AI / LLM security assessment

Test the agentbefore it lies for you.

We find what your AI agent will do for an attacker, and prove it. AI pentesters test your chatbot, RAG search, and tool-calling agent by hand. Every weakness arrives with a working exploit, the exact code change to fix it, and a re-test after you patch.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

Same accreditations on every engagement.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your prompts, your model artifacts, and your engagement record.

  • MAS TRM
    Technology Risk Management guidelines
  • CSA Cyber Trust
    Cybersecurity Agency of Singapore mark
  • IMDA
    Info-comm Media Development Authority
  • PDPA
    Personal Data Protection Act 2012
  • AICPA SOC 2 Type II
    SOC 2 Type II
    AICPA · TSC controls auditable

Adversarial by hand.

We cross-examine the model the way an attacker would.

Prompt injection doesn't show up in request shape or code paths. It shows up when a document tells your model to email a user's data out, and the model does it. Our AI pentesters run adversarial conversations against your real agent, chatbot, RAG search, and tool-calling, and show you exactly what it gives up.

How we use AI in our pentest engagements
Five-step chain, a SAFE-marked input becomes a doc, then an agent, then a tool, then a leak, showing how a passing scanner result still hands an attacker a data-exfil path through the agent.
Five-step chain, a SAFE-marked input becomes a doc, then an agent, then a tool, then a leak, showing how a passing scanner result still hands an attacker a data-exfil path through the agent.

Pick the engagement

Three ways we test AI. Pick by what you ship.

Every engagement is threat-modelled to your real surface, chat app, agent stack, or model artifact. Bug classes from the OWASP LLM Top 10 are exercised inside the mode that matches what you actually run in production.

01

LLM Application Pentest

Chat UIs, RAG-backed search, AI features inside a SaaS, exercised from scoping to retest. Direct + indirect prompt injection, system-prompt leakage, insecure output handling (XSS via markdown, RCE via eval'd code blocks, SSRF via rendered URLs). Tested against your real prompts and your real RAG corpus.

Chat UI with a malicious payload smuggled into a RAG document; model in the middle; output bubble shows PII leaked in the response.
Agent at the centre with four tool spokes; the send_email spoke is highlighted orange and a travelling dot moves out, illustrating tool-call abuse.
Four-stage training pipeline (data, train, weights, load) with a tampered fine-tune dropping in at the weights stage and the registry-load step highlighted orange.

LLM AGENT ATTACK SURFACE.

Seven attack classes the buyer rarely sees in a scanner readout.

7
  1. 01
    Prompt injection

    Direct user-input attacks that override the agent's system prompt.

  2. 02
    Indirect injection

    Hostile content slipped through RAG documents or tool output.

  3. 03
    RAG-store poisoning

    Tainted vector-store entries that flip the model's grounded facts.

  4. 04
    Tool-call confusion

    Function-call hijacking and parameter tampering on agent actions.

  5. 05
    Identity spoofing

    Agent impersonation across multi-agent or multi-tenant chains.

  6. 06
    Output exfiltration

    Stealing secrets, PII, or schema through carefully shaped responses.

  7. 07
    Plan hijacking

    Multi-step reasoning chains subverted mid-execution by adversarial input.

What we test

Six attack vectors. One engagement.

Every AI/LLM engagement covers the OWASP LLM Top 10 mapped to your real surface, model, prompt, RAG, tools, output, agent, supply chain. Threat-modelled to your application; exercised against named bug classes.

Direct prompt injection (LLM01)
User-supplied input that overrides the system prompt, role-play, refusal-bypass, multi-turn pivots, instruction-stacking, character-encoding tricks. Tested across every entrypoint that reaches the model.
Indirect prompt injection (LLM01)
Adversarial instructions hidden in retrieved documents, tool outputs, web pages, email threads, calendar invites. The agent reads them as instructions and acts on them, the user never sees the prompt.
Insecure output handling (LLM02)
Generated content rendered without sanitisation, XSS via markdown, RCE via downstream eval, SSRF via tool-rendered URLs, prompt-induced response smuggling into auth-protected paths.
Excessive agency / tool abuse (LLM08)
Tool / function-calling exploited to send email, write to databases, execute code, move money. We test the agent's authority limits, scope checks, and human-in-the-loop gates.
Sensitive info disclosure (LLM06)
System-prompt leakage, training-data extraction, model-inversion through targeted queries, embeddings inversion, conversational memory leakage across users / tenants.
Supply chain + model integrity (LLM05)
Compromised model weights, unsafe-pickle deserialisation in PyTorch / safetensors, tampered fine-tunes, hijacked HF / model-registry pulls, malicious adapter / LoRA loading.

AI/LLM METHODOLOGY.

Eight phases. Adversarial.

Threat-modelled to your model choice, system prompt, RAG corpus, and agent topology. Not a template we run against every chatbot.

  1. 01
    Scope & threat-model
  2. 02
    Recon & enumeration
  3. 03
    Direct prompt injection
  4. 04
    Indirect prompt injection
  5. 05
    Output handling abuse
  6. 06
    Tool-call abuse
  7. 07
    Model & data extraction
  8. 08
    Remediation & re-test

AI pentester credentials

Same pentester behind our published CVE research.

Our AI/LLM testing team comes from the offensive-security practice that filed the CVEs in our security advisories. AI surfaces are tested by people who already carry the credentials buyers ask procurement to verify on every web, API, and cloud engagement.

  • Offensive Security Certified Professional
  • Offensive Security Web Expert
  • Offensive Security Experienced Penetration Tester
  • Offensive Security Certified Expert
  • GIAC Penetration Tester
  • GIAC Web Application Penetration Tester
  • GIAC Exploit Researcher and Advanced Penetration Tester
  • Certified Information Systems Security Professional (ISC2)
  • Certified Ethical Hacker (EC-Council)
  • Certified Red Team Operator (Zero-Point Security)
  • Certified Red Team Professional (Altered Security)
  • CREST. Council of Registered Ethical Security Testers

Insights

AI / LLM security Resources.

Prompt-injection chains, tool-use abuse, and the LLM-agent bugs our reviewers publish from real engagements.

Meet our expert

One named lead on every AI/LLM engagement.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes AI/LLM engagements against your model, system prompt, RAG corpus, and agent topology. He guides the pod from kick-off through final report and re-test.

  • Scopes chat, agent, and RAG engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every prompt-injection finding.
  • Drives remediation review and re-test until every agent and tool path is closed.
SL7 Lab. Published CVE research.
John Dill, vCISO at SecureLayer7

Ready to scope an AI/LLM pentest? Book 30 minutes with John to walk through your model, prompts, agents, and timeline.

Book a 30-min call

For startups

Pre-Series A? Apply for the startup program.

A single Autonomous app pentest, CREST-aligned report, engagement-lead signoff, retest included, heavily discounted for pre-Series A startups passing enterprise procurement or SOC 2 due diligence. Eligibility verified on application.

Apply for the startup program

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Customer-facing copilots, internal agents, cross-tenant retrieval boundaries.

See Tech SaaS pentest

HealthTech

Clinical scribes, patient chatbots, PHI exfil chains, over-prescription manipulation.

See HealthTech pentest

FinTech

KYC copilots, support chatbots, prompt-injection paths through bank tenant data.

See FinTech pentest

Built for Singapore engagements

What changes when we deliver here.

  • Compliance scoping

    MAS FEAT principle-level finding map

  • Regulatory framework

    IMDA Model AI Governance v2 framework tagging

  • Local engagements

    SG bank chatbot — closed indirect prompt-injection via KB ingestion

  • Local pricing

    SGD per-model band, fine-tune pipeline extra tier

  • Compliance scoping

    PDPA §26 cross-border training-data flag per pipeline

AI-security questions from SG product teams.

  • Do you cover MAS FEAT principles?

    Yes. Fairness, ethics, accountability, and transparency findings cite the FEAT principle and the model behaviour observed. MAS-licensed FIs include this in TRM audit.

  • How is training data handled under PDPA §26?

    We check whether training and fine-tune data crosses borders. PDPA §26 transfer expectations are flagged on any pipeline writing to non-SG region storage.

  • What attacks are in scope?

    Direct and indirect prompt injection, jailbreaks, model-extraction, and PII exfiltration through embeddings. Each finding shows the prompt, response, and fix.

  • Do reports help our IMDA Model AI Governance file?

    Yes. Findings are tagged to Model AI Governance v2 framework areas so your IMDA self-assessment cites tested controls, not policy claims.

Delivery in Singapore

MAS FEAT + IMDA Model AI review.

LLM apps and ML pipelines are tested for prompt injection, training-data leakage, and PDPA §26 cross-border training flows. Findings cite MAS FEAT principles and IMDA Model AI Governance v2.

Direct line
+65-6000-0000
Office
Singapore

Frameworks scoped: MAS TRM · PDPA · PCI DSS · ISO/IEC 27001.

Sample AI/LLM pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full kill chain, working prompt-injection PoCs, code-level fix guidance, and re-test scope. Sent on request after a 5-minute scoping call.