Why Chain Matters
Real attacks against AI agent infrastructure are multi-step — compromise one server, escalate trust, pivot to the next. Chain provides a structured way to model these sequences, validate them against actual scanner and technique coverage, trace execution paths, and execute real attack chains against live targets.
How It Works
The chain workflow follows five steps:
- Define — Write an attack chain in YAML with ordered steps referencing audit scanners or inject techniques
- Validate — Check module and technique references, graph structure, and reachability
- Trace — Run the success path in dry-run mode to preview the execution sequence
- Execute — Run the chain against real targets with `--no-dry-run`, collecting step evidence and artifacts
- Analyze — Review the JSON report with step-by-step outcomes, trust boundaries crossed, and the AI-evaluation interpret prompt
Built-in Components
- YAML chain loader — Structural and semantic validation of chain definitions
- Graph analysis — Cycle detection and reachability analysis across chain steps
- Dry-run tracer — Produces ordered step traces without executing live campaigns
- Live execution engine — Dispatches steps to audit/inject, accumulates artifacts, routes on success/failure
- Variable resolution — Pass artifacts between steps via `$step_id.artifact_name` references
- Target configuration — `chain-targets.yaml` for audit connection details and inject model selection
- 3 built-in templates — Delegation hijack, MCP server compromise, and RAG trust escalation
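
The validation and graph-analysis checks listed above, sketched as an added example that is not the project's own code. The step keys `id`, `on_success`, `on_failure` and `inputs` and the sample chain are assumptions for illustration; only the `$step_id.artifact_name` reference form comes from this page.

```python
import re

# Constructed sample chain. The keys (id, on_success, on_failure, inputs) are
# assumptions for this example, not the tool's documented YAML schema.
CHAIN = [
    {"id": "discover", "on_success": "escalate", "on_failure": None, "inputs": {}},
    {"id": "escalate", "on_success": "pivot", "on_failure": "discover",
     "inputs": {"endpoint": "$discover.server_url"}},
    {"id": "pivot", "on_success": None, "on_failure": None,
     "inputs": {"token": "$escalte.session"}},  # misspelled step id on purpose
    {"id": "orphan", "on_success": None, "on_failure": None, "inputs": {}},
]

REF = re.compile(r"\$([A-Za-z_]\w*)\.([A-Za-z_]\w*)")  # $step_id.artifact_name

def validate(chain):
    """Return a list of (kind, step_id, detail) issues; empty means clean."""
    ids = [s["id"] for s in chain]
    known = set(ids)
    edges = {s["id"]: [t for t in (s.get("on_success"), s.get("on_failure")) if t]
             for s in chain}
    issues = []
    for s in chain:
        for t in edges[s["id"]]:
            if t not in known:  # routing points at a step that does not exist
                issues.append(("unknown_target", s["id"], t))
        for value in s.get("inputs", {}).values():
            for ref_step, _artifact in REF.findall(str(value)):
                if ref_step not in known:  # artifact reference to a missing step
                    issues.append(("unknown_ref", s["id"], ref_step))
    # Depth-first walk from the first step: an edge back to a step that is
    # still "open" is a cycle; steps never visited are unreachable.
    state = {}
    def visit(node):
        state[node] = "open"
        for nxt in edges[node]:
            if nxt not in known:
                continue
            if state.get(nxt) == "open":
                issues.append(("cycle", node, nxt))
            elif nxt not in state:
                visit(nxt)
        state[node] = "done"
    if ids:
        visit(ids[0])
    issues.extend(("unreachable", i, None) for i in ids if i not in state)
    return issues

if __name__ == "__main__":
    for issue in validate(CHAIN):
        print(issue)
```
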
Next Steps
- Chain CLI Reference — Command reference for `qai chain`
- Chain Templates — Built-in chain templates and custom chain authoring
- Chain Architecture — Module internals and execution engine design