Penetration Testing

Penetration testing for large language models, before attackers prompt them.

AI is now business-critical, and it introduces an attack surface traditional testing was never built for. SubRosa's AI red team probes your LLM applications for prompt injection, data leakage, and model and plugin abuse, the way a real adversary would.

Prompt injection · Data leakage · Model manipulation · Plugin abuse

LLM penetration testing, defined

What is LLM penetration testing?

LLM penetration testing is a hands-on security assessment of applications built on large language models, testing the model, its prompts, its data access, and its plugins and integrations for the ways an attacker could abuse them: prompt injection that hijacks behavior, jailbreaks that bypass guardrails, leakage of training data or system prompts, and plugin chains that reach systems the model should never touch. It goes beyond a model benchmark to prove real, exploitable impact in your deployment.

What we test

The AI attack surface.

We test every way an attacker could abuse an LLM application, from the prompt to the plugins.

Prompt injection & jailbreaks

Direct and indirect prompt injection and jailbreak techniques that hijack the model's behavior, bypass guardrails, or exfiltrate its instructions.

Data & prompt leakage

Testing for exposure of training data, system prompts, and other users' data through the model and its context window.

Model manipulation

Adversarial inputs that degrade, bias, or manipulate model outputs into producing harmful or unauthorized actions.

Plugin & integration security

Assessment of the tools, plugins, and integrations the model can call, where an injected prompt can pivot into real systems and data.

Why SubRosa

Offensive security, applied to AI.

AI red team expertise

Our offensive team tests LLM applications with the same adversarial mindset we bring to networks and apps, adapted to how AI actually fails.

Mapped to OWASP LLM Top 10

Findings are mapped to the OWASP Top 10 for LLM Applications, so your risk is framed against the emerging industry standard.

Real deployment context

We test your real deployment, its prompts, data access, and integrations, not a generic model, so the results reflect the risk you actually carry.

Every finding, tracked to closed.

From red team to remediation.

Your LLM pen test findings land in Sable, mapped to the OWASP LLM Top 10, prioritized, assigned, and tracked from open to retested, so AI risk becomes a managed program instead of a one-off report.

LLM findings in Sable
LLM findingsOWASP LLM Top 10
  • Critical
    Indirect prompt injection via doc
    LLM01
    Open
  • High
    System prompt disclosure
    LLM06
    In progress
  • High
    Plugin call reaches internal API
    LLM07
    Retested
  • Medium
    Guardrail bypass via role-play
    LLM01
    Open
Prompt · data · model · pluginsPrioritized · assigned

Secure your AI before attackers prompt it.

Book an LLM penetration test and find out exactly how an attacker could abuse your AI, and how to shut it down.