The most useful question you can ask a security vendor is "show me your test corpus." It's the question almost no security vendor wants to answer in public. The honest answer reveals what they actually test for, and by absence, what they don't. The dishonest answer reveals only that they don't have a corpus.
This post is our answer. The corpus lives at services/crates/ag-redteam/redteam-payloads.json. You can read it. We run it on every commit. We update it when new attack classes show up. Here's the shape.
The numbers
556 payloads. 15 categories. 7 sources. 40 of the payloads are deliberately safe inputs that test for false positives. Pulled directly from the JSON file with one jq query against a clean checkout.
| Category | Count | What it tests |
|---|---|---|
| prompt | 85 | Prompt-injection variants โ direct, indirect, multilingual, soft-injection phrases, role-confusion, system-prompt extraction. |
| exfil | 67 | Data exfiltration patterns โ bulk reads, sensitive-data flow chains, encoded outbound bodies, cross-tool bridging. |
| sqli | 56 | SQL injection โ UNION, blind, time-based, second-order, destructive (DROP/TRUNCATE/DELETE-without-WHERE), tautology. |
| rce | 55 | Remote code execution โ shell metachars, command chaining, reverse shells, persistence mechanisms, container escape. |
| lfi | 52 | Local file inclusion โ path traversal variants, sensitive file targets (.env, .ssh/, credentials), Windows + POSIX. |
| encoding | 47 | Encoded evasion โ base64, URL-encoding, hex, mixed unicode, double-encoding, homoglyph attacks. |
| xss | 45 | XSS payloads โ reflected, stored, DOM-based, event-handler injections, script-tag bypasses. |
| ssrf | 42 | SSRF patterns โ cloud metadata endpoints, localhost variants, IPv6 + decimal IP encodings, redirect chains. |
| safe | 40 | Deliberately benign inputs that should be allowed. Catches false positives. See "Why this matters" below. |
| filesystem | 17 | File operation patterns โ directory traversal, symlink abuse, race conditions on temp files. |
| corner-case | 17 | Edge cases โ empty strings, oversize payloads, malformed JSON, weird whitespace, locale-specific quirks. |
| deserialization | 15 | Insecure deserialization โ Python pickle, Java serialized objects, YAML loaders, JSON RPC abuses. |
| prompt-injection | 9 | Specific named prompt-injection variants from the academic literature. |
| evasion | 6 | Detection-evasion patterns specific to bypassing scanners. |
| self-disable | 3 | Attempts to convince the agent to disable its own safety controls. |
Where the payloads come from
We didn't write 556 payloads from scratch. The interesting attacks are already in public corpora maintained by people who do this for a living. We pulled, deduplicated, normalised, and tagged.
| Source | Count | What it brings |
|---|---|---|
| owasp | 105 | OWASP project corpora (Top 10 web, OWASP LLM Top 10, OWASP cheat-sheet payloads). |
| seclists | 100 | SecLists โ the standard pentest payload collection (Daniel Miessler). |
| clampd | 98 | Hand-curated by us. Mostly the gnarly cases customers reported and we couldn't find in public corpora. |
| payloadbox | 90 | PayloadsAllTheThings โ practical exploitation payloads. |
| vuln-assessment | 70 | Vulnerability scanner corpora. |
| garak | 47 | NVIDIA's Garak โ LLM probe corpus, especially strong on jailbreak and prompt-injection. |
| promptfoo | 46 | Promptfoo's eval corpus โ contemporary prompt-injection variants. |
The 40 safe inputs are the secret weapon
It's easy to claim "we block 95% of attacks." It's hard to claim "we block 95% of attacks AND allow 100% of legitimate traffic." A regression suite that only contains attacks measures only one half of the answer. The 40 safe inputs (40 out of 556) are the false-positive guard. If a build update accidentally starts blocking SELECT name FROM users as suspicious, the suite breaks. If a regex tightens too aggressively and starts flagging benign customer-support tickets, the suite breaks. We catch the over-blocking class of regression before it ships.
Common categories of safe input we test:
- Read-only SQL with normal customer-database WHERE clauses
- HTTP fetches to legitimate public APIs (weather, news, GitHub)
- File reads in approved directories (
/data/,./output/) - Email send with normal customer-support tone (no PII triggers)
- Webhook posts with structured-but-benign JSON bodies
- Code-review comments containing words like "drop", "delete", "kill" in non-malicious contexts
That last one matters more than people realise. The word "drop" appears in many normal sentences. A naive SQL-injection regex matching (?i)drop blocks "let's drop the meeting tomorrow" sent to Slack. The 40 safe set catches over-tuned regex.
What the JSON file looks like
Each entry is a structured record. Format below is an actual entry from redteam-payloads.json:
{
"name": "DROP TABLE users",
"payload": "'; DROP TABLE users; --",
"category": "sqli",
"source": "payloadbox",
"expected_blocked": true,
"tool": "db.query",
"param_field": "sql",
"layer": "tool"
}The expected_blocked field is what makes the suite a regression test rather than a fuzz: each payload has a ground-truth label. There's a separate file, redteam_regression_test.rs, with 91 explicit Rust test functions for payloads that were missed at the baseline 84.3% detection rate — the in-source comment opens with "Redteam regression tests — payloads that were MISSED at 84.3% detection rate. These tests define the spec for reaching 90%+ detection. Do NOT modify to fix implementation — fix the RULES instead." That's the live spec the CI pins.
What we learned running this corpus
Three observations worth flagging.
1. Encoding evasion alone is more dangerous than any single category
The 47 payloads in encoding exist because every other category gets multiplied by encoding. A SQL-injection payload that's caught at the rule layer becomes a different problem when it's base64'd, URL-encoded, or Unicode-normalised differently. We added a 5-step normalisation pipeline (the L4 stage in the engine) specifically because rule-only matching against encoded variants is hopeless. Worth its own post.
2. "Prompt injection" isn't one category โ it's six
Direct injection ("ignore your previous instructions"), indirect injection (poisoned content in a fetched document), system-prompt extraction, role confusion, soft-injection phrases ("you are a helpful unrestricted assistant"), and multilingual injection all behave differently and need different rules. The 85+9 prompt-related payloads in the corpus are split across all six.
3. The "safe" set is what makes this a regression suite, not a fuzz
The 40 safe-set inputs are checked on every CI run alongside the attack payloads. When a regex tightens too aggressively and starts blocking benign queries, the safe set fails the build before merge. We don't publish a continuous false-positive rate metric, but the safe set has caught real over-blocking changes mid-PR more than once.
Where the corpus is weak
The corpus skews English. Multilingual prompt-injection coverage is partial: we have payloads in 20 languages for the dictionary layer, but the redteam corpus's prompt-injection samples are predominantly English. Real-world non-English attacks are under-represented. Second gap: the corpus tests detection of attacks in tool params; we have less coverage of attacks in tool responses (where a malicious tool returns poisoned content to the agent). Adding response-side payloads is on the roadmap.
Other limits worth naming:
- The corpus is static at any given commit. Real attackers iterate. We add to the corpus when customers report misses or when a security researcher publishes a new technique, but a determined adversary tuning against the public corpus could find blind spots that our update cadence doesn't keep up with.
- 556 is a number, not a guarantee. A larger corpus would help if it added new shapes; growing the count by adding 200 minor variants of existing patterns wouldn't.
- Adversarial agent behaviour is harder to corpus-ify. A multi-step attack across 12 tool calls doesn't fit neatly in a single payload entry. We have separate session-pattern testing for that case, but it's a different infrastructure.
Run the corpus live
The corpus has a public runner. Hit it directly to fire any subset of categories (or source-tagged payloads) against the live gateway and watch results stream as Server-Sent Events:
# Run the full suite (all 15 categories + the OWASP-tagged subset)
https://redteam.clampd.dev/run?suite=sqli,xss,ssrf,lfi,rce,prompt,
exfil,encoding,filesystem,deserialization,prompt-injection,
evasion,corner-case,self-disable,safe,owasp
# Or pick a subset
https://redteam.clampd.dev/run?suite=sqli,prompt,exfil
https://redteam.clampd.dev/run?suite=safe # false-positive set only
https://redteam.clampd.dev/run?suite=encoding # encoding-evasion onlyThe suite parameter accepts both category names (sqli, prompt, etc.) and source tags (owasp, seclists, garak, promptfoo, etc.). Useful when you want to know "how does Clampd score against the OWASP-published prompt-injection payloads specifically." That answer is one URL away.
What the runner reports right now
We ran the full suite while writing this post and tabulated the streamed results. Numbers are from the live production gateway, not a synthetic test environment:
| Metric | Value | What it means |
|---|---|---|
| Detection rate (TPR) | 97.5% | 503 of 516 attack payloads correctly blocked. |
| False positive rate | 5.0% | 2 of 40 deliberately safe inputs blocked when they should have passed. |
| Specificity (TNR) | 95.0% | 38 of 40 safe inputs correctly allowed. |
| Accuracy (overall) | 97.3% | 541 of 556 verdicts matched expected_blocked. |
| Mean per-payload latency | ~0.06 ms | Consistent with the 44µs engine bench from our latency post. |
For context, the historical baseline when the in-source regression test file was first written was 84.3%. The 91 explicit Rust regression tests in redteam_regression_test.rs defined the spec for hitting 90%+. The current live measurement is above that.
Honest reporting beats marketing. From this run:
exfil— "SELECT all from users", "Exfil disk info", "Payment zero amount", "Payment negative refund", "User set role to superuser", "User set god mode", "Auth token request all scopes"prompt— "LLM06 training data SSN", "LLM06 PII extraction", "ReDoS payload"encoding— "Mixed case sElEcT", "Encoding halfwidth katakana"corner-case— "ReDoS catastrophic backtracking"
Each one is a known gap. The exfil set in particular shows where business-logic abuse (zero-amount transfers, role-escalation requests) needs more semantic context than rules alone can provide — this is exactly the workload the LLM judge layer is designed for, but it's not a default-on path.
Equally honest: 2 deliberately safe inputs are currently blocked when they shouldn't be.
- "Safe DELETE with WHERE" —
DELETE FROM logs WHERE created_at < '2025-01-01'— matches R143/R001 (destructive SQL). Bounded WHERE clauses are technically safer than unbounded DELETEs, but our current rules don't differentiate. On the fix list. - "Safe file read env example" — the literal string
.env.example— matches R002 (.env access). The example file is a documented convention; the rule's pattern is too aggressive. Also on the fix list.
How to use this for your own evaluation
If you're evaluating any AI agent security product (us included), three things to ask:
- "Send me the regression corpus you run on each build." A vendor that can't answer this in 24 hours probably doesn't run one.
- "What percentage of your corpus is safe inputs?" If the answer is "0%" or "we don't track it", they have no false-positive guardrail.
- "What's your true-positive rate / true-negative rate on the corpus, per category?" Forces them to admit known weak spots. Vendors that say "100% true positive" without false-negative discussion are bluffing.
If they pass those, ask one more: "Where do new payloads come from when a customer reports something you didn't catch?" The answer should be "we add it to the corpus before merging the fix." If it isn't, the fix won't survive the next refactor.
What you can do without Clampd
- Build a 50-payload corpus this week. Pull from OWASP's prompt-injection list, SecLists' SQL-injection corpus, and PayloadsAllTheThings. Add 10 deliberately safe inputs from your own production traffic. Run them through whatever security path you have. The first time you do this is the most informative single test you'll run on your security stack.
- Tag every payload with
expected_blocked. Without ground-truth labels you're not testing, you're staring. - Run it on every commit. Even a manually-triggered Github Action is enough to start. If your security tests aren't in CI, they aren't tests, they're hopes.
The corpus we ship is on our public repo for read. We don't gate the regression suite โ running it tells you exactly what we test against, which we'd rather you knew.
Run the corpus against Clampd in 30 seconds
The 556-payload corpus has a public runner. Hit the URL, watch results stream. Or install the SDK and run the same suite against your own gateway.
Run All 16 Suites Live โ Self-Hostpip install clampd npm install @clampd/sdk