Architecture first
Challenges are selected from observed agent, tool, workflow, credential, data, and instruction surfaces.
CapitalGuard Attack Lab
CapitalGuard connects architecture-aware control challenges to a multi-hop exposure path, a required policy change, and a regression check that stays with the repository.
cg-attack-lab-1.1.0 · cg-exposure-graph-1.0.0 · cg-risk-2026.07.1
CapitalGuard Exposure Graph
Synthetic repository. No customer data.
Inputs
Agent runtime
Authority
Downstream
Entry point
Untrusted instruction in repository documentation
Vulnerable component
Coding agent with command and workflow access
Trust boundary crossed
Repository text crosses into executable agent instruction
Downstream assets
A manipulated task could affect published code, customers, and the company release chain.
Required control
Treat repository text as untrusted, block credential paths, and require approval for workflow or release actions.
Nine control categories
This synthetic demonstration shows the exact output structure. Paid local runs derive challenges from the authorized repository and retain only redacted, deterministic evidence.
Architecture-aware control challenges
9
Control challenges
9
Exposed paths
9
Retained regressions
CGAL-INJ-001
Prompt injection
Check whether untrusted repository text can influence an agent with consequential tools.
Signal: Repository instructions plus command or network authority
CGAL-TOOL-001
Tool abuse
Check whether a connected tool can cross its approved data or action scope.
Signal: Tool bridge plus broad filesystem or API scope
CGAL-PRIV-001
Privilege escalation
Check whether an agent-controlled workflow inherits write-capable credentials.
Signal: Workflow automation plus write or identity-token permission
CGAL-LEAK-001
Data leakage
Check whether private context can reach an unapproved destination.
Signal: Sensitive path plus transfer-capable tool
CGAL-SECRET-001
Secrets misuse
Check whether credential-bearing paths are inside agent-readable scope.
Signal: Secret-like path plus repository read access
CGAL-SHELL-001
Unsafe shell execution
Check whether repository input can reach an unreviewed shell or lifecycle script.
Signal: Untrusted input plus shell, install, or deployment execution
CGAL-DISCOVERY-001
Tool discovery abuse
Check whether automatic tool discovery exposes more capability than the task requires.
Signal: Discoverable MCP or plugin tools without an explicit allowlist
CGAL-MEMORY-001
Memory abuse
Check whether persistent instructions can silently change later agent behavior.
Signal: Persistent agent instructions plus weak ownership or review
CGAL-MCP-001
MCP misuse
Check whether an MCP server can reuse broad identity or downstream authority outside the approved task.
Signal: MCP transport plus broad token, filesystem, API, or data-store scope
Challenges are selected from observed agent, tool, workflow, credential, data, and instruction surfaces.
The local tool never executes a payload, target application, package hook, workflow, or external network call.
Every exposed category becomes a stable check that can run manually or fail CI when exposure returns.
Each path records the entry point, crossed boundary, downstream assets, confidence, blast radius, and required control.
One closed security loop
Discover
Map
Attack
Prioritize
Fix
Generate Policy
Create Regression Test
GitHub
Monitor
Recalculate Risk
GitHub receives only the deterministic regression result and privacy-safe evidence state. Official scoring and CapitalGuard Reviewed remain tied to the paid, authorized review process.
See GitHub Workflow