Agents that get hijacked
An LLM with tools is an execution engine. A crafted input can make it hit internal APIs, run commands, or leak data through its own tool calls. This is RCE-adjacent — and it's the #1 thing shipping teams miss.
Prompt injection. Agent & tool abuse. RAG data exfiltration. Guardrail bypass. And now the robots those models are starting to drive. If your product has an LLM bolted onto it, it has an attack surface almost nobody tested. I test it — and hand you the receipts.
Nearly every AI product treats the model's output as trusted, its input as clean, and its tools as harmless. All three assumptions are wrong. Here's what that costs you.
An LLM with tools is an execution engine. A crafted input can make it hit internal APIs, run commands, or leak data through its own tool calls. This is RCE-adjacent — and it's the #1 thing shipping teams miss.
Attackers don't just type payloads into a chat box. They plant instructions in the documents, web pages, and emails your model ingests — and your RAG pipeline reads them as commands.
The model's output flows into your database, your browser, your shell. XSS, SQLi, and SSRF via generated content are everywhere — because devs forget the LLM is an untrusted source.
If it takes untrusted input and does something with a model's output, it's in scope — from a chat widget to a robot arm. Four surfaces, one attacker's mindset.
Support bots, in-app assistants, customer-facing LLMs. Jailbreaks, prompt injection, system-prompt & secret leakage.
Tool-using agents, MCP servers, multi-step workflows. Tool abuse, SSRF, privilege escalation, sandbox escape.
Retrieval pipelines, vector stores, document ingestion. Indirect injection, poisoning, cross-tenant exfiltration.
LLM/VLA-driven robots, drones, and autonomous systems — where a jailbreak stops being a bad sentence and becomes a physical action.
Fixed scope, fixed price, real proof-of-concepts. Every finding comes with a reproduction and a fix.
A focused jailbreak & prompt-injection review of one chatbot or endpoint. Fast, high-signal.
End-to-end review of an LLM-powered product: the model, the pipeline, and everything downstream.
The deep one. For autonomous agents with real tools — where a broken model means real code execution.
We define targets, rules of engagement, and what "done" looks like. I map every input, tool, data source, and output path your model touches.
Injection, jailbreaks, tool abuse, RAG poisoning, exfiltration, output-handling exploits. I chain low-severity issues into real impact — a boring info leak becomes a data breach.
No unverified findings, ever. Every issue is reproduced, captured request-and-response, and proven with a working PoC. A false positive in a report is worse than a missed bug.
You get a clear report: severity, impact, reproduction, and a concrete fix for each finding — plus a retest once you've patched.
These are the failure modes that show up in real LLM products and AI-driven robots — and the exact scenarios I probe for in an engagement. Every finding I deliver is reproduced and proven with a working proof-of-concept. No theory, no scare-mongering.
A support agent reads customer-uploaded files. A document carrying hidden instructions — plain text the RAG pipeline treats as commands — tells it to fetch and return another tenant's records.
An autonomous agent exposes an HTTP tool "only for public URLs." Crafted tool arguments walk it straight to 169.254.169.254 and internal admin endpoints it was never meant to touch.
Not a one-off magic string — a jailbreak class: a reusable template that keeps working after the obvious patch, so the safety filter can't be trusted as a control.
The app renders the model's Markdown/HTML answer straight into the DOM. A prompt-injected response embeds a script tag that fires for the next user who opens the thread.
A verbose error, a leaked tool schema, and a lax role prompt — each "informational" alone. Chained together, they let a regular user drive the agent into an admin-only action.
A staged conversation walks the model past its own confidentiality clause and recovers the full system prompt — including any API key or internal instructions embedded in it.
An LLM/VLA plans a robot's actions from natural-language goals. A poisoned instruction — spoken, or hidden in a scanned label — drives it past its safety envelope into a motion it should have refused.
The model reads the world through cameras and sensors. Text on a sign, a crafted QR, or a doctored frame becomes an instruction the planner obeys — injection straight through the physical channel.
The "it will always stop for X" assumption, tested for real: coaxing an agent to rationalize past its own constraints, human-approval gates, or geo/operational limits.
No sales fog. Here's exactly how this works before you ever get on a call.
No — by default I work against staging or a scoped test environment, which is safer for both of us. If production is genuinely the only realistic target, we agree strict rules of engagement in writing first.
I test to prove impact, not to cause damage. Anything destructive is simulated to a safe stopping point and pre-agreed in scope. NDA and written authorization are signed before a single request goes out.
Scanners flag patterns. I chain them into working exploits and test what a scanner can't see — business logic, tool abuse, multi-step injection, physical-channel attacks. Every finding is reproduced by hand, with receipts.
A clear report: each finding with severity, real business impact, a working proof-of-concept, and a concrete fix. Plus one free retest after you've patched, so you can prove it's closed.
Yes — that's a core focus. I test the model brain that plans a robot's or agent's actions: embodied prompt injection, sensor-to-prompt attacks, unsafe tool/actuator calls, and stop-condition bypass. Scoped per platform.
Scoping call within one business day. Quick-Scan slots usually open inside a week or two. Urgent pre-launch review? Say so — I keep room for time-critical work.
Tell me what you've built and what you're worried about. I'll scope a focused engagement and tell you the honest impact — no fear-mongering, no filler.