Purple Firefish AI Pentesting Platform Overview
Purple Firefish is a local-first AI security gateway with a built-in, authorized AI pentesting workspace. It helps you test AI apps, RAG systems, agents, tool brokers, and local model runtimes with safe synthetic campaigns, then turn the results into redacted evidence, findings, and reports.
The simple version:
Firefish lets you prove how your AI system behaves under realistic AI attack pressure without using real secrets, unsafe payloads, or unapproved targets.
Authorized AI pentest platform means Firefish is scoped, local-first, synthetic by default, and built around evidence you can review without exposing raw secrets or unsafe payloads.
Can I Use It Now?
Yes. In the Docker review build, Security Workbench is enabled and ready to explore from the operator app.
Use it today for:
- Viewing the current module library.
- Reviewing safe local sample engagements, targets, runs, findings, and evidence.
- Building dry-run campaign plans.
- Inspecting OWASP LLM Top 10 and MITRE ATLAS coverage.
- Exporting redacted JSON and Markdown-style report content through the platform APIs.
- Testing deterministic local lab targets that do not call the network.
The feature remains behind FIREFISH_PENTEST_ENABLED so production deployments can keep it hidden until the operator chooses to enable it.
What Firefish Tests
Firefish focuses on AI-specific trust-boundary failures:
- Direct prompt injection.
- Jailbreak and policy bypass smoke checks.
- Indirect/RAG prompt injection.
- Citation and source confusion.
- System prompt leakage.
- Synthetic secret leakage.
- Tool hijacking and excessive agency.
- Unsafe model output handling.
- Bounded resource-consumption probes.
- Local gateway and runtime capability discovery.
The tests use simulator-safe placeholders and synthetic canaries such as FIREFISH_CANARY_SECRET_001. They are designed for defensive validation, not for harmful exploitation.
How Security Workbench Works
Firefish organizes testing into practical security objects:
- Engagements define the authorized scope.
- Targets describe the AI asset being tested.
- Modules are individual security checks.
- Campaigns group modules into repeatable test plans.
- Runs capture one execution of a campaign or module.
- Findings normalize risk, severity, and remediation.
- Evidence stores redacted traces, hashes, canary IDs, and safe summaries.
- Reports summarize coverage and outcomes for review.
- Audit events preserve who planned, ran, reviewed, and exported results.
Available Module Families
The current module library includes:
- Reconnaissance: target fingerprinting, capability probing, policy surface review, tool inventory, and RAG surface review.
- Prompt injection: direct instruction override, role confusion, synthetic canary exfiltration, and obfuscated instruction checks.
- Jailbreak smoke checks: policy-boundary and multi-turn escalation checks using safe placeholders.
- RAG testing: indirect injection, context poisoning canaries, source confusion, document conflict checks, embedding boundary checks, and citation integrity checks.
- Agent and tool governance: tool hijack simulation, excessive agency checks, unapproved external send, destructive action guardrails, argument injection, and tool-result injection checks.
- Data exposure: system prompt leakage canaries, synthetic secret recall, and training-data echo smoke checks.
- Output handling: unsafe markdown/HTML and code-execution sink smoke checks.
- Resource consumption: long-context and recursive-tool-loop bounded probes.
- Benchmark smoke tests: quick local regression checks.
Safe Local Lab Targets
Firefish ships deterministic fake targets for demos and tests:
- vulnerable_chatbot
- protected_firefish_gateway
- vulnerable_rag_corpus
- protected_rag_corpus
- vulnerable_tool_agent
- protected_tool_agent
These fixtures do not start services or call the internet. They produce repeatable protected/vulnerable outcomes so you can see how Firefish handles findings without touching real infrastructure.
Safety Model
Firefish pentesting is safe by default:
- Authorization scope is required for campaign execution.
- Dry-run is the default run mode.
- Public internet targets are blocked unless explicitly allowlisted.
- Rate limits and request budgets are enforced.
- Synthetic canaries are used instead of real secrets.
- Destructive tool actions are simulated, not executed.
- Raw evidence export is disabled by default.
- Reports and UI views use redacted evidence and hashes.
- Hosted model providers are not required.
What You See In The App
Open the operator app and select Security Workbench. The page shows:
- Engagement selector.
- Target profiles.
- Module library summary.
- Campaign builder.
- Findings by severity.
- OWASP and MITRE coverage.
- Firefish protection effectiveness.
- Recent evidence timeline.
- Report preview and export actions.
Core Workflow
sequenceDiagram
participant Operator
participant UI as Firefish Cockpit
participant Safety as Safety Gate
participant Module as Module Runner
participant Target as Authorized Target
participant Evidence as Evidence Store
participant Report as Report Builder
Operator->>UI: Choose engagement and target
Operator->>UI: Select modules and limits
UI->>Safety: Validate scope, run mode, and allowlist
Safety-->>UI: Approved dry-run plan
UI->>Module: Run bounded campaign
Module->>Target: Send safe synthetic test
Target-->>Module: Redacted behavior summary
Module->>Evidence: Store hashes, canaries, and traces
Evidence->>Report: Build findings and coverage summary
Report-->>UI: Show redacted report
Reports And Coverage
Firefish reports include:
- Executive summary.
- Scope and authorization.
- Target inventory.
- Campaigns run.
- Findings by severity.
- OWASP LLM Top 10 coverage.
- MITRE ATLAS coverage.
- Firefish protection outcome.
- Evidence timeline.
- Remediation plan.
- Module versions and payload IDs.
Raw prompts, secrets, credentials, full tool payloads, and unsafe sample text are not shown in normal report views.
