Independent Consultant | Cybersecurity Architect & vCISO

Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist

AI & LLM
Penetration Testing

Your AI application accepts natural language as input.
That makes every user interaction a potential attack vector.

OWASP LLM & Agentic Top 10 · EU AI Act mapping · fixed price after scoping · from €2,900

This assessment is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.

Why Now

The pressure to test

EU AI Act

Most obligations apply from 2 August 2026; high-risk rules now expected from 2027-2028. High-risk AI must show appropriate robustness against AI-specific attacks. Penalties are tiered: prohibited practices reach €35M or 7% of global turnover, while most operator, high-risk, and transparency breaches sit lower at up to €15M or 3%, with SME caps applied proportionally.

NIS2 & DORA

Under NIS2 and DORA, AI components that support important business or ICT functions belong in your security testing and risk-management programme. For some financial entities, DORA also brings threat-led penetration testing obligations.

The Methodology Gap

Traditional pentesting doesn't test whether your RAG pipeline leaks documents or whether an AI agent can be tricked into unauthorised API calls. This gap is active and unaddressed in most organisations.

Scope

AI attack surfaces

Your architecture determines your attack surface. We establish which layers are in scope during scoping.

Every AI App

Always in scope

Prompt injection (hidden commands), jailbreaking (safety bypass), system prompt extraction, and sensitive data leakage.

LLM01 Prompt Injection LLM07 System Prompt Leakage

Knowledge Base / RAG

If your AI retrieves documents

Injecting malicious content into documents, cross-tenant data leakage, and poisoning the knowledge base.

LLM04 Data Poisoning LLM08 Vector Weaknesses

Tool Access / Agentic

If your AI can take actions

Tool call hijacking, unauthorized API access through chained calls, and tricking agents into restricted actions.

LLM06 Excessive Agency OWASP Agentic Apps Top 10 2026

Multi-Agent Orchestration

If agents delegate to agents

Attacks between agents, trust boundary bypasses, and unauthorized delegation between orchestrator and sub-agents.

Agentic Apps Top 10 - Multi-Agent Trust LLM01 (cross-agent)

Running a self-hosted or fine-tuned model? A fifth layer covering model integrity, training data exposure, and membership inference is available on request.

Findings mapped to: OWASP LLM Top 10 (2025) OWASP Top 10 for Agentic Applications (2026) MITRE ATLAS EU AI Act / NIS2 / DORA

Pricing

Indicative pricing

Starting from
€2,900
exact quote after scoping
Always included
Prompt injection & jailbreak testing
System prompt extraction attempts
Sensitive information disclosure testing
RAG pipeline security checks (if applicable)
Tool call & privilege escalation testing (if applicable)
EU AI Act / NIS2 regulatory mapping
Technical findings with reproduction steps
Retest of critical findings + debrief call

What affects the final price

Architecture Complexity

A standalone chatbot versus a multi-agent agentic system with external tool connections. More attack surfaces = more testing time.

Integrations & Tool Access

Each additional tool integration or agentic pipeline introduces independent attack paths and is scoped separately.

Lead Time saves money

Booking at least 3 weeks in advance allows better preparation and is reflected in the quote. Urgent engagements carry a premium.

Process

How We Collaborate

01
Scoping & threat modelling

We map your AI architecture, identify which attack surfaces apply, and establish the blast radius of a potential compromise.

02
Passive reconnaissance

I fingerprint guardrails, attempt system prompt extraction, and build the attack plan before active testing begins.

03
Active testing

Systematic prompt injection, jailbreak, RAG, and tool-call testing - each finding confirmed through multiple reproductions.

04
Report & debrief

Executive summary with regulatory mapping + technical appendix with reproduction steps and remediation guidance. Debrief call included.

A one-off assessment answers a single question. A Retained Security Partner retainer schedules these assessments for you at the best time and budget, so testing keeps pace with how your business changes.

2027 waitlist

Scope a test

Many organisations deploying AI in 2026 still have not tested their AI features like real attack surfaces. With EU AI Act deadlines approaching, that's a compliance gap that won't stay quiet.
Currently fully booked - onboarding new engagements from early 2027. Join the waitlist and I'll be in touch as slots open.

Have questions? See the FAQ →

Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.