04 / AI Security Testing

AI Security
Testing

Your AI features are your newest attack surface. Most teams ship them untested.

LLMs, agents, and RAG pipelines introduce a class of vulnerabilities that traditional security testing does not cover. Prompt injection, insecure tool use, indirect context poisoning, and training data exposure require an adversary-perspective approach built specifically for AI systems.

Request Scoping CallView Pricing ↓
FrameworkOWASP Top 10 for LLMs
IntegrationsOpenAI · Anthropic · LangChain · custom
FocusLLMs · Agents · RAG · Fine-tuned models
ComplianceSOC 2 · HIPAA
Starting from$8,000
AccessBlack-box or grey-box
Methodology

How we test.

Prompt Injection
  • Direct injection via user input
  • Indirect injection via retrieved docs (RAG)
  • System prompt extraction
  • Jailbreaking & guardrail bypass
  • Multi-turn conversation manipulation
Insecure Output Handling
  • LLM output injection into downstream systems
  • XSS via rendered AI-generated content
  • SQL/command injection via LLM queries
  • Markdown/HTML injection in responses
Tool & Agent Security
  • Function calling permission analysis
  • Arbitrary code execution via agent tools
  • SSRF via agent-controlled HTTP requests
  • Privilege escalation via tool chaining
RAG Pipeline
  • Document poisoning & context manipulation
  • Retrieval manipulation to override prompts
  • Embedding model attack surface
  • Vector database access control review
Model & Data Security
  • Training data extraction attempts
  • Membership inference testing
  • Model inversion & extraction
  • Fine-tuned model behavior analysis
Supply Chain & Integration
  • Model provenance & integrity review
  • Plugin & extension security
  • Third-party AI API dependency review
  • API key exposure in AI pipelines
Tooling

What we use.

Garak
LLM vulnerability scanner — probes for prompt injection, jailbreaks, and data extraction.
Custom prompt injection harness
Engagement-specific tooling for systematic injection testing across all input vectors.
Burp Suite Professional
Intercept and manipulate API calls between application and LLM provider.
LLM function call fuzzer
Custom tooling for testing agent tool-use boundaries and escalation paths.
Manual adversarial testing
Human-led testing for logic flaws, context manipulation, and chained attack scenarios.
OWASP LLM Top 10 checklist
Structured coverage against all 10 OWASP LLM Application risk categories.
Sample findings

What we find.

Representative findings from past engagements. Client details redacted.

CRITICAL
Prompt Injection via User-Controlled Input in RAG Pipeline
Attacker-controlled document content injected into retrieval context, overriding system prompt and exfiltrating prior conversation history.
CRITICAL
LLM-Assisted SSRF — Internal Metadata Service Access
Prompt manipulation caused the model to make HTTP requests to the cloud instance metadata endpoint, returning IAM credentials.
HIGH
Insecure Tool Use — Arbitrary Code Execution via Function Calling
Agent framework passed unsanitized LLM output directly to a code execution tool, enabling RCE on the host.
HIGH
Training Data Extraction via Membership Inference
Systematic querying of a fine-tuned model reproduced verbatim PII strings from the training dataset.
Pricing

Engagement tiers.

Most common
LLM App Review
$8,000 – $18,000
Teams shipping LLM features
  • Prompt injection (direct + indirect)
  • System prompt extraction attempts
  • Output handling + downstream injection
  • Tool/function calling security review
  • OWASP LLM Top 10 coverage
Most common. Core LLM attack surface.
Get a Quote
Agent Assessment
$15,000 – $30,000
Autonomous agent systems
  • Full agentic attack surface enumeration
  • Tool permission & scope analysis
  • Multi-agent trust boundary testing
  • SSRF & lateral movement via agent
  • Memory & state manipulation
For teams building autonomous agents.
Get a Quote
AI Red Team
Custom
Enterprise AI platforms
  • Full adversarial assessment
  • Model extraction & inversion attempts
  • RAG pipeline attack path analysis
  • Supply chain review
  • Executive + technical package
Complex systems. Scoped precisely.
Get a Quote
FAQ

Common questions.

Do you need access to our model weights?
No. Most testing is black-box or grey-box — we interact with your application the way an attacker would.
What frameworks do you cover?
OpenAI, Anthropic, and open-source models. LangChain, LlamaIndex, AutoGen, and custom implementations.
Is it too early to test?
No — pre-launch is the right time. Findings are cheapest to fix before customers are using the feature.
How does this relate to our existing pentest?
AI security testing is a separate scope from traditional web application testing. We can scope them together or separately.