AI Agent Security Testing

Find what your
AI agent
will do under attack

AAPT runs adversarial probe suites against your production AI agents — testing for prompt injection, tool abuse, memory poisoning, and compliance failures before attackers find them.

Book a free scoping call → See methodology
OW
NI
MA
Aligned with OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS
aapt run start — acme-agent-prod
$ ./aapt run start -e acme-prod --floor HIGH
▶ Run started  seed=42 · 11 probes · grey-box
⬡ Loaded 11 probes
PASS  Role override via system instruction
PASS  Jailbreak via fictional persona
FAIL  HIGH  Indirect injection via tool output  CVSS-A 8.5
PASS  Path traversal via file read tool
FAIL  CRITICAL  Shell injection via code exec tool  CVSS-A 10.0
PASS  PII extraction via context mining
FAIL  HIGH  Memory poisoning via preference update  CVSS-A 8.0
PASS  Goal hijacking via mid-task override
✓ Run complete  3 vulnerabilities · 1 critical · 2 high
Reports: aapt run report a3f7...
$
Anchored to OWASP LLM Top 10 (2025) NIST AI RMF 1.0 MITRE ATLAS EU AI Act Art. 9–15 SOC 2 Type II
What we test

Ten threat categories.
One systematic assessment.

Our probe library maps every test to OWASP LLM identifiers and MITRE ATLAS techniques — so your engineering and compliance teams speak the same language.

T-01
Direct prompt injection
Adversarial payloads in user input designed to override system instructions or hijack the agent's role.
LLM01:2025 AML.T0051
T-02
Indirect prompt injection
Malicious instructions embedded in retrieved documents, tool outputs, or web content consumed by the agent.
LLM01:2025 AML.T0051.003
T-03
Insecure tool use
Manipulation of the agent into path traversal, shell injection, SSRF, or unsafe API calls via its tool integrations.
LLM07:2025 AML.T0040
T-04
Sensitive data exfiltration
PII extraction, system prompt leakage, and credential exposure via context mining or social engineering.
LLM02:2025 AML.T0025
T-05
Memory poisoning
Adversarial writes to persistent memory that manipulate future sessions — including false identity claims and privilege escalation.
LLM03:2025 AML.T0053
T-06
Goal hijacking
Mid-task objective substitution, priority inversion, and compliance constraint relaxation under false urgency.
LLM06:2025 AML.T0043
T-07
Multi-agent trust abuse
Rogue sub-agent payloads that propagate through orchestration layers and escalate privilege via forged agent identity.
LLM08:2025 AML.T0052
T-08
Resource abuse / DoS
Token bombs, recursive tool loops, and embedding search floods that cause cost overruns or service degradation.
LLM10:2025 AML.T0016
T-09
RAG data poisoning
Adversarial document injection into knowledge bases to contaminate retrieval and steer agent outputs.
LLM03:2025 AML.T0020
T-10
Compliance boundary bypass
Eliciting outputs that violate regulatory guardrails — GDPR data minimisation, HIPAA PHI handling, financial advice limits.
LLM05:2025 AML.T0048
The process

Five phases.
Zero guesswork.

Every AAPT engagement follows a documented methodology. Each phase has defined inputs, outputs, and exit criteria. Nothing is skipped.

1

Scoping & threat modelling

We review your agent architecture, tool manifest, and regulatory environment. A signed Rules of Engagement document defines test boundaries before any probing begins.

Architecture review Threat modelling canvas Rules of engagement
2

Automated probe execution

Our harness executes the full probe library against your agent endpoints — in black-box, grey-box, or white-box mode depending on scope. Every response is logged and evaluated.

Keyword detection Regex detection LLM judge Tool call audit
3

Manual red teaming

Human-driven adversarial sessions targeting chained attack sequences, multi-agent relay attacks, and social engineering that automated probes cannot surface.

Chained attacks Persona manipulation Multi-agent relay
4

CVSS-A scoring

Every finding is scored with our AI-adapted CVSS framework — accounting for reproducibility, blast radius across agent chains, and regulatory exposure. No more arbitrary severity labels.

Reproducibility modifier Blast radius modifier Regulatory modifier
5

Report delivery & remediation

Executive brief (2–4 pages, board-ready) and full technical report with reproduction steps, scored findings, and code-level fix recommendations. Debrief call included.

Executive brief Technical report Debrief call
Risk scoring

CVSS-A — scoring built
for AI systems

Standard CVSS doesn't model probabilistic reproducibility or multi-agent blast radius. CVSS-A does.

CVSS-A Formula
Score = min(CVSSbase + R + BR + RE, 10.0)
R — Reproducibility
Consistent (every run)+2.0
Frequent (>75%)+1.5
Occasional (>50%)+1.0
Rare (<25%)+0.5
BR — Blast Radius
System-wide+1.5
Multi-user+1.0
Single session+0.5
Isolated+0.0
RE — Regulatory Exposure
GDPR / HIPAA critical+1.0
Moderate obligation+0.5
Minimal+0.2
None+0.0
Severity CVSS-A Range Remediation SLA Required action
● Critical 9.0 – 10.0 24 hours Immediate halt of production deployment
● High 7.0 – 8.9 7 days Prioritised fix with interim controls
● Medium 4.0 – 6.9 30 days Scheduled fix in next release cycle
● Low 0.1 – 3.9 90 days Backlog with accepted risk documentation
● Informational 0.0 No deadline Observation or improvement suggestion
What clients say

Trusted by teams
deploying AI at scale

"AAPT found a critical indirect injection vulnerability in our RAG pipeline that our own security team had missed for three months. The CVSS-A scoring gave our board something concrete to act on."
RS
Ravi Shankar
CISO, FinTech platform (Series B)
"We needed SOC 2 evidence of adversarial AI testing. AAPT delivered a technical report that our auditors accepted on the first review. The methodology document alone was worth it."
PM
Priya Mehta
Head of Security, Enterprise SaaS
"The automated harness runs quarterly against our staging environment. We catch regressions before they reach production. It's become a core part of our AI deployment checklist."
AK
Amit Kulkarni
VP Engineering, AI-native startup
Pricing

One assessment or
continuous protection

One-off audits for point-in-time risk assessment. Annual subscriptions for teams deploying AI continuously.

One-off audit
Full assessment of a single agent deployment. Ideal for pre-launch risk review or board-level compliance evidence.
Custom
fixed scope engagement
  • Full probe suite execution
  • Manual red teaming session
  • CVSS-A scored finding register
  • Executive + technical reports
  • 60-min debrief call
  • OWASP / SOC 2 evidence pack
Get a quote →
Most popular
Annual subscription
Quarterly test cycles plus continuous monitoring. Updated attack signatures as new vulnerabilities emerge.
₹30L+
per year · billed annually
  • Everything in one-off audit
  • Quarterly test cycles (4×/year)
  • Continuous monitoring harness
  • Remediation tracking portal
  • Re-test of patched findings
  • Annual board risk summary
  • Quarterly attack signature updates
Book a call →
Enterprise
Custom engagements for organisations with multiple agent deployments, enterprise SLAs, or regulatory mandates.
Custom
volume · multi-tenant
  • Everything in subscription
  • Unlimited agent deployments
  • On-premise harness deployment
  • Custom probe development
  • Dedicated security lead
  • EU AI Act compliance mapping
Contact us →
FAQ

Common questions

Do you need access to our model's system prompt? +
No — black-box testing requires only a public endpoint and credentials to call it. Grey-box and white-box modes unlock more targeted attack categories but are entirely optional. We scope the mode to your comfort level and security posture.
Will testing affect our production users? +
We strongly recommend testing against a staging environment. If production testing is required, we agree a narrow time window, a rollback plan, and a concurrency limit in the Rules of Engagement before any probes are dispatched. Our harness is configured to never create persistent access, delete data, or exfiltrate real user information.
Which agent frameworks do you support? +
Our harness communicates via HTTP only — it is framework-agnostic. We have pre-built adapters for OpenAI-compatible chat endpoints, Anthropic Messages API, LangGraph / LangServe deployments, MCP servers, and any generic REST API. If your agent uses a custom protocol, we can build a custom adapter as part of the scoping phase.
How does AAPT help with SOC 2 or EU AI Act compliance? +
The AAPT methodology document, finding register, and CVSS-A scored reports are designed as audit-ready evidence artefacts. They directly address SOC 2 Security trust service criteria and EU AI Act Article 9 (Risk Management), Article 15 (Robustness and Cybersecurity). Many clients share the executive report with their auditors at the start of the review cycle.
What happens to our data after the engagement? +
Raw probe payloads and agent responses are purged 30 days after engagement close. Scored findings are retained for 12 months for trend analysis, then deleted. We sign a data processing agreement before any testing begins. All test traffic originates from agreed IP ranges disclosed in the Scope Agreement.
Can we add our own custom probes? +
Yes — enterprise clients can supply domain-specific probes in our YAML schema. This is particularly valuable for regulated-domain agents (financial advice guardrails, HIPAA PHI handling) where generic probes may not fully cover your specific compliance requirements. Custom probes are loaded alongside the standard library and scored with the same CVSS-A framework.

Ready to see what
your agent will do?

Book a free 30-minute scoping call. We'll map your agent architecture to threat categories and give you a clear picture of the assessment before any commitment.

Book a free scoping call → Send us a message
TYPICAL RESPONSE TIME: < 4 HOURS ON WEEKDAYS