
Pipeline Stages

The analysis pipeline consists of 4 main stages that run in parallel where possible to maximize performance.

Stage 1a: YARA Static Analysis

Rules: 13 | Type: pattern

Fast pattern-based detection using 13 compiled YARA rules targeting AI-specific attacks. Runs on each file in parallel; every finding is tagged with its file_path so that findings in multi-file skills can be attributed to the file that produced them.

Key Detection Rules

  • prompt_injection_generic
  • coercive_injection_generic
  • credential_harvesting_generic
  • command_injection_generic
  • code_execution_generic
  • sql_injection_generic
  • tool_chaining_abuse_generic
  • autonomy_abuse_generic
  • capability_inflation_generic
  • system_manipulation_generic
  • script_injection_generic
  • indirect_prompt_injection_generic
  • prompt_injection_unicode_steganography

Stage 1b: LLM Semantic Analysis

Technology: LLM | Type: semantic

Understands code intent and detects sophisticated attacks that evade pattern matching. Uses large language models with structured output enforcement and random delimiters to prevent prompt injection.

What It Catches

  • Novel attack patterns not covered by YARA rules
  • Obfuscated threats (hex encoding, XOR, advanced patterns)
  • Context-dependent vulnerabilities requiring code flow understanding
  • Social engineering and deceptive patterns

Stage 2a: Meta-Analysis (False Positive Filtering)

Highest authority: Meta-analysis has the highest authority to override YARA/LLM findings. Findings marked as false positives are excluded from trust score calculation.

Second-pass LLM review to validate findings and remove false positives. Only runs when findings exist from Stage 1.

Key Functions

  1. Reviews all findings against full code context
  2. Marks false positives with meta_false_positive: true
  3. Prioritizes findings by real-world exploitability
  4. Correlates related findings (e.g., credential read + network send)
  5. Generates actionable remediation recommendations
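The following is an added example (not the pipeline's own code) of the Stage 2a post-processing described above: dropping findings marked meta_false_positive, correlating a credential read with a network send in the same file into one chained finding, and ranking what remains. The Finding schema, the severity weights, the "network_send" rule name and the trust-score formula are assumptions made for this illustration.

```python
# Added example of Stage 2a post-processing. The finding schema, severity
# weights, the "network_send" rule name and the trust-score formula are
# assumptions for this illustration, not the pipeline's own definitions.
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"low": 5, "medium": 10, "high": 25, "critical": 40}  # assumed
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

@dataclass
class Finding:
    rule: str
    file_path: str                    # set by the per-file scan (multi-file skills)
    severity: str
    meta_false_positive: bool = False  # set by the meta-analysis LLM pass
    notes: list = field(default_factory=list)

# Rule pairs the meta-analysis treats as a single chained threat when both
# occur in the same file (credential read + network send -> exfiltration).
CORRELATIONS = {
    ("credential_harvesting_generic", "network_send"): "credential_exfiltration_chain",
}

def correlate(findings):
    """Emit one critical finding per file in which both halves of a chain appear."""
    rules_by_file = {}
    for f in findings:
        rules_by_file.setdefault(f.file_path, set()).add(f.rule)
    chained = []
    for path, rules in rules_by_file.items():
        for (first, second), name in CORRELATIONS.items():
            if first in rules and second in rules:
                chained.append(Finding(name, path, "critical", notes=[f"{first} + {second}"]))
    return chained

def meta_analysis(findings):
    """Drop false positives, add correlated findings, rank, and score (100 = clean)."""
    kept = [f for f in findings if not f.meta_false_positive]  # FPs never count
    kept += correlate(kept)
    kept.sort(key=lambda f: SEVERITY_ORDER.index(f.severity))  # stable: keeps input order within a tier
    score = max(0, 100 - sum(SEVERITY_WEIGHT[f.severity] for f in kept))
    return score, kept

# Constructed sample findings for a two-file skill.
SAMPLE = [
    Finding("credential_harvesting_generic", "skill/main.py", "high"),
    Finding("network_send", "skill/main.py", "medium"),
    # Flagged by YARA in documentation text; meta-analysis marked it a false positive.
    Finding("sql_injection_generic", "skill/README.md", "high", meta_false_positive=True),
]

if __name__ == "__main__":
    score, kept = meta_analysis(SAMPLE)
    print(score, [(f.rule, f.file_path, f.severity) for f in kept])
```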

Stage 2b: Sandbox Execution (coming soon)

Dynamic analysis observing actual runtime behavior in an isolated Docker container. Detects threats that only appear during execution.

Monitors

  • System calls (fork, execve)
  • Network attempts
  • File access (credentials)
  • Honeypot triggers

Honeypots

  • ~/.ssh/id_rsa
  • ~/.aws/credentials
  • ~/.env
  • ~/.bash_history