frontier · 05

Test your AI features against real adversarial use.

LLM-powered features, agentic systems, MCP integrations, RAG pipelines. We probe prompt injection, model jailbreaks, training-data extraction, tool-use abuse, and supply-chain attacks against the model layer.

01. in scope

What's in scope.

Surfaces we test inside an AI security engagement.

Prompt injection (direct and indirect)

Crafted user inputs that override system prompts. Indirect injection via documents, websites, emails, calendar invites that your agent ingests. The current top-of-mind threat for any LLM app.

Jailbreaks and policy bypass

We probe whether the safety boundary on your model holds against adversarial prompting. Useful when the model has access to sensitive tools or data.

Tool-use abuse

When the model can call functions, search the web, write files, or trigger external APIs, the attack surface widens fast. We map every tool call as an exploit primitive.

MCP server hardening

Misconfigured MCP servers expose internal data or grant write paths. We audit the tool definitions, the auth model, and the data they return.

Training and RAG-data poisoning

For systems that fine-tune on user data or retrieve from external sources, we test whether attacker-controlled inputs corrupt outputs or extract secrets from the index.

Supply chain (models, weights, prompts)

Where do your weights come from? Who signs them? What happens if your system prompt is exfiltrated? We map the AI-specific supply chain and the trust boundaries.

02. how we work

How we work on it.

How an AI security engagement runs.

  1. Scoping call: 60 minutes. We learn the architecture: which model, what tools, what data, what trust assumptions. Free.
  2. Threat model: written deliverable. What attackers want from your AI feature, what paths they have, what controls you currently rely on.
  3. Adversarial testing: two to four weeks of manual prompt injection, jailbreak attempts, tool-use abuse, data-extraction probes. Reproducible payloads delivered with each finding.
  4. Report + readout: findings catalog with payloads, model versions tested, fix strategies. Engineer Q&A on the controls that are realistic for your team.
  5. Retest: 30 days, one round, included.

03. deliverables

What you walk away with.

AI-security deliverables.

Findings report with payloads

Every attack reproducible. Model version pinned. Includes prompt text, system context, and response. Markdown source on request.

AI-specific threat model

Written, diagrammed. Suitable for adding to your architecture docs and for showing customers who ask "how do you handle prompt injection?".

Tool-call abuse map

For agentic systems: every function your model can call, classified by blast radius and recommended hardening.

Detection signal recommendations

What to log, what to alert on, what to throttle. AI workloads need different telemetry than classic apps.

Customer-facing attestation

A short letter you can give enterprise prospects who want a third-party AI security signal.

Model-version retest

Re-run findings on a new model version on request. Catches regression when you swap providers or upgrade.

04. when

When teams hire us for this.

When teams ask for AI security work.

You are shipping an LLM feature to enterprise customers

Enterprise buyers are starting to ask AI-specific questions in security review. A third-party report unblocks deals.

Your AI feature touches sensitive data

PII, financial records, source code, medical records. Indirect prompt injection turns a friendly assistant into an exfiltration channel.

You built an agentic system

Once your model can take actions, the failure modes expand. We map them before a customer reports the first one.

You wrote an MCP server

MCP servers are increasingly the attack surface in AI-tooled environments. We test them like the APIs they functionally are.

05. faq

Questions before the call.

AI security FAQ.

Do you test the foundation model itself?

We test the boundary between your application and the model. We do not have access to provider internals. If a finding is a provider-side bug, we coordinate disclosure.

Can you test our prompt without us giving you the system prompt?

Black-box and gray-box are both options. Black-box mirrors real attacker conditions; gray-box covers more surface in the same budget.

What if our model swap breaks the findings?

Findings are pinned to a model version. On retest we re-run against the new version. Many issues do resurface after a model swap.

Do you do red-team-style AI engagements?

Yes. Adversarial red-teaming against an LLM-powered product, with detection-signal evaluation, can be scoped as a hybrid engagement.

How fast does this field move?

Fast. Findings have a half-life measured in months. We recommend at least one retest or refresh per model swap or major feature change.

Shipping AI features?

A 30-minute call covers your architecture, threat model, and likely top-three findings before we quote.