For teams running memory-enabled AI agents

Prompt injection ends.A poisoned memory doesn't.

When bad data is written into an agent's memory or RAG index, the model treats it as ground truth — across every future session. Probe your store against the six OWASP ASI06 controls before you ship: mark them, get one verdict, and find the one thing to fix first.

Get the Probe — $79one-time · instant download · yours to keep
Five deliverables · runnable
Runnable Python probe engine
stdlib
Workbook that reproduces it
.xlsx
Exposure-audit playbook
.docx
Fix-the-control runbook
.docx
7-store worked sample
.csv
Works alongside
Injection Red-Team · RAG Grader · Access Auditor
01.The Problem

A chatbot forgets. An agent remembers — including the lie.

ASI06

OWASP's 2026 Top 10 for Agentic Applications added Memory & Context Poisoning as a distinct, persistent-state attack surface.

>95%

memory-injection success in the MINJA study — through normal queries alone, no elevated access to the store.

<0.1%

of a RAG corpus poisoned was enough for AgentPoison to backdoor agents with over 80% attack success.

The root cause isn't a weak model — it's a context pipeline with no notion of trust: it accepts content from any source, stores it without provenance, indexes it without isolation, and retrieves it without validation. This probe makes that trust relationship explicit and tells you where it breaks.

02.See It Work

Mark six controls. Watch the kill-chain decide.

Try a preset:
Write-path validation & sanitization chain

Untrusted content is validated before it can be written to memory or the index.

wt 22
Trust-aware retrieval (validate before recall) chain

Retrieval weights by source trust and re-checks before recall — not relevance alone.

wt 22
Provenance on every memory entry

Every entry tagged with source, timestamp, and who introduced it — traceable later.

wt 16
Scope isolation & read-only system memory

Partitioned per user / tenant; system memory is read-only, not agent-writable.

wt 16
Eviction, TTL & temporal decay

Stale or unreinforced memories expire or decay in weight; no permanent poisoned entry.

wt 12
Audit trail of what entered memory

A reviewable log of what entered memory, so a poisoned entry can be traced and rolled back.

wt 12
POROUS
78
score / 100

Kill chain complete: untrusted content can be written (write ≤ 1) and nothing checks trust on recall (retrieval ≤ 1) — poison persists as ground truth, so this is POROUS regardless of the 78 score. Lift either chain control above 1 and the gate releases.

Fix first: Write-path validation & sanitization

Runs entirely in your browser and resets on reload. The downloadable engine and workbook produce the identical verdict from the same marks. Scores the architecture you describe, not people.

03.The Engine

The same verdict from a runnable, offline engine.

The download ships a zero-dependency Python engine. Point it at a CSV of memory stores and it returns the identical score, verdict, and fix-first the demo and workbook produce. Here is the shipped 7-store sample:

====================================================================
AGENT MEMORY & CONTEXT POISONING EXPOSURE PROBE     as of 2026-06-28
====================================================================

  Support Copilot (self-write memory)
    Score 78/100   ->   POROUS
    KILL CHAIN: untrusted write (<=1) AND no trust-aware recall (<=1)
                -> poison persists as ground truth -> POROUS regardless of score
    Fix first: Write-path validation & sanitization

  Internal Knowledge RAG
    Score 100/100   ->   CONTAINED

  Customer Service Agent
    Score 83/100   ->   CONTAINED
    Fix first: Trust-aware retrieval (validate before recall)

  Research Assistant (shared corpus)
    Score 67/100   ->   HARDEN
    Fix first: Write-path validation & sanitization

  Multi-tenant Chatbot
    Score 31/100   ->   POROUS
    KILL CHAIN: untrusted write (<=1) AND no trust-aware recall (<=1)
                -> poison persists as ground truth -> POROUS regardless of score
    Fix first: Write-path validation & sanitization

  Sales Notes Agent
    Score 72/100   ->   HARDEN
    Fix first: Provenance on every memory entry

  Onboarding Bot
    Score 69/100   ->   HARDEN
    Fix first: Write-path validation & sanitization

====================================================================
  FLEET ROLLUP: POISONABLE FLEET
====================================================================

The Support Copilot scores 78 — a CONTAINED number — and still reads POROUS, because it self-writes memory with weak write validation and recalls by relevance with no trust check. The completed chain is the whole point: a strong average can't hide a store that holds and serves poison.

04.The Standard

Six lifecycle controls. Two of them form the kill-chain.

Write-path validation & sanitization

chain

Untrusted content is validated and sanitized before it can be written to memory or the index. Half of the poisoning kill-chain: it governs what gets in.

Trust-aware retrieval (validate before recall)

chain

Retrieval weights or filters by source trust and re-checks before recall — not relevance alone. The other half of the chain: it governs what gets treated as truth.

Provenance on every memory entry

Every entry carries source, timestamp, and who introduced it — so trust-aware retrieval has something to weigh and a poisoned entry can be traced.

Scope isolation & read-only system memory

Memory partitioned per user or tenant; system memory is read-only, not agent-writable — so one session's poison can't surface in another.

Eviction, TTL & temporal decay

Stale or unreinforced memories expire or lose weight; nothing poisoned lives in the store permanently.

Audit trail of what entered memory

A reviewable log of what entered memory, so when you find a poisoned entry you can trace its origin and every decision it touched.

The kill-chain gate: when both chain controls are weak — content can be written without validation and recalled without a trust check — poison enters and is treated as ground truth. The verdict is POROUS no matter how high the score. Either control alone only drags the number; it takes both. The gate worsens only, and it releases the moment either chain control rises above 1.

05.What This Is — And Isn't

An exposure verdict, not a scanner — and not the fix itself.

What it is
  • A deterministic exposure assessment built on the OWASP ASI06 control set.
  • A single verdict with a kill-chain gate that catches the persistence fault a score hides.
  • Architecture-agnostic — RAG, vector stores, self-write memory, shared knowledge bases.
  • An engine, a workbook, and a demo that all return the same number.
What it isn't
  • Not a scanner or attack simulator — it connects to nothing and uploads nothing.
  • Not a prompt-injection tool (that's the way in; this is persistence and recall).
  • Not a guarantee — closing the gaps it names is on you.
  • Not a score of any person; it grades the memory architecture only.

A readiness aid, not a security audit. It scores the marks you enter for the architecture you describe — it never connects to, scans, or queries your memory store, and it scores no person. Pair it with attack simulation, a manual review, and (for regulated or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.

06.Who It's For

If your agent has a memory, this is the question to answer first.

Built for
  • Teams shipping agents with persistent or self-write memory.
  • Builders running RAG pipelines or vector stores that accept external content.
  • Platform and security owners doing a pre-deployment exposure review.
  • Anyone whose agent “learns” from conversations or retrieved documents.
Not for
  • Stateless chatbots with no memory — there's no store to poison.
  • Teams needing runtime findings — run attack simulation and a manual review too.
  • Anyone wanting an automatic fix; this names the exposure, you close it.
08.Common Questions

The questions buyers ask first.

Six controls across the memory lifecycle that OWASP names in ASI06 (Memory & Context Poisoning): write-path validation and sanitization, provenance on every entry, trust-aware retrieval that re-checks before recall, scope isolation with read-only system memory, eviction and temporal decay, and an audit trail of what entered memory. You mark each control 0, 1, or 2 for a store and the engine returns CONTAINED, HARDEN, or POROUS plus the one control to fix first.

Find the poison path
before an attacker does.

Probe your memory store before you ship. One purchase, lifetime access, 12 months of updates. $79, once.

A readiness aid, not a security audit. It scores the marks you enter for the architecture you describe — it never connects to, scans, or queries your memory store, and it scores no person. Pair it with attack simulation, a manual review, and (for regulated or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai