AI / Machine learning

A pentest for the LLM feature your customers can poke at.

Prompt injection, RAG leakage, tool-use safety, and the surrounding service — tested against the OWASP Top 10 for LLM Applications and ready for NIST AI RMF or EU AI Act framing.

Book a security review See what we focus on

Where we focus

Six surfaces an AI engagement always touches.

Direct prompt injection

User input overrides system prompt, exfiltrates instructions, or coerces unsafe output.

Indirect prompt injection

A retrieved document, web page, or email instructs the model into unintended actions.

RAG and retrieval boundaries

Cross-tenant retrieval leakage, source-document poisoning, content isolation in retrieval.

Tool-use safety

Unsafe tool selection, parameter tampering, unbounded chains, privilege escalation through tools.

Data exposure and tenancy

Conversation, training-data, and cross-user context leakage in chat and agent surfaces.

Surrounding service

API auth, rate limiting, abuse resistance, and the boring web-app issues that wrap the model.

How we typically scope AI

A common bundle: AI security testing + the service that wraps the model.

AI security testing → API testing → Web application testing → Authenticated testing →

FAQ

AI / ML — common questions

Do you only test the LLM, or the whole product around it?

Both, depending on scope. Most engagements start at the model surface (prompt injection, RAG, tool use) and extend into the surrounding app and API — which is usually where the real impact lives.

Are you aligned to the OWASP Top 10 for LLM Applications?

Yes. We map findings to the OWASP Top 10 for LLM Applications and to standard OWASP Web and API Top 10 categories where the surrounding service is in scope.

Can the report support NIST AI RMF or EU AI Act readiness?

Yes. We can frame the report in the language of the NIST AI Risk Management Framework or AI Act high-risk system requirements on request, in addition to standard SOC 2 / ISO control mappings.

How do you test indirect prompt injection?

We craft adversarial documents, web pages, or email content that the feature retrieves, and verify whether the instructions inside that content can override the model. We test both common injection patterns and ones tuned to the structure of your prompts.

Do you cover open-source or self-hosted models?

Yes. Whether the model is hosted (OpenAI, Anthropic, Bedrock) or self-hosted (Llama, Mistral, custom), the surface that an attacker can reach is the prompt, the retrieval, the tools, and the surrounding service. That is what we test.

Want a credible answer to: are we secure?

A 30-minute review with our lead pentester. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fair scope and timeline.

Book a security review See what we test