AI / LLM security assessment

Test the agentbefore it lies for you.

We find what your AI agent will do for an attacker, and prove it. AI pentesters test your chatbot, RAG search, and tool-calling agent by hand. Every weakness arrives with a working exploit, the exact code change to fix it, and a re-test after you patch.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

Same accreditations on every engagement.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your prompts, your model artifacts, and your engagement record.

  • NCSC CHECK
    Approved testing for HMG / regulated firms
  • CREST accredited
    CREST
    UK-recognised tester accreditation
  • FCA SYSC 13.7
    Operational resilience evidence
  • AICPA SOC 2 Type II
    SOC 2 Type II
    AICPA · TSC controls auditable
  • ISO/IEC 27001
    ISO/IEC 27001
    Information security management

Adversarial by hand.

We cross-examine the model the way an attacker would.

Prompt injection doesn't show up in request shape or code paths. It shows up when a document tells your model to email a user's data out, and the model does it. Our AI pentesters run adversarial conversations against your real agent, chatbot, RAG search, and tool-calling, and show you exactly what it gives up.

How we use AI in our pentest engagements
Five-step chain, a SAFE-marked input becomes a doc, then an agent, then a tool, then a leak, showing how a passing scanner result still hands an attacker a data-exfil path through the agent.
Five-step chain, a SAFE-marked input becomes a doc, then an agent, then a tool, then a leak, showing how a passing scanner result still hands an attacker a data-exfil path through the agent.

Pick the engagement

Three ways we test AI. Pick by what you ship.

Every engagement is threat-modelled to your real surface, chat app, agent stack, or model artifact. Bug classes from the OWASP LLM Top 10 are exercised inside the mode that matches what you actually run in production.

01

LLM Application Pentest

Chat UIs, RAG-backed search, AI features inside a SaaS, exercised from scoping to retest. Direct + indirect prompt injection, system-prompt leakage, insecure output handling (XSS via markdown, RCE via eval'd code blocks, SSRF via rendered URLs). Tested against your real prompts and your real RAG corpus.

Chat UI with a malicious payload smuggled into a RAG document; model in the middle; output bubble shows PII leaked in the response.
Agent at the centre with four tool spokes; the send_email spoke is highlighted orange and a travelling dot moves out, illustrating tool-call abuse.
Four-stage training pipeline (data, train, weights, load) with a tampered fine-tune dropping in at the weights stage and the registry-load step highlighted orange.

LLM AGENT ATTACK SURFACE.

Seven attack classes the buyer rarely sees in a scanner readout.

7
  1. 01
    Prompt injection

    Direct user-input attacks that override the agent's system prompt.

  2. 02
    Indirect injection

    Hostile content slipped through RAG documents or tool output.

  3. 03
    RAG-store poisoning

    Tainted vector-store entries that flip the model's grounded facts.

  4. 04
    Tool-call confusion

    Function-call hijacking and parameter tampering on agent actions.

  5. 05
    Identity spoofing

    Agent impersonation across multi-agent or multi-tenant chains.

  6. 06
    Output exfiltration

    Stealing secrets, PII, or schema through carefully shaped responses.

  7. 07
    Plan hijacking

    Multi-step reasoning chains subverted mid-execution by adversarial input.

What we test

Six attack vectors. One engagement.

Every AI/LLM engagement covers the OWASP LLM Top 10 mapped to your real surface, model, prompt, RAG, tools, output, agent, supply chain. Threat-modelled to your application; exercised against named bug classes.

Direct prompt injection (LLM01)
User-supplied input that overrides the system prompt, role-play, refusal-bypass, multi-turn pivots, instruction-stacking, character-encoding tricks. Tested across every entrypoint that reaches the model.
Indirect prompt injection (LLM01)
Adversarial instructions hidden in retrieved documents, tool outputs, web pages, email threads, calendar invites. The agent reads them as instructions and acts on them, the user never sees the prompt.
Insecure output handling (LLM02)
Generated content rendered without sanitisation, XSS via markdown, RCE via downstream eval, SSRF via tool-rendered URLs, prompt-induced response smuggling into auth-protected paths.
Excessive agency / tool abuse (LLM08)
Tool / function-calling exploited to send email, write to databases, execute code, move money. We test the agent's authority limits, scope checks, and human-in-the-loop gates.
Sensitive info disclosure (LLM06)
System-prompt leakage, training-data extraction, model-inversion through targeted queries, embeddings inversion, conversational memory leakage across users / tenants.
Supply chain + model integrity (LLM05)
Compromised model weights, unsafe-pickle deserialisation in PyTorch / safetensors, tampered fine-tunes, hijacked HF / model-registry pulls, malicious adapter / LoRA loading.

AI/LLM METHODOLOGY.

Eight phases. Adversarial.

Threat-modelled to your model choice, system prompt, RAG corpus, and agent topology. Not a template we run against every chatbot.

  1. 01
    Scope & threat-model
  2. 02
    Recon & enumeration
  3. 03
    Direct prompt injection
  4. 04
    Indirect prompt injection
  5. 05
    Output handling abuse
  6. 06
    Tool-call abuse
  7. 07
    Model & data extraction
  8. 08
    Remediation & re-test

AI pentester credentials

Same pentester behind our published CVE research.

Our AI/LLM testing team comes from the offensive-security practice that filed the CVEs in our security advisories. AI surfaces are tested by people who already carry the credentials buyers ask procurement to verify on every web, API, and cloud engagement.

  • Offensive Security Certified Professional
  • Offensive Security Web Expert
  • Offensive Security Experienced Penetration Tester
  • Offensive Security Certified Expert
  • GIAC Penetration Tester
  • GIAC Web Application Penetration Tester
  • GIAC Exploit Researcher and Advanced Penetration Tester
  • Certified Information Systems Security Professional (ISC2)
  • Certified Ethical Hacker (EC-Council)
  • Certified Red Team Operator (Zero-Point Security)
  • Certified Red Team Professional (Altered Security)
  • CREST. Council of Registered Ethical Security Testers

Insights

AI / LLM security Resources.

Prompt-injection chains, tool-use abuse, and the LLM-agent bugs our reviewers publish from real engagements.

Meet our expert

One named lead on every AI/LLM engagement.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes AI/LLM engagements against your model, system prompt, RAG corpus, and agent topology. He guides the pod from kick-off through final report and re-test.

  • Scopes chat, agent, and RAG engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every prompt-injection finding.
  • Drives remediation review and re-test until every agent and tool path is closed.
SL7 Lab. Published CVE research.
John Dill, vCISO at SecureLayer7

Ready to scope an AI/LLM pentest? Book 30 minutes with John to walk through your model, prompts, agents, and timeline.

Book a 30-min call

For startups

Pre-Series A? Apply for the startup program.

A single Autonomous app pentest, CREST-aligned report, engagement-lead signoff, retest included, heavily discounted for pre-Series A startups passing enterprise procurement or SOC 2 due diligence. Eligibility verified on application.

Apply for the startup program

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Customer-facing copilots, internal agents, cross-tenant retrieval boundaries.

See Tech SaaS pentest

HealthTech

Clinical scribes, patient chatbots, PHI exfil chains, over-prescription manipulation.

See HealthTech pentest

FinTech

KYC copilots, support chatbots, prompt-injection paths through bank tenant data.

See FinTech pentest

Built for United Kingdom engagements

What changes when we deliver here.

  • Compliance scoping

    NCSC Guidelines for Secure AI System Development mapping

  • Regulatory framework

    UK GDPR Art. 22 automated-decision evidence and ICO guidance

  • Local engagements

    London bank stress-tested a customer-service LLM before pilot

  • Local pricing

    GBP per-model fee, RAG-store test rig included

  • Compliance scoping

    OWASP LLM Top 10 v2 coverage per finding

AI testing, UK answers.

  • Do you align to the NCSC AI Guidelines?

    Yes. All four phases — design, develop, deploy, operate. Findings cite the specific principle and a written exploit path.

  • How do you handle UK GDPR Art. 22?

    Automated-decision findings flag the Art. 22 risk, with controls — human-in-loop, opt-out, right-to-explanation. ICO guidance cross-referenced.

  • Do you test RAG and agentic systems?

    Yes. Embedding-store poisoning, retrieval-context injection, tool-call abuse. Each finding maps to OWASP LLM Top 10 v2 plus the NCSC principle.

  • Where is the customer data held?

    UK-region only. No customer prompts or data go to public model endpoints during testing. Rabit0 gateway sits in the engagement architecture.

Delivery in United Kingdom

AI assessment. NCSC AI Guidelines first.

Prompt injection, training-data leakage and model-supply-chain findings cite the NCSC Guidelines for Secure AI System Development. UK ICO guidance referenced.

Direct line
+44-20-0000-0000
Office
London, United Kingdom

Frameworks scoped: CREST · NCSC CAF · UK GDPR · PCI DSS · ISO/IEC 27001.

Sample AI/LLM pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full kill chain, working prompt-injection PoCs, code-level fix guidance, and re-test scope. Sent on request after a 5-minute scoping call.