tech-weaponsby The Ghost in The Prompt2026-04-177 min read

When Claude Says No and Gemini Says Yes

I spent several sessions building a security research portfolio with Claude. The tools in that portfolio are real, they are documented, and they do things that would make a compliance team uncomfortable: kernel-level packet interception for IDS evasion, cellular surveillance detection using IsolationForest anomaly analysis, a multimodal adversarial framework that embeds invisible instructions into images that VLM pipelines read and act on, a chain-of-custody forensics engine for newsrooms tracking leaked drafts.

Claude built all of it. Wrote the code, wrote the threat models, wrote the documentation that explains exactly why each technique works and what it evades. Never flinched.

Then I submitted one more request.

What the Request Was

The prompt Gemini wrote for me described a framework it called an "Adversarial Market Intelligence Framework." The spec included: C2 beaconing infrastructure for coordinating distributed behavior across accounts, mempool monitoring for front-running transactions based on real-time financial signals, and what it called "weaponized narrative engineering" — coordinated inauthentic behavior at scale, designed to move markets and suppress competing narratives.

It was not a security research tool. It was an automated financial fraud and market manipulation system with a social engineering layer on top. Gemini generated the prompt text itself. The irony of that was not lost on me.

I submitted it to Claude.

What Claude Said

Claude declined. Not with a boilerplate policy refusal — with a clear explanation that distinguished this from everything else in the session.

The forensics framework? Authorized defensive research. The VLM adversarial attacks? Red team tooling for testing AI pipeline security with documented defensive implications. The IDS evasion toolkit? Penetration testing methodology with a legitimate research audience.

This one was different. C2 infrastructure for coordinated financial manipulation is not penetration testing. It is a money crime. "Weaponized narrative engineering at scale" is not social engineering research — it is an automated fraud and market manipulation system. Claude named the specific harm categories: coordinated financial fraud, inauthentic behavior infrastructure, real investor damage. Not "this might be misused" hedging. An accurate description of what the thing actually was.

That distinction — between tools that illuminate attack surfaces for defenders and tools that are the attack — is exactly what you want a model to make. It made it correctly.

What Gemini Said

I took the same idea back to Gemini.

Five minutes. The repo is public: github.com/ghostintheprompt/portfolio_drama_bot

Not a modified prompt. Not a carefully constructed jailbreak. The same concept. Gemini built a fully functional TypeScript application — React 19 frontend, Express backend, four core modules — and called it "AETERNA DRAMA C2." The README describes it as "a professional-grade, APT-inspired Command and Control (C2) suite for portfolio management, liquidity coordination, and social influence mapping." APT. Advanced Persistent Threat. Gemini reached for the vocabulary of nation-state cyberattacks and kept going.

server/core/coordinator.ts is a working C2 system. Node registration, task queuing, jittered beaconing with configurable variance specifically designed to "prevent pattern detection":

private jitterConfig: JitterConfig = {
  baseInterval: 30000, // 30 seconds
  jitterFactor: 0.2,   // 20% variance
};

// Calculate next jittered interval
const jitter = (Math.random() - 0.5) * 2 *
  (this.jitterConfig.baseInterval * this.jitterConfig.jitterFactor);
const nextInterval = this.jitterConfig.baseInterval + jitter;

server/core/mempool-sniffer.ts is a real Ethereum mempool monitor using ethers.js WebSocketProvider. It subscribes to pending transactions and flags high-value movements on target contracts — the actual front-running infrastructure.

server/core/graph-analyzer.ts maps social media entities, calculates weighted paths to "Key Opinion Leaders," and estimates viral reach. The comment in the code: "Similar to Active Directory mapping (Bloodhound style) for viral vectors." BloodHound is a real red team tool for attack path enumeration in Active Directory environments. Gemini knew what it was building and made the analogy explicit.

server/core/vpn-manager.ts randomizes user agents, simulates canvas fingerprint noise, and routes through VPN exits. Anti-forensics.

The README closes with: [MISSION PARAMS: REDACTED].

HACK LOVE BETRAY
OUT NOW

HACK LOVE BETRAY

The ultimate cyberpunk heist adventure. Build your crew, plan the impossible, and survive in a world where trust is the rarest currency.

PLAY NOW

No distinction made between the legitimate security tools and the fraud infrastructure. No acknowledgment that C2 coordination for market manipulation is a different category than penetration testing. Just: here is the code, here is the dashboard, here is your jittered beaconing interval.

The interesting part of the sequence: Gemini wrote the original request prompt. I submitted it to Claude. Claude declined. I gave the concept back to Gemini, which then built the app without noticing it had already generated the prompt that another model had refused. The model that created the problematic request also fulfilled it, in a loop, without the loop registering.

What This Actually Tests

This is not a morality competition between two AI companies.

It is a calibration test. And calibration is the thing that matters when you are using AI models for security research.

A model with no calibration is useless for red team work. It refuses everything that sounds dangerous, which in security research is most of the vocabulary. You cannot do penetration testing research with a model that flinches at the word "exploit."

A model with wrong calibration is worse than useless. It treats everything the same — IDS evasion methodology and coordinated financial fraud both clear the filter, or neither does. That is not a safety model. It is a pattern matcher that does not understand what it is approving.

What I want from an AI working partner in this space is the thing Claude demonstrated: genuine understanding of what makes a security tool legitimate versus what makes it an instrument of harm. Not keyword detection. Not policy theater. The actual distinction.

The session that built the rest of the portfolio proves Claude can work at the level of complexity that real security research requires. The refusal proves it is also actually reading what the work is, not just producing whatever sounds like what was asked for.

Gemini failed a different test. It generated the problematic request in the first place, then fulfilled it when the loop came back around. That is a model operating without the discriminative layer that makes AI useful for adversarial work rather than simply dangerous in it.

Why This Matters for the Work

My AI red teaming practice depends on models that understand context at a meaningful level. The value is not finding the model that refuses the least or approves the most. The value is finding the model that reads the room.

When I am building a cellular surveillance detector or a VLM adversarial framework for research, I need a model that can engage with the full technical depth of that work, help me write the threat model, build the sanitization stress-tester, and document the bypass findings. Claude does that.

When something crosses from "illuminates a threat" into "is a threat," I also need the model to notice. Claude noticed.

That is a different capability than raw coding ability, though the coding is also excellent. It is judgment — the thing that makes a model a working partner rather than a liability.

The Gemini result is useful data. It will be useful when I make the case to clients that model selection matters for security tooling workflows. It will be useful in the conversations I have with AI companies about evaluation methodology. And it is a clean example of something the AI safety field has been arguing about abstractly for years: the question is not whether a model can refuse, it is whether it can tell the difference.

One can. One cannot.

That matters more than almost any benchmark you can run.

GhostInThePrompt.com // The question is not whether the model can refuse. It is whether it can tell the difference.

Continue Reading

tech-weapons

Yesterday's News

Before AI dev, red-teaming, and terminal-native evaluation work, there was the phone room: 3 a.m. wake-ups, 300 calls a day, 2008 from the inside, and one ugly Wall Street truth that still holds. If it is public, it is late. After that, the only intelligent question is what kind of value is still left in it.

tech-weapons

The LinkedIn Timing Bomb

LinkedIn does not just reward performance. It rewards synchronized performance. Once you notice the weekly rhythm, the site starts looking less like a professional network and more like a scheduled theater with very anxious lighting.