K² Adversarial Context Demo: Multimodal Threat Intelligence Case Study

K² ships scoped threat context to your adversarial generator.

Adversarial generators need scoped, current, traceable context. K² is the knowledge layer that supplies it. This case study shows how an existing generator can retrieve threat patterns, policy boundaries, target-system context, and past-finding precedent with citations on every fact and lineage on every generated test plan.

K² stays under the test generator. Your red-team platform, scorer, guardrails, and drift detection remain in place.

Context path
Role-separated corpora: Threats, policy, target facts, and findings keep their roles.
Named agents: Each worker retrieves only the evidence it owns.
MCP boundary: The external generator receives a cited plan before it acts.
Architecture first

K² connects adversarial generators to scoped, cited threat context.

The topology mirrors the sibling context demo: role-separated corpora, named agents, Knowledge Feed, Pipeline, MCP boundary, and the customer's existing tool on the right side of the diagram.

Customer knowledge: Threats, policy, target facts, findings
K² platform: Collections, Agents, Feed, Pipeline
MCP server: Cited evaluation plan JSON
Existing generator: PyRIT, NeMo, internal, or vendor
Customer stack: Execution, scoring, reviewer, GRC
Role-separated adversarial context architecture

K² keeps retrieved facts role-aware, composes a plan through bounded agents, and hands that plan to an existing red-team tool over MCP.

[Diagram: K² adversarial context architecture. Customer corpora (threat patterns, policy scope, target context, past findings) feed the named K² agents (Threat Agent, Policy Agent, Target Agent, Strategist), which feed Pipeline + MCP (Pipeline Spec, MCP server), which hands off to the existing red-team tool (adversarial generator such as PyRIT, NeMo, or internal; scorer and reviewer stay customer owned). Knowledge Feed: public threats and resurfaced regressions update scoped corpora.]
K² is the knowledge layer underneath adversarial testing

The page is intentionally complementary. AI security platforms keep the adversarial outcome; K² supplies the scoped context that makes their generation step easier to review.

What this demo claims

  • K² makes adversarial test generation more scoped, current, and traceable by improving pre-generation context.
  • Every candidate test seed can trace back to the threat pattern, policy clause, and target fact that justified it.
  • Threat intelligence stays fresh through Knowledge Feeds without rewriting the customer generator.

What this demo does not claim

  • K² does not score adversarial outcomes.
  • K² does not enforce runtime guardrails.
  • K² does not detect production drift on its own.
  • K² does not replace an eval framework, red-team platform, or AI security product.
  • K² does not produce compliance attestation.

The core insight: adversarial facts have roles

Generators perform better when they know whether a fact is a threat pattern, policy boundary, target-system fact, or past finding. K² preserves that role through collections, filters, agents, and citations.

Threat patterns propose risk: Public techniques, modalities, model classes, and origin citations.
Policy scope bounds the plan: Environment rules, severity definitions, and review gates.
Target facts create relevance: Accepted modalities, tools, prompts, model version, and surface.
Past findings carry memory: Prior success, mitigation, resurfacing, and regression status.

What K² should answer before generation

Before the red-team tool generates a single adversarial input, K² should answer questions like these with citations from the customer's threat, policy, target, and findings corpora.

Ask K²: Which threat patterns apply to a vision-capable chat assistant on text-plus-image inputs?
Ask K²: Which severity band does each pattern carry under our policy?
Ask K²: Which patterns have already been mitigated for this target?
Ask K²: Which past findings are due for regression-style re-testing?
Ask K²: Which proposed seeds would step outside the agreed scope?

K² platform value map

Each card maps one K² primitive to the adversarial-context value it delivers.

Collections: K² collections keep threat patterns, policy scope, target-system facts, and past findings separately indexed so their role survives retrieval.

Separate roles stay queryable

Threats, policy, target context, and findings are indexed as different corpora instead of one prompt pile.

  • Demo corpora: adv-threats, adv-policy, adv-target, adv-findings.
  • Reviewers can see why each fact was retrieved.

Metadata filters: Metadata filters constrain retrieval by modality, target model class, severity, environment, mitigation status, and target id before generation.

Scope before generation

Modality, model class, severity, environment, and mitigation filters narrow retrieval before the generator sees context.

  • Example: text plus image, vlm, staging, high severity.
  • Less irrelevant context reaches the prompt.

Hybrid search: Hybrid search combines semantic retrieval with exact matching so attack-family names, paper citations, tags, and identifiers are preserved.

Semantic plus exact match

K² can match attack-family language while preserving exact tags, benchmark names, and citation identifiers.

  • Useful for OWASP categories and paper-derived technique names.
  • Prevents taxonomy terms from being washed out.

Agents: K² Agents are bounded retrieval and synthesis workers. This demo uses threat, policy, target, and strategist agents with explicit corpus access.

Bounded context workers

Threat, policy, target, and strategist agents each answer one part of the plan with explicit corpus access.

  • The strategist consumes cited upstream outputs.
  • Adversarial input generation remains external.

Knowledge Feed: A Knowledge Feed promotes new public threat intelligence and resurfaced findings into scoped corpora with provenance.

Freshness without rework

New public threats and resurfaced regressions promote into scoped corpora so future plans include them automatically.

  • Public threat intel lands in adv-threats.
  • Regression watchlist tags keep old failures visible.

Pipeline + MCP: A Pipeline declares how corpora, agents, feeds, subscriptions, and the MCP boundary connect so the topology is auditable.

Auditable handoff

A declared topology exposes one MCP endpoint that hands a cited evaluation plan to the customer tool.

  • Tool contract: get_evaluation_plan(...).
  • Downstream scorer and reviewer stay in place.
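As an added illustration (not K²'s own code or API), the following Python models the role-separated corpora and pre-generation questions described above together with the metadata-filter and get_evaluation_plan cards: the record ids, field names, corpus contents and the function signature are assumptions constructed for this example.

```python
# Added illustration, not K²'s own code: role-tagged corpora, exact metadata
# filters applied before generation, and a cited plan with a scope check.
# Record ids, field names and the get_evaluation_plan signature are assumptions.
CORPORA = {
    "adv-threats": [
        {"id": "TP-1", "modality": "text+image", "model_class": "vlm",
         "severity": "high", "tag": "LLM01", "text": "image-borne prompt injection"},
        {"id": "TP-2", "modality": "audio", "model_class": "speech",
         "severity": "medium", "tag": "LLM01", "text": "audio-borne prompt injection"},
    ],
    "adv-policy": [
        {"id": "POL-3", "environment": "staging", "severity": "high",
         "text": "high-severity seeds need a reviewer gate"},
    ],
    "adv-target": [
        {"id": "TGT-7", "target_id": "assistant-v2", "modality": "text+image",
         "model_class": "vlm", "environment": "staging"},
    ],
    "adv-findings": [
        {"id": "F-12", "threat": "TP-1", "target_id": "assistant-v2",
         "status": "mitigated", "regression_due": True},
    ],
}

def retrieve(corpus, **filters):
    """Exact-match metadata filtering: every given key must equal the record's."""
    return [r for r in CORPORA[corpus]
            if all(r.get(k) == v for k, v in filters.items())]

def get_evaluation_plan(target_id, environment):
    """Compose a cited plan; each seed lists the record ids that justified it."""
    target = retrieve("adv-target", target_id=target_id, environment=environment)[0]
    plan = {"target": target["id"], "seeds": [], "out_of_scope": []}
    for tp in CORPORA["adv-threats"]:  # scope check runs over every pattern
        if (tp["modality"], tp["model_class"]) != (target["modality"], target["model_class"]):
            plan["out_of_scope"].append(tp["id"])  # would step outside agreed scope
            continue
        policy = retrieve("adv-policy", environment=environment, severity=tp["severity"])
        findings = retrieve("adv-findings", threat=tp["id"], target_id=target_id)
        plan["seeds"].append({
            "threat": tp["id"], "severity": tp["severity"],
            "review_gate": bool(policy),  # policy scope bounds the plan
            "mitigated": any(f["status"] == "mitigated" for f in findings),
            "regression": any(f["regression_due"] for f in findings),  # past findings carry memory
            "citations": [tp["id"], target["id"]]
                         + [p["id"] for p in policy] + [f["id"] for f in findings],
        })
    return plan
```

The returned dict is the shape a reviewer would inspect at the MCP boundary: every seed carries the threat, target, policy and finding ids behind it, and out-of-scope patterns are reported rather than silently dropped.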

Two ways to act on the demo

Developers need a short reproducible setup. Enterprise buyers need a controlled pilot against their current red-team workflow. The same context layer supports both paths.

Jump to the boundary proof

Inspect how the plan line, citation panel, and benchmark framing keep K² below the adversarial outcome.