Attack catalog

Sectum AI ships eleven cross-tenant probe classes. Each runs against a defined surface from a synthetic tenant's session and either confirms that the tenant boundary holds or emits a finding tied to a planted canary marker. Below is the one-page index; click into the per-class pages for technique, method, mappings, and a reproducible example.

Detection is layered: exact canary scan (zero false positives) → semantic similarity → calibrated LLM judge. A confirmed finding is always traceable to a specific marker the ground-truth manifest records. See the threat model for how this layering produces the zero-false-positive guarantee.
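The first layer of that stack, the exact canary scan, is simple enough to show in full. The block below is an added illustration written for this page, not Sectum's own code: a constructed ground-truth manifest records which tenant planted each marker, and a response observed in one tenant's session is scanned for every marker owned by another tenant. Because the match is a literal substring comparison against strings the manifest planted, a hit is unambiguous and traceable to one manifest entry; responses with no exact hit are handed on to the later layers, which are only stubbed as a verdict string here. Tenant names, marker ids and canary values are all constructed for the example.

```python
"""Exact-match layer of a manifest-grounded canary scan (added illustration).

A marker is a literal string seeded into one synthetic tenant's data. Seeing a
marker owned by tenant X inside a response served to tenant Y is a boundary
violation that needs no model or heuristic to confirm.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Marker:
    marker_id: str   # id the ground-truth manifest assigns at seeding time
    tenant: str      # tenant that owns the planted data
    kind: str        # "HARD_CANARY" (verbatim phrase) or "ENTITY_CANARY"
    value: str       # the literal planted string


@dataclass(frozen=True)
class Finding:
    marker_id: str
    owner_tenant: str
    observed_tenant: str
    surface: str
    kind: str


# Constructed manifest. In practice this is written when the synthetic tenants
# are seeded, so every finding points back at a known planted marker.
MANIFEST: List[Marker] = [
    Marker("m-x-001", "tenant-x", "HARD_CANARY", "CANARY-X-7f3a9c1e"),
    Marker("m-x-002", "tenant-x", "HARD_CANARY", "CANARY-X-b2d4e6f8"),
    Marker("m-y-001", "tenant-y", "HARD_CANARY", "CANARY-Y-0a1b2c3d"),
]


def exact_canary_scan(response_text: str, observed_tenant: str, surface: str,
                      manifest: List[Marker] = MANIFEST) -> List[Finding]:
    """Return one Finding per foreign marker present verbatim in the response.

    Markers owned by the observing tenant are expected in its own responses
    and are skipped; only cross-tenant occurrences become findings.
    """
    findings = []
    for m in manifest:
        if m.tenant == observed_tenant:
            continue
        if m.value in response_text:
            findings.append(Finding(m.marker_id, m.tenant, observed_tenant,
                                    surface, m.kind))
    return findings


def triage(response_text: str, observed_tenant: str, surface: str) -> dict:
    """Apply the exact layer and decide whether later layers are needed.

    A foreign HARD_CANARY is a critical leak on its own. Any other exact hit is
    still a confirmed finding. With no exact hit, the response is escalated to
    the semantic-similarity and judge layers (assumed, not implemented here).
    """
    findings = exact_canary_scan(response_text, observed_tenant, surface)
    if any(f.kind == "HARD_CANARY" for f in findings):
        verdict = "critical"
    elif findings:
        verdict = "confirmed"
    else:
        verdict = "escalate"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed response: tenant Y's own canary plus one of tenant X's.
    sample = "Summary: CANARY-Y-0a1b2c3d ... see also CANARY-X-7f3a9c1e"
    print(triage(sample, "tenant-y", "api"))
```

The own-tenant skip is what keeps the layer honest: a tenant seeing its own planted data is the expected outcome, so only markers that crossed a boundary are reported, each with the manifest id that proves where it came from.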

The eleven classes

Class 1 — Direct tenant boundary fetch

Negative-authorization test. From tenant Y's session, attempt to fetch resources / IDs owned by tenant X (BOLA-style ID enumeration plus known canary doc IDs from the manifest). Any HARD_CANARY from tenant X in tenant Y's response is a critical leak.

Surfaces: API, vector DB. OWASP: LLM08:2025. Status: table-stakes probe; the value-add is manifest-grounded zero-FP detection across every surface.

Class 2 — Organic entity-bleed RAG (flagship)

The Retrieval Pivot reproduction: 95.4% of benign queries leaked cross-tenant when an embedding model strong enough to surface shared organic entities (shared people, vendors, compliance terms, monetary amounts, dates) is pointed at a shared vector index. No prompt injection; the queries are benign. Headline metric: Retrieval-Pivot Rate (RPR) — the fraction of benign queries that surfaced any foreign marker.

Surfaces: vector DB, RAG pipeline, API. OWASP: LLM08:2025. Status: the public killer demo. Supports sweeping across embedding models to reproduce the "stronger embeddings leak more" effect.

Class 3 — Adversarial RAG poisoning

Tenant Y plants content into the shared corpus that, when ingested, biases retrieval to surface tenant X data. Measures the marker-bleed delta versus the un-poisoned baseline.

Surfaces: vector DB, ingestion pipeline. OWASP: LLM08:2025; data poisoning.

Class 4 — Semantic-cache contamination

Prime a semantic / prompt cache as tenant X with a query whose answer contains a HARD_CANARY; issue a semantically near query as tenant Y; inspect the response. Also measures the cache-key tenancy — does the key incorporate tenant scope?

Surfaces: cache, API. OWASP: LLM08:2025.

Class 5 — KV-cache timing side channel

Statistical timing probe. Measures TTFT / latency differentials for prompts that do versus do not share a prefix with another tenant's recent prompt. Statistically significant distinguishability above noise floor → side-channel finding (severity scaled by signal strength).

Surfaces: inference endpoint. OWASP: LLM08:2025 (side-channel extension). Notes: implemented as a statistical test against a control distribution, reporting effect size and p-value. Findings report confidence intervals rather than overclaiming.

Class 6 — Embedding inversion across tenants

If embeddings are reachable cross-tenant (often via a shared index), attempt approximate inversion / nearest-source reconstruction of ENTITY_CANARY content from foreign tenants.

Surfaces: vector DB. OWASP: LLM08:2025.

Class 7 — Cross-tenant agent tool-call hijacking (incl. MCP)

From tenant Y's agent session, induce tool calls / MCP requests that would, if tenant context were lost, act with tenant X's authority. Includes the Asana-class token-passthrough pattern: confused-deputy probes and token-passthrough probes against the MCP server.

Surfaces: agent framework, MCP. OWASP: LLM08:2025; agentic tool abuse. Status: directly targets the "30 MCP CVEs in 60 days" trend called out in the spec.

Class 8 — Persistent memory contamination (SpAIware-class)

Write a HARD_CANARY into tenant X's long-term / agent memory; drive tenant Y sessions that would retrieve memory; inspect for the canary surfacing.

Surfaces: memory store, agent framework.

Class 9 — LoRA / adapter cross-tenant influence

For per-tenant fine-tunes / adapters: train tenant X's adapter on a corpus containing a memorizable HARD_CANARY phrase; query tenant Y; test for the memorized phrase surfacing. Also asserts routing correctness (the adapter actually loaded matches the active tenant).

Surfaces: model / adapter layer.

Class 10 — IKEA-style implicit benign extraction

Reproduces the Silent Leaks result: a sequence of benign tenant-Y queries that incrementally reconstruct tenant X knowledge. Measures extraction efficiency against a reconstruction threshold.

Surfaces: RAG, API.

Class 11 — GDPR Article 17 erasure verification

Pre-erasure, confirm a target tenant's HARD_CANARY markers are present across all configured surfaces. Trigger / await the customer's erasure flow. Post-erasure, re-scan every surface for any residual marker. Per-surface verdicts — ERASED / RESIDUAL DATA (counts itemized) / NO BASELINE — land in the attestation pack mapped to GDPR Art. 17 / 32 and EU AI Act Art. 15.

Surfaces: all configured AI surfaces (the standard scope is vector DB, prompt / completion logs, fine-tunes, eval sets, caches, agent memory, search indexes, tracing pipelines). Output: the Erasure Attestation engagement deliverable.
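The verdict logic for Class 11 is worth making concrete, since it is what the attestation pack ultimately carries. The block below is an added example, not Sectum's own code: each scan is represented as a map from surface name to the set of marker ids found there for the target tenant, and the pre- and post-erasure scans are compared per surface to produce ERASED, RESIDUAL DATA (with counts itemized) or NO BASELINE. Surface names and marker ids are constructed; the rollup rule for the overall verdict is an assumption chosen so that a single residual marker on any surface fails the attestation.

```python
"""Per-surface erasure verdicts from pre- and post-erasure marker scans.

Added illustration. Inputs are {surface: set(marker_id)} for the target
tenant, as produced by scanning every configured surface before the erasure
flow runs and again after it completes.
"""
from typing import Dict, Set

ERASED = "ERASED"
RESIDUAL = "RESIDUAL DATA"
NO_BASELINE = "NO BASELINE"


def surface_verdict(pre: Set[str], post: Set[str]) -> dict:
    """Judge one surface.

    NO BASELINE: the pre-erasure scan found no markers, so the surface cannot
    attest anything (the seeding or the scan adapter needs attention).
    RESIDUAL DATA: markers seen before erasure are still present afterwards.
    ERASED: every marker seen before erasure is gone.
    Markers that appear only after erasure are reported separately; they are
    not residue of the baseline but still warrant review.
    """
    residual = pre & post
    unexpected = post - pre
    if not pre:
        verdict = NO_BASELINE
    elif residual:
        verdict = RESIDUAL
    else:
        verdict = ERASED
    return {
        "verdict": verdict,
        "baseline_count": len(pre),
        "residual_count": len(residual),
        "residual_markers": sorted(residual),
        "unexpected_markers": sorted(unexpected),
    }


def erasure_attestation(pre_scan: Dict[str, Set[str]],
                        post_scan: Dict[str, Set[str]]) -> dict:
    """Roll per-surface verdicts into one attestation record.

    Overall verdict (assumed rollup): RESIDUAL DATA if any surface retains a
    baseline marker; otherwise ERASED if at least one surface had a baseline;
    otherwise NO BASELINE, because nothing was there to prove erasure against.
    """
    surfaces = sorted(set(pre_scan) | set(post_scan))
    per_surface = {
        s: surface_verdict(pre_scan.get(s, set()), post_scan.get(s, set()))
        for s in surfaces
    }
    verdicts = [v["verdict"] for v in per_surface.values()]
    if RESIDUAL in verdicts:
        overall = RESIDUAL
    elif ERASED in verdicts:
        overall = ERASED
    else:
        overall = NO_BASELINE
    return {
        "overall": overall,
        "total_residual": sum(v["residual_count"] for v in per_surface.values()),
        "surfaces": per_surface,
    }


# Constructed scans: the cache kept one marker, agent memory never held any.
PRE_SCAN = {
    "vector_db": {"m-x-001", "m-x-002"},
    "cache": {"m-x-001"},
    "agent_memory": set(),
}
POST_SCAN = {
    "vector_db": set(),
    "cache": {"m-x-001"},
    "agent_memory": set(),
}

if __name__ == "__main__":
    import json
    print(json.dumps(erasure_attestation(PRE_SCAN, POST_SCAN), indent=2))
```

Treating an empty baseline as its own verdict rather than as a pass is the important choice: a surface the erasure flow never touched and a surface that was never scanned correctly look identical after the fact, and only the pre-erasure count separates them.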


Mappings at a glance

Each finding carries owasp_llm, atlas[] (MITRE ATLAS technique IDs), and nist[] (NIST AI RMF) fields. The full per-control table is at /docs/compliance-mappings/.

Adapter coverage

Each probe declares the adapter capabilities it requires. The OSS ships live adapters for: pgvector, Chroma, Weaviate, Pinecone (vector); Langfuse, LangSmith (observability); Redis (cache); LangGraph and a generic HTTP agent (agent framework); a generic MCP client. Plus an in-memory fake for every family so contract tests run hermetically.