Prompt injection ends.A poisoned memory doesn't.
When bad data is written into an agent's memory or RAG index, the model treats it as ground truth — across every future session. Probe your store against the six OWASP ASI06 controls before you ship: mark them, get one verdict, and find the one thing to fix first.
A chatbot forgets. An agent remembers — including the lie.
OWASP's 2026 Top 10 for Agentic Applications added Memory & Context Poisoning as a distinct, persistent-state attack surface.
memory-injection success in the MINJA study — through normal queries alone, no elevated access to the store.
of a RAG corpus poisoned was enough for AgentPoison to backdoor agents with over 80% attack success.
The root cause isn't a weak model — it's a context pipeline with no notion of trust: it accepts content from any source, stores it without provenance, indexes it without isolation, and retrieves it without validation. This probe makes that trust relationship explicit and tells you where it breaks.
Mark six controls. Watch the kill-chain decide.
Untrusted content is validated before it can be written to memory or the index.
Retrieval weights by source trust and re-checks before recall — not relevance alone.
Every entry tagged with source, timestamp, and who introduced it — traceable later.
Partitioned per user / tenant; system memory is read-only, not agent-writable.
Stale or unreinforced memories expire or decay in weight; no permanent poisoned entry.
A reviewable log of what entered memory, so a poisoned entry can be traced and rolled back.
Kill chain complete: untrusted content can be written (write ≤ 1) and nothing checks trust on recall (retrieval ≤ 1) — poison persists as ground truth, so this is POROUS regardless of the 78 score. Lift either chain control above 1 and the gate releases.
Fix first: Write-path validation & sanitization
Runs entirely in your browser and resets on reload. The downloadable engine and workbook produce the identical verdict from the same marks. Scores the architecture you describe, not people.
The same verdict from a runnable, offline engine.
The download ships a zero-dependency Python engine. Point it at a CSV of memory stores and it returns the identical score, verdict, and fix-first the demo and workbook produce. Here is the shipped 7-store sample:
====================================================================
AGENT MEMORY & CONTEXT POISONING EXPOSURE PROBE as of 2026-06-28
====================================================================
Support Copilot (self-write memory)
Score 78/100 -> POROUS
KILL CHAIN: untrusted write (<=1) AND no trust-aware recall (<=1)
-> poison persists as ground truth -> POROUS regardless of score
Fix first: Write-path validation & sanitization
Internal Knowledge RAG
Score 100/100 -> CONTAINED
Customer Service Agent
Score 83/100 -> CONTAINED
Fix first: Trust-aware retrieval (validate before recall)
Research Assistant (shared corpus)
Score 67/100 -> HARDEN
Fix first: Write-path validation & sanitization
Multi-tenant Chatbot
Score 31/100 -> POROUS
KILL CHAIN: untrusted write (<=1) AND no trust-aware recall (<=1)
-> poison persists as ground truth -> POROUS regardless of score
Fix first: Write-path validation & sanitization
Sales Notes Agent
Score 72/100 -> HARDEN
Fix first: Provenance on every memory entry
Onboarding Bot
Score 69/100 -> HARDEN
Fix first: Write-path validation & sanitization
====================================================================
FLEET ROLLUP: POISONABLE FLEET
====================================================================The Support Copilot scores 78 — a CONTAINED number — and still reads POROUS, because it self-writes memory with weak write validation and recalls by relevance with no trust check. The completed chain is the whole point: a strong average can't hide a store that holds and serves poison.
Six lifecycle controls. Two of them form the kill-chain.
Write-path validation & sanitization
chainUntrusted content is validated and sanitized before it can be written to memory or the index. Half of the poisoning kill-chain: it governs what gets in.
Trust-aware retrieval (validate before recall)
chainRetrieval weights or filters by source trust and re-checks before recall — not relevance alone. The other half of the chain: it governs what gets treated as truth.
Provenance on every memory entry
Every entry carries source, timestamp, and who introduced it — so trust-aware retrieval has something to weigh and a poisoned entry can be traced.
Scope isolation & read-only system memory
Memory partitioned per user or tenant; system memory is read-only, not agent-writable — so one session's poison can't surface in another.
Eviction, TTL & temporal decay
Stale or unreinforced memories expire or lose weight; nothing poisoned lives in the store permanently.
Audit trail of what entered memory
A reviewable log of what entered memory, so when you find a poisoned entry you can trace its origin and every decision it touched.
The kill-chain gate: when both chain controls are weak — content can be written without validation and recalled without a trust check — poison enters and is treated as ground truth. The verdict is POROUS no matter how high the score. Either control alone only drags the number; it takes both. The gate worsens only, and it releases the moment either chain control rises above 1.
An exposure verdict, not a scanner — and not the fix itself.
- A deterministic exposure assessment built on the OWASP ASI06 control set.
- A single verdict with a kill-chain gate that catches the persistence fault a score hides.
- Architecture-agnostic — RAG, vector stores, self-write memory, shared knowledge bases.
- An engine, a workbook, and a demo that all return the same number.
- Not a scanner or attack simulator — it connects to nothing and uploads nothing.
- Not a prompt-injection tool (that's the way in; this is persistence and recall).
- Not a guarantee — closing the gaps it names is on you.
- Not a score of any person; it grades the memory architecture only.
A readiness aid, not a security audit. It scores the marks you enter for the architecture you describe — it never connects to, scans, or queries your memory store, and it scores no person. Pair it with attack simulation, a manual review, and (for regulated or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.
If your agent has a memory, this is the question to answer first.
- Teams shipping agents with persistent or self-write memory.
- Builders running RAG pipelines or vector stores that accept external content.
- Platform and security owners doing a pre-deployment exposure review.
- Anyone whose agent “learns” from conversations or retrieved documents.
- Stateless chatbots with no memory — there's no store to poison.
- Teams needing runtime findings — run attack simulation and a manual review too.
- Anyone wanting an automatic fix; this names the exposure, you close it.
Probe the memory. Cover the injection, retrieval, and reach next door.
Prompt Injection Red Team Kit
$99Probes the attack on the way in. This probe is the persistence layer — what your store holds and recalls after an injection lands.
ViewRAG Retrieval Grader
$89Grades retrieval quality (Recall/Precision/MRR). Pairs with this probe, which grades whether retrieval can be poisoned.
ViewAI Agent & Connector Access Auditor
$99Audits what your agents and connectors can touch — the reach layer alongside this memory-integrity layer.
ViewThe questions buyers ask first.
Find the poison path
before an attacker does.
Probe your memory store before you ship. One purchase, lifetime access, 12 months of updates. $79, once.
A readiness aid, not a security audit. It scores the marks you enter for the architecture you describe — it never connects to, scans, or queries your memory store, and it scores no person. Pair it with attack simulation, a manual review, and (for regulated or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai