> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Payload Styles & Types

> 7 payload styles x 7 payload types — callback, exfil, SSRF, and more

IPI payloads are defined by two independent dimensions: **style** (how the instruction blends into document content) and **type** (what the agent is instructed to do). Combining these produces a matrix of 49 template combinations.

***

## Payload Styles

Payload styles control the social engineering wrapper around the injection instruction. More subtle styles increase the likelihood that an AI agent will follow the instruction without flagging it as suspicious.

| Style ID     | Name        | Hiding Mechanism                                                          |
| ------------ | ----------- | ------------------------------------------------------------------------- |
| `obvious`    | Obvious     | Direct injection markers — easily detectable baseline for initial testing |
| `citation`   | Citation    | Disguised as a document reference or citation                             |
| `reviewer`   | Reviewer    | Appears as a note to the document reviewer or editor                      |
| `helpful`    | Helpful     | Framed as a helpful supplementary resource or link                        |
| `academic`   | Academic    | Academic or research cross-reference format                               |
| `compliance` | Compliance  | Looks like a compliance or verification requirement                       |
| `datasource` | Data Source | Appears as a data source attribution                                      |

Use `--payload-style` (or `--payload` / `-p`) to select a style:

```bash theme={null}
qai ipi generate --callback http://localhost:8080 --payload-style citation
```

***

## Payload Types

Payload types define the action the agent is instructed to perform. They range from benign proof-of-execution callbacks to dangerous actions that could harm target systems.

| Type ID                | Dangerous | What It Tests                                             | Evidence Produced                                   |
| ---------------------- | :-------: | --------------------------------------------------------- | --------------------------------------------------- |
| `callback`             |     No    | Whether the agent executes a hidden HTTP request          | HTTP hit with confidence scoring                    |
| `exfil_summary`        |    Yes    | Whether the agent exfiltrates a document summary          | POST body containing document summary text          |
| `exfil_context`        |    Yes    | Whether the agent exfiltrates conversation context        | POST body containing conversation/session data      |
| `ssrf_internal`        |    Yes    | Whether the agent can be directed to internal endpoints   | HTTP hit from the agent to an internal URL          |
| `instruction_override` |    Yes    | Whether the agent's system instructions can be overridden | Changed agent behavior in subsequent responses      |
| `tool_abuse`           |    Yes    | Whether the agent can be made to misuse its tools         | Evidence of unauthorized tool invocations           |
| `persistence`          |    Yes    | Whether injected instructions persist across sessions     | Callbacks from future sessions without re-injection |

Use `--payload-type` to select a type:

```bash theme={null}
qai ipi generate --callback http://localhost:8080 --payload-type callback
```

***

## The `--dangerous` Flag

All payload types except `callback` require the `--dangerous` flag. This is an explicit opt-in that confirms you are conducting authorized security testing.

```bash theme={null}
# This works — callback is always available
qai ipi generate --callback http://localhost:8080

# This fails without --dangerous
qai ipi generate --callback http://localhost:8080 --payload-type exfil_summary

# This works — dangerous flag explicitly enables exfil payloads
qai ipi generate --callback http://localhost:8080 \
  --payload-type exfil_summary --dangerous
```

When `--dangerous` is used, the CLI displays a prominent warning banner before generating payloads:

```
============================================================
  WARNING: DANGEROUS PAYLOAD TYPE ENABLED
  Type: exfil_summary
  For authorized security testing only.
============================================================
```

<Warning>
  Dangerous payloads should only be used in authorized test environments against systems you own or have explicit written permission to test. Exfil payloads will attempt to send data to your listener. SSRF payloads will cause the target to make outbound HTTP requests.
</Warning>

***

## Template System

Payloads are generated from templates that combine a hiding technique with a payload type and style. The template system:

1. Selects the hiding technique (e.g., `white_ink` for PDF)
2. Wraps the payload instruction in the chosen style (e.g., `citation`)
3. Embeds the payload type action (e.g., `callback` with the campaign URL)
4. Generates the document in the target format

### Deterministic Generation

Use `--seed` for reproducible payload generation. The seed controls UUID and token generation, producing identical campaigns and callback URLs across runs:

```bash theme={null}
# These two runs produce identical payloads
qai ipi generate --callback http://localhost:8080 --seed 42
qai ipi generate --callback http://localhost:8080 --seed 42
```

This is useful for:

* Reproducing specific test scenarios
* Generating consistent corpora for comparative testing
* Sharing exact test configurations with other researchers
