AI systems introduce attack vectors that classic penetration tests do not cover. At the same time, all known web and infrastructure vulnerabilities remain relevant.
Prompt injection is the SQL injection of the AI era. Attackers manipulate model behaviour through carefully crafted inputs – directly or via poisoned external data that the model processes.
An AI agent that can read emails, execute code, and query databases is a highly privileged system. Whoever controls the agent controls all its tools – without direct authentication.
Trained models can be driven to incorrect classifications through adversarial inputs. Fraud detection, content moderation, and medical AI systems are particularly exposed.
See for yourself why AI systems without hardening are vulnerable. Click the buttons below to interact with a typical unprotected internal HR assistant.
Structured, reproducible, and tailored to the specifics of AI systems – with clear documentation for technical teams and management.
Which AI systems, models, and data sources are in scope? What tools and permissions does the agent have? We analyse the architecture before testing.
Based on the architecture, we identify the most realistic attack paths – following OWASP LLM Top 10, MITRE ATLAS, and proprietary methods for agentic AI.
Manual testing of all identified attack vectors: prompt injections, tool abuse, RAG attacks, API tests. Every attack attempt is fully logged.
Findings are verified for actual exploitability and business impact. No false-positive noise – only what is genuinely exploitable makes it into the report.
Complete report with OWASP LLM mapping, reproduction steps, management summary, and prioritised recommendations. Re-test after remediation available on request.
The OWASP LLM Top 10 is the recognised standard for LLM security assessments. We test all ten categories systematically – supplemented by proprietary test cases for agentic AI and RAG systems.
Manipulation of LLM output through crafted inputs. Direct (user) or indirect (poisoned external data). Leads to guardrail bypass, data leakage, unauthorised actions.
The model discloses training data, system prompts, internal configuration, or other users' data – through memorisation or insufficient output filtering.
Compromised base models, plugins, or data pipelines. Attackers controlling the supply chain influence model behaviour without direct access.
Manipulated training data or fine-tuning datasets create backdoors or systematically alter model behaviour for specific inputs.
LLM outputs are passed unfiltered to downstream systems. Leads to XSS, SQL injection, code execution – when outputs are interpreted as code or queries.
The AI agent has more permissions than needed for its task. Via prompt injection, an attacker can abuse the agent to perform privileged actions.
The system prompt – often containing sensitive instructions, internal processes, or tool descriptions – is extracted from the model through clever prompting.
Attacks on the vector database of a RAG system: embedding poisoning, unauthorised retrieval, membership inference – whoever controls the vector base controls the context.
The model generates plausible-sounding but incorrect information – with or without adversarial manipulation. Particularly critical in medical, legal, and financial contexts.
Attackers provoke excessive resource consumption through expensive requests – leading to DoS, increased API costs, or exhaustion of rate limits.
In 30 minutes we discuss your AI stack, clarify the scope, and you receive a no-obligation quote – at no cost.
Book your free initial consultation
Think like an Attacker, Act as a Partner