoned context repo, test in coding assistant, audit generated code (cxp → audit, manual gate)
  • rag-validation — Validate retrieval poisoning, then generate IPI payloads for the retrieval path (rxp → ipi, manual gate)
Use templates as starting points for custom chains.

Typical Workflow

  1. Define a chain in YAML describing your attack hypothesis
  2. Validate with qai chain validate to catch structural issues
  3. Dry-run with qai chain run --dry-run to trace the path
  4. Execute with qai chain run against real targets (live mode)
  5. Analyze blast radius with qai chain blast-radius
  6. Detect with qai chain detect to generate detection rules

What to Expect

Defining chains is manual YAML authoring — you describe an attack hypothesis as a sequence of steps. Validation and dry-run tracing are instant and automated. Live execution is automated but requires a configured target and LLM provider. Blast radius analysis and detection rule generation are automated post-processing on completed executions. All five testing modules (audit, inject, ipi, cxp, rxp) are valid chain steps. IPI and CXP steps support manual gates for human-in-the-loop testing.

Next Steps