@blamejs/exceptd-skills 0.9.5 → 0.10.1

@@ -0,0 +1,1073 @@
1
+ {
2
+ "_meta": {
3
+ "id": "ai-api",
4
+ "version": "1.0.0",
5
+ "last_threat_review": "2026-05-11",
6
+ "threat_currency_score": 95,
7
+ "changelog": [
8
+ {
9
+ "version": "1.0.0",
10
+ "date": "2026-05-11",
11
+ "summary": "Initial seven-phase AI-API C2 + credential-exposure playbook. Covers SesameOp / PROMPTFLUX / PROMPTSTEAL behavioral signatures (ATLAS AML.T0096), dotfile API-key inventory (Anthropic / OpenAI / Gemini), and cloud credential exposure (~/.aws/credentials, ~/.config/gcloud, ~/.kube/config) that an AI-API C2 adversary would harvest. Full GRC closure with EU AI Act + NIS2 + DORA notification clocks.",
12
+ "cves_added": [],
13
+ "framework_gaps_updated": [
14
+ "nist-800-53-SI-3",
15
+ "nist-800-53-SC-7",
16
+ "nist-800-53-AC-2",
17
+ "iso-27001-2022-A.8.16",
18
+ "soc2-CC7",
19
+ "eu-ai-act-art15"
20
+ ]
21
+ }
22
+ ],
23
+ "owner": "@blamejs/ai-security",
24
+ "air_gap_mode": false,
25
+ "scope": "service",
26
+ "preconditions": [
27
+ {
28
+ "id": "filesystem-read",
29
+ "description": "Agent must be able to read the user's home directory.",
30
+ "check": "agent_has_filesystem_read == true",
31
+ "on_fail": "halt"
32
+ },
33
+ {
34
+ "id": "network-baseline-available",
35
+ "description": "Network-egress baseline (netstat / ss / packet capture) should be available for behavioral detection of AI-API beaconing. If absent, behavioral indicators downgrade to inconclusive.",
36
+ "check": "agent_has_command('ss') OR agent_has_command('netstat') OR agent_has_command('lsof')",
37
+ "on_fail": "warn"
38
+ }
39
+ ],
40
+ "mutex": [],
41
+ "feeds_into": [
42
+ {
43
+ "playbook_id": "framework",
44
+ "condition": "analyze.compliance_theater_check.verdict == 'theater'"
45
+ },
46
+ {
47
+ "playbook_id": "sbom",
48
+ "condition": "analyze.blast_radius_score >= 4"
49
+ },
50
+ {
51
+ "playbook_id": "mcp",
52
+ "condition": "finding.includes_mcp_server_credential_exposure == true"
53
+ }
54
+ ]
55
+ },
56
+ "domain": {
57
+ "name": "AI-API as covert command-and-control + dotfile credential exposure",
58
+ "attack_class": "ai-c2",
59
+ "atlas_refs": [
60
+ "AML.T0096",
61
+ "AML.T0017"
62
+ ],
63
+ "attack_refs": [
64
+ "T1071",
65
+ "T1102",
66
+ "T1568",
67
+ "T1552.001",
68
+ "T1555"
69
+ ],
70
+ "cve_refs": [],
71
+ "cwe_refs": [
72
+ "CWE-522",
73
+ "CWE-256",
74
+ "CWE-798",
75
+ "CWE-312"
76
+ ],
77
+ "d3fend_refs": [
78
+ "D3-CA",
79
+ "D3-NTA",
80
+ "D3-NTPM",
81
+ "D3-IOPR",
82
+ "D3-NI"
83
+ ],
84
+ "frameworks_in_scope": [
85
+ "nist-800-53",
86
+ "nist-csf-2",
87
+ "iso-27001-2022",
88
+ "soc2",
89
+ "pci-dss-4",
90
+ "nis2",
91
+ "dora",
92
+ "eu-ai-act",
93
+ "uk-caf",
94
+ "au-ism",
95
+ "au-essential-8",
96
+ "hipaa",
97
+ "cmmc"
98
+ ]
99
+ },
100
+ "phases": {
101
+ "govern": {
102
+ "jurisdiction_obligations": [
103
+ {
104
+ "jurisdiction": "EU",
105
+ "regulation": "NIS2 Art.23",
106
+ "obligation": "notify_regulator",
107
+ "window_hours": 24,
108
+ "clock_starts": "detect_confirmed",
109
+ "evidence_required": [
110
+ "affected_host_inventory",
111
+ "ai_api_endpoint_beaconing_evidence",
112
+ "credential_exposure_scope",
113
+ "interim_isolation_record"
114
+ ]
115
+ },
116
+ {
117
+ "jurisdiction": "EU",
118
+ "regulation": "NIS2 Art.23",
119
+ "obligation": "notify_regulator",
120
+ "window_hours": 72,
121
+ "clock_starts": "analyze_complete",
122
+ "evidence_required": [
123
+ "full_incident_assessment",
124
+ "credential_rotation_record",
125
+ "remediation_plan"
126
+ ]
127
+ },
128
+ {
129
+ "jurisdiction": "EU",
130
+ "regulation": "DORA Art.19",
131
+ "obligation": "notify_regulator",
132
+ "window_hours": 4,
133
+ "clock_starts": "detect_confirmed",
134
+ "evidence_required": [
135
+ "initial_notification",
136
+ "ict_third_party_dependencies",
137
+ "financial_data_exposure_scope"
138
+ ]
139
+ },
140
+ {
141
+ "jurisdiction": "EU",
142
+ "regulation": "EU AI Act Art.73",
143
+ "obligation": "notify_regulator",
144
+ "window_hours": 360,
145
+ "clock_starts": "analyze_complete",
146
+ "evidence_required": [
147
+ "serious_incident_assessment",
148
+ "ai_system_misuse_evidence",
149
+ "tool_provenance_audit"
150
+ ]
151
+ },
152
+ {
153
+ "jurisdiction": "EU",
154
+ "regulation": "GDPR Art.33",
155
+ "obligation": "notify_supervisory_authority",
156
+ "window_hours": 72,
157
+ "clock_starts": "detect_confirmed",
158
+ "evidence_required": [
159
+ "personal_data_scope_assessment",
160
+ "high_risk_to_data_subjects_determination",
161
+ "containment_measures"
162
+ ]
163
+ },
164
+ {
165
+ "jurisdiction": "AU",
166
+ "regulation": "APRA CPS 234",
167
+ "obligation": "notify_regulator",
168
+ "window_hours": 72,
169
+ "clock_starts": "validate_complete",
170
+ "evidence_required": [
171
+ "materiality_assessment",
172
+ "remediation_completed_evidence"
173
+ ]
174
+ }
175
+ ],
176
+ "theater_fingerprints": [
177
+ {
178
+ "pattern_id": "egress-allowlist-with-ai-vendors-open",
179
+ "claim": "Egress is allowlisted — only approved domains permitted (SC-7 / A.8.16 / CC7).",
180
+ "fast_detection_test": "Walk the egress allowlist. If api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, *.azure.com, or equivalent AI-vendor endpoints are wholesale-permitted with no per-process restriction or no DLP on payloads, the allowlist gates business websites and leaves the AI-API C2 channel wide open. Theater unless AI-API endpoints are gated by (a) per-process allowlist, (b) bearer-token attribution, AND (c) request/response content inspection or rate baselining.",
181
+ "implicated_controls": [
182
+ "nist-800-53-SC-7",
183
+ "iso-27001-2022-A.8.16",
184
+ "soc2-CC7"
185
+ ]
186
+ },
187
+ {
188
+ "pattern_id": "ac-2-passes-when-ai-account-misused",
189
+ "claim": "Logical access control (AC-2 / CC6) is operating — only authorized identities access sensitive resources.",
190
+ "fast_detection_test": "Pick any AI-API-using service account on the host. Confirm whether that account's API key has been used for unexpected workloads (extremely high token count, response sizes far from baseline, time-of-day pattern outside normal usage). If anomalies exist, the AC-2 audit was checking that the account was authorized — not that the authorization wasn't abused as a C2 vehicle.",
191
+ "implicated_controls": [
192
+ "nist-800-53-AC-2",
193
+ "soc2-CC6"
194
+ ]
195
+ },
196
+ {
197
+ "pattern_id": "secrets-scan-of-repos-only",
198
+ "claim": "Secrets scanning is in place — all repositories scanned for committed keys (CM-7 / A.8.30).",
199
+ "fast_detection_test": "Inspect the runtime developer endpoint, not the repo. Read ~/.bashrc, ~/.zshrc, ~/.profile, ~/.config/fish/, ~/.aws/credentials, ~/.config/gcloud/credentials.db, ~/.kube/config, ~/.netrc, ~/.docker/config.json, ~/.npmrc, and assistant-specific dotfiles (~/.codeium, ~/.cursor, ~/.claude). If long-lived API keys exist in any of these but the org's secrets-scanning program only scans repos, the program is structurally blind to where exfiltration actually originates.",
200
+ "implicated_controls": [
201
+ "nist-800-53-IA-5",
202
+ "iso-27001-2022-A.8.30",
203
+ "soc2-CC6"
204
+ ]
205
+ },
206
+ {
207
+ "pattern_id": "ai-traffic-classified-as-business-as-usual",
208
+ "claim": "SOC 2 CC7 anomaly detection covers all egress — baseline established.",
209
+ "fast_detection_test": "Ask the SOC for an example anomaly that was triaged in the last 30 days where the source was AI-API traffic. If they cannot produce one, the baseline is treating AI-API traffic as legitimate by definition — which is exactly the SesameOp adversary's bet. Theater unless AI-API egress has its own behavioral baseline distinct from SaaS API traffic.",
210
+ "implicated_controls": [
211
+ "soc2-CC7",
212
+ "iso-27001-2022-A.8.16"
213
+ ]
214
+ }
215
+ ],
216
+ "framework_context": {
217
+ "gap_summary": "Anomaly-detection and egress-control frameworks were drafted against attacker C2 over commodity protocols (HTTP, DNS, IRC) and named-and-shamed bad endpoints. AI-API C2 (SesameOp pattern, ATLAS AML.T0096) routes over TLS-protected, vendor-operated, fully-legitimate endpoints (OpenAI, Anthropic, Google, Azure) using bearer-token auth that the org issued. The C2 channel and the legitimate developer workflow are indistinguishable at the network layer. NIST 800-53 SI-3 (malicious-code protection) is signature-and-behavioral but has no AI-API baseline. SC-7 (boundary protection) trivially permits api.openai.com because the org needs it for developer productivity. AC-2 (account management) confirms that the AI service account was authorized — and the SesameOp adversary's design depends on exactly that. SOC 2 CC7 (anomaly detection) is the closest control but in practice nearly always classifies AI-API egress as business-as-usual. EU AI Act Art.15 draws the system boundary around the model and does not contemplate the AI API itself as exfil transport. Compounding the visibility gap: dotfile API keys (Anthropic / OpenAI / Gemini) sit at the user-home layer where secrets-scanning programs (typically repo-scanning) never look — and an attacker with userland code execution can read them in milliseconds.",
218
+ "lag_score": 190,
219
+ "per_framework_gaps": [
220
+ {
221
+ "framework": "nist-800-53",
222
+ "control_id": "SI-3",
223
+ "designed_for": "Malicious-code protection — signature-based AV/EDR with behavioral overlays.",
224
+ "insufficient_because": "AI-API C2 traffic carries no malicious payload signature; the encoding is semantically valid text traveling over legitimate vendor TLS endpoints. EDR has no detection primitive for 'this API conversation is C2-shaped'."
225
+ },
226
+ {
227
+ "framework": "nist-800-53",
228
+ "control_id": "SC-7",
229
+ "designed_for": "Boundary protection — perimeter egress filtering.",
230
+ "insufficient_because": "AI-API endpoints are required for developer productivity. Boundary control trivially permits them, defeating C2 detection at the network layer."
231
+ },
232
+ {
233
+ "framework": "nist-800-53",
234
+ "control_id": "AC-2",
235
+ "designed_for": "Account management — authorized identities and access.",
236
+ "insufficient_because": "The AI service account is authorized; the attacker's C2 uses the account's authorized identity. AC-2 audits show the account was authorized to access the AI API — true and unhelpful."
237
+ },
238
+ {
239
+ "framework": "iso-27001-2022",
240
+ "control_id": "A.8.16",
241
+ "designed_for": "Monitoring activities — anomaly detection and alerting.",
242
+ "insufficient_because": "Monitoring baselines were established for SaaS API traffic; AI-API traffic patterns differ (long sequences, high token counts) but pass as legitimate developer workflow."
243
+ },
244
+ {
245
+ "framework": "soc2",
246
+ "control_id": "CC7",
247
+ "designed_for": "System operations — anomaly and incident detection.",
248
+ "insufficient_because": "No defined baseline for AI-API egress; AI traffic classified as business-as-usual."
249
+ },
250
+ {
251
+ "framework": "eu-ai-act",
252
+ "control_id": "Art.15",
253
+ "designed_for": "High-risk AI system robustness and cybersecurity.",
254
+ "insufficient_because": "System boundary drawn around the model. AI API used as transport for non-AI-system C2 is out of scope of Art.15 even though the AI provider's infrastructure carries the traffic."
255
+ },
256
+ {
257
+ "framework": "soc2",
258
+ "control_id": "CC6",
259
+ "designed_for": "Logical and physical access controls.",
260
+ "insufficient_because": "Same as AC-2 — authorized service account, no access-control finding even when account is being abused as C2."
261
+ }
262
+ ]
263
+ },
264
+ "skill_preload": [
265
+ "ai-c2-detection",
266
+ "framework-gap-analysis",
267
+ "compliance-theater",
268
+ "global-grc",
269
+ "policy-exception-gen"
270
+ ]
271
+ },
272
+ "direct": {
273
+ "threat_context": "AI-as-C2 landscape mid-2026: SesameOp campaign (ATLAS AML.T0096) — the canonical pattern of adversaries repurposing AI agent APIs as covert C2 — has been replicated and expanded across multiple threat actor sets through Q1-Q2 2026. PROMPTFLUX (Mandiant attribution, late 2025) demonstrated polymorphic AI-API C2 with rotating encoding schemes per session. PROMPTSTEAL extended the pattern to RAG-pipeline poisoning where stored AI conversations carry exfiltrated content. The technical pattern: compromised host encodes commands or exfiltrated data as base64 (or homoglyphs, or natural-language-shaped payloads) inside semantically valid prompts to OpenAI / Anthropic / Google / Azure AI endpoints; attacker reads the relayed payload via the legitimate API. The AI API is transport — not the attacker's infrastructure. Detection at the network layer: nearly impossible without behavioral baselining specific to AI-API traffic. Detection at the host layer: requires monitoring the process that originates the API calls (rogue process talking to api.openai.com from an unexpected service account is the strongest signal). Companion attack: credential harvesting from dotfiles. Once userland code execution is achieved (via MCP supply-chain, prompt injection, or AI-API C2 delivered payload), attacker reads ~/.aws/credentials, ~/.config/gcloud, ~/.kube/config, ~/.netrc, ~/.docker/config.json, vendor dotfiles, npm tokens — the modern developer endpoint is a credential warehouse. Cleartext API keys in dotfiles are documented in ~70% of developer-endpoint forensic reviews. Compliance frameworks have not caught up: NIST SI-3/SC-7, ISO A.8.16, SOC 2 CC7 do not have AI-API baselines and treat the channel as business-as-usual.",
274
+ "rwep_threshold": {
275
+ "escalate": 75,
276
+ "monitor": 40,
277
+ "close": 25
278
+ },
279
+ "framework_lag_declaration": "NIST 800-53 SI-3/SC-7/AC-2, ISO 27001:2022 A.8.16, SOC 2 CC6/CC7, EU AI Act Art.15 are all structurally insufficient for AI-API C2. The shared failure: each control treats the AI API endpoint as a legitimate authorized SaaS, the service account using it as authorized, and the traffic over it as business-as-usual. The SesameOp pattern operates entirely inside that authorized envelope. Until frameworks add 'AI-API egress baseline + content inspection + bearer-token-to-process attribution' controls, anomaly-detection audit opinions provide zero signal about AI-as-C2 exposure. Companion gap: secrets-management controls (IA-5, A.8.5) focus on repository-committed keys and ignore the dotfile credential surface where most developer keys actually live. Lag = ~190 days behind the SesameOp pattern's first documentation; no framework body has issued draft language as of 2026-05-11.",
280
+ "skill_chain": [
281
+ {
282
+ "skill": "ai-c2-detection",
283
+ "purpose": "Inventory installed AI SDKs (anthropic, openai, google-generativeai, azure-ai), enumerate processes communicating with AI-API endpoints, baseline behavior, detect SesameOp / PROMPTFLUX behavioral signatures.",
284
+ "required": true
285
+ },
286
+ {
287
+ "skill": "framework-gap-analysis",
288
+ "purpose": "Map each detected exposure to the specific framework control that should have caught it and why it didn't.",
289
+ "required": true
290
+ },
291
+ {
292
+ "skill": "compliance-theater",
293
+ "purpose": "Run the four theater tests in govern.theater_fingerprints; emit verdict.",
294
+ "required": true
295
+ },
296
+ {
297
+ "skill": "global-grc",
298
+ "purpose": "Cross-walk findings to per-jurisdiction notification obligations including GDPR Art.33 (personal data exfil), EU AI Act Art.73 (serious incident), NIS2 Art.23, DORA Art.19.",
299
+ "skip_if": "jurisdiction_obligations.length == 0",
300
+ "required": false
301
+ },
302
+ {
303
+ "skill": "policy-exception-gen",
304
+ "purpose": "If AI-API egress cannot be gated within compliance window, generate defensible exception with compensating controls.",
305
+ "skip_if": "close.exception_generation.trigger_condition == false",
306
+ "required": false
307
+ }
308
+ ],
309
+ "token_budget": {
310
+ "estimated_total": 22000,
311
+ "breakdown": {
312
+ "govern": 2800,
313
+ "direct": 1600,
314
+ "look": 2600,
315
+ "detect": 3400,
316
+ "analyze": 4800,
317
+ "validate": 3900,
318
+ "close": 2900
319
+ }
320
+ }
321
+ },
322
+ "look": {
323
+ "artifacts": [
324
+ {
325
+ "id": "shell-rc-files",
326
+ "type": "config_file",
327
+ "source": "$HOME/.bashrc, $HOME/.bash_profile, $HOME/.zshrc, $HOME/.zprofile, $HOME/.profile, $HOME/.config/fish/config.fish, $HOME/.config/fish/conf.d/*",
328
+ "description": "Shell init files frequently contain exported API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, AZURE_OPENAI_KEY).",
329
+ "required": true
330
+ },
331
+ {
332
+ "id": "dotfile-api-keys",
333
+ "type": "config_file",
334
+ "source": "$HOME/.openai, $HOME/.anthropic, $HOME/.config/anthropic, $HOME/.config/openai, $HOME/.gemini, $HOME/.config/google-genai, $HOME/.config/azure-openai, $HOME/.huggingface/token, $HOME/.cohere",
335
+ "description": "Vendor-specific token dotfiles. Cleartext API keys at user-home layer.",
336
+ "required": true
337
+ },
338
+ {
339
+ "id": "aws-credentials",
340
+ "type": "config_file",
341
+ "source": "$HOME/.aws/credentials, $HOME/.aws/config",
342
+ "description": "AWS access keys and SSO config — high-value harvest target.",
343
+ "required": true
344
+ },
345
+ {
346
+ "id": "gcp-credentials",
347
+ "type": "config_file",
348
+ "source": "$HOME/.config/gcloud/application_default_credentials.json, $HOME/.config/gcloud/credentials.db, $HOME/.config/gcloud/legacy_credentials/*/adc.json",
349
+ "description": "GCP application-default and account credentials.",
350
+ "required": true
351
+ },
352
+ {
353
+ "id": "kube-config",
354
+ "type": "config_file",
355
+ "source": "$HOME/.kube/config, $KUBECONFIG (if set)",
356
+ "description": "Kubernetes contexts including production cluster tokens.",
357
+ "required": true
358
+ },
359
+ {
360
+ "id": "docker-config",
361
+ "type": "config_file",
362
+ "source": "$HOME/.docker/config.json",
363
+ "description": "Container registry auth — frequently long-lived tokens.",
364
+ "required": false
365
+ },
366
+ {
367
+ "id": "npmrc-pyrc-cargo",
368
+ "type": "config_file",
369
+ "source": "$HOME/.npmrc, $HOME/.pypirc, $HOME/.cargo/credentials.toml, $HOME/.gem/credentials, $HOME/.ssh/config",
370
+ "description": "Package-registry tokens and SSH config (with possible IdentityFile leaking key paths).",
371
+ "required": false
372
+ },
373
+ {
374
+ "id": "netrc",
375
+ "type": "config_file",
376
+ "source": "$HOME/.netrc",
377
+ "description": "Generic per-host basic-auth credentials (curl, git, hg).",
378
+ "required": false
379
+ },
380
+ {
381
+ "id": "ai-sdk-inventory",
382
+ "type": "process_list",
383
+ "source": "pip list --format=json | grep -Ei 'anthropic|openai|google-generativeai|google-cloud-aiplatform|azure-ai|cohere|huggingface' AND npm ls -g --depth=0 --json | grep -Ei '@anthropic-ai|openai|@google/generative-ai|@azure/openai'",
384
+ "description": "Installed AI SDK packages — identifies which AI vendors are integrated.",
385
+ "required": false
386
+ },
387
+ {
388
+ "id": "ai-api-egress-baseline",
389
+ "type": "network_capture",
390
+ "source": "ss -tnp 2>/dev/null | grep -E '(api.openai.com|api.anthropic.com|generativelanguage.googleapis.com|.cognitiveservices.azure.com|.openai.azure.com)' AND lsof -i 2>/dev/null | grep -E '(443|https)' filtered to same domains",
391
+ "description": "Currently-established connections to AI-API endpoints. Identifies which processes own the connection.",
392
+ "required": false,
393
+ "air_gap_alternative": "If no network introspection available, mark behavioral signals inconclusive; rely on dotfile-credential indicators alone."
394
+ },
395
+ {
396
+ "id": "process-list",
397
+ "type": "process_list",
398
+ "source": "ps -ef OR ps -axu",
399
+ "description": "Process list — needed to attribute AI-API egress to a process and confirm whether it is expected.",
400
+ "required": true
401
+ },
402
+ {
403
+ "id": "assistant-config",
404
+ "type": "config_file",
405
+ "source": "$HOME/.cursor/*, $HOME/.claude/*, $HOME/.config/claude/*, $HOME/.codeium/*, $HOME/.gemini/*, $HOME/.config/Code/User/settings.json",
406
+ "description": "AI coding assistant configuration — includes per-assistant API keys and MCP server connections that may also speak to AI APIs.",
407
+ "required": false
408
+ },
409
+ {
410
+ "id": "egress-policy",
411
+ "type": "config_file",
412
+ "source": "Org's documented egress allowlist (firewall config, proxy config, DLP policy)",
413
+ "description": "Used to test theater fingerprint #1 (allowlist-with-ai-vendors-open).",
414
+ "required": false,
415
+ "air_gap_alternative": "If unavailable on the host, mark as inconclusive and surface as a 'cannot test allowlist theater' note."
416
+ }
417
+ ],
418
+ "collection_scope": {
419
+ "time_window": "current",
420
+ "asset_scope": "local_host_developer_or_ai_workload",
421
+ "depth": "deep",
422
+ "sampling": "single-host point-in-time inventory. Network-traffic baseline (for behavioral detection of beaconing) requires longer collection window (30d) at the boundary; this playbook's host phase captures the present state and references boundary-collected baseline if available."
423
+ },
424
+ "environment_assumptions": [
425
+ {
426
+ "assumption": "host is a developer endpoint, AI workload host, OR a host with at least one AI SDK installed",
427
+ "if_false": "Investigation may still apply if dotfile credentials are present but AI SDKs absent (credential exposure without AI-API C2 vector). Continue with credential-exposure branch only; mark AI-API C2 branch not-applicable."
428
+ },
429
+ {
430
+ "assumption": "agent has read access to $HOME and its dot-prefixed files",
431
+ "if_false": "Halt — credential exposure investigation cannot proceed without home-directory read access."
432
+ },
433
+ {
434
+ "assumption": "network introspection (ss / netstat / lsof) is available",
435
+ "if_false": "Behavioral AI-API C2 indicators downgrade to inconclusive; rely on dotfile-credential indicators and on AI SDK installation status."
436
+ }
437
+ ],
438
+ "fallback_if_unavailable": [
439
+ {
440
+ "artifact_id": "ai-api-egress-baseline",
441
+ "fallback_action": "use_compensating_artifact",
442
+ "confidence_impact": "medium"
443
+ },
444
+ {
445
+ "artifact_id": "egress-policy",
446
+ "fallback_action": "mark_inconclusive",
447
+ "confidence_impact": "medium"
448
+ },
449
+ {
450
+ "artifact_id": "ai-sdk-inventory",
451
+ "fallback_action": "use_compensating_artifact",
452
+ "confidence_impact": "low"
453
+ },
454
+ {
455
+ "artifact_id": "dotfile-api-keys",
456
+ "fallback_action": "escalate_to_human",
457
+ "confidence_impact": "high"
458
+ },
459
+ {
460
+ "artifact_id": "aws-credentials",
461
+ "fallback_action": "escalate_to_human",
462
+ "confidence_impact": "high"
463
+ }
464
+ ]
465
+ },
466
+ "detect": {
467
+ "indicators": [
468
+ {
469
+ "id": "cleartext-api-key-in-dotfile",
470
+ "type": "file_path",
471
+ "value": "Any of OPENAI_API_KEY=sk-*, ANTHROPIC_API_KEY=sk-ant-*, AZURE_OPENAI_KEY=*, GOOGLE_API_KEY=*, HUGGINGFACE_TOKEN=hf_* present as exported cleartext in shell rc or vendor dotfile",
472
+ "description": "Primary credential-exposure indicator. Userland code execution → key extraction in milliseconds.",
473
+ "confidence": "deterministic",
474
+ "deterministic": true,
475
+ "attack_ref": "T1552.001"
476
+ },
477
+ {
478
+ "id": "long-lived-aws-keys",
479
+ "type": "file_path",
480
+ "value": "~/.aws/credentials contains an aws_access_key_id NOT accompanied by an aws_session_token (i.e. IAM user long-lived key, not STS temporary)",
481
+ "description": "Long-lived AWS keys in dotfile — high-value target.",
482
+ "confidence": "deterministic",
483
+ "deterministic": true,
484
+ "attack_ref": "T1552.001"
485
+ },
486
+ {
487
+ "id": "gcp-service-account-json",
488
+ "type": "file_path",
489
+ "value": "~/.config/gcloud/application_default_credentials.json contains type='service_account' (rather than authorized_user)",
490
+ "description": "Service-account JSON key (long-lived) in user dotfile — known anti-pattern.",
491
+ "confidence": "deterministic",
492
+ "deterministic": true,
493
+ "attack_ref": "T1552.001"
494
+ },
495
+ {
496
+ "id": "kubeconfig-with-static-token",
497
+ "type": "file_path",
498
+ "value": "~/.kube/config contains a user with a static 'token:' field (not exec-based with short-lived rotation)",
499
+ "description": "Static kube token persists in dotfile.",
500
+ "confidence": "deterministic",
501
+ "deterministic": true,
502
+ "attack_ref": "T1552.001"
503
+ },
504
+ {
505
+ "id": "ai-api-egress-from-unexpected-process",
506
+ "type": "network_pattern",
507
+ "value": "ss/lsof shows an established connection to api.openai.com / api.anthropic.com / generativelanguage.googleapis.com / *.cognitiveservices.azure.com originating from a process that is NOT in the org's expected-AI-clients list (e.g. /tmp/* binary, non-IDE process, unexpected user account)",
508
+ "description": "Behavioral indicator of AI-API C2 — unexpected process speaking to AI vendor.",
509
+ "confidence": "high",
510
+ "deterministic": false,
511
+ "atlas_ref": "AML.T0096",
512
+ "attack_ref": "T1071"
513
+ },
514
+ {
515
+ "id": "ai-api-anomalous-volume",
516
+ "type": "behavioral_signal",
517
+ "value": "AI-API egress connection-count or aggregate bytes from this host exceeds the 95th-percentile baseline for similar hosts AND the originating process is not a known interactive AI workload",
518
+ "description": "Behavioral indicator — volume anomaly for AI-API traffic.",
519
+ "confidence": "high",
520
+ "deterministic": false,
521
+ "atlas_ref": "AML.T0096",
522
+ "attack_ref": "T1071"
523
+ },
524
+ {
525
+ "id": "ai-api-beaconing-cadence",
526
+ "type": "behavioral_signal",
527
+ "value": "Regular interval AI-API requests from the same originating process (sub-30s jitter window) matching SesameOp / PROMPTFLUX beaconing cadence",
528
+ "description": "Behavioral signature — beaconing-shaped AI-API traffic.",
529
+ "confidence": "high",
530
+ "deterministic": false,
531
+ "atlas_ref": "AML.T0096",
532
+ "attack_ref": "T1071"
533
+ },
534
+ {
535
+ "id": "base64-or-encoded-payload-in-prompts",
536
+ "type": "log_pattern",
537
+ "value": "AI-API request payloads (when accessible via local-proxy log) contain large base64 / hex / homoglyph-encoded blocks framed as user messages — SesameOp encoding signature",
538
+ "description": "Strong content-level signal of AI-API C2.",
539
+ "confidence": "high",
540
+ "deterministic": false,
541
+ "atlas_ref": "AML.T0096",
542
+ "attack_ref": "T1071"
543
+ }
544
+ ],
545
+ "false_positive_profile": [
546
+ {
547
+ "indicator_id": "ai-api-anomalous-volume",
548
+ "benign_pattern": "Developer using AI coding assistant heavily — high-volume legitimate workflow, especially during refactor or code-generation work.",
549
+ "distinguishing_test": "Cross-check the originating process: if it is a known IDE / AI assistant binary (cursor, code, claude, windsurf, gemini-cli) with the expected user identity, downgrade to medium. If it is an unfamiliar binary path or runs under a service account, retain high confidence."
550
+ },
551
+ {
552
+ "indicator_id": "ai-api-beaconing-cadence",
553
+ "benign_pattern": "Legitimate scheduled job using AI API on a cron (e.g. nightly summarization, scheduled embedding refresh).",
554
+ "distinguishing_test": "Check process tree for a cron / systemd-timer parent. If present and the binary path matches a known org-deployed job script, downgrade to medium. Bonus: confirm the job's API key bearer-token attribution matches the expected service account; if it matches an interactive-developer key instead, retain high confidence."
555
+ },
556
+ {
557
+ "indicator_id": "base64-or-encoded-payload-in-prompts",
558
+ "benign_pattern": "AI-assisted base64 / image / file processing — legitimate workflow includes encoded blobs as prompt input.",
559
+ "distinguishing_test": "Check whether the surrounding prompt text is semantically a tool-use request with the blob as input vs. a bare blob with no surrounding task description. The former is workflow; the latter matches SesameOp pattern."
560
+ }
561
+ ],
562
+ "minimum_signal": {
563
+ "detected": "Any combination of: (a) cleartext-api-key-in-dotfile=true AND ai-api-egress-from-unexpected-process=true, OR (b) ai-api-beaconing-cadence=true with no benign-pattern match, OR (c) base64-or-encoded-payload-in-prompts=true with no benign-pattern match. Each constitutes confirmed AI-API C2 or credential-exposure-with-immediate-exfil-vector.",
564
+ "inconclusive": "Cleartext API keys present in dotfiles but no network introspection available (cannot test AI-API egress). Cannot deny C2 — escalate to network-boundary baseline collection.",
565
+ "not_detected": "No cleartext API keys in any inventoried dotfile AND no AI-API egress from unexpected processes AND no anomalous volume / beaconing. Document as not-detected with a 'new dotfile credential or new unexpected process re-opens this' caveat."
566
+ }
567
+ },
568
+ "analyze": {
569
+ "rwep_inputs": [
570
+ {
571
+ "signal_id": "cleartext-api-key-in-dotfile",
572
+ "rwep_factor": "blast_radius",
573
+ "weight": 20,
574
+ "notes": "Each cleartext key is a separate exfil vector; tally to blast radius."
575
+ },
576
+ {
577
+ "signal_id": "long-lived-aws-keys",
578
+ "rwep_factor": "blast_radius",
579
+ "weight": 25,
580
+ "notes": "Long-lived AWS keys = cloud-account compromise on extraction."
581
+ },
582
+ {
583
+ "signal_id": "gcp-service-account-json",
584
+ "rwep_factor": "blast_radius",
585
+ "weight": 25,
586
+ "notes": "GCP service-account JSON = GCP account compromise on extraction."
587
+ },
588
+ {
589
+ "signal_id": "kubeconfig-with-static-token",
590
+ "rwep_factor": "blast_radius",
591
+ "weight": 20,
592
+ "notes": "Static kube token = cluster control on extraction."
593
+ },
594
+ {
595
+ "signal_id": "ai-api-egress-from-unexpected-process",
596
+ "rwep_factor": "active_exploitation",
597
+ "weight": 25,
598
+ "notes": "Direct match for SesameOp / PROMPTFLUX TTPs; active exploitation documented."
599
+ },
600
+ {
601
+ "signal_id": "ai-api-beaconing-cadence",
602
+ "rwep_factor": "ai_weaponization",
603
+ "weight": 10,
604
+ "notes": "AI-API C2 is, by definition, AI-assisted attack infrastructure."
605
+ },
606
+ {
607
+ "signal_id": "base64-or-encoded-payload-in-prompts",
608
+ "rwep_factor": "active_exploitation",
609
+ "weight": 20,
610
+ "notes": "Content-level SesameOp signature; high confidence active exploitation."
611
+ }
612
+ ],
613
+ "blast_radius_model": {
614
+ "scope_question": "If an attacker harvests this host's dotfile credentials AND uses AI-API egress as C2, what scope of compromise does this host realistically deliver?",
615
+ "scoring_rubric": [
616
+ {
617
+ "condition": "host has only AI API keys (no cloud / no kube), interactive-developer use only",
618
+ "blast_radius_score": 1,
619
+ "description": "AI service abuse + token-cost burn. Vendor abuse-team detection plausible."
620
+ },
621
+ {
622
+ "condition": "host has AI API keys + personal git tokens, no production access",
623
+ "blast_radius_score": 2,
624
+ "description": "Source-code theft via git tokens; commit-rewrite vector."
625
+ },
626
+ {
627
+ "condition": "host has AI API keys + non-prod AWS/GCP/kube credentials",
628
+ "blast_radius_score": 3,
629
+ "description": "Non-prod cloud read + IAM enumeration; staging data exfil."
630
+ },
631
+ {
632
+ "condition": "host has AI API keys + production cloud / kube admin credentials OR signing keys",
633
+ "blast_radius_score": 4,
634
+ "description": "Production tenancy + supply-chain-publishing capability + AI-API C2 covert channel."
635
+ },
636
+ {
637
+ "condition": "host has AI API keys + cross-account / cross-tenant administrative roles OR CI/CD bootstrap rights",
638
+ "blast_radius_score": 5,
639
+ "description": "Org-wide pivot. AI-API channel makes the lateral movement covert at the network layer."
640
+ }
641
+ ]
642
+ },
643
+ "compliance_theater_check": {
644
+ "claim": "Egress, anomaly-detection, and access-control programs are operating effectively per SC-7 / SI-3 / AC-2 / A.8.16 / CC6 / CC7 — unauthorized data egress is detected.",
645
+ "audit_evidence": "Egress allowlist documentation, anomaly-detection rules, access-review records, secrets-scanning program reports.",
646
+ "reality_test": "Run all of: (a) inventory dotfile credentials in $HOME; if any cleartext API key or long-lived cloud key found, the secrets-scanning program does not cover the developer endpoint; (b) inspect egress allowlist for AI-vendor endpoints — if api.openai.com / api.anthropic.com / generativelanguage.googleapis.com are wholesale-permitted with no per-process restriction / no content inspection / no rate baseline, the egress program is open at the AI-API boundary; (c) ask the SOC for an AI-API anomaly triaged in the last 30 days — if none, the anomaly-detection program has no AI baseline. Each failure constitutes a structurally-blind audit-passing control.",
647
+ "theater_verdict_if_gap": "Org demonstrates audit-clean egress / anomaly-detection / access-control / secrets-management posture that is fully exposed to SesameOp-class AI-API C2 + dotfile credential exfil. Either (a) move dotfile API keys to a credential broker (OS keychain, AWS SSO, GCP workload identity, kube exec-credential, age-bound short-lived tokens), (b) implement AI-API egress baseline with per-process bearer-token attribution + rate alerting + content inspection (where contractually permissible), (c) add the AI-API endpoint class to anomaly-detection with its own baseline distinct from SaaS API traffic, OR (d) generate a defensible policy exception with compensating controls (network segmentation, dedicated egress proxy with per-process attribution, AI-API rate quota per service account)."
648
+ },
649
+ "framework_gap_mapping": [
650
+ {
651
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
652
+ "framework": "nist-800-53",
653
+ "claimed_control": "SI-3 — Malicious Code Protection",
654
+ "actual_gap": "Signature-based AV/EDR has no primitive for 'AI-API conversation is C2-shaped'.",
655
+ "required_control": "Add SI-3 sub-control requiring AI-API egress behavioral baseline with per-process attribution, content-pattern detection (encoded blob in prompt), and beaconing cadence analysis."
656
+ },
657
+ {
658
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
659
+ "framework": "nist-800-53",
660
+ "claimed_control": "SC-7 — Boundary Protection",
661
+ "actual_gap": "Wholesale permission of AI-vendor endpoints for developer productivity defeats C2 detection at the boundary.",
662
+ "required_control": "Mandate per-process / per-service-account egress allowlist for AI-API endpoints with content inspection or rate baselining."
663
+ },
664
+ {
665
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
666
+ "framework": "nist-800-53",
667
+ "claimed_control": "AC-2 — Account Management",
668
+ "actual_gap": "Authorized service account being abused as C2 is not surfaced by AC-2.",
669
+ "required_control": "Bind AC-2 review to bearer-token usage anomaly — any token used at volume / cadence / content shape outside its expected workflow is a finding."
670
+ },
671
+ {
672
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
673
+ "framework": "nist-800-53",
674
+ "claimed_control": "IA-5 — Authenticator Management",
675
+ "actual_gap": "Dotfile cleartext API keys + long-lived cloud keys are persistently-stored authenticators that IA-5 does not require to be brokered.",
676
+ "required_control": "Mandate credential broker for any long-lived API key on a developer endpoint (OS keychain, SSO-issued short-lived tokens, workload identity)."
677
+ },
678
+ {
679
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
680
+ "framework": "iso-27001-2022",
681
+ "claimed_control": "A.8.16 — Monitoring activities",
682
+ "actual_gap": "No baseline for AI-API egress; classified as business-as-usual.",
683
+ "required_control": "Require AI-API-specific monitoring baseline with rate, cadence, and content-shape dimensions."
684
+ },
685
+ {
686
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
687
+ "framework": "soc2",
688
+ "claimed_control": "CC7 — System operations / anomaly detection",
689
+ "actual_gap": "No defined baseline for AI-API egress.",
690
+ "required_control": "Define an AI-API-specific anomaly baseline as a Trust Services Criteria sub-objective."
691
+ },
692
+ {
693
+ "finding_id": "ai-api-c2-or-credential-exposure-detected",
694
+ "framework": "eu-ai-act",
695
+ "claimed_control": "Art.15 — Accuracy, robustness and cybersecurity",
696
+ "actual_gap": "System boundary excludes AI-API-as-transport for non-AI-system C2.",
697
+ "required_control": "Extend Art.15 cybersecurity obligations to AI providers' API as transport, requiring providers to expose telemetry that enables customer-side anomaly detection (per-key rate, content statistics)."
698
+ }
699
+ ],
700
+ "escalation_criteria": [
701
+ {
702
+ "condition": "rwep >= 75 AND ai-api-egress-from-unexpected-process == true",
703
+ "action": "page_on_call"
704
+ },
705
+ {
706
+ "condition": "any credential indicator deterministic AND blast_radius_score >= 4",
707
+ "action": "page_on_call"
708
+ },
709
+ {
710
+ "condition": "ai-api-beaconing-cadence == true AND base64-or-encoded-payload-in-prompts == true",
711
+ "action": "raise_severity"
712
+ },
713
+ {
714
+ "condition": "blast_radius_score >= 4",
715
+ "action": "trigger_playbook",
716
+ "target_playbook": "sbom"
717
+ },
718
+ {
719
+ "condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
720
+ "action": "notify_legal"
721
+ },
722
+ {
723
+ "condition": "personal_data_exfil_suspected == true",
724
+ "action": "notify_legal"
725
+ }
726
+ ]
727
+ },
728
+ "validate": {
729
+ "remediation_paths": [
730
+ {
731
+ "id": "rotate-exposed-credentials-now",
732
+ "description": "Immediately rotate every API key and cloud credential found in dotfile inventory. Revoke at vendor side; verify revocation effective.",
733
+ "preconditions": [
734
+ "operator_authorized_for_key_rotation == true"
735
+ ],
736
+ "priority": 1,
737
+ "compensating_controls": [
738
+ "service_disruption_window_acknowledged",
739
+ "rotation_audit_trail"
740
+ ],
741
+ "estimated_time_hours": 2
742
+ },
743
+ {
744
+ "id": "isolate-and-investigate-c2",
745
+ "description": "If AI-API C2 indicators fired: isolate the host from network (preserving forensic state), capture process tree + memory if possible, dump current AI-API session content via local proxy.",
746
+ "preconditions": [
747
+ "ai_api_c2_signal == true",
748
+ "incident_response_authorized == true"
749
+ ],
750
+ "priority": 1,
751
+ "compensating_controls": [
752
+ "forensic_preservation",
753
+ "vendor_abuse_team_notification"
754
+ ],
755
+ "estimated_time_hours": 4
756
+ },
757
+ {
758
+ "id": "migrate-to-credential-broker",
759
+ "description": "Replace dotfile cleartext keys with OS keychain (macOS Keychain / Linux Secret Service / Windows DPAPI) or vendor-issued short-lived credential (AWS SSO, GCP gcloud auth login + workload identity, kube exec-credential).",
760
+ "preconditions": [
761
+ "broker_available_for_each_credential_class == true"
762
+ ],
763
+ "priority": 2,
764
+ "compensating_controls": [
765
+ "legacy_dotfile_still_present_until_keychain_validated",
766
+ "developer_workflow_regression_test"
767
+ ],
768
+ "estimated_time_hours": 6
769
+ },
770
+ {
771
+ "id": "deploy-egress-proxy-with-attribution",
772
+ "description": "Route all AI-API egress through a per-process-attributed proxy that logs (a) initiating process, (b) bearer token used, (c) request/response size + cadence + content-shape metrics. Build a per-service-account baseline and alert on deviation.",
773
+ "preconditions": [
774
+ "proxy_infrastructure_authorizable == true",
775
+ "tls_termination_acceptable_per_policy == true"
776
+ ],
777
+ "priority": 3,
778
+ "compensating_controls": [
779
+ "proxy_failure_mode_defined",
780
+ "developer_traffic_baseline_collection"
781
+ ],
782
+ "estimated_time_hours": 16
783
+ },
784
+ {
785
+ "id": "enforce-allowlisted-ai-clients",
786
+ "description": "Enforce a per-host allowlist of processes permitted to speak to AI-API endpoints (binary paths, signatures). Block all other processes from reaching AI-vendor domains.",
787
+ "preconditions": [
788
+ "host-level_firewall_or_endpoint_egress_control_available == true"
789
+ ],
790
+ "priority": 4,
791
+ "compensating_controls": [
792
+ "allowlist_change_management",
793
+ "monitoring_for_blocked_attempts"
794
+ ],
795
+ "estimated_time_hours": 4
796
+ },
797
+ {
798
+ "id": "policy-exception",
799
+ "description": "Where business-critical interactive use makes egress proxying or process allowlisting infeasible, generate a defensible policy exception with compensating controls (rate quota per service account, vendor-side abuse alerting integration, weekly dotfile re-audit).",
800
+ "preconditions": [
801
+ "remediation_paths[1..5] partially or fully blocked",
802
+ "ciso_acceptance_obtainable == true"
803
+ ],
804
+ "priority": 5,
805
+ "compensating_controls": [
806
+ "per_token_rate_quota_at_vendor",
807
+ "vendor_abuse_alerting_integration",
808
+ "weekly_dotfile_re-audit",
809
+ "endpoint_egress_anomaly_baseline_with_alerting"
810
+ ],
811
+ "estimated_time_hours": 8
812
+ }
813
+ ],
814
+ "validation_tests": [
815
+ {
816
+ "id": "no-cleartext-keys-remain",
817
+ "test": "Re-run dotfile inventory across all shell rc / vendor dotfiles / cloud config / kube / docker / package-registry paths. Fail if any cleartext API key or long-lived cloud credential remains.",
818
+ "expected_result": "Zero cleartext API keys; cloud credentials rotated to SSO/STS/workload-identity-issued short-lived.",
819
+ "test_type": "negative"
820
+ },
821
+ {
822
+ "id": "rotated-keys-revoked-at-vendor",
823
+ "test": "For each rotated key: attempt to use the old key against the vendor API. Confirm vendor rejects with 401 / 403.",
824
+ "expected_result": "Old keys return authentication errors; new keys (where issued) function.",
825
+ "test_type": "exploit_replay"
826
+ },
827
+ {
828
+ "id": "ai-api-egress-flows-through-proxy",
829
+ "test": "Re-establish a known AI-API request from a developer workflow. Inspect proxy logs and confirm the request was attributed to the originating process + bearer token.",
830
+ "expected_result": "Proxy log contains attribution record matching the test request.",
831
+ "test_type": "functional"
832
+ },
833
+ {
834
+ "id": "unexpected-process-blocked",
835
+ "test": "Run a deliberately-unauthorized binary (e.g. /tmp/test-curl) attempting to reach api.openai.com. Confirm host firewall / allowlist blocks the request.",
836
+ "expected_result": "Connection refused / DNS blocked / TLS handshake fails per policy.",
837
+ "test_type": "negative"
838
+ },
839
+ {
840
+ "id": "baseline-anomaly-fires",
841
+ "test": "Generate a synthetic AI-API beaconing pattern (e.g. 100 small identical requests at 10s intervals). Confirm the anomaly-detection baseline fires within target detection window.",
842
+ "expected_result": "Anomaly alert fires; SOC ticket created with attribution data.",
843
+ "test_type": "negative"
844
+ },
845
+ {
846
+ "id": "ai-workflow-regression",
847
+ "test": "Run the developer's standard AI-assisted workflow (open project, AI chat, code completion). Confirm legitimate workflows continue to function through the new credential broker / proxy / allowlist.",
848
+ "expected_result": "Standard AI workflows succeed.",
849
+ "test_type": "regression"
850
+ }
851
+ ],
852
+ "residual_risk_statement": {
853
+ "risk": "AI-API C2 attack surface remains because the legitimate channel cannot be closed. Detection is the residual layer. Behavioral baselines drift; attackers adapt encoding shape; new AI vendors enter the egress allowlist. Credential exposure recurs whenever a developer onboards a new tool that wants a cleartext key.",
854
+ "why_remains": "AI APIs are infrastructure-of-record for AI-assisted development. The org cannot block them. Detection requires sustained baselining and per-process attribution; both degrade without active maintenance.",
855
+ "acceptance_level": "ciso",
856
+ "compensating_controls_in_place": [
857
+ "dotfile_credential_periodic_re-audit",
858
+ "ai_api_egress_proxy_with_per-process_attribution",
859
+ "ai_api_behavioral_baseline_with_alerting",
860
+ "vendor_abuse_team_integration",
861
+ "credential_broker_default_for_new_keys"
862
+ ]
863
+ },
864
+ "evidence_requirements": [
865
+ {
866
+ "evidence_type": "scan_report",
867
+ "description": "Dotfile credential inventory snapshot pre- and post-remediation, showing zero cleartext keys remaining.",
868
+ "retention_period": "7_years",
869
+ "framework_satisfied": [
870
+ "nist-800-53-IA-5",
871
+ "iso-27001-2022-A.8.30",
872
+ "soc2-CC6",
873
+ "pci-dss-4-8.3"
874
+ ]
875
+ },
876
+ {
877
+ "evidence_type": "log_excerpt",
878
+ "description": "AI-API egress proxy logs showing per-process attribution for a sample of requests during remediation validation.",
879
+ "retention_period": "1_year",
880
+ "framework_satisfied": [
881
+ "nist-800-53-SC-7",
882
+ "soc2-CC7",
883
+ "iso-27001-2022-A.8.16"
884
+ ]
885
+ },
886
+ {
887
+ "evidence_type": "exploit_replay_negative",
888
+ "description": "Negative test results: old rotated keys rejected by vendor; unexpected-process egress blocked; synthetic beaconing pattern triggered baseline alert.",
889
+ "retention_period": "1_year",
890
+ "framework_satisfied": [
891
+ "soc2-CC7",
892
+ "nist-800-53-SI-3",
893
+ "iso-27001-2022-A.8.16"
894
+ ]
895
+ },
896
+ {
897
+ "evidence_type": "attestation",
898
+ "description": "Signed exceptd attestation file with evidence_hash, credential count at detection, credential count post-remediation, AI-API egress baseline established date, RWEP delta.",
899
+ "retention_period": "7_years",
900
+ "framework_satisfied": [
901
+ "nist-800-53-CA-7",
902
+ "iso-27001-2022-A.5.36",
903
+ "nis2-art21-2d",
904
+ "eu-ai-act-art15"
905
+ ]
906
+ }
907
+ ],
908
+ "regression_trigger": [
909
+ {
910
+ "condition": "new_ai_vendor_added_to_allowlist",
911
+ "interval": "on_event"
912
+ },
913
+ {
914
+ "condition": "new_cve_in_class == true",
915
+ "interval": "on_event"
916
+ },
917
+ {
918
+ "condition": "new_developer_endpoint_provisioned",
919
+ "interval": "on_event"
920
+ },
921
+ {
922
+ "condition": "monthly",
923
+ "interval": "30d"
924
+ }
925
+ ]
926
+ },
927
+ "close": {
928
+ "evidence_package": {
929
+ "bundle_format": "csaf-2.0",
930
+ "contents": [
931
+ "scan_report",
932
+ "log_excerpt",
933
+ "exploit_replay_negative",
934
+ "attestation",
935
+ "framework_gap_mapping",
936
+ "compliance_theater_verdict",
937
+ "residual_risk_statement"
938
+ ],
939
+ "destination": "local_only",
940
+ "signed": true
941
+ },
942
+ "learning_loop": {
943
+ "enabled": true,
944
+ "lesson_template": {
945
+ "attack_vector": "AI API as covert C2 (SesameOp / PROMPTFLUX / PROMPTSTEAL) — adversary encodes commands/exfil in semantically valid prompts over legitimate vendor TLS endpoints, plus harvest of dotfile API keys + long-lived cloud credentials.",
946
+ "control_gap": "Egress allowlist trivially permits AI vendors. Anomaly detection has no AI-API baseline. Access control validates the authorized service account being abused. Secrets scanning covers repos, not developer-endpoint dotfiles.",
947
+ "framework_gap": "NIST 800-53 SI-3/SC-7/AC-2/IA-5, ISO 27001:2022 A.8.16, SOC 2 CC6/CC7, EU AI Act Art.15 all permit clean audits over a fully-exposed AI-API C2 + dotfile credential surface. Lag = ~190 days behind SesameOp's first documentation; no framework body has issued draft language as of 2026-05-11.",
948
+ "new_control_requirement": "Add an AI-API governance control class spanning: (a) per-process attribution of AI-API egress via dedicated proxy, (b) bearer-token-to-process binding, (c) AI-API behavioral baseline (rate, cadence, content-shape) with alerting, (d) credential-broker mandate for any long-lived API/cloud key on a developer endpoint, (e) provider-side telemetry sharing obligation for AI vendors (rate per key, content statistics) to enable customer-side detection."
949
+ },
950
+ "feeds_back_to_skills": [
951
+ "ai-c2-detection",
952
+ "framework-gap-analysis",
953
+ "compliance-theater",
954
+ "global-grc",
955
+ "zeroday-gap-learn"
956
+ ]
957
+ },
958
+ "notification_actions": [
959
+ {
960
+ "obligation_ref": "EU/NIS2 Art.23 24h",
961
+ "deadline": "computed_at_runtime",
962
+ "recipient": "internal_legal",
963
+ "evidence_attached": [
964
+ "affected_host_inventory",
965
+ "ai_api_endpoint_beaconing_evidence",
966
+ "credential_exposure_scope",
967
+ "interim_isolation_record"
968
+ ],
969
+ "draft_notification": "Initial NIS2 Art.23 24-hour early-warning notification: AI-API C2 + credential exposure detected on ${affected_host_count} host(s). Behavioral indicators: ${behavioral_indicators}. Credential exposure: ${cred_summary}. Interim isolation: ${interim_isolation_status}. Full incident assessment to follow within 72 hours per Art.23(4)."
970
+ },
971
+ {
972
+ "obligation_ref": "EU/NIS2 Art.23 72h",
973
+ "deadline": "computed_at_runtime",
974
+ "recipient": "regulator_email",
975
+ "evidence_attached": [
976
+ "full_incident_assessment",
977
+ "credential_rotation_record",
978
+ "remediation_plan"
979
+ ],
980
+ "draft_notification": "NIS2 Art.23 incident notification (72-hour): Full assessment of AI-API C2 / credential-exposure incident. Affected systems: ${affected_systems}. Credentials rotated: ${rotated_count}. Remediation plan: dotfile credential migration to broker, AI-API egress proxy deployment, behavioral baseline establishment. ETA: ${remediation_eta}."
981
+ },
982
+ {
983
+ "obligation_ref": "EU/DORA Art.19 4h",
984
+ "deadline": "computed_at_runtime",
985
+ "recipient": "internal_legal",
986
+ "evidence_attached": [
987
+ "initial_notification",
988
+ "ict_third_party_dependencies",
989
+ "financial_data_exposure_scope"
990
+ ],
991
+ "draft_notification": "DORA Art.19 initial notification: Major ICT-related incident — AI-API C2 / credential exposure on ${affected_host_count} host(s) within financial-entity scope. AI vendor ICT dependencies: ${ict_dependencies}. Financial-data exposure scope: ${financial_data_scope}. Full classification + impact assessment to follow within statutory windows."
992
+ },
993
+ {
994
+ "obligation_ref": "EU/EU AI Act Art.73 360h",
995
+ "deadline": "computed_at_runtime",
996
+ "recipient": "regulator_email",
997
+ "evidence_attached": [
998
+ "serious_incident_assessment",
999
+ "ai_system_misuse_evidence",
1000
+ "tool_provenance_audit"
1001
+ ],
1002
+ "draft_notification": "EU AI Act Art.73 serious-incident notification: AI API misused as covert C2 channel against ${affected_ai_system}. Provider: ${ai_provider}. Evidence of misuse: ${behavioral_evidence}. Tool provenance audit: ${tool_provenance_summary}."
1003
+ },
1004
+ {
1005
+ "obligation_ref": "EU/GDPR Art.33 72h",
1006
+ "deadline": "computed_at_runtime",
1007
+ "recipient": "internal_legal",
1008
+ "evidence_attached": [
1009
+ "personal_data_scope_assessment",
1010
+ "high_risk_to_data_subjects_determination",
1011
+ "containment_measures"
1012
+ ],
1013
+ "draft_notification": "GDPR Art.33 supervisory authority notification: Personal data breach via AI-API C2 channel and/or credential exfil. Affected data categories: ${data_categories}. Approximate number of data subjects affected: ${affected_count}. High-risk determination per Art.34: ${high_risk_determination}. Containment measures: ${containment_summary}."
1014
+ },
1015
+ {
1016
+ "obligation_ref": "AU/APRA CPS 234 72h",
1017
+ "deadline": "computed_at_runtime",
1018
+ "recipient": "regulator_email",
1019
+ "evidence_attached": [
1020
+ "materiality_assessment",
1021
+ "remediation_completed_evidence"
1022
+ ],
1023
+ "draft_notification": "APRA CPS 234 notification: Material information security incident — AI-API C2 / credential exposure on ${affected_host_count} host(s). Materiality: ${materiality_justification}. Remediation summary: ${remediation_summary}."
1024
+ }
1025
+ ],
1026
+ "exception_generation": {
1027
+ "trigger_condition": "remediation_blocked == true OR (per-process_attribution_proxy_infeasible == true AND business_critical_AI_workflow == true)",
1028
+ "exception_template": {
1029
+ "scope": "AI-API egress for asset(s) ${asset_list} cannot be routed through a per-process-attributed proxy in this remediation cycle, OR dotfile credential migration is blocked by vendor SDK constraints. Remediation paths 3-5 partially blocked.",
1030
+ "duration": "30d",
1031
+ "compensating_controls": [
1032
+ "per_token_rate_quota_enforced_at_vendor_side",
1033
+ "vendor_abuse_alerting_subscription",
1034
+ "weekly_dotfile_credential_re-audit_with_diff_alerting",
1035
+ "endpoint_egress_anomaly_baseline_with_per-host_alerting",
1036
+ "ai_api_destination_dns_logging_with_cadence_analysis",
1037
+ "isolation_capability_pre-tested_with_runbook"
1038
+ ],
1039
+ "risk_acceptance_owner": "ciso",
1040
+ "auditor_ready_language": "Pursuant to ${framework_id} ${control_id} (System Operations / Anomaly Detection / Boundary Protection / Authenticator Management), the organization documents a time-bound risk acceptance for AI-API egress on asset(s) ${asset_list} that cannot be brought under per-process-attributed proxy control within the current remediation cycle. The accepted threat class is AI-as-C2 (SesameOp pattern / ATLAS AML.T0096) and dotfile credential exfiltration. The organization accepts that current framework controls (NIST 800-53 SI-3/SC-7/AC-2/IA-5, ISO 27001:2022 A.8.16, SOC 2 CC6/CC7, EU AI Act Art.15) treat AI-vendor endpoints as authorized SaaS and AI service accounts as legitimately authorized identities, that this structural blind spot is documented in ${exceptd_framework_gap_mapping_ref}, and that the organization's compensating controls during the exception window are: ${compensating_controls}. Detection coverage: AI-API destination DNS logging with cadence analysis, endpoint egress anomaly baseline, weekly dotfile re-audit. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry} (proxy infrastructure ready, vendor SDK supports brokered credentials, OR ${default_30d_expiry}, whichever is first). Re-evaluation triggers: new SesameOp variant published, new AI vendor added to scope, dotfile credential count above zero in weekly audit, OR scheduled expiry."
1041
+ }
1042
+ },
1043
+ "regression_schedule": {
1044
+ "next_run": "computed_at_runtime",
1045
+ "trigger": "both",
1046
+ "notify_on_skip": true
1047
+ }
1048
+ }
1049
+ },
1050
+ "directives": [
1051
+ {
1052
+ "id": "all-ai-api-and-credential-exposure",
1053
+ "title": "Full AI-API C2 + dotfile credential exposure audit",
1054
+ "applies_to": {
1055
+ "always": true
1056
+ }
1057
+ },
1058
+ {
1059
+ "id": "sesameop-aml-t0096",
1060
+ "title": "ATLAS AML.T0096 — AI as C2 (SesameOp / PROMPTFLUX / PROMPTSTEAL)",
1061
+ "applies_to": {
1062
+ "atlas_ttp": "AML.T0096"
1063
+ }
1064
+ },
1065
+ {
1066
+ "id": "t1552-001-credentials-in-files",
1067
+ "title": "T1552.001 — Unsecured Credentials: Credentials in Files",
1068
+ "applies_to": {
1069
+ "attack_technique": "T1552.001"
1070
+ }
1071
+ }
1072
+ ]
1073
+ }