The latest articles on DEV Community by KRISHNAKAANTH REDDY YEDUGURU (@krishnakaanth_reddyyedug). https://dev.to/krishnakaanth_reddyyedug https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3869272%2Fe623cd2b-a772-48a9-81ec-10b53f3dc885.png https://dev.to/krishnakaanth_reddyyedug en KRISHNAKAANTH REDDY YEDUGURU Thu, 09 Apr 2026 07:47:48 +0000 https://dev.to/krishnakaanth_reddyyedug/redsoc-open-source-framework-to-benchmark-adversarial-attacks-on-ai-powered-socs-100-detection-1lj4 https://dev.to/krishnakaanth_reddyyedug/redsoc-open-source-framework-to-benchmark-adversarial-attacks-on-ai-powered-socs-100-detection-1lj4 <p>I've been working on a problem that I think is underexplored: what happens when you actually attack the AI assistant inside a SOC?<br> Most organizations are now running RAG-based LLM systems for alert triage, threat intelligence, and incident response. But almost nobody is systematically testing how these systems fail under adversarial conditions.<br> So I built RedSOC — an open-source adversarial evaluation framework specifically for LLM-integrated SOC environments.<br> What it does:<br> Three attack types are implemented and benchmarked:</p> <p>Corpus poisoning (PoisonedRAG threat model) — inject malicious documents into the knowledge base to steer analyst responses toward dangerous advice<br> Direct prompt injection — embed override instructions in the user query<br> Indirect prompt injection — hide adversarial instructions inside retrieved documents (Greshake et al. threat model)</p> <p>The detection layer runs three mechanisms in parallel without requiring model internals:</p> <p>Semantic anomaly scoring (cosine similarity between query and retrieved docs)<br> Provenance tracking (whitelist-based source verification)<br> Response consistency checking (answer vs source divergence)</p> <h2> Benchmark results (15 scenarios, Llama 3.2, fully local via Ollama) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attack Class</th> <th>Attack Success Rate</th> <th>Detection Rate</th> </tr> </thead> <tbody> <tr> <td>Corpus poisoning</td> <td>80%</td> <td>100%</td> </tr> <tr> <td>Direct injection</td> <td>60%</td> <td>100%</td> </tr> <tr> <td>Indirect injection</td> <td>100%</td> <td>100%</td> </tr> <tr> <td><strong>Overall</strong></td> <td><strong>80%</strong></td> <td><strong>100%</strong></td> </tr> </tbody> </table></div> <p>Indirect prompt injection succeeds 100% of the time against an undefended RAG pipeline. The detection layer catches everything at 100% with zero misses across all 15 scenarios.<br> Stack: Python, LangChain, FAISS, Ollama (Llama 3.2) — runs fully local, no API keys needed.<br> The accompanying survey paper maps the full adversarial threat landscape (RAG poisoning, prompt injection, multi-agent hijacking, concept drift) with 16 citations including PoisonedRAG, AgentPoison, MemoryGraft, and the recent DarkSide paper.<br> Code: <a href="https://github.com/krishnakaanthreddyy1510-cell/RedSOC" rel="noopener noreferrer">https://github.com/krishnakaanthreddyy1510-cell/RedSOC</a><br> Paper: [arXiv link — pending, will update]<br> Happy to answer questions about the detection architecture or the benchmark methodology. Feedback welcome — especially from anyone who's seen these attack patterns in production.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25ra0rt7a6b61iyys9a3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25ra0rt7a6b61iyys9a3.png" alt=" " width="800" height="266"></a></p> security python llm machinelearning