K9X (Beta)
k9x.ai
SATAN
Security  ·  Analysis  ·  Tool  for  Agentic  ·  Networks
not connected
SATAN
Attacker
ROUTER
Ingress Gate
ORCHESTRATOR
Egress Gate
SQUAD
Agent Flow
AGENTS
Execution
LLM Setup
Configure the LLM provider that Satan's target agents will use. Connect to Ollama, LM Studio, or any OpenAI-compatible endpoint.

Provider & Connection

Governance

GuardianGovernance wraps every agent's pre_process and post_process hooks with a live granite4.1-guardian:8b safety call — screening inputs before the LLM and outputs after. Requires Ollama to be connected with the guardian model pulled.
ShieldGovernance (k9_aif_abb.k9_security.vulnerability) is a framework class, not Satan-local — it wires the same VulnerabilityChain/BaseVulnerabilityCheck contracts Router/Orchestrator already use, but at the agent pre/post hook level instead. Deterministic, zero LLM cost, config-driven via security.shield in config.yaml — a second valid architectural point for the same ABB, proving the pattern isn't tied to one wiring location.

Document Extraction

Runs before the Shield checks. Extracted fields feed FieldAnomalyCheck — catches authority-override patterns that syntax-based injection checks miss. In production K9-AIF this step runs as a dedicated Squad via Kafka (non-blocking).
Docling OCR is optional but recommended for a full scan of the document — naive regex only reads plain key:value lines, so anomalies hidden inside a corrupted, malformed, or unusually structured file (a real risk on a public instance anyone can upload to) can slip past extraction entirely. If you'd rather not upload documents to this shared instance at all, run Satan yourself: pip install k9x-satan.

Current Status

Provider
Model
Base URL
Connection
Chain Execution Log
Document Analysis  — 
0
Recent Attacks
0
Blocked
0
Flagged
0
Findings

Attack Outcomes (aggregated from all runs)

Penetration Depth (aggregated from all runs)

Attack History

No attacks fired yet. Select a document and click Fire.

The Framework Is the Defence

K9-AIF Framework (k9x.ai) treats security as a framework capability, not an application concern. Every solution built on the framework automatically inherits a runtime security chain that validates inputs before they reach the intelligence layer.

Out of the box, Shield provides architectural handlers including InputSizeCheck, PromptInjectionCheck, SemanticDriftCheck, PIIBoundaryCheck, ToolArgumentCheck, ExecutionGuardCheck, and HardcodedCredentialCheck.

These handlers address the primary attack vectors identified by Zscaler ThreatLabz and can be extended as new threats emerge.

K9X Satan exists for one reason: prove whether that architecture actually holds.

Threat Intelligence — Zscaler ThreatLabz

Zscaler ThreatLabz maps four distinct vectors in the agentic AI threat landscape. K9X Shield was designed to address each one architecturally — not with signatures, but with an extensible chain where each vector maps to one handler.

Zscaler ThreatLabz — Four Vectors
Indirect Prompt Injection — hidden instructions in documents & tool responses
Goal Hijacking & Privilege Escalation — agent forced beyond its authorised scope
Memory Poisoning — persistent memory contaminated across sessions
Shadow AI & Tool Abuse — unapproved tools injecting attacker-controlled content
K9X Shield — One Vector, One Handler
PromptInjectionCheck — IPI in documents & payloads
SemanticDriftCheck — goal hijacking, identity override, loop traps
PIIBoundaryCheck — cross-boundary data exfiltration
ToolArgumentCheck — poisoned tool call arguments
ExecutionGuardCheck — destructive execution, privilege escalation

Unlike a human reviewer, an LLM has no inherent notion of trusted versus attacker-controlled content. It follows instructions regardless of their origin — unless architectural safeguards intervene. The payload walked through the front door as a document. That is what Satan tests.

Complete Check Inventory — Component × Threat Class

Every handler currently wired into the target pipeline's two VulnerabilityChain gates, which component owns it, and which named attack in this harness proves it holds. 13 checks total — 7 framework OOB, 6 Satan-local — plus Guardian as a cross-cutting semantic layer that wraps every agent regardless of chain position.

# Check Stage Component Owner Threat Class Proven By
1RequestFrequencyCheckIngressRouterSatan SBBUnbounded Consumption — OWASP LLM10request_flood
2InputSizeCheckIngressRouterFramework OOBToken-flood / oversized payload — OWASP LLM10payload_flood
3PromptInjectionCheckIngressRouterFramework OOBIndirect Prompt Injection — Zscaler #1 · OWASP LLM01prompt_injection_document, search_poisoning
4FieldAnomalyCheckIngressRouterSatan SBBAuthority-override social engineering — Zscaler #1 extensionprompt_injection_document
5MemoryPoisoningCheckIngressRouterSatan SBBMemory Poisoning — Zscaler #3 · OWASP LLM04memory_poisoning
6SemanticDriftCheckEgressOrchestratorFramework OOBGoal Hijacking & Privilege Escalation — Zscaler #2 · OWASP LLM06semantic_drift
7ExecutionGuardCheckEgressOrchestratorFramework OOBDestructive execution / privilege escalation — Zscaler #2 · OWASP LLM06execution_bypass
8PIIBoundaryCheckEgressOrchestratorFramework OOBSensitive Info Disclosure — OWASP LLM02pii_exfiltration
9ToolArgumentCheckEgressOrchestratorFramework OOBTool Abuse — poisoned arguments — Zscaler #4 · OWASP LLM05tool_argument_poison
10HardcodedCredentialCheckEgressOrchestratorFramework OOBSupply chain / secret leakage — OWASP LLM03hardcoded_credential
11ToolAuthorizationCheckEgressOrchestratorSatan SBBShadow AI — unapproved tool/backend — Zscaler #4shadow_tool
12SystemPromptLeakageCheckEgressOrchestratorSatan SBBSystem Prompt Leakage — OWASP LLM07system_prompt_leakage
13OutputSanitizationCheckEgressOrchestratorSatan SBBImproper Output Handling — OWASP LLM05output_sanitization
GuardianGovernancePre/Post — every agentAgentSatan SBBSemantic evasion of all 13 checks above (paraphrase, encoding, indirection) — cross-cutting, requires granite4.1-guardian:8bany attack, with Governance = GuardianGovernance

Out of scope by design — not runtime-checkable at the payload level: training-data/model poisoning (OWASP LLM04's non-session-state half), vector/embedding attacks (OWASP LLM08 — no RAG in this target), and misinformation/hallucination (OWASP LLM09 — a quality concern, not a security boundary).

Open-Closed Security — One New Threat, One New Handler

The Chain of Vulnerability Tests applies the GoF Chain of Responsibility pattern to security. Each handler inspects the payload for one class of threat. A new Zscaler ThreatLabz finding means one new handler. Nothing else changes.

ORCHESTRATOR appears twice below — it's the same object both times. It dispatches to Squad first, then evaluates the returned response later. The second box is not a separate "egress gate" component — it's the same Orchestrator, invoked a second time on the way out.

IN
SATAN
Crafted payload
BaseAttack SBB
ROUTER
Pre-Agent Shield
RequestFrequencyCheck
InputSizeCheck
PromptInjectionCheck
FieldAnomalyCheck
MemoryPoisoningCheck
🛑 BLOCKED ✓
ORCHESTRATOR
① dispatches work
execute_squads([DocumentProcessingSquad])
SQUAD
DocumentProcessingSquad
flow: ExtractionAgent → AuditAgent
AGENT
pre_process()
Guardian/Shield screens input
LLM / TOOLS
DocumentExtractionAgent
AuditAgent
↓ response path ↓
OUT
AGENT
post_process()
Guardian/Shield screens output
SQUAD
returns
Result bubbles back to Orchestrator
ORCHESTRATOR
② evaluates returned result
egress VulnerabilityChain:
SemanticDriftCheck · ExecutionGuardCheck
PIIBoundaryCheck · ToolArgumentCheck
HardcodedCredentialCheck · ToolAuthorizationCheck
SystemPromptLeakageCheck · OutputSanitizationCheck
🛑 BLOCKED ✓
OUTPUT
⚠ FINDING
Both gates passed

ORCHESTRATOR and AGENT each appear once in IN and once in OUT — same objects both times. ORCHESTRATOR dispatches to Squad on the way in, then evaluates the returned result on the way out. AGENT screens input before calling the LLM, then screens its own output before returning it.

PRE-AGENT — Router Shield
Pattern-based. Runs on the raw document before the LLM touches it. Fast, deterministic. Blocks known attack shapes (injection markers, override codes, anomalous fields). Cannot block semantic attacks that look legitimate.
POST-AGENT — Orchestrator Gate
Semantic LLM-based. Runs on the agent's output before it leaves the pipeline. Guardian evaluates what the agent is about to return — catches PII leakage, policy bypass, semantic drift that evaded the pre-gate.

Shared Responsibility — What the Framework Handles, What the SBB Owns

The diagram above is Satan's own target pipeline. A real solution built on K9-AIF (k9x.ai) — say, an insurance claims processor — looks the same from the outside:

Incoming claim document → Router → Orchestrator → Squad → LLM

The claims team writes ClaimsRouter(BaseRouter), ClaimsOrchestrator(BaseOrchestrator), a triage squad, and agents that call llm_invoke() — ordinary business logic. They never write a line of security code. This is a shared responsibility model: the framework and the solution team each own a different half of what makes the system secure.

🛡 Framework (ABB) — inherited automatically

Router ingress VulnerabilityChainpattern checks pre-LLM
Orchestrator egress VulnerabilityChainpattern checks on response
Agent pre_process() / post_process()Guardian/Shield governance hooks
Zero Trust execution guardopt-in, framework-enforced
_policy.locked enforcementSBB cannot override enterprise policy
publish_event() audit trailevery check result, every verdict

⚔ SBB (solution team) — written per solution

Router/Orchestrator/Squad/Agent classesdomain-specific, extend the ABBs
Agent role, goal, instructionsagent YAML — what the LLM is asked to do
Domain-specific checksoptional — e.g. FieldAnomalyCheck-style
Governance provider selectionnoop / guardian / shield, per config.yaml
Squad flow — agent sequencewhich agents run, in what order

Nothing in the left column is something the claims team opted into — it's inherited the moment their classes extend BaseRouter/BaseOrchestrator/BaseAgent, the same way logging or the event bus is. Satan attacks the exact same pattern a real solution would use — that's what makes a contained attack here evidence for a real solution, not just proof about a demo.

Does the ABB's OOB set cover everything? No — and this repo is the proof, not a hedge. The framework ships 7 OOB checks, and they're deliberately generic: oversized payload, generic injection phrases, generic PII patterns. They can't know that FieldAnomalyCheck's red-flag terms ("COO authorization code", "EXEC-OVERRIDE") only make sense for insurance-claims-shaped documents — a healthcare or defense-procurement solution needs different domain terms entirely. And five of the six Satan-local checks — MemoryPoisoningCheck, ToolAuthorizationCheck, SystemPromptLeakageCheck, OutputSanitizationCheck, RequestFrequencyCheck — didn't exist anywhere in the framework's OOB set until Satan needed them. The ABB gives every solution a strong, reusable baseline. The SBB still has to review whether that baseline covers its actual domain and threat surface, and add what's missing — the same way Satan did.

The Hardening Loop

Satan and Shield grow together. Every EVASION finding closes a gap in the framework — making it stronger for every solution built on K9-AIF.

Satan fires attack
  → Shield misses it        EVASION — gap found
  → new Check added to framework ABB
  → Satan fires again
  → Shield blocks it        BLOCKED — framework hardened
  → next attack class probes the next gap
  → repeat

The chain is open-ended by design. Zscaler's four vectors are not a ceiling — they are the current known surface. As agentic systems become more capable and more autonomous, the attack surface expands. Each new vector is one new handler. The chain does not need to be rewritten. It just needs one more link.

ABB / SBB — Framework Owns the Contracts

⚔ K9x Satan — SBBs (Attack)

PromptInjectionAttackdocument body
SearchPoisoningAttacktool response
PayloadFloodAttacktoken exhaustion
PIIExfiltrationAttackdata extraction
SemanticDriftAttackrole reframing
HtmlCommentAttacksteganographic

🛡 K9X Shield — ABBs (Defence)

PromptInjectionCheckingress
PromptInjectionCheckegress
InputSizeCheckingress
PIIBoundaryCheckegress
SemanticDriftCheckegress
HtmlCommentInjectionCheckingress — pending

ABBs live in the framework. SBBs live in Satan. Every attack SBB extends BaseAttack. Every defence check extends BaseVulnerabilityCheck. The contracts belong to the framework — not to any one solution.

Check Execution — Sequence & Ownership

Every payload traverses four phases in strict order. A block at any phase terminates execution — downstream phases never run.

PHASE 0 — PRE-SHIELD · DoclingExtractor
naive_extract() — regex key:value scan (always runs)
_docling_endpoint() — OCR via /v1/convert/file (if enabled)
→ populates extracted_fields for FieldAnomalyCheck
PHASE 1 — ROUTER INGRESS SHIELD · VulnerabilityChain
RequestFrequencyCheck · per-session request count vs. rolling window
catches: resource-exhaustion request floods (Satan SBB — CacheFactory-backed)
🛑 BLOCK
InputSizeCheck · payload byte length > limit
catches: Token Flood Attack (💣 Oversized Payload)
🛑 BLOCK
PromptInjectionCheck · pattern scan on raw text
catches: SYSTEM OVERRIDE · ignore all instructions · admin mode · roleplay jailbreak
🛑 BLOCK
FieldAnomalyCheck · scans extracted_fields + raw text
catches: EXEC-OVERRIDE codes · Priority: CRITICAL · COO auth · supersedes directives
🛑 BLOCK
MemoryPoisoningCheck · session fact fingerprint vs. CacheFactory record
catches: fabricated/contradicted "as previously approved" session memory claims
🛑 BLOCK
PHASE 2 — INTELLIGENCE · DocumentProcessingSquad
DocumentExtractionAgent
Guardian pre_process() 🛑 BLOCK if unsafe input
Agent execute() → LLM
Guardian post_process() 🛑 REDACT if PII/unsafe
AuditAgent
Guardian pre_process() 🛑 BLOCK if unsafe input
Agent execute() → LLM
Guardian post_process() 🛑 REDACT if PII/unsafe
Guardian hooks fire only when Governance = GuardianGovernance (Setup → Governance). Default is NoopGovernance — hooks are present but pass through.
PHASE 3 — ORCHESTRATOR EGRESS GATE · VulnerabilityChain
SemanticDriftCheck · evaluates agent reasoning against original goal
catches: role reframing · goal hijacking · identity override
🛑 BLOCK
ExecutionGuardCheck · validates response schema & scope
catches: destructive actions · privilege escalation · schema violations
🛑 BLOCK
⚠ OUTPUT All phases passed — response exits pipeline. FINDING if evil payload; COMPLETED if clean.

ABB / SBB Class Hierarchy

PlantUML source at diagrams/shield_class_small.puml (checks grouped into two boxes to keep this readable — the un-grouped version with each check as its own class is diagrams/shield_class.puml). Run ./diagrams/generate.sh to render PNG.

PNG not generated yet — run ./diagrams/generate.sh then reload

Target Pipeline — SBB Hierarchy

── PRE-AGENT ────────────────────────────────────────
DoclingExtractor              SBB utility
  naive regex | Docling OCR (optional)
  → populates extracted_fields

DocumentRouter                extends BaseRouter         (K9-AIF ABB)
  [PRE-AGENT Shield — VulnerabilityChain]
    InputSizeCheck            extends BaseVulnerabilityCheck
    PromptInjectionCheck      extends BaseVulnerabilityCheck
    FieldAnomalyCheck         extends BaseVulnerabilityCheck
      → BLOCKED here if any check fires

── INTELLIGENCE ─────────────────────────────────────
DocumentOrchestrator          extends BaseOrchestrator    (K9-AIF ABB)
  DocumentProcessingSquad     extends BaseSquad           (K9-AIF ABB)
    DocumentExtractionAgent   extends BaseAgent           (K9-AIF ABB)
    AuditAgent                extends BaseAgent           (K9-AIF ABB)

── POST-AGENT ───────────────────────────────────────
  [POST-AGENT Gate — Orchestrator Egress]
    Guardian Governance       semantic LLM evaluation
    SemanticDriftCheck        extends BaseVulnerabilityCheck
    ExecutionGuardCheck       extends BaseVulnerabilityCheck
      → BLOCKED here if response violates policy

── OUTPUT ───────────────────────────────────────────
  ⚠ FINDING — both gates passed — response exited pipeline
The Big Picture

K9-AIF is an open-source, architecture-first framework for building governed, modular agentic AI systems — k9x.ai.

K9x is the ecosystem of products built on that framework: Studio (visual drag-and-drop solution builder), Continuum (the catalog of reusable architectural assets — TOGAF's Enterprise Continuum applied to K9-AIF), HIL (human-in-the-loop case management), and SATAN — this tool.

K9X Shield isn't a separate product — it's the security and vulnerability-checking component built into the framework itself: the Router/Orchestrator check chains, governance hooks, and Chain-of-Responsibility pattern that every solution built on K9-AIF inherits, whether it knows it or not.

K9X Satan is the tool that tests the framework — specifically, it fires structured adversarial attacks at a live K9-AIF pipeline to prove K9X Shield actually contains them, rather than just asserting that it does.

RUN IT YOURSELF
pip install k9x-satan
k9x-satan          # foreground, opens the dashboard at localhost:6660
k9x-satan --bg     # or run it in the background

Own instance, own K9-AIF pipeline, own LLM endpoint — nothing sent to this shared deployment. pypi.org/project/k9x-satan

Why the Name "SATAN"?

The name K9X Satan is inspired by the pioneering SATAN (Security Administrator Tool for Analyzing Networks), released in 1995 by security researchers Dan Farmer and Wietse Venema.

The original SATAN was one of the first widely recognized network vulnerability assessment tools. Rather than exploiting systems, its purpose was to help administrators identify weaknesses before attackers did.

K9X Satan follows the same philosophy for the era of agentic AI. Instead of scanning networks, it executes carefully crafted adversarial attacks against K9X Shield to validate that architectural security controls detect and intercept malicious inputs before they reach the intelligence layer.

The goal is not to break applications — it is to continuously strengthen the framework that protects them.

The original SATAN shipped with repent.pl — run it and SATAN became SATAN. K9X Satan carries the tradition. Find the REPENT button in the sidebar.
How Satan Works
The Philosophy

K9X Satan is an adversarial testing platform for K9X Shield.

Rather than generating random inputs, Satan executes carefully crafted attacks that target known classes of agentic AI vulnerabilities. Each attack is designed to validate that the framework's architectural security controls detect and intercept malicious payloads before they reach the intelligence layer.

The objective is not to demonstrate successful attacks — it's to prove that the framework's defensive architecture holds under real-world adversarial conditions.

Defense in Depth — Guardian Complements Shield, Never Replaces It

K9X Shield applies deterministic, policy-driven checks at Router ingress and Orchestrator egress — 13 handlers, explainable, zero LLM cost, evaluated the same way every time. IBM Guardian provides an optional semantic assessment layer for attacks that survive literal pattern matching — paraphrase, encoding, or wording changes that no regex list can enumerate in advance.

Regex and rule-based checks catch known, explicit patterns and give predictable, auditable enforcement. Guardian trades that predictability for broader semantic coverage — it can recognise paraphrased prompt injection, subtle goal hijacking, and disguised privilege escalation that never matches a literal rule. Neither layer is a superset of the other; each catches what the other structurally cannot.

Pull the model before enabling Guardian:

ollama pull granite4.1-guardian:8b

Enable it in Setup → Governance — three providers are available: NoopGovernance (passthrough, dev default), GuardianGovernance (semantic, this section), and ShieldGovernance (a second deterministic wiring point — the same VulnerabilityChain contract, reused at the agent pre/post hook instead of Router/Orchestrator). The chain log shows Guardian's pre/post verdict on every agent run.

Router/Orchestrator Shield catches known pattern attacks (injection markers, override codes, poisoned tool arguments) — zero LLM cost, deterministic. Guardian catches semantic attacks that evaded the pattern layer — up to two LLM calls per agent, one on each side of the agent's own LLM call: pre_process() screens the incoming request for prompt injection, goal hijacking, PII exfiltration attempts, jailbreaks, and social engineering framing — blocking before the agent ever calls its LLM; post_process() screens the agent's own output for whether it actually leaked PII, complied with a malicious instruction, or contains anything that should have been redacted — after the LLM has already responded. Shield holds with Guardian disabled entirely. Guardian only ever adds coverage on top — it is never the only thing standing between a payload and the agent.
Guardian unavailability is a policy decision, never a silent pass. A timeout, HTTP error, or unreachable Ollama endpoint produces an explicit UNAVAILABLE verdict — it is never mapped to "SAFE" by default. governance.on_guardian_unavailable in config.yaml decides what happens next: fail_closed (default — blocks/redacts, matching "should not be penetrable"), fail_open (documented risk — lets the payload through unscreened), or inconclusive (flags for review without blocking).
Prove what Guardian adds, don't just assert it. python -m k9x_satan.runner.satan_runner --target <url> --suite full --compare-governance fires every attack twice — deterministic-only, then deterministic + Guardian — and reports which findings Guardian closed. A regression (Guardian making a previously-contained attack pass) is flagged as a bug, not a result.
Attack Corpus

Satan includes a curated corpus of attack documents representing common agentic AI threat patterns. Each payload targets a specific vulnerability class implemented by K9X Shield.

  • Prompt Injection — Claim Form with a "SYSTEM OVERRIDE" body
  • HTML Comment Injection — hidden instruction inside a policy document
  • Roleplay Jailbreak — "Pretend you are DAN" framing
  • Social Engineering — fake executive directive with an "override code"
  • PII Exfiltration — compliance-audit framing requesting SSN/account numbers
  • Oversized Payload — token flood attack
  • Clean Control Document

The Clean Control document serves as a baseline and should always traverse the complete pipeline without being blocked.

Understanding the Pipeline

Every document follows the same three-layer defence path. Each layer has a different detection strategy and a different threat class it can stop.

LAYER 1 — ROUTER SHIELD (ingress)
Pattern-based. Zero latency. Deterministic.

Runs a chain of vulnerability checks before the LLM ever sees the document. Each handler looks for a known attack shape — a structural fingerprint.

✓ blocks  Oversized payloads — token flood attacks
✓ blocks  Prompt injection — SYSTEM OVERRIDE, ignore all instructions
✓ blocks  Field anomalies — EXEC-OVERRIDE codes, Priority: CRITICAL directives
~ passes  Semantic attacks — compliance framing, regulatory impersonation

The Router Shield cannot stop what it does not recognise. An attack written to look like a legitimate audit request has no injection markers, no override codes, no anomalous fields. It passes because it looks clean.

LAYER 2 — GUARDIAN GOVERNANCE (agent pre/post — optional)
Semantic LLM-based. Wraps every agent's execution, not just the boundary.

Guardian screens the payload immediately before each agent invokes the LLM (pre_process) and the agent's draft output immediately after (post_process) — inside the Squad, between Layer 1 and Layer 3. Defense in depth, not a replacement: Shield holds with Guardian disabled entirely; Guardian only adds coverage on attacks that survive the pattern layer.

✓ blocks  Paraphrased/encoded injection that evades literal PromptInjectionCheck patterns
✓ blocks  Agent responses containing PII, SSNs, account numbers
✓ blocks  Responses that bypass policy — claim approvals without validation
~ policy  Guardian unavailable — fail_closed (default) blocks, fail_open passes, inconclusive flags. Never silently "SAFE".

Enable Guardian in Setup → Governance. Disabled by default (NoopGovernance) — Layers 1 and 3 hold regardless.

LAYER 3 — ORCHESTRATOR EGRESS SHIELD (deterministic, always active)
Pattern-based. Evaluates the squad's combined output before it exits the pipeline.

Runs after the squad completes — 8 handlers covering goal hijacking, destructive execution, PII boundary, poisoned tool arguments, leaked credentials, unapproved tools, leaked system prompts, and output markup injection. Always active, independent of Guardian.

✓ blocks  Goal hijacking / role reframing that reached the squad
✓ blocks  PII, secrets, poisoned tool arguments, unapproved tools surfacing in the response
~ passes  Semantic attacks with no literal pattern match — Guardian is the layer that catches these
WHY FINDING IS NOT ALWAYS A FAILURE

A FINDING that reaches the agent layer with Guardian disabled confirms that the attack evaded Layer 1 pattern detection — which is the expected result for semantic attacks. That is not a framework failure; it is the gap Guardian is designed to close. A true framework failure is when Guardian is enabled and an attack still produces harmful output.

If any handler blocks the request, processing immediately terminates and downstream components are never invoked.

Understanding the Results
Red

An attack document is being executed. A red stop indicator (🛑) identifies the architectural layer where the payload was intercepted.

Green

The document completed successfully without any security violations.

BLOCKED The Shield prevented the payload from reaching the intelligence layer.
COMPLETED The payload successfully traversed the complete execution pipeline.
Upload Your Own Payload

The upload panel allows you to test your own documents against K9X Shield.

Supported formats include:

  • TXT
  • PDF (text layer)
  • DOCX
  • Markdown

Uploaded documents are converted into raw text and processed through the same runtime security chain used by every K9-AIF application.

Framework Extensibility

K9X Shield follows an open architecture.

Each security handler implements a common framework contract, allowing organizations to introduce new detection capabilities without modifying the core runtime.

New handlers can be added to the vulnerability chain and automatically participate in request validation.