Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist
AI & LLM
Penetration Testing
Your AI application accepts natural language as input.
That makes every user interaction a potential attack vector.
OWASP LLM & Agentic Top 10 · EU AI Act mapping · fixed price after scoping · from €2,900
This assessment is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.
Why Now
The pressure to test
EU AI Act
Most obligations apply from 2 August 2026; high-risk rules now expected from 2027-2028. High-risk AI must show appropriate robustness against AI-specific attacks. Penalties are tiered: prohibited practices reach €35M or 7% of global turnover, while most operator, high-risk, and transparency breaches sit lower at up to €15M or 3%, with SME caps applied proportionally.
NIS2 & DORA
Under NIS2 and DORA, AI components that support important business or ICT functions belong in your security testing and risk-management programme. For some financial entities, DORA also brings threat-led penetration testing obligations.
The Methodology Gap
Traditional pentesting doesn't test whether your RAG pipeline leaks documents or whether an AI agent can be tricked into unauthorised API calls. This gap is active and unaddressed in most organisations.
Scope
AI attack surfaces
Your architecture determines your attack surface. We establish which layers are in scope during scoping.
Every AI App
Prompt injection (hidden commands), jailbreaking (safety bypass), system prompt extraction, and sensitive data leakage.
Knowledge Base / RAG
Injecting malicious content into documents, cross-tenant data leakage, and poisoning the knowledge base.
Tool Access / Agentic
Tool call hijacking, unauthorized API access through chained calls, and tricking agents into restricted actions.
Multi-Agent Orchestration
Attacks between agents, trust boundary bypasses, and unauthorized delegation between orchestrator and sub-agents.
Running a self-hosted or fine-tuned model? A fifth layer covering model integrity, training data exposure, and membership inference is available on request.
Pricing
Indicative pricing
What affects the final price
Architecture Complexity
A standalone chatbot versus a multi-agent agentic system with external tool connections. More attack surfaces = more testing time.
Integrations & Tool Access
Each additional tool integration or agentic pipeline introduces independent attack paths and is scoped separately.
Lead Time saves money
Booking at least 3 weeks in advance allows better preparation and is reflected in the quote. Urgent engagements carry a premium.
Process
How We Collaborate
We map your AI architecture, identify which attack surfaces apply, and establish the blast radius of a potential compromise.
I fingerprint guardrails, attempt system prompt extraction, and build the attack plan before active testing begins.
Systematic prompt injection, jailbreak, RAG, and tool-call testing - each finding confirmed through multiple reproductions.
Executive summary with regulatory mapping + technical appendix with reproduction steps and remediation guidance. Debrief call included.
A one-off assessment answers a single question. A Retained Security Partner retainer schedules these assessments for you at the best time and budget, so testing keeps pace with how your business changes.
2027 waitlist
Scope a test
Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.