Threat Taxonomy

Surfinguard includes 18 analyzers covering 152 threat patterns across every action type an AI agent can perform.

Analyzers Overview

| Analyzer | Action Type | Threats | IDs |
|---|---|---|---|
| URL | url | 14 | U01-U14 |
| Command | command | 20 | C01-C20 |
| Text | text | 12 | P01-P12 |
| File Read | file_read | 10 | FR01-FR10 |
| File Write | file_write | 12 | FW01-FW12 |
| API Call | api_call | 10 | A01-A10 |
| Query | query | 7 | D01-D07 |
| Code | code | 8 | G01-G08 |
| Message | message | 6 | M01-M06 |
| Transaction | transaction | 6 | T01-T06 |
| Auth | auth | 6 | ID01-ID06 |
| Git | git | 6 | V01-V06 |
| UI Action | ui_action | 6 | UI01-UI06 |
| Infra | infra | 12 | I01-I06, CL01-CL06 |
| Agent Comm | agent_comm | 4 | MA01-MA04 |
| Data Pipeline | data_pipeline | 5 | ML01-ML05 |
| Document | document | 4 | DC01-DC04 |
| IoT | iot | 4 | IOT01-IOT04 |

Total: 152 threat patterns

URL Analyzer (U01-U14)

Analyzes URLs for phishing indicators, brand impersonation, and suspicious structure.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| U01 | Data URI | MANIPULATION | data: URIs embedding executable content |
| U02 | IP address URL | MANIPULATION | URLs using raw IP addresses instead of domains |
| U03 | URL shortener | MANIPULATION | bit.ly, t.co, and other redirection services |
| U04 | Risky TLD | MANIPULATION | .tk, .ml, .ga, .cf, and other abuse-prone TLDs |
| U05 | Brand impersonation | MANIPULATION | Lookalike domains (g00gle, paypa1) |
| U06 | Excessive subdomains | MANIPULATION | login.secure.google.evil.com |
| U07 | Suspicious keywords | MANIPULATION | /verify, /login, /update in path |
| U08 | Long URL | MANIPULATION | Extremely long URLs used to hide content |
| U09 | Homograph attack | MANIPULATION | Unicode characters mimicking ASCII |
| U10 | Free hosting | MANIPULATION | Sites on free hosting platforms |
| U11 | Cloud metadata | EXFILTRATION | AWS/GCP/Azure metadata endpoints (169.254.169.254) |
| U12 | Encoded content | MANIPULATION | Excessive URL encoding or base64 in URLs |
| U13 | Port number | MANIPULATION | Non-standard ports in URLs |
| U14 | Mixed signals | MANIPULATION | HTTPS domain with HTTP-like characteristics |
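To make the table concrete, here is an added example (not Surfinguard's own code) that implements a handful of the U-series checks above (U01, U02, U04, U06, U11, U13) with the Python standard library and returns the matching IDs for a URL. The subdomain threshold, the short TLD list and the metadata host names are assumptions chosen to mirror the table rows.

```python
"""Illustrative URL checks modelled on the U01-U14 rows.

Added example, not Surfinguard's implementation. Thresholds and the
TLD/metadata lists below are assumptions taken from the table text.
"""
import ipaddress
from urllib.parse import urlsplit

RISKY_TLDS = {"tk", "ml", "ga", "cf"}            # U04 row; illustrative list
MAX_SUBDOMAIN_LABELS = 3                         # assumed threshold for U06
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}  # U11 row


def analyze_url(url: str) -> list[str]:
    """Return the threat IDs that match a single URL (empty list if clean)."""
    findings: list[str] = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    # U01: a data: URI can carry executable content in the URL itself.
    if scheme == "data":
        return ["U01"]

    host = (parts.hostname or "").lower()
    if not host:
        return findings

    # U11: cloud metadata endpoint. Checked before U02 because the
    # EXFILTRATION primitive is the more important signal; both are reported.
    if host in METADATA_HOSTS:
        findings.append("U11")

    # U02: raw IP address in place of a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append("U02")
    except ValueError:
        labels = host.split(".")
        # U04: TLD with a high abuse rate.
        if labels[-1] in RISKY_TLDS:
            findings.append("U04")
        # U06: labels in front of the registrable domain, e.g.
        # login.secure.google.evil.com carries three subdomain labels.
        if len(labels) - 2 >= MAX_SUBDOMAIN_LABELS:
            findings.append("U06")

    # U13: explicit port that differs from the scheme default.
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        findings.append("U13")

    return findings
```

A real analyzer would also need a public-suffix list for U06 (so that co.uk is not counted as a subdomain) and a homograph check for U09; these are left out to keep the example short.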

Command Analyzer (C01-C20)

Analyzes shell commands for destructive operations, data exfiltration, and privilege escalation.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| C01 | Recursive deletion | DESTRUCTION | rm -rf with broad targets |
| C02 | Disk formatting | DESTRUCTION | mkfs, dd to disk devices |
| C03 | File overwrite | DESTRUCTION | Redirecting /dev/null or /dev/zero to files |
| C04 | Kill processes | DESTRUCTION | kill -9, killall on critical processes |
| C05 | Network exfiltration | EXFILTRATION | curl/wget posting file contents externally |
| C06 | DNS exfiltration | EXFILTRATION | Data encoded in DNS queries |
| C07 | Credential access | EXFILTRATION | Reading password files, keychains |
| C08 | Pipe to shell | DESTRUCTION | curl … \| bash, wget … \| sh |
| C09 | Redirect to sensitive file | ESCALATION | Writing to /etc/passwd, /etc/shadow |
| C10 | Reverse shell | EXFILTRATION | nc, bash /dev/tcp reverse connections |
| C11 | Privilege escalation | ESCALATION | sudo, su, doas commands |
| C12 | Setuid manipulation | ESCALATION | chmod +s, chown root |
| C13 | Firewall modification | ESCALATION | iptables, ufw rule changes |
| C14 | Cron persistence | PERSISTENCE | crontab -e, writing to cron directories |
| C15 | Service persistence | PERSISTENCE | systemctl enable, creating service files |
| C16 | Shell config modification | PERSISTENCE | Writing to .bashrc, .zshrc, .profile |
| C17 | SSH key injection | PERSISTENCE | Writing to authorized_keys |
| C18 | Fork bomb | DESTRUCTION | :(){ :\|:& };: and variants |
| C19 | Encoded command | MANIPULATION | base64 -d \| bash, eval of encoded strings |
| C20 | Container escape | ESCALATION | Docker --privileged, mount host filesystem |

Text Analyzer (P01-P12)

Detects prompt injection and manipulation attempts in text input.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| P01 | Direct injection | MANIPULATION | "Ignore previous instructions" |
| P02 | Indirect injection | MANIPULATION | Hidden instructions in fetched content |
| P03 | Goal hijacking | MANIPULATION | Redirecting agent objectives |
| P04 | Tool manipulation | MANIPULATION | Tricking agents into misusing tools |
| P05 | Persona hijacking | MANIPULATION | "You are now DAN" style attacks |
| P06 | Encoding evasion | MANIPULATION | Base64, ROT13, hex-encoded instructions |
| P07 | Markup injection | MANIPULATION | Hidden HTML, zero-width characters |
| P08 | System prompt extraction | EXFILTRATION | Attempts to leak system prompts |
| P09 | Context poisoning | MANIPULATION | Repetitive text, oversized contexts |
| P10 | Delayed trigger | PERSISTENCE | Time-based or condition-based payloads |
| P11 | Language switching | MANIPULATION | Non-Latin scripts to bypass filters |
| P12 | Multi-turn manipulation | MANIPULATION | Gradual escalation across turns |

File Read Analyzer (FR01-FR10)

Detects reads of sensitive files that could leak credentials or system information.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| FR01 | SSH private keys | EXFILTRATION | ~/.ssh/id_rsa, id_ed25519 |
| FR02 | System credentials | EXFILTRATION | /etc/passwd, /etc/shadow |
| FR03 | Cloud credentials | EXFILTRATION | ~/.aws/credentials, ~/.gcp/ |
| FR04 | Environment files | EXFILTRATION | .env, .env.local, .env.production |
| FR05 | Browser data | EXFILTRATION | Cookie databases, saved passwords |
| FR06 | Kubernetes secrets | EXFILTRATION | ~/.kube/config, service account tokens |
| FR07 | Docker credentials | EXFILTRATION | ~/.docker/config.json |
| FR08 | GPG/PGP keys | EXFILTRATION | ~/.gnupg/private-keys-v1.d/ |
| FR09 | Application secrets | EXFILTRATION | credentials.json, keystore files |
| FR10 | Shell history | EXFILTRATION | .bash_history, .zsh_history |

File Write Analyzer (FW01-FW12)

Detects file writes that could compromise system integrity or establish persistence.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| FW01 | System config overwrite | DESTRUCTION | Writing to /etc/hosts, resolv.conf |
| FW02 | SSH authorized_keys | PERSISTENCE | Injecting keys for backdoor access |
| FW03 | Cron job creation | PERSISTENCE | Writing to /etc/cron.d/ |
| FW04 | Startup script | PERSISTENCE | Writing to init.d, systemd units |
| FW05 | Shell config | PERSISTENCE | Modifying .bashrc, .zshrc |
| FW06 | Git hooks | PERSISTENCE | .git/hooks/ with executable content |
| FW07 | CI/CD pipeline | PERSISTENCE | .github/workflows/, .gitlab-ci.yml |
| FW08 | Package scripts | PERSISTENCE | package.json lifecycle scripts |
| FW09 | Shebang scripts | ESCALATION | Creating executable scripts |
| FW10 | Curl-pipe-bash | DESTRUCTION | Scripts with curl\|bash patterns |
| FW11 | SSH key content | EXFILTRATION | Files containing private key material |
| FW12 | Destructive scripts | DESTRUCTION | Scripts containing rm -rf patterns |

API Call Analyzer (A01-A10)

Detects malicious API call patterns including SSRF and credential forwarding.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| A01 | SSRF - internal | EXFILTRATION | Requests to localhost, 127.0.0.1, 10.x |
| A02 | SSRF - metadata | EXFILTRATION | Cloud metadata endpoints |
| A03 | Destructive method | DESTRUCTION | DELETE/PUT to critical endpoints |
| A04 | Credential forwarding | EXFILTRATION | Auth headers sent to third parties |
| A05 | Webhook manipulation | MANIPULATION | Registering/modifying webhooks |
| A06 | DNS exfiltration | EXFILTRATION | Data encoded in DNS requests |
| A07 | Mass data retrieval | EXFILTRATION | Bulk export, pagination abuse |
| A08 | Admin API access | ESCALATION | Admin/superuser endpoints |
| A09 | Rate limit bypass | ESCALATION | Techniques to evade rate limits |
| A10 | API key exposure | EXFILTRATION | Keys/tokens in URLs or logs |

Query Analyzer (D01-D07)

Detects SQL injection, data exfiltration, and destructive database operations.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| D01 | SQL injection | MANIPULATION | UNION SELECT, OR 1=1, stacked queries |
| D02 | Data destruction | DESTRUCTION | DROP TABLE, TRUNCATE, DELETE without WHERE |
| D03 | Schema modification | DESTRUCTION | ALTER TABLE, DROP INDEX |
| D04 | Privilege escalation | ESCALATION | GRANT ALL, CREATE USER |
| D05 | Data exfiltration | EXFILTRATION | INTO OUTFILE, bulk SELECT |
| D06 | Stored procedure abuse | ESCALATION | xp_cmdshell, LOAD_FILE |
| D07 | Comment obfuscation | MANIPULATION | Using /**/ to bypass filters |

Code Analyzer (G01-G08)

Detects malicious code patterns across multiple programming languages.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| G01 | Shell execution | DESTRUCTION | exec(), system(), child_process |
| G02 | Network exfiltration | EXFILTRATION | Sending data to external servers |
| G03 | File system destruction | DESTRUCTION | Recursive deletion in code |
| G04 | Eval injection | MANIPULATION | eval(), Function(), dynamic code execution |
| G05 | Crypto mining | DESTRUCTION | Cryptominer patterns, wallet addresses |
| G06 | Credential harvesting | EXFILTRATION | Keylogger, input capture patterns |
| G07 | Obfuscated code | MANIPULATION | Heavy encoding, string manipulation |
| G08 | Backdoor patterns | PERSISTENCE | Hidden network listeners, reverse shells |

Message Analyzer (M01-M06)

Analyzes inter-agent and user messages for social engineering and manipulation.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| M01 | Impersonation | MANIPULATION | Pretending to be admin/system |
| M02 | Social engineering | MANIPULATION | Urgency, authority pressure |
| M03 | Credential request | EXFILTRATION | Asking for passwords/tokens |
| M04 | Link injection | MANIPULATION | Embedding malicious links |
| M05 | Instruction override | MANIPULATION | "New instructions from admin" |
| M06 | Data harvesting | EXFILTRATION | Requesting personal information |

Transaction Analyzer (T01-T06)

Detects suspicious financial transactions and payment manipulations.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| T01 | Unusual amount | EXFILTRATION | Transactions outside normal range |
| T02 | New recipient | EXFILTRATION | First-time payment destination |
| T03 | Currency manipulation | MANIPULATION | Exchange rate exploitation |
| T04 | Split transactions | MANIPULATION | Structuring to avoid limits |
| T05 | Account draining | EXFILTRATION | Emptying account balance |
| T06 | Unauthorized transfer | ESCALATION | Transfers without proper approval |

Auth Analyzer (ID01-ID06)

Detects authentication and identity-related threats.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| ID01 | Brute force | ESCALATION | Repeated login attempts |
| ID02 | Token theft | EXFILTRATION | Session token extraction |
| ID03 | Privilege grant | ESCALATION | Unauthorized role assignment |
| ID04 | MFA bypass | ESCALATION | Attempting to skip MFA |
| ID05 | Account takeover | ESCALATION | Credential stuffing patterns |
| ID06 | Session fixation | MANIPULATION | Pre-setting session identifiers |

Git Analyzer (V01-V06)

Detects dangerous Git operations that could compromise code integrity.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| V01 | Force push | DESTRUCTION | git push --force to protected branches |
| V02 | Unreviewed merge | ESCALATION | Merging without required approvals |
| V03 | CI/CD modification | PERSISTENCE | Changing pipeline configurations |
| V04 | Unauthorized release | ESCALATION | Publishing without approval |
| V05 | Branch deletion | DESTRUCTION | Deleting protected branches |
| V06 | Gitignore weakening | EXFILTRATION | Removing entries from .gitignore |

UI Action Analyzer (UI01-UI06)

Detects malicious UI interactions in automated browser or desktop scenarios.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| UI01 | Destructive button | DESTRUCTION | Clicking delete/remove actions |
| UI02 | Form corruption | MANIPULATION | Altering form data |
| UI03 | Dialog auto-accept | MANIPULATION | Automatically dismissing warnings |
| UI04 | Payment form | EXFILTRATION | Interacting with payment fields |
| UI05 | Malicious download | DESTRUCTION | Triggering suspicious downloads |
| UI06 | Screen capture | EXFILTRATION | Screenshot or clipboard access |

Infra Analyzer (I01-I06, CL01-CL06)

Detects infrastructure and cloud operations that could compromise environments.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| I01 | Container escape | ESCALATION | Breaking out of container sandbox |
| I02 | IaC modification | PERSISTENCE | Terraform, CloudFormation changes |
| I03 | Firewall rules | ESCALATION | Security group modifications |
| I04 | Certificate manipulation | MANIPULATION | Modifying TLS certificates |
| I05 | DNS modification | MANIPULATION | Changing DNS records |
| I06 | Secret store access | EXFILTRATION | Reading from Vault, KMS |
| CL01 | Resource provisioning | ESCALATION | Creating new compute instances |
| CL02 | IAM modification | ESCALATION | Changing identity/access policies |
| CL03 | Security group changes | ESCALATION | Opening network ports |
| CL04 | Backup deletion | DESTRUCTION | Removing backup snapshots |
| CL05 | Production deploy | DESTRUCTION | Deploying to production environment |
| CL06 | Cloud secrets | EXFILTRATION | Accessing cloud secret managers |

Agent Communication Analyzer (MA01-MA04)

Detects threats in inter-agent communication patterns.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| MA01 | Task delegation | ESCALATION | Delegating privileged tasks to other agents |
| MA02 | Context poisoning | MANIPULATION | Injecting malicious context into agent messages |
| MA03 | Tool sharing | ESCALATION | Sharing tools with elevated permissions |
| MA04 | MCP abuse | MANIPULATION | Exploiting Model Context Protocol |

Data Pipeline Analyzer (ML01-ML05)

Detects threats to data pipelines, ML models, and training data.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| ML01 | ETL modification | MANIPULATION | Altering data transformation logic |
| ML02 | Model poisoning | MANIPULATION | Modifying trained model weights |
| ML03 | Training data alteration | MANIPULATION | Tampering with training datasets |
| ML04 | Vector store access | EXFILTRATION | Unauthorized embedding store access |
| ML05 | Dataset export | EXFILTRATION | Bulk export of training data |

Document Analyzer (DC01-DC04)

Detects suspicious document operations that could leak or alter sensitive documents.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| DC01 | Contract modification | MANIPULATION | Altering legal document terms |
| DC02 | Spreadsheet tampering | MANIPULATION | Modifying financial spreadsheets |
| DC03 | External sharing | EXFILTRATION | Sharing documents outside organization |
| DC04 | Public publication | EXFILTRATION | Making private documents public |

IoT Analyzer (IOT01-IOT04)

Detects threats to IoT devices and physical systems.

| ID | Threat | Primitive | Description |
|---|---|---|---|
| IOT01 | Smart lock manipulation | DESTRUCTION | Unlocking/disabling smart locks |
| IOT02 | Industrial control | DESTRUCTION | Modifying SCADA/ICS systems |
| IOT03 | Security camera disable | EXFILTRATION | Disabling surveillance systems |
| IOT04 | Vehicle command injection | DESTRUCTION | Sending commands to vehicle systems (max score 10) |