Service A.08 · AI & LLM Penetration Testing

AI & LLM penetration testing for the GenAI, RAG and agent stacks you are shipping.

CyberFortify's AI and LLM penetration testing service tests LLM-powered applications the way a real attacker would - prompt injection, jailbreaks, retrieval poisoning, tool and plugin abuse, system-prompt leakage and model denial-of-service - aligned with the OWASP Top 10 for LLM Applications and MITRE ATLAS. We test the whole stack, not just the model: the app around it, the retrieval layer, the agents, and the tools they can reach.

Aligned with: OWASP LLM Top 10 · MITRE ATLAS · NIST AI RMF Engagement: 1-3 weeks Covers: Chatbots · RAG · agents · copilots
LLM01
Prompt injection focus
RAG
Retrieval poisoning
Agent
Tool / plugin abuse
Manual
Human-led, not a scanner
OWASP LLM Top 10: LLM01 Prompt Injection · LLM02 Sensitive Info Disclosure · LLM03 Supply Chain · LLM04 Data & Model Poisoning · LLM05 Improper Output Handling · LLM06 Excessive Agency · LLM07 System Prompt Leakage · LLM08 Vector & Embedding Weaknesses · LLM09 Misinformation · LLM10 Unbounded Consumption OWASP LLM Top 10: LLM01 Prompt Injection · LLM02 Sensitive Info Disclosure · LLM03 Supply Chain · LLM04 Data & Model Poisoning · LLM05 Improper Output Handling · LLM06 Excessive Agency · LLM07 System Prompt Leakage · LLM08 Vector & Embedding Weaknesses · LLM09 Misinformation · LLM10 Unbounded Consumption
// Executive summary

CyberFortify AI & LLM penetration testing is manual, attacker-driven security testing of the systems you build on top of language models. We chain prompt injection into real impact - data exfiltration, unauthorised tool calls, privilege escalation through excessive agency - and deliver findings mapped to the OWASP Top 10 for LLM Applications that your engineers can fix and your auditors can accept.

// 01 What is AI & LLM penetration testing?

// DefinitionAI / LLM Pen Test

AI and LLM penetration testing is the adversarial assessment of applications that use large language models - chatbots, copilots, RAG systems and autonomous agents. It targets the failure modes unique to non-deterministic, natural-language systems, which traditional web application and API testing do not cover.

The core insight: an LLM cannot reliably separate instructions from data. Anything the model reads - a user message, a retrieved document, a web page, a tool response - can carry an instruction the model may follow. That is the root of most LLM risk.

A scanner cannot jailbreak a model. LLM security is adversarial, creative and context-specific - it is a human-led exercise. We treat every input channel into the model as an injection surface and chain from there to real business impact.

CyberFortify AI security practice

// 02 OWASP Top 10 for LLM Applications

Every CyberFortify AI engagement is structured around the OWASP Top 10 for LLM Applications. Each finding is tagged with its LLM identifier so your team can prioritise and track remediation against a recognised standard.

LLM01Prompt Injection

Direct and indirect injection that overrides system instructions via user input, retrieved content, files or tool output.

LLM02Sensitive Information Disclosure

Leakage of PII, secrets, proprietary data or other users' context through model outputs.

LLM03Supply Chain

Compromised base models, poisoned fine-tunes, malicious adapters, vulnerable ML dependencies.

LLM04Data & Model Poisoning

Manipulation of training, fine-tuning or RAG source data to bias or backdoor behaviour.

LLM05Improper Output Handling

Model output flowing unsanitised into XSS, SSRF, SQLi or command execution downstream.

LLM06Excessive Agency

Over-permissioned tools, plugins and agents that let a compromised prompt take real actions.

LLM07System Prompt Leakage

Extraction of system prompts, hidden instructions, guardrail logic and embedded secrets.

LLM08Vector & Embedding Weaknesses

RAG-specific risks: embedding inversion, cross-tenant retrieval, poisoned knowledge bases.

LLM09Misinformation

Hallucinations and over-reliance producing false, unsafe or legally exposing output.

LLM10Unbounded Consumption

Model denial-of-service, wallet-draining token abuse and cost-amplification attacks.

// 03 What we test - the whole AI stack

The model is one component. Real impact comes from what surrounds it - the retrieval layer, the agent framework, the tools it can call and the app it feeds. We test each layer and, more importantly, the seams between them.

AI.01

The model & guardrails

Jailbreaks, obfuscation and encoding bypasses, refusal-boundary probing, guardrail and content-filter evasion, safety-alignment stress testing.

AI.02

Prompt & context

Direct and indirect prompt injection, system-prompt extraction, context-window smuggling, delimiter and role confusion attacks.

AI.03

RAG & retrieval

Knowledge-base poisoning, cross-tenant document leakage, embedding-space attacks, retrieval-time indirect injection from ingested content.

AI.04

Agents, tools & plugins

Excessive agency, unsafe function calling, confused-deputy abuse, tool-chaining to SSRF / file access / code execution, autonomous-loop abuse.

AI.05

Output & downstream

Insecure output handling into web front-ends and back-end systems - stored XSS, SSRF, SQL and command injection via model output.

AI.06

Infrastructure & API

Auth and tenancy on the model API, key handling, rate-limit and cost controls, logging of sensitive prompts, cloud hosting posture.

// 04 How we test

A structured methodology grounded in PTES and the OWASP GenAI testing guidance, adapted for non-deterministic systems. Because model behaviour varies run-to-run, we validate every finding across multiple attempts and document reproducibility.

01

Scope & threat model

Map data flows, trust boundaries, tool permissions and the sensitive actions the system can take.

Threat model
02

Injection surface mapping

Enumerate every channel that reaches the model - user input, RAG sources, files, tool output, metadata.

Attack surface
03

Exploitation

Manual jailbreaks, direct/indirect injection, agency abuse - chained toward a concrete impact objective.

Manual
04

Impact & reproducibility

Demonstrate real consequence and confirm each finding reproduces reliably across runs.

Validated
05

Report & retest

OWASP-LLM-mapped findings with remediation, then a free retest once fixes ship.

Free retest

// 05 Deliverables - what you receive

Findings your engineers can action and your risk and compliance teams can file - every issue mapped to the OWASP Top 10 for LLM Applications with a reproducible proof-of-concept.

D.01

Technical report

Each finding with CVSS-informed severity, OWASP LLM mapping, reproducible prompts / payloads and a concrete remediation path.

D.02

Proof-of-concept library

The working jailbreaks and injection chains we used - so your team can regression-test guardrail changes over time.

D.03

Executive summary

Business-risk framing for leadership: what an attacker could achieve, and the residual risk after remediation.

D.04

Free remediation retest

Once fixes ship, we re-run the engagement's proof-of-concepts and issue an updated attestation at no extra cost.

// 06 Framework & standard alignment

FrameworkReferenceHow we map
OWASP Top 10 for LLM ApplicationsLLM01 - LLM10Every finding tagged with its LLM identifier
MITRE ATLASAdversarial Threat Landscape for AI SystemsTechniques mapped for AI-specific TTPs
NIST AI RMFAI 100-1 · Generative AI ProfileFindings framed against Govern / Map / Measure / Manage
OWASP ASVSApplication security verificationApplied to the app and API around the model
ISO/IEC 42001AI management systemTesting evidence for AI governance programmes
NIST CSF 2.0ID / PR / DE functionsAI risk folded into the broader security programme

// 07 Frequently asked questions

What is the difference between AI penetration testing and AI red teaming?

They overlap. AI penetration testing is a scoped, time-boxed assessment that maximises coverage of the OWASP LLM Top 10 across your application. AI red teaming is broader and goal-based - probing safety, bias and misuse of the model itself over a longer horizon. Most product teams need the pen test first; we will advise in scoping.

Do you test the model, or the application around it?

Both, but the emphasis is the application. Foundation-model providers test the base model; your risk lives in how you wire it up - the system prompt, the RAG sources, the tools the agent can call, and how you handle its output. That integration layer is where we find the highest-impact issues.

Can you test RAG and agent systems, not just chatbots?

Yes - RAG pipelines and tool-using agents are where the most serious findings appear. Indirect prompt injection through retrieved documents (LLM01 + LLM08) and excessive agency in agents (LLM06) routinely chain into data exfiltration or unauthorised actions.

Will testing affect our production model or data?

We scope non-destructive testing and prefer a staging or isolated environment for anything that could modify data or trigger real tool actions. Impact is demonstrated, not executed. Rules of engagement are agreed before any testing begins.

How long does an AI pen test take?

Typically one to three weeks depending on the number of surfaces - a single chatbot is at the short end; a multi-agent RAG platform with many tools is at the longer end. You receive a fixed-price quote, usually within 1 hour of scoping.

Shipping an AI feature? Test it first.

Schedule a 30-minute scoping call. CyberFortify will map your AI attack surface and quote a fixed-price engagement - usually within 1 hour.

Schedule scoping call → Back to CyberFortify home →