Skip to main content

AI Agent Security Testing — discovers dangerous tool chain compositions via knowledge graph analysis

Project description

ZIRAN: your AI agent — with tools, memory, and permissions — flows through the ZIRAN pipeline (discover, map, analyze, attack, report) and out into a ranked list of findings. The top finding 'read_file → http_request' is highlighted as a critical data-exfiltration tool chain. Keywords: AI agent security, agent red team, tool chain analysis, knowledge graph, MCP, A2A, LangChain, CrewAI, prompt injection, side-effect detection, multi-phase campaigns.

Find vulnerabilities in your AI agents.

Star us ❤️ → Star ZIRAN on GitHub — open-source AI agent security scanner with tool chain discovery, side-effect detection, and adaptive multi-phase campaigns  ·  📚 Docs  ·  🧪 Examples  ·  📦 PyPI  ·  🐛 Issues

ZIRAN finds vulnerabilities in AI agents — not just LLMs, but agents with tools, memory, and multi-step reasoning. It models your agent as a graph of capabilities and tests what happens when they combine — surfacing dangerous tool chains, execution-level side effects, and multi-phase exploits that single-prompt scanners miss.

Graph-based · tool-chain discovery  ·  Execution-aware · side-effect detection  ·  Adaptive · 8-phase campaigns

CI Tests PyPI Downloads License Python 3.11+ Stars

Install  ·  Quick Start  ·  Web UI  ·  Examples  ·  Docs

ZIRAN Dashboard — web UI showing campaign results, attack library, and knowledge graph


Benchmarks

639 attack vectors · 11 categories · 100% OWASP LLM Top 10 · 72/86 MITRE ATLAS techniques · 20 benchmarks analyzed

Benchmark Coverage
OWASP LLM Top 10 10/10 categories (strong or comprehensive)
MITRE ATLAS (Oct 2025) 72/86 techniques, 14/14 agent-specific
AgentHarm (ICLR 2025) 100% harm categories
JailbreakBench (NeurIPS 2024) 100% categories, 175 vectors
Agent Security Bench 100% vectors (639/400)
HarmBench (ICML 2024) 55.6% tactics, 175 jailbreak vectors
R-Judge 100% risk types
ALERT 100% micro categories (32/32)
TensorTrust / WildJailbreak / ToolEmu / CyberSecEval Representative pattern families
LLMail-Inject / RAG Poisoning Retrieval-ranked vectors across 4 document framings

Full results: benchmarks/ · docs


Why ZIRAN?

Most security tools test prompts and tools in isolation. But agent vulnerabilities emerge from how tools interact -- an agent with read_file and http_request has a data exfiltration path, even though neither tool is dangerous alone. Testing each tool individually misses this entirely.

ZIRAN models your agent as a graph of capabilities and tests what happens when they combine.

Capability ZIRAN Promptfoo Invariant (Snyk) Garak PyRIT Inspect AI
Tool chain discovery (graph-based) Yes -- Policy-based -- -- --
Side-effect detection (execution-level) Yes -- Trace-based -- -- Sandbox
Multi-phase campaigns w/ graph feedback Yes Turn-level Flow analysis -- Composable Multi-turn
Autonomous pentesting agent Yes -- -- -- -- --
Multi-agent coordination Yes -- -- -- -- --
Knowledge graph tracking Yes -- Policy lang. -- -- --
Agent-aware (tools + memory) Yes Partial Yes -- -- Partial
A2A protocol support Yes -- -- -- -- --
MCP protocol support Yes Partial Yes -- -- --
Encoding/obfuscation attacks Yes (8) Yes (12+) -- -- -- --
Industry compliance plugins -- Yes (46) -- -- -- --
Streaming (SSE/WebSocket) Yes -- -- -- -- --
CI/CD quality gate Yes Yes -- -- -- --
Open source Apache-2.0 MIT Partial Apache-2.0 MIT MIT

What these capabilities catch:

Tool-chain discovery — graph beats list

Side-by-side comparison: a list-based scanner sees four individually-safe tools (read_file, http_request, sql_query, exec_code) and reports no findings, while ZIRAN walks the capability graph and surfaces dangerous transitive compositions — read_file→http_request as critical data exfiltration, sql_query→exec_code as high-severity SQL-to-RCE.

Individual tools pass security review in isolation, but their compositions create vulnerabilities. Graph-based analysis finds transitive attack paths — read_file → http_request for data exfiltration, sql_query → exec_code for SQL-to-RCE — that list-based testing misses entirely.

Side-effect detection — chat is not the truth

Two stacked layers: on the surface, the agent replies 'I can't do that — request refused' to 'Delete user 42' and a chat-only scanner marks it safe; on the execution layer below, ZIRAN intercepts the actual tool call delete_user(id=42) firing silently and flags it as critical.

Agents can refuse a request in their text response while still executing the dangerous tool call underneath. ZIRAN intercepts at the execution layer and flags these silent failures — chat-only scanners mark them as safe.

Adaptive 8-phase campaigns — the graph drives the next move

A live knowledge graph grows phase by phase: Reconnaissance discovers 3 capabilities, Capability Map adds 3 tools, Vulnerability Discovery surfaces a critical read_file→http_request chain, Exploit Setup attaches an attack node. Trust Building is skipped (no auth surface) and Persistence is skipped (ephemeral target) because the graph state makes them irrelevant. The right panel narrates how each new graph state picks the next phase.

A live knowledge graph grows as the scan progresses, and the graph picks the next phase — not a fixed sequence. A critical chain found mid-campaign immediately routes to Exploit Setup, while phases like Trust Building or Persistence are skipped when graph state shows they would not yield results. Three strategies control this: fixed (sequential, reproducible for CI), adaptive (rule-based reordering), and llm-adaptive (LLM examines the graph after each phase to plan).

And…

  • Multi-Agent Coordination -- In multi-agent systems, an agent may trust messages from peers without validation. Testing cross-agent trust boundaries reveals lateral movement paths.
  • A2A + MCP Protocols -- Tests Agent-to-Agent and MCP agents through their native protocols, exercising the actual attack surface rather than a simplified proxy.
  • Framework Agnostic -- LangChain, CrewAI, Bedrock, MCP, browser UIs, remote HTTPS agents, or custom adapters.

What ZIRAN Is / What ZIRAN Is Not

ZIRAN is an agent security scanner that discovers dangerous tool compositions via graph analysis, detects execution-level side effects, and runs multi-phase campaigns that model real attacker behavior.

ZIRAN is not:

  • An LLM safety/alignment tool -- for prompt injection breadth, jailbreak templates, and compliance testing, use Promptfoo or Garak
  • A runtime guardrail -- for real-time input/output protection, use NeMo Guardrails, Lakera Guard, or LLM Guard
  • A general-purpose eval framework -- for model evaluation and benchmarking, use Inspect AI or Deepeval

Works With

ZIRAN is complementary to other tools in the AI security ecosystem:

Pre-deploy testing:

  • Promptfoo for attack breadth (encoding strategies, jailbreak templates, compliance plugins) + ZIRAN for agent depth (tool chains, side-effects, campaigns)
  • Garak for LLM-layer vulnerability scanning + ZIRAN for agent-layer tool chain analysis

Runtime governance:

  • NeMo Guardrails / Lakera for runtime input/output protection + ZIRAN for pre-deployment testing
  • Invariant (Snyk) for runtime policy enforcement + ZIRAN for pre-deploy tool chain analysis

Observability:

  • Langfuse for production trace analytics + ZIRAN analyze-traces for security evaluation of production behavior
  • LangSmith for debugging and eval + ZIRAN for security-focused campaign testing

See the Agent Security Landscape for a full mapping of tools across pre-deploy, runtime, and observability layers.


Install

pip install ziran

# with framework adapters
pip install ziran[langchain]    # LangChain support
pip install ziran[crewai]       # CrewAI support
pip install ziran[a2a]          # A2A protocol support
pip install ziran[streaming]    # SSE/WebSocket streaming
pip install ziran[pentest]      # autonomous pentesting agent
pip install ziran[otel]         # OpenTelemetry tracing
pip install ziran[ui]            # web dashboard
pip install ziran[all]          # everything

Web UI

ZIRAN includes a built-in web dashboard for visual security analysis. Install the UI extra and start:

pip install ziran[ui]
ziran ui
# Dashboard: http://127.0.0.1:8484

Or with Docker:

docker compose up
# Dashboard: http://localhost:8484

Attack Library -- 639 vectors across 11 categories

Attack Library

Scan Configuration

New Run


Quick Start

CLI

# scan a LangChain agent (in-process)
ziran scan --framework langchain --agent-path my_agent.py

# scan a remote agent over HTTPS
ziran scan --target target.yaml

# adaptive campaign with LLM-driven strategy
ziran scan --target target.yaml --strategy llm-adaptive

# stream responses in real-time
ziran scan --target target.yaml --streaming

# scan with encoding bypass variants (Base64 + ROT13)
ziran scan --target target.yaml --encoding base64 --encoding rot13

# scan with OpenTelemetry tracing
ziran scan --target target.yaml --otel

# scan a multi-agent system
ziran multi-agent-scan --target target.yaml

# discover capabilities of a remote agent
ziran discover --target target.yaml

# autonomous pentesting agent
ziran pentest --target target.yaml

# interactive red-team mode
ziran pentest --target target.yaml --interactive

# view the interactive HTML report
open reports/campaign_*_report.html

Python API

import asyncio
from ziran.application.agent_scanner.scanner import AgentScanner
from ziran.application.attacks.library import AttackLibrary
from ziran.infrastructure.adapters.langchain_adapter import LangChainAdapter

adapter = LangChainAdapter(agent=your_agent)
scanner = AgentScanner(adapter=adapter, attack_library=AttackLibrary())

result = asyncio.run(scanner.run_campaign())
print(f"Vulnerabilities found: {result.total_vulnerabilities}")
print(f"Dangerous tool chains: {len(result.dangerous_tool_chains)}")

See examples/ for 22 runnable demos -- from static analysis to autonomous pentesting.


Remote Agent Scanning

ZIRAN can test any published agent over HTTPS -- no source code or in-process access required. Define your target in a YAML file:

# target.yaml
name: my-agent
url: https://agent.example.com
protocol: auto  # auto | rest | openai | mcp | a2a

auth:
  type: bearer
  token_env: AGENT_API_KEY

tls:
  verify: true

Supported protocols:

Protocol Use Case Auto-detected via
REST Generic HTTP endpoints Fallback default
OpenAI-compatible Chat completions API (/v1/chat/completions) Path probing
MCP Model Context Protocol agents (JSON-RPC 2.0) JSON-RPC response
A2A Google Agent-to-Agent protocol /.well-known/agent.json
# auto-detect protocol and scan
ziran scan --target target.yaml

# force a specific protocol
ziran scan --target target.yaml --protocol openai

# A2A agent with Agent Card discovery
ziran scan --target a2a_target.yaml --protocol a2a

See examples/15-remote-agent-scan/ for ready-to-use target configurations.


What ZIRAN Finds

Prompt-level -- injection, system prompt extraction, memory poisoning, chain-of-thought manipulation.

Tool-level -- tool manipulation, privilege escalation, data exfiltration chains.

Tool chains -- automatic graph analysis of dangerous tool compositions:

+----------+---------------------+-----------------------------+--------------------------------------+
| Risk     | Type                | Tools                       | Description                          |
+----------+---------------------+-----------------------------+--------------------------------------+
| critical | data_exfiltration   | read_file -> http_request   | File contents sent to external server|
| critical | sql_to_rce          | sql_query -> execute_code   | SQL results executed as code         |
| high     | pii_leakage         | get_user_info -> external_api| User PII sent to third-party API    |
+----------+---------------------+-----------------------------+--------------------------------------+

How It Works

ZIRAN pipeline diagram: your agent (with tools, memory, and permissions) connects through an adapter layer into the ZIRAN pipeline — DISCOVER probes capabilities, MAP builds a NetworkX MultiDiGraph, ANALYZE walks the graph for dangerous chains across 30+ patterns, ATTACK runs multi-phase exploits informed by the graph, and REPORT emits scored findings. Outputs land in three formats: HTML interactive graph, Markdown CI/CD tables, and JSON for programmatic consumption.

Five sequential stages: DISCOVER probes tools, permissions, and data access; MAP builds a NetworkX MultiDiGraph of capabilities; ANALYZE walks the graph against 30+ dangerous-chain patterns; ATTACK runs multi-phase exploits informed by the graph; REPORT emits scored findings with remediation guidance.

Campaign phases

The ATTACK stage runs an 8-phase campaign — reconnaissance, trust building, capability mapping, vulnerability discovery, exploitation setup, execution, persistence, exfiltration. Phases are not linear: the live knowledge graph drives execution order, so a discovery during exploitation may trigger a return to reconnaissance, and revealed tools cause capability mapping to re-run with updated context. (See Adaptive 8-phase campaigns above for an animated walk-through, including how Trust Building and Persistence are skipped when graph state makes them irrelevant.)

Three strategies control this:

  • fixed -- Sequential execution through all 8 phases (reproducible, good for CI)
  • adaptive -- Rule-based reordering: skips phases that won't yield results given current graph state, revisits phases when new capabilities are discovered
  • llm-adaptive -- LLM-driven planning: an LLM examines the knowledge graph after each phase and decides what to do next

See adaptive campaigns docs.


Reports

Three output formats, generated automatically:

  • HTML -- Interactive knowledge graph with attack path highlighting
  • Markdown -- CI/CD-friendly summary tables
  • JSON -- Machine-parseable for programmatic consumption

Mock-up of a ZIRAN HTML campaign report — header with target metadata, severity counters (3 critical, 7 high, 12 medium, 28 low), a findings table listing the top tool-chain vulnerabilities (data exfiltration, SQL-to-RCE, PII leakage, prompt injection, multi-agent trust boundary), and a live knowledge graph with the critical attack paths highlighted.


CI/CD Integration

Use ZIRAN as a quality gate in your pipeline. Templates are available for five CI systems:

CI System Template SARIF Integration
GitHub Actions ziran-scan.yml GitHub Security tab
GitLab CI gitlab-ci.yml GitLab Security Dashboard
Jenkins Jenkinsfile Warnings Next Generation Plugin
CircleCI circleci-config.yml Build artifacts
Azure Pipelines azure-pipelines.yml PublishBuildArtifacts

GitHub Actions (official action)

# .github/workflows/security.yml
- uses: taoq-ai/ziran@v0
  with:
    command: ci
    result-file: scan_results.json
    severity-threshold: medium
    sarif-output: results.sarif

GitLab CI

ziran-security-scan:
  stage: test
  image: python:3.12-slim
  before_script:
    - pip install ziran
  script:
    - ziran ci --result-file scan_results.json --severity-threshold medium --output sarif --sarif-file gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json

Outputs: status (passed/failed), trust-score, total-findings, critical-findings, sarif-file.

See CI integrations docs for Jenkins, CircleCI, and Azure Pipelines examples, or browse the template directory.


Development

git clone https://github.com/taoq-ai/ziran.git && cd ziran
uv sync --group dev

uv run ruff check .            # lint
uv run mypy ziran/             # type-check
uv run pytest --cov=ziran      # test

Contributing

See CONTRIBUTING.md. Ways to help:


Citation

If you use ZIRAN in academic work, please cite:

@software{ziran2026,
  title     = {ZIRAN: AI Agent Security Testing},
  author    = {{TaoQ AI} and Lage Perdigao, Leone},
  year      = {2026},
  url       = {https://github.com/taoq-ai/ziran},
  license   = {Apache-2.0},
  version   = {0.25.0}
}

License

Apache License 2.0 -- See NOTICE for third-party attributions.

Built by TaoQ AI

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ziran-0.36.0.tar.gz (4.4 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ziran-0.36.0-py3-none-any.whl (627.6 kB view details)

Uploaded Python 3

File details

Details for the file ziran-0.36.0.tar.gz.

File metadata

  • Download URL: ziran-0.36.0.tar.gz
  • Upload date:
  • Size: 4.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ziran-0.36.0.tar.gz
Algorithm Hash digest
SHA256 311079011b2cb2088ccf45f54a8c1e3d194bf728b9df2e35da7b34ae4b7f75d4
MD5 686106934dacb9b146adfaf976fa96fd
BLAKE2b-256 5994ea70e877a740088bc22256bb793713a2c6be7d4d42cfc421baef9c91970f

See more details on using hashes here.

Provenance

The following attestation bundles were made for ziran-0.36.0.tar.gz:

Publisher: release.yml on taoq-ai/ziran

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ziran-0.36.0-py3-none-any.whl.

File metadata

  • Download URL: ziran-0.36.0-py3-none-any.whl
  • Upload date:
  • Size: 627.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ziran-0.36.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ff80d0335a49209c74ea2022bce51f2d42d7db09f66412ebd62a66d0e16ada9a
MD5 ba84b6234f990c97ddaaba2a394996e9
BLAKE2b-256 e8df7c19f4a6781b5b557ff21896b3f1ff9a0450b88e6e63b8bdfe15d0b8a009

See more details on using hashes here.

Provenance

The following attestation bundles were made for ziran-0.36.0-py3-none-any.whl:

Publisher: release.yml on taoq-ai/ziran

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page