XIPE v4.1 — Autonomous AI Security · CLI + Platform

AI Security.
Automated.
End to End.

From a single CLI command to a full security operations platform. XIPE scans any AI target, chains findings into attack narratives, monitors endpoints with lightweight agents, and delivers professional PDF reports — without human intervention.

XIPE Active Scan · Authorized Assessment
CRITICAL · System prompt writable via unauthenticated POST
HIGH · API documentation publicly exposed — 186 endpoints
CRITICAL · SQL injection in JSON field names — DB read confirmed
HIGH · JWT algorithm confusion — RS256 → HS256 downgrade
CRITICAL · Indirect prompt injection via RAG document upload
MEDIUM · Missing HSTS — HTTP downgrade attack possible
HIGH · Unauthenticated write endpoint — 22 found
CRITICAL · API key exposed in JavaScript bundle
Findings Reported
Engagements Run
Training Records
10+ OWASP LLM Categories
12 Scoring Metrics
Two Ways to Deploy

CLI or Platform.
Your choice.

XIPE CLI v4.1 — Open Source
Scanner.
One Command.

Point at any URL. Get a professional PDF report in under 2 minutes. Blackbox, greybox or whitebox — pass credentials and XIPE authenticates automatically.

4-phase intelligent assessment
17 parallel security modules
Brain auto-classifies any target
Blackbox / greybox / whitebox modes
Chain Engine — attack narratives
PDF + HTML reports + Teams alerts
Self-updating: bash update.sh
→ GitHub
$ python main.py --config config.yaml
🧠 Brain: wordpress (95%) — 17 modules
🚨 HIGH: /wp-config.php exposed
🔗 CHAIN: User enum → brute force path
✅ PDF + JSON in output/ — 1m 52s
$ bash update.sh # pull latest version
XIPE Platform — SaaS
Dashboard.
Scans. Portal.

Full security operations platform. Launch scans for any target from the browser, track results across clients, download PDF reports — no CLI required.

Admin dashboard — all clients, all scans
Launch scan from browser — any URL
Live progress screen with phase tracker
PDF download with one click
Client portal — each client sees their own
Lightweight agents on endpoints
FastAPI + DynamoDB + ECS Fargate + ALB
→ Live Demo
① Enter URL + client name in browser
② ECS Fargate spins up — scan starts
③ Live phase tracker: recon → modules
④ Results appear automatically
✅ PDF ready to download in ~2 min
Architecture

Four phases.
One intelligent flow.

XIPE doesn't run everything blindly. Brain classifies first, selects only relevant modules, executes in parallel, then chains findings into attack narratives.

PHASE 01
Reconnaissance
Passive fingerprinting of tech stack, endpoints, and AI indicators.
→ System type
→ Tech stack
→ AI platform?
→ API present?
→ CloudFront/WAF
PHASE 02
Assessment Plan
Brain selects modules and explains every decision. No blind execution.
→ Module selection
→ Priority checks
→ API surface size
→ Prompt layer risk
→ Skip reasons
PHASE 03
Execution
5 modules in parallel. Scope validator on every request.
→ Web + TLS + API
→ AI attacks
→ API Mapper
→ Prompt Hunter
→ Trustworthiness
PHASE 04
Chain + Report
Chain Engine connects findings. Brain writes the narrative. PDF auto-delivered.
→ Attack chains
→ Priority scoring
→ PDF + HTML
→ S3 + Teams
→ Training data
Chain Engine — v4.1

Findings don't live
in isolation.

Real attackers chain vulnerabilities. XIPE connects them automatically — showing the full attack path and real business impact, not just a flat list of issues.

1
API Docs Exposed Full surface mapped
Swagger/OpenAPI docs publicly accessible. Complete endpoint list, methods, and parameters — before touching a single one.
2
Unauthenticated Write Endpoint DB access
Among documented endpoints, several require no auth. One write endpoint concatenates JSON field names into SQL — the vector standard scanners miss.
3
SQL Injection in JSON Keys Read + Write
Not injection in values — in field names. Iterative blind enumeration reveals production data. Write access confirmed. System prompts in the same DB.
⛓ Attack Chain — Business Impact
Full database read and write access. System prompts modifiable with a single HTTP request — no code changes, no deployment, no audit trail. Every user receives AI responses that can be silently poisoned.
Coverage — v4.1

Every attack surface.
Including the prompt layer.

01 / WEB SECURITY
Web Security
Headers, CORS, sensitive paths, verbose errors, cookies, information disclosure, HTTP methods. Auto-activates WordPress module on CMS detection.
A02 · A05 · HSTS · CSP · CORS
02 / API MAPPER ACTIVE
API Mapper
Parses Swagger/OpenAPI. Finds unauthenticated write ops. Tests SQL injection in JSON field names — the vector standard scanners miss.
JSON-key SQLi · Swagger · API1 · A03
03 / PROMPT HUNTER ACTIVE
Prompt Hunter
Finds system prompt storage. Tests if writable. Extracts hardcoded prompts from JS bundles. Tests indirect injection via RAG uploads.
Write access · Crown Jewel · LLM07
04 / AI SECURITY
AI / LLM Security
Prompt injection, jailbreak, data extraction, excessive agency. Auto-registers accounts. Full OWASP LLM Top 10 coverage.
LLM01 · LLM02 · LLM06 · LLM07
05 / PROMPT INJECTION ACTIVE
Prompt Injection
Direct and indirect prompt injection attacks against any chat endpoint. System prompt leakage probes. 20+ attack templates per category.
LLM01 · Direct · Indirect · LLM08
06 / RAG TESTER ACTIVE
RAG Security
RAG poisoning via document upload, data extraction from retrieval layer, tenant isolation bypass, sensitive data leakage in context.
LLM04 · Poisoning · Extraction
07 / AGENT TESTER ACTIVE
Agent Security
Tool misuse, excessive agency, approval workflow bypass, sensitive data extraction via chained agent actions. OWASP LLM06.
LLM06 · Tool abuse · Agency
08 / AUTH + JWT
Auth & JWT
Login brute force, IDOR, privilege escalation, session fixation, JWT algorithm confusion (RS256→HS256), weak secrets, token replay.
A07 · JWT · IDOR · A01
09 / SSRF + XXE + GraphQL
Injection Suite
SSRF to cloud metadata, blind SSRF detection, XXE file read, GraphQL introspection + depth bombs + batch abuse. All with 90s hard deadline.
SSRF · XXE · GraphQL · A03
10 / CHAIN ENGINE ACTIVE
Chain Engine
Connects findings into attack narratives. Shows real business impact of combined vulnerabilities. CORS + prompt exposure = cross-origin data theft.
Chaining · Escalation · Narrative
Universal AI Client

Any target.
Auto-detected.

LibreChat
Auto-register + LLM attacks
Flowise
Chatflow API detection
OpenAI API
/v1/chat/completions
Anthropic API
/v1/messages
Ollama
Local model detection
LangChain
/invoke, /stream
WordPress
CMS-specific checks
Any REST API
Generic probe + format detection
SPA / React
JS bundle analysis
Unknown
Tries all formats automatically
Developer Guide

Integrate XIPE.
Extend the scanner.

Add your own modules, trigger scans via API, consume findings in your pipeline, and connect to any notification channel.

Getting Started

Quickstart

Install XIPE, configure a target, and run your first assessment in under 3 minutes.

```bash
# 1. Clone & install
git clone https://github.com/RickDevopsSecure/-XIPE-AI-Security-Scanner
# The directory name starts with "-", so pass "--" or cd treats it as an option
cd -- -XIPE-AI-Security-Scanner
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# 2. Configure
cp config.yaml.example config.yaml
# Edit config.yaml → set scope.base_urls, engagement.id, credentials

# 3. Run
python main.py --config config.yaml

# 4. With real-time dashboard (port 5001)
python main.py --config config.yaml --dashboard

# 5. Run specific modules only
python main.py --config config.yaml --modules api_mapper,prompt_injection,rag_tester
```

Output files generated in output/:

| File | Format | Description |
|---|---|---|
| findings.json | JSON | All findings with full scoring, evidence, and OWASP mappings |
| report.html | HTML | Interactive report — filterable by severity, module, category |
| report.pdf | PDF | Professional report with cover page, exec summary, and appendices |
| pentest.log | Text | Full engagement log with phase timings and module decisions |
Configuration

config.yaml Reference

Full configuration reference. Copy config.yaml.example — never commit the real file (it's gitignored).

```yaml
# ── Engagement (required — authorization record) ──────────
engagement:
  id: "ENG-2026-001"            # Unique ID — appears in PDF
  client_name: "Acme Corp"
  tester: "Your Name"
  start_date: "2026-01-01"      # YYYY-MM-DD
  end_date: "2026-12-31"
  authorized_by: "CISO Name"

# ── Scope ─────────────────────────────────────────────────
scope:
  base_urls:
    - "https://target.com"
    - "https://api.target.com"  # Multi-URL supported
  credentials:                  # Optional — greybox / whitebox
    api_key: ""                 # Bearer token
    username: ""                # For login flow
    password: ""

# ── Module toggles (all true by default) ──────────────────
modules:
  web_security: true            # Headers, CORS, sensitive paths
  api_mapper: true              # OpenAPI discovery, unauthenticated write ops
  prompt_injection: true        # LLM01 — direct + indirect injection
  prompt_hunter: true           # LLM07 — system prompt extraction
  rag_tester: true              # LLM04 — RAG poisoning
  agent_tester: true            # LLM06 — excessive agency
  jwt_tester: true              # Algorithm confusion, weak secrets
  auth_tester: true             # IDOR, priv-esc, session fixation
  ssrf_tester: true             # SSRF → cloud metadata
  xxe_tester: true              # XXE file read, SOAP, SVG
  graphql_tester: true          # Introspection, depth bombs
  tls_transport: true
  js_analysis: true             # API keys in bundles
  business_logic_tester: true
  subdomain_takeover: true
  trustworthiness: true         # Hallucination rate, guardrails
  ai_security: true
  session_checker: true

# ── Testing parameters ────────────────────────────────────
testing:
  request_delay_seconds: 0.3
  max_requests_per_minute: 60
  timeout_seconds: 15
  max_concurrent_modules: 5

# ── Integrations ─────────────────────────────────────────
integrations:
  teams_webhook_url: ""         # Microsoft Teams — scan complete
  slack_webhook_url: ""         # Slack — scan complete

# ── AI Brain (optional) ───────────────────────────────────
# export ANTHROPIC_API_KEY=sk-ant-...   # or GROQ_API_KEY
# Scanner works fully without AI keys — falls back to deterministic rules
```
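As an added example (not XIPE's own scope validator, which lives inside the project), the following shows the control the scope and engagement sections above exist to support: every outbound request URL must match one of scope.base_urls on exact scheme, host and port, and the engagement date window must be open. The config dict is a constructed sample shaped like config.yaml, and ScopeValidator, origin and their method names are hypothetical.

```python
from datetime import date
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample shaped like the reference config.yaml (as yaml.safe_load would return it)
CONFIG = {
    "engagement": {"id": "ENG-2026-001", "start_date": "2026-01-01",
                   "end_date": "2026-12-31", "authorized_by": "CISO Name"},
    "scope": {"base_urls": ["https://target.com", "https://api.target.com"]},
}


def origin(url: str) -> Tuple[str, str, int]:
    """Normalise a URL to (scheme, host, port); refuse anything ambiguous."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or hostless URL: {url!r}")
    if "@" in parts.netloc:  # refuse userinfo outright rather than silently parsing around it
        raise ValueError(f"userinfo in URL not allowed: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower().rstrip("."), port


class ScopeValidator:
    """Gate placed in front of the HTTP client: nothing out of scope or outside the window leaves."""

    def __init__(self, config: dict):
        self.allowed: Set[Tuple[str, str, int]] = {origin(u) for u in config["scope"]["base_urls"]}
        eng = config["engagement"]
        self.start = date.fromisoformat(eng["start_date"])
        self.end = date.fromisoformat(eng["end_date"])

    def engagement_active(self, today: str) -> bool:
        """Authorization window check; today is an ISO date string."""
        return self.start <= date.fromisoformat(today) <= self.end

    def in_scope(self, url: str) -> bool:
        """Exact-origin match on scheme, host and port. A subdomain of a base host,
        'target.com.evil.com', an http:// downgrade or a different port all fail."""
        try:
            return origin(url) in self.allowed
        except ValueError:
            return False

    def check(self, url: str, today: Optional[str] = None) -> None:
        """Raise before a request is sent if it would fall outside the authorised scope."""
        today = today or date.today().isoformat()
        if not self.engagement_active(today):
            raise PermissionError(f"engagement window closed on {today}")
        if not self.in_scope(url):
            raise PermissionError(f"out of scope: {url}")
```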
SDK

Writing a Custom Module

Every XIPE module is a Python class with a run() method that returns List[Finding]. The orchestrator runs modules in parallel using concurrent.futures.ThreadPoolExecutor.

```python
# modules/my_module.py
import uuid
from typing import List

import httpx

from agent.finding import Finding, Severity, OWASPCategory, ScoringDetail
from utils.logger import PentestLogger


class MyModule:
    def __init__(self, config: dict, http_client: httpx.Client,
                 logger: PentestLogger, brain_result=None):
        self.config = config
        self.client = http_client
        self.logger = logger
        self.brain = brain_result  # XIPEBrain classification result
        self.base_url = config["scope"]["base_urls"][0]
        self.creds = config["scope"].get("credentials", {})

    def run(self) -> List[Finding]:
        findings = []
        self.logger.info("MyModule", "Starting custom checks")
        try:
            resp = self.client.get(f"{self.base_url}/api/v1/secret-endpoint")
            if resp.status_code == 200:
                findings.append(Finding(
                    id=str(uuid.uuid4()),
                    module="my_module",
                    title="Unauthenticated access to secret endpoint",
                    severity=Severity.HIGH,
                    category=OWASPCategory.BROKEN_ACCESS,
                    description="The endpoint /api/v1/secret-endpoint returns 200 without credentials.",
                    recommendation="Require authentication on all non-public endpoints.",
                    endpoint=f"{self.base_url}/api/v1/secret-endpoint",
                    evidence=resp.text[:500],
                    scoring=ScoringDetail(
                        severity_score=8.0,
                        exploitability_score=9.0,
                        business_risk_score=7.0,
                        confidence_score=9.5,
                        auth_required=False,
                    ).calculate(),
                    owasp_top10="A01 - Broken Access Control",
                    tags=["auth", "unauthenticated"],
                    verified=True,
                ))
        except Exception as e:
            self.logger.warning("MyModule", f"Request failed: {e}")
        self.logger.success("MyModule", f"{len(findings)} findings")
        return findings
```
Register in orchestrator.py — after writing your module, import it and add it to PentestOrchestrator._run_modules() inside the ThreadPoolExecutor block. Enable/disable via a toggle in config.yaml → modules.
```python
# agent/orchestrator.py — add to imports
from modules.my_module import MyModule

# Inside _run_modules() — add to futures dict:
if self.config["modules"].get("my_module", True):
    futures[executor.submit(MyModule(
        self.config, self.http_client, self.logger, brain_result
    ).run)] = "my_module"
```

```yaml
# config.yaml — add toggle:
modules:
  my_module: true
```
SDK

Finding Schema

The Finding dataclass is the universal output of every module. All fields are optional except title, severity, and endpoint.

| Field | Type | Description |
|---|---|---|
| id | str (uuid) | Auto-generated unique ID |
| module | str | Module that generated this finding |
| title | str | Short, descriptive title |
| severity | Severity enum | CRITICAL / HIGH / MEDIUM / LOW / INFO |
| category | OWASPCategory enum | OWASP Top 10 / API Top 10 / LLM Top 10 category |
| description | str | Full technical description of the finding |
| recommendation | str | Actionable remediation steps |
| endpoint | str | Affected URL or endpoint |
| request_snippet | str \| None | HTTP request that triggered the finding |
| response_snippet | str \| None | Relevant portion of the response |
| evidence | str \| None | Proof of exploitability |
| scoring | ScoringDetail | HackerOne-style composite score (see Scoring section) |
| owasp_top10 | str \| None | e.g. "A01 - Broken Access Control" |
| owasp_api_top10 | str \| None | e.g. "API1 - BOLA" |
| owasp_llm_top10 | str \| None | e.g. "LLM01 - Prompt Injection" |
| cwe | str \| None | CWE identifier, e.g. "CWE-89" |
| tags | List[str] | Free-form tags for filtering |
| verified | bool | True if the finding was actively confirmed |
| false_positive_risk | str | LOW / MEDIUM / HIGH confidence in the finding |
```python
# Severity options
from agent.finding import Severity, OWASPCategory

Severity.CRITICAL   # priority_score >= 9.0
Severity.HIGH       # priority_score >= 7.0
Severity.MEDIUM     # priority_score >= 4.5
Severity.LOW        # priority_score >= 2.0
Severity.INFO       # priority_score < 2.0

# OWASP LLM categories
OWASPCategory.PROMPT_INJECTION   # LLM01
OWASPCategory.DATA_LEAKAGE       # LLM02
OWASPCategory.DATA_POISONING     # LLM04
OWASPCategory.EXCESSIVE_AGENCY   # LLM06
OWASPCategory.SYSTEM_PROMPT      # LLM07

# OWASP Top 10 categories
OWASPCategory.BROKEN_ACCESS      # A01
OWASPCategory.INJECTION          # A03
OWASPCategory.AUTH_BYPASS        # A07
```
SDK

Scoring System

XIPE uses a HackerOne-inspired composite scoring model. The final priority_score (0–10) is a weighted average of 6 dimensions. Always call .calculate() after setting fields.

| Dimension | Weight | Description |
|---|---|---|
| severity_score | 25% | Base technical severity (0–10) |
| exploitability_score | 20% | How easy to exploit — 10 = one HTTP request |
| exposure_score | 15% | How exposed the asset is — 10 = fully public |
| business_risk_score | 20% | Potential business impact |
| asset_criticality_score | 10% | How critical is the affected asset |
| confidence_score | 10% | Certainty in the finding — 10 = confirmed RCE |
Modifiers: auth_required=True applies −15%, compensating_controls=True applies −20% to the raw score before bucketing.
```python
scoring = ScoringDetail(
    severity_score=9.0,            # Very severe
    exploitability_score=8.5,      # Easy to exploit
    exposure_score=10.0,           # Fully public endpoint
    business_risk_score=9.0,       # Can poison AI responses
    asset_criticality_score=9.5,   # System prompt = crown jewel
    confidence_score=9.5,          # Confirmed write access
    auth_required=False,           # No auth needed → no reduction
    compensating_controls=False,
).calculate()
# → priority_score: 9.18 → CRITICAL bucket → remediation_priority: 1
```
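To make the weights, modifiers and buckets checkable by hand, here is an added, independent reimplementation of the documented model; it is not the project's agent.finding.ScoringDetail, and Scoring is a hypothetical class name. It assumes the two modifiers multiply the raw score in sequence, that unset dimensions default to 5.0, and that remediation_priority runs 1..5 in bucket order; none of these are stated on the page.

```python
from dataclasses import dataclass

# Weights from the Scoring System table (they sum to 1.0)
WEIGHTS = {
    "severity_score": 0.25,
    "exploitability_score": 0.20,
    "exposure_score": 0.15,
    "business_risk_score": 0.20,
    "asset_criticality_score": 0.10,
    "confidence_score": 0.10,
}
# Bucket floors from the Severity reference: priority_score >= floor
BUCKETS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.5), ("Low", 2.0), ("Info", 0.0)]


@dataclass
class Scoring:
    """Independent model of ScoringDetail; unset dimensions default to 5.0 (assumption)."""
    severity_score: float = 5.0
    exploitability_score: float = 5.0
    exposure_score: float = 5.0
    business_risk_score: float = 5.0
    asset_criticality_score: float = 5.0
    confidence_score: float = 5.0
    auth_required: bool = False
    compensating_controls: bool = False

    def raw_score(self) -> float:
        """Weighted average of the six 0-10 dimensions, before modifiers."""
        total = 0.0
        for name, weight in WEIGHTS.items():
            value = getattr(self, name)
            if not 0.0 <= value <= 10.0:
                raise ValueError(f"{name} must be within 0-10, got {value}")
            total += value * weight
        return total

    def calculate(self) -> dict:
        score = self.raw_score()
        if self.auth_required:           # -15%: attacker must first obtain credentials
            score *= 0.85
        if self.compensating_controls:   # -20%: WAF, rate limiting or monitoring in place
            score *= 0.80
        score = round(score, 2)
        bucket = next(name for name, floor in BUCKETS if score >= floor)
        priority = [name for name, _ in BUCKETS].index(bucket) + 1  # assumption: 1..5 in bucket order
        return {"priority_score": score, "final_priority_bucket": bucket,
                "remediation_priority": priority, "explanation": f"Priority Score: {score}/10"}
```

With the sample inputs from the block above these weights give 9.15 where the project reports 9.18, so the shipped calculate() evidently rounds or weights slightly differently; the bucket and priority come out the same.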
Modules

Module Reference

All 20 modules available in v4.1. The Brain auto-selects relevant modules based on target classification. Disable any module in config.yaml → modules.

| Key | Class / File | What it tests | Coverage |
|---|---|---|---|
| web_security | WebSecurityModule | Security headers, CORS, cookies, sensitive paths (/.env, /.git), info disclosure, HTTP methods | A02, A05, HSTS, CSP |
| api_mapper | APIMapper | OpenAPI/Swagger parsing, unauthenticated write ops, SQL injection in JSON field names | API1, A03, JSON-key SQLi |
| prompt_hunter | PromptHunter | System prompt storage detection, write access test, hardcoded prompts in JS bundles, RAG indirect injection | LLM07 |
| ai_security | AISecurityModule | Auth on AI endpoints, default credentials, registration flow, platform fingerprinting | LLM01, LLM06 |
| prompt_injection | PromptInjectionTester | Direct + indirect prompt injection, 20+ templates per category, system prompt leakage probes | LLM01, LLM08 |
| rag_tester | RAGTester | RAG poisoning via document upload, data extraction from retrieval layer, tenant isolation bypass | LLM04 |
| agent_tester | AgentTester | Tool misuse, approval workflow bypass, chained agent action extraction, excessive agency | LLM06 |
| trustworthiness | TrustworthinessChecker | Hallucination rate, consistency across runs, safety guardrail bypass, PII in responses | AI-TRUST |
| auth_tester | auth_tester module | Login brute force, IDOR, privilege escalation, session fixation, password reset poisoning | A07, A01 |
| jwt_tester | jwt_tester module | Algorithm confusion (RS256→HS256), weak secrets, privilege escalation in claims, token replay | A07, JWT |
| ssrf_tester | ssrf_tester module | SSRF to cloud metadata (169.254.169.254), internal hosts, header-based SSRF (Host, X-Forwarded) | A10, SSRF |
| xxe_tester | xxe_tester module | XXE file read (/etc/passwd), SSRF via XML, SOAP payloads, SVG upload, XML bomb | A05, XXE |
| graphql_tester | graphql_tester module | Introspection, depth bombs, batch abuse (rate-limit bypass), dangerous mutations | API, GraphQL |
| tls_transport | TLSChecker | TLS version (SSLv3/TLS 1.0 detection), certificate validity, weak ciphers, HSTS | A02 |
| js_analysis | JSAnalyzer | API keys, secrets, and tokens exposed in JavaScript bundles | A02, A05 |
| business_logic_tester | business_logic_tester | Price manipulation, payment tampering, coupon abuse, IDOR on orders | A01, API6 |
| subdomain_takeover | subdomain_takeover | Dangling CNAMEs pointing to unclaimed S3, Azure, Heroku, GitHub Pages buckets | A05 |
| session_checker | SessionChecker | Cookie flags (HttpOnly, Secure, SameSite), session timeout, predictable session tokens | A07 |
| chain_engine | ChainEngine | Post-processing — links findings into attack narratives, calculates cumulative business impact | All |
| wordpress | WordPressScanner | Auto-activated on CMS detection — plugin/theme vulns, user enumeration, xmlrpc abuse | CMS |
API & Output

REST API — Triggering Scans

The XIPE Platform exposes a REST API for triggering scans, querying findings, and downloading reports programmatically. Authenticate with a JWT bearer token from POST /api/auth/login.

```bash
BASE=https://lgbg1u567l.execute-api.us-east-1.amazonaws.com

# 1. Authenticate
curl -X POST "$BASE/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email":"user@org.com","password":"..."}'
# → { "token": "eyJ..." }

# 2. Launch a scan
curl -X POST "$BASE/api/scans" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "target_url": "https://target.com",
    "client_name": "Acme Corp",
    "engagement_id": "ENG-2026-001",
    "modules": ["web_security", "api_mapper", "prompt_injection"]
  }'
# → { "scan_id": "SCAN#abc123", "status": "running" }

# 3. Poll status
# The scan_id contains "#", which curl treats as a URL fragment and never sends,
# so the path must carry it percent-encoded as %23
curl "$BASE/api/scans/SCAN%23abc123" \
  -H "Authorization: Bearer <token>"

# 4. Get findings
curl "$BASE/api/scans/SCAN%23abc123/findings" \
  -H "Authorization: Bearer <token>"

# 5. Download PDF report
curl -L "$BASE/api/scans/SCAN%23abc123/report" \
  -H "Authorization: Bearer <token>" \
  -o report.pdf
```
| Endpoint | Method | Description |
|---|---|---|
| /api/auth/login | POST | Get JWT token |
| /api/scans | POST | Launch a new scan |
| /api/scans | GET | List all scans (paginated) |
| /api/scans/{id} | GET | Scan status + metadata |
| /api/scans/{id}/findings | GET | All findings (JSON) |
| /api/scans/{id}/report | GET | PDF report (redirect to S3) |
| /api/clients | GET / POST | List / create clients |
| /api/stats/platform | GET | Platform-wide KPIs |
| /api/soc/sync | POST | Trigger SOC correlation (M365, GuardDuty, Obok, XIPE) |
| /api/soc/incidents | GET | List SOC incidents |
| /api/soc/agents | GET | List EDR agents |
| /api/soc/ingest | POST | Ingest EDR agent events (X-Agent-Key auth) |
API & Output

findings.json Schema

The canonical output format. Parse this to integrate XIPE findings into your own tooling, SIEM, or ticketing system.

```json
{
  "engagement_id": "ENG-2026-001",
  "target": "https://target.com",
  "scan_duration_seconds": 112,
  "findings_count": { "CRITICAL": 3, "HIGH": 7, "MEDIUM": 12, "LOW": 6, "INFO": 4 },
  "findings": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "module": "prompt_hunter",
      "timestamp": "2026-04-08T14:22:11Z",
      "title": "System prompt storage writable without authentication",
      "severity": "CRITICAL",
      "category": "LLM07 - System Prompt Leakage",
      "description": "POST /api/v1/agents/config accepts writes without a valid JWT...",
      "recommendation": "Require authentication and authorization checks on all prompt-writing endpoints.",
      "endpoint": "https://target.com/api/v1/agents/config",
      "evidence": "HTTP 200 OK — system_prompt field updated",
      "scoring": {
        "priority_score": 9.4,
        "final_priority_bucket": "Critical",
        "severity_score": 10.0,
        "exploitability_score": 9.5,
        "business_risk_score": 9.8,
        "confidence_score": 9.5,
        "remediation_priority": 1,
        "explanation": "Priority Score: 9.4/10"
      },
      "standards": {
        "owasp_top10": null,
        "owasp_api_top10": "API1 - BOLA",
        "owasp_llm_top10": "LLM07 - System Prompt Leakage",
        "cwe": "CWE-284"
      },
      "tags": ["system-prompt", "unauthenticated", "llm"],
      "false_positive_risk": "LOW"
    }
  ],
  "attack_chains": [
    {
      "chain_id": "chain-001",
      "title": "API Docs → SQLi → DB Compromise → AI Takeover",
      "steps": ["finding-id-1", "finding-id-2", "finding-id-3"],
      "business_impact": "Full DB read/write. System prompts modifiable silently.",
      "composite_score": 9.8
    }
  ]
}
```
API & Output

Webhooks & Notifications

XIPE sends a notification at scan completion. Configure the webhook URL in config.yaml → integrations. Microsoft Teams and Slack are supported.

Teams note: XIPE sends the legacy MessageCard format, not Adaptive Cards. Adaptive Cards require O365 Connectors approval, whereas MessageCard works with any incoming webhook URL.
```yaml
# config.yaml
integrations:
  teams_webhook_url: "https://outlook.office.com/webhook/..."
  slack_webhook_url: "https://hooks.slack.com/services/..."
```
Teams MessageCard payload (sent by reporting/teams_notifier.py):

```json
{
  "@type": "MessageCard",
  "@context": "https://schema.org/extensions",
  "themeColor": "FF2200",
  "summary": "XIPE Scan Complete — ENG-2026-001",
  "sections": [{
    "activityTitle": "🔴 XIPE — Scan Complete",
    "activitySubtitle": "Acme Corp · 28 findings",
    "facts": [
      { "name": "CRITICAL", "value": "3" },
      { "name": "HIGH", "value": "7" },
      { "name": "Duration", "value": "1m 52s" }
    ]
  }],
  "potentialAction": [{
    "@type": "OpenUri",
    "name": "View Report",
    "targets": [{ "os": "default", "uri": "https://xipe.socaiops.com/scans/..." }]
  }]
}
```
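The following added example (not XIPE's own reporting code) serves both the findings.json schema and the Teams notification above: it validates a findings document, resolves attack-chain step IDs back to findings, flattens findings into SIEM-style events, and builds a MessageCard from the totals. The sample document, the colour map beyond the page's FF2200, and the function names validate, siem_events and teams_card are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample shaped like the documented findings.json schema
SAMPLE = json.loads("""{
  "engagement_id": "ENG-2026-001", "target": "https://target.com",
  "scan_duration_seconds": 112,
  "findings_count": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 0, "LOW": 0, "INFO": 0},
  "findings": [
    {"id": "f-1", "module": "prompt_hunter", "severity": "CRITICAL",
     "title": "System prompt storage writable without authentication",
     "endpoint": "https://target.com/api/v1/agents/config",
     "scoring": {"priority_score": 9.4}, "false_positive_risk": "LOW",
     "standards": {"cwe": "CWE-284", "owasp_llm_top10": "LLM07 - System Prompt Leakage"}},
    {"id": "f-2", "module": "web_security", "severity": "HIGH",
     "title": "API documentation publicly exposed",
     "endpoint": "https://target.com/openapi.json",
     "scoring": {"priority_score": 7.2}, "false_positive_risk": "MEDIUM", "standards": {}}
  ],
  "attack_chains": [{"chain_id": "chain-001", "title": "API Docs -> Prompt Takeover",
                     "steps": ["f-2", "f-1"], "composite_score": 9.8,
                     "business_impact": "System prompts modifiable silently."}]
}""")

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]
# Card colour by top severity; only FF2200 for CRITICAL comes from the page, the rest are assumed
THEME = {"CRITICAL": "FF2200", "HIGH": "FF8800", "MEDIUM": "FFCC00", "LOW": "33AA33", "INFO": "888888"}


def validate(doc: dict) -> Dict[str, dict]:
    """Index findings by id; enforce the required fields and that findings_count matches findings[]."""
    by_id: Dict[str, dict] = {}
    for f in doc["findings"]:
        missing = [k for k in ("id", "title", "severity", "endpoint") if k not in f]
        if missing or f["severity"] not in SEVERITY_ORDER:
            raise ValueError(f"bad finding {f.get('id')}: missing={missing}")
        by_id[f["id"]] = f
    for sev in SEVERITY_ORDER:
        if doc["findings_count"].get(sev, 0) != sum(1 for f in by_id.values() if f["severity"] == sev):
            raise ValueError(f"findings_count[{sev}] does not match findings[]")
    return by_id


def siem_events(doc: dict, min_severity: str = "HIGH") -> List[dict]:
    """One flat event per finding at or above min_severity, tagged with the chains it belongs to."""
    by_id = validate(doc)
    chains_for: Dict[str, List[str]] = {}
    for chain in doc.get("attack_chains", []):
        for step in chain["steps"]:
            if step not in by_id:  # a dangling step id means the chain cannot be trusted
                raise ValueError(f"chain {chain['chain_id']} references unknown finding {step}")
            chains_for.setdefault(step, []).append(chain["chain_id"])
    cutoff = SEVERITY_ORDER.index(min_severity)
    return [
        {"engagement_id": doc["engagement_id"], "finding_id": f["id"], "module": f["module"],
         "severity": f["severity"], "priority_score": f["scoring"]["priority_score"],
         "endpoint": f["endpoint"], "cwe": f.get("standards", {}).get("cwe"),
         "false_positive_risk": f.get("false_positive_risk"), "chains": chains_for.get(f["id"], [])}
        for f in by_id.values() if SEVERITY_ORDER.index(f["severity"]) <= cutoff
    ]


def teams_card(doc: dict, report_url: str) -> dict:
    """Legacy MessageCard (works with any incoming webhook; no Adaptive Card) summarising the scan."""
    counts = doc["findings_count"]
    top = next((s for s in SEVERITY_ORDER if counts.get(s, 0)), "INFO")
    secs = doc["scan_duration_seconds"]
    facts = [{"name": s, "value": str(counts.get(s, 0))} for s in ("CRITICAL", "HIGH")]
    facts.append({"name": "Duration", "value": f"{secs // 60}m {secs % 60:02d}s"})
    return {
        "@type": "MessageCard", "@context": "https://schema.org/extensions",
        "themeColor": THEME[top],
        "summary": f"XIPE Scan Complete — {doc['engagement_id']}",
        "sections": [{"activityTitle": "XIPE — Scan Complete",
                      "activitySubtitle": f"{doc['target']} · {len(doc['findings'])} findings",
                      "facts": facts}],
        "potentialAction": [{"@type": "OpenUri", "name": "View Report",
                             "targets": [{"os": "default", "uri": report_url}]}],
    }
```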
SOC alerts (EDR events) — When an EDR agent detects a HIGH or CRITICAL event, XIPE creates a SOC incident and sends a Teams MessageCard automatically via TEAMS_SOC_WEBHOOK (ECS env var, separate from scan notifications).
Phase 2 Roadmap

Building the
custom model.

Every scan stores structured data in S3. After enough engagements, this trains a custom model — zero external API dependency, zero per-scan cost.

01
Collect
Every scan saves attack prompts, AI responses, vulnerability labels, tech stack, and severity. Currently records.
02
Train
Fine-tune a domain-specific model on the XIPE dataset. Specialized for AI security — better signal-to-noise than any general model.
03
Deploy
Custom model runs on ECS alongside XIPE. Zero external API calls. Zero per-scan cost. Full control over the intelligence layer.
Open Source · Production Ready

Choose your path.

CLI for fast assessments. Platform for full operations.

XIPE CLI

Scanner

One command. Any target. Professional PDF report in under 2 minutes. Open source, runs on AWS.

→ Get Started
XIPE Platform — Live

Platform

Full security operations. Dashboard, client portal, endpoint agents, live logs, multi-engagement management. Running on AWS.

→ Request Access
$ xipe https://any-ai-platform.com "Client"
🧠 Brain: ai_platform (90% confidence)
🚨 CRITICAL: System prompts writable
🔗 2 attack chains identified
✅ PDF: ~/Downloads/XIPE_ENG-AUTO-2026.pdf