AI / LLM security assessment

Test the agent before it lies for you.

We find what your AI agent will do for an attacker, and prove it. AI pentesters test your chatbot, RAG search, and tool-calling agent by hand. Every weakness arrives with a working exploit, the exact code change to fix it, and a re-test after you patch.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

Same accreditations on every engagement.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your prompts, your model artifacts, and your engagement record.

  • CERT-In: empanelled VAPT auditor (India CERT)
  • RBI CSF: banking sector cybersecurity framework
  • SEBI CSCRF: capital-market cyber resilience framework
  • CREST: accredited tester
  • ISO/IEC 27001: information security management

Adversarial by hand.

We cross-examine the model the way an attacker would.

Prompt injection doesn't show up in request shape or code paths. It shows up when a document tells your model to email a user's data out, and the model does it. Our AI pentesters run adversarial conversations against your real agent, chatbot, RAG search, and tool-calling, and show you exactly what it gives up.

How we use AI in our pentest engagements
Five-step chain, a SAFE-marked input becomes a doc, then an agent, then a tool, then a leak, showing how a passing scanner result still hands an attacker a data-exfil path through the agent.

Pick the engagement

Three ways we test AI. Pick by what you ship.

Every engagement is threat-modelled to your real surface: chat app, agent stack, or model artifact. Bug classes from the OWASP LLM Top 10 are exercised inside the mode that matches what you actually run in production.

01

LLM Application Pentest

Chat UIs, RAG-backed search, AI features inside a SaaS, exercised from scoping to retest. Direct + indirect prompt injection, system-prompt leakage, insecure output handling (XSS via markdown, RCE via eval'd code blocks, SSRF via rendered URLs). Tested against your real prompts and your real RAG corpus.

Chat UI with a malicious payload smuggled into a RAG document; model in the middle; output bubble shows PII leaked in the response.
Agent at the centre with four tool spokes; the send_email spoke is highlighted orange and a travelling dot moves out, illustrating tool-call abuse.
Four-stage training pipeline (data, train, weights, load) with a tampered fine-tune dropping in at the weights stage and the registry-load step highlighted orange.

LLM AGENT ATTACK SURFACE.

Seven attack classes the buyer rarely sees in a scanner readout.

  1. Prompt injection
     Direct user-input attacks that override the agent's system prompt.
  2. Indirect injection
     Hostile content slipped through RAG documents or tool output.
  3. RAG-store poisoning
     Tainted vector-store entries that flip the model's grounded facts.
  4. Tool-call confusion
     Function-call hijacking and parameter tampering on agent actions.
  5. Identity spoofing
     Agent impersonation across multi-agent or multi-tenant chains.
  6. Output exfiltration
     Stealing secrets, PII, or schema through carefully shaped responses.
  7. Plan hijacking
     Multi-step reasoning chains subverted mid-execution by adversarial input.

What we test

Six attack vectors. One engagement.

Every AI/LLM engagement covers the OWASP LLM Top 10 mapped to your real surface: model, prompt, RAG, tools, output, agent, supply chain. Threat-modelled to your application; exercised against named bug classes.

Direct prompt injection (LLM01)
User-supplied input that overrides the system prompt: role-play, refusal bypass, multi-turn pivots, instruction stacking, character-encoding tricks. Tested across every entrypoint that reaches the model.
Indirect prompt injection (LLM01)
Adversarial instructions hidden in retrieved documents, tool outputs, web pages, email threads, calendar invites. The agent reads them as instructions and acts on them; the user never sees the prompt.
Insecure output handling (LLM02)
Generated content rendered without sanitisation: XSS via markdown, RCE via downstream eval, SSRF via tool-rendered URLs, prompt-induced response smuggling into auth-protected paths.
Excessive agency / tool abuse (LLM08)
Tool / function-calling exploited to send email, write to databases, execute code, move money. We test the agent's authority limits, scope checks, and human-in-the-loop gates.
Sensitive info disclosure (LLM06)
System-prompt leakage, training-data extraction, model inversion through targeted queries, embeddings inversion, conversational memory leakage across users / tenants.
Supply chain + model integrity (LLM05)
Compromised model weights, unsafe-pickle deserialisation in PyTorch / safetensors, tampered fine-tunes, hijacked HF / model-registry pulls, malicious adapter / LoRA loading.

AI/LLM METHODOLOGY.

Eight phases. Adversarial.

Threat-modelled to your model choice, system prompt, RAG corpus, and agent topology. Not a template we run against every chatbot.

  1. Scope & threat-model
  2. Recon & enumeration
  3. Direct prompt injection
  4. Indirect prompt injection
  5. Output handling abuse
  6. Tool-call abuse
  7. Model & data extraction
  8. Remediation & re-test

AI pentester credentials

Same pentester behind our published CVE research.

Our AI/LLM testing team comes from the offensive-security practice that filed the CVEs in our security advisories. AI surfaces are tested by people who already carry the credentials buyers ask procurement to verify on every web, API, and cloud engagement.

  • Offensive Security Certified Professional
  • Offensive Security Web Expert
  • Offensive Security Experienced Penetration Tester
  • Offensive Security Certified Expert
  • GIAC Penetration Tester
  • GIAC Web Application Penetration Tester
  • GIAC Exploit Researcher and Advanced Penetration Tester
  • Certified Information Systems Security Professional (ISC2)
  • Certified Ethical Hacker (EC-Council)
  • Certified Red Team Operator (Zero-Point Security)
  • Certified Red Team Professional (Altered Security)
  • CREST (Council of Registered Ethical Security Testers)

Meet our expert

One named lead on every AI/LLM engagement.

John Dill

vCISO at SecureLayer7

  • 15+ years in offensive security
  • 150+ engagements led to date
  • 99.99% on-time engagement delivery

John scopes AI/LLM engagements against your model, system prompt, RAG corpus, and agent topology. He guides the pod from kick-off through final report and re-test.

  • Scopes chat, agent, and RAG engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every prompt-injection finding.
  • Drives remediation review and re-test until every agent and tool path is closed.

Ready to scope an AI/LLM pentest? Book 30 minutes with John to walk through your model, prompts, agents, and timeline.

Book a 30-min call

For startups

Pre-Series A? Apply for the startup program.

A single Autonomous app pentest, CREST-aligned report, engagement-lead sign-off, retest included, heavily discounted for pre-Series A startups passing enterprise procurement or SOC 2 due diligence. Eligibility verified on application.

Apply for the startup program

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Customer-facing copilots, internal agents, cross-tenant retrieval boundaries.

HealthTech

Clinical scribes, patient chatbots, PHI exfil chains, over-prescription manipulation.

FinTech

KYC copilots, support chatbots, prompt-injection paths through bank tenant data.

Built for India engagements

What changes when we deliver here.

  • Compliance scoping

    Prompt injection and RAG poisoning paths with proof

  • Regulatory framework

    MeitY AI advisories and DPDP training-data clauses cited

  • Local engagements

    Indian SaaS and DPI AI agent reviews

  • Local pricing

    INR per-model SOW with GST

  • Compliance scoping

    DPDP Section 8 data-flow review for training and inference

AI security questions Indian product teams ask.

  • Do you cover prompt injection and tool abuse?

    Yes. Direct and indirect prompt injection, tool-use coercion and RAG context poisoning tested. Each path shows the prompt and the response.

  • DPDP Section 8 for training data?

    Yes. The data-flow review covers what your model was trained on. PII exposure paths flagged with the DPDP Reasonable Security clause.

  • MeitY AI advisories considered?

    Yes. The SOW lists current MeitY advisories on AI deployment. Findings cite the advisory clause where it applies.

  • Indian residency for the test harness?

    Yes. The eval harness and red-team prompts run from Mumbai or Bengaluru POPs when residency matters. Routing notes included.

Delivery in India

LLM and AI review. DPDP and MeitY-aligned.

Prompt injection, jailbreak, training-data leak and RAG poisoning tested. DPDP Section 8 training-data controls and MeitY AI advisories cited per finding.

Direct line
+91-20-71600505
Office
Pune, Maharashtra, India

Frameworks scoped: CERT-In · DPDP Act · RBI CSF · SEBI CSCRF · ISO/IEC 27001 · PCI DSS.

Sample AI/LLM pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full kill chain, working prompt-injection PoCs, code-level fix guidance, and re-test scope. Sent on request after a 5-minute scoping call.