CyberFortify AI & LLM penetration testing is manual, attacker-driven security testing of the systems you build on top of language models. We chain prompt injection into real impact - data exfiltration, unauthorised tool calls, privilege escalation through excessive agency - and deliver findings mapped to the OWASP Top 10 for LLM Applications that your engineers can fix and your auditors can accept.
// 01 What is AI & LLM penetration testing?
AI and LLM penetration testing is the adversarial assessment of applications that use large language models - chatbots, copilots, RAG systems and autonomous agents. It targets the failure modes unique to non-deterministic, natural-language systems, which traditional web application and API testing do not cover.
The core insight: an LLM cannot reliably separate instructions from data. Anything the model reads - a user message, a retrieved document, a web page, a tool response - can carry an instruction the model may follow. That is the root of most LLM risk.
A scanner cannot jailbreak a model. LLM security is adversarial, creative and context-specific - it is a human-led exercise. We treat every input channel into the model as an injection surface and chain from there to real business impact.
CyberFortify AI security practice// 02 OWASP Top 10 for LLM Applications
Every CyberFortify AI engagement is structured around the OWASP Top 10 for LLM Applications. Each finding is tagged with its LLM identifier so your team can prioritise and track remediation against a recognised standard.
Direct and indirect injection that overrides system instructions via user input, retrieved content, files or tool output.
Leakage of PII, secrets, proprietary data or other users' context through model outputs.
Compromised base models, poisoned fine-tunes, malicious adapters, vulnerable ML dependencies.
Manipulation of training, fine-tuning or RAG source data to bias or backdoor behaviour.
Model output flowing unsanitised into XSS, SSRF, SQLi or command execution downstream.
Over-permissioned tools, plugins and agents that let a compromised prompt take real actions.
Extraction of system prompts, hidden instructions, guardrail logic and embedded secrets.
RAG-specific risks: embedding inversion, cross-tenant retrieval, poisoned knowledge bases.
Hallucinations and over-reliance producing false, unsafe or legally exposing output.
Model denial-of-service, wallet-draining token abuse and cost-amplification attacks.
// 03 What we test - the whole AI stack
The model is one component. Real impact comes from what surrounds it - the retrieval layer, the agent framework, the tools it can call and the app it feeds. We test each layer and, more importantly, the seams between them.
The model & guardrails
Jailbreaks, obfuscation and encoding bypasses, refusal-boundary probing, guardrail and content-filter evasion, safety-alignment stress testing.
Prompt & context
Direct and indirect prompt injection, system-prompt extraction, context-window smuggling, delimiter and role confusion attacks.
RAG & retrieval
Knowledge-base poisoning, cross-tenant document leakage, embedding-space attacks, retrieval-time indirect injection from ingested content.
Agents, tools & plugins
Excessive agency, unsafe function calling, confused-deputy abuse, tool-chaining to SSRF / file access / code execution, autonomous-loop abuse.
Output & downstream
Insecure output handling into web front-ends and back-end systems - stored XSS, SSRF, SQL and command injection via model output.
// 04 How we test
A structured methodology grounded in PTES and the OWASP GenAI testing guidance, adapted for non-deterministic systems. Because model behaviour varies run-to-run, we validate every finding across multiple attempts and document reproducibility.
Scope & threat model
Map data flows, trust boundaries, tool permissions and the sensitive actions the system can take.
Threat modelInjection surface mapping
Enumerate every channel that reaches the model - user input, RAG sources, files, tool output, metadata.
Attack surfaceExploitation
Manual jailbreaks, direct/indirect injection, agency abuse - chained toward a concrete impact objective.
ManualImpact & reproducibility
Demonstrate real consequence and confirm each finding reproduces reliably across runs.
ValidatedReport & retest
OWASP-LLM-mapped findings with remediation, then a free retest once fixes ship.
Free retest// 05 Deliverables - what you receive
Findings your engineers can action and your risk and compliance teams can file - every issue mapped to the OWASP Top 10 for LLM Applications with a reproducible proof-of-concept.
Technical report
Each finding with CVSS-informed severity, OWASP LLM mapping, reproducible prompts / payloads and a concrete remediation path.
Proof-of-concept library
The working jailbreaks and injection chains we used - so your team can regression-test guardrail changes over time.
Executive summary
Business-risk framing for leadership: what an attacker could achieve, and the residual risk after remediation.
Free remediation retest
Once fixes ship, we re-run the engagement's proof-of-concepts and issue an updated attestation at no extra cost.
// 06 Framework & standard alignment
| Framework | Reference | How we map |
|---|---|---|
| OWASP Top 10 for LLM Applications | LLM01 - LLM10 | Every finding tagged with its LLM identifier |
| MITRE ATLAS | Adversarial Threat Landscape for AI Systems | Techniques mapped for AI-specific TTPs |
| NIST AI RMF | AI 100-1 · Generative AI Profile | Findings framed against Govern / Map / Measure / Manage |
| OWASP ASVS | Application security verification | Applied to the app and API around the model |
| ISO/IEC 42001 | AI management system | Testing evidence for AI governance programmes |
| NIST CSF 2.0 | ID / PR / DE functions | AI risk folded into the broader security programme |
// 07 Frequently asked questions
What is the difference between AI penetration testing and AI red teaming?
They overlap. AI penetration testing is a scoped, time-boxed assessment that maximises coverage of the OWASP LLM Top 10 across your application. AI red teaming is broader and goal-based - probing safety, bias and misuse of the model itself over a longer horizon. Most product teams need the pen test first; we will advise in scoping.
Do you test the model, or the application around it?
Both, but the emphasis is the application. Foundation-model providers test the base model; your risk lives in how you wire it up - the system prompt, the RAG sources, the tools the agent can call, and how you handle its output. That integration layer is where we find the highest-impact issues.
Can you test RAG and agent systems, not just chatbots?
Yes - RAG pipelines and tool-using agents are where the most serious findings appear. Indirect prompt injection through retrieved documents (LLM01 + LLM08) and excessive agency in agents (LLM06) routinely chain into data exfiltration or unauthorised actions.
Will testing affect our production model or data?
We scope non-destructive testing and prefer a staging or isolated environment for anything that could modify data or trigger real tool actions. Impact is demonstrated, not executed. Rules of engagement are agreed before any testing begins.
How long does an AI pen test take?
Typically one to three weeks depending on the number of surfaces - a single chatbot is at the short end; a multi-agent RAG platform with many tools is at the longer end. You receive a fixed-price quote, usually within 1 hour of scoping.