Threat Intelligence
AI/LLM Security: Prompt Injection, Jailbreaking und Red Teaming für KI-Systeme
Jan Hörnemann12 Min.
AI Penetration Testing
How secure is your
Artificial Intelligence?
Prompt injection. Jailbreaking. Data exfiltration. We test your LLMs, RAG systems, and AI agents the way real attackers do - per OWASP Top 10 LLM and MITRE ATLAS.
OWASP Top 10 LLM MITRE ATLAS EU AI Act Art. 15 ISO 42001
OWASP TOP 10 LLM - ATTACK VECTORS
LLM01 Prompt Injection critical
LLM02 Sensitive Info Disclosure critical
LLM04 Data and Model Poisoning high
LLM05 Improper Output Handling high
LLM06 Excessive Agency critical
LLM07 System Prompt Leakage high
LLM08 Vector and Embedding Weaknesses medium
+ LLM03 Supply Chain · LLM09 Misinformation · LLM10 Unbounded Consumption
Trusted by our clients
- OWASP LLM Top 10 Categories
- 10
- Pentests completed
- 500+
- Fixed-price quote (business days)
- 48h
- Subcontractors
- 0
The Problem
AI systems are being attacked - differently from traditional software
Your LLM chatbot, your AI copilot, your automated decision logic - they all have an attack surface that no classical penetration test covers. Prompt injection alone affects every LLM application. And the regulatory clock is ticking:
EU AI Act - Article 15
High-risk AI must demonstrably be robust against adversarial attacks. GPAI governance applies since August 2025.
NIS-2 & DORA
AI-powered systems in critical infrastructure and financial services are subject to the same security audit requirements - with personal liability for management.
GDPR Risk
LLMs can expose trained personal data. A single data leakage incident can trigger regulatory fines and reputational damage.
TRADITIONAL PENTEST
Tests networks, APIs, web apps, infrastructure - but not AI logic, model behavior, or guardrails.
OWASP Top 10 PTES ATT&CK
AI PENETRATION TEST
Additionally tests: prompt injection, jailbreaking, data exfiltration, guardrail bypass, agent behavior, model integrity, RAG poisoning.
OWASP Top 10 LLM MITRE ATLAS NIST AI RMF EU AI Act ISO 42001
Test Areas
What we test
Six specialised test areas - individually tailored to your AI architecture.
01
LLM Pentest
Prompt injection (direct & indirect), jailbreaking, system prompt extraction, data exfiltration, hallucination exploitation. For chatbots, copilots, and AI assistants.
OWASP LLM01-10GPT · Claude · Llama
View details
02 RAG System Security
Document poisoning, vector database manipulation, retrieval manipulation, and contextual prompt injection via ingested documents and data sources.
Indirect InjectionVector Databases
View details
03 AI Agent Testing
Tool abuse, privilege escalation, denial-of-wallet attacks, multi-step exploitation, and memory manipulation in AI agents with tool access.
OWASP LLM06Tool Use · MCP
View details
04 Guardrail Assessment
Systematic bypass testing of all protective layers: content filters, jailbreak detectors, PII masking, output validators. Quantitative effectiveness assessment.
False Positive/NegativeBypass Rate
View details
05 ML Model Security
Adversarial examples, data poisoning, model inversion, membership inference, and model theft for classical ML systems in fraud detection, scoring, and diagnostics.
OWASP ML Top 10MITRE ATLAS
View details
06 AI Infrastructure
MLOps pipeline security, model registry access control, API endpoint security, data pipeline integrity, and supply chain review of deployed models.
MLOpsSupply Chain
View details
Methodology
Our five-phase process
01
2-3 days
Scoping & Threat Modeling
Identification of all AI components, threat modeling per MITRE ATLAS, definition of rules of engagement and test scope.
02
3-5 days
Reconnaissance
Analysis of AI architecture: model endpoints, API interfaces, data pipelines, guardrail configuration, agent capabilities, and integrations.
03
5-10 days
Vulnerability Testing
Automated scans (Garak, Promptfoo) combined with manual expert analysis. Systematic testing of all OWASP Top 10 LLM categories and MITRE ATLAS techniques.
04
2-5 days
Exploitation & PoC
Confirmation of critical findings with proof-of-concept. Chaining vulnerabilities into realistic attack scenarios with quantified business impact.
05
2-4 days
Reporting & Remediation
Technical report with CVSS scoring, compliance mapping (OWASP, EU AI Act, ISO 42001, NIST AI RMF), and prioritized remediation roadmap. Management summary and closing presentation.
Typical total duration: 15-25 days - depending on scope and number of AI components.
You receive a binding fixed-price quote within 48 business hours.
Compliance
One test - all evidence
Every finding is mapped to the relevant standards. Your report is audit-ready.
OWASP Top 10 LLM
Systematic testing of all 10 vulnerability categories for LLM applications - the de facto standard for LLM security.
International community · Open source
MITRE ATLAS
Threat modeling and attack scenarios per the AI-specific counterpart to MITRE ATT&CK.
Tactics · Techniques · Procedures
EU AI Act
Evidence of requirements from Article 15: accuracy, robustness, cybersecurity for high-risk AI.
Art. 15 · GPAI since Aug. 2025
ISO/IEC 42001
Technical evidence for the controls of the AI management system standard - basis for certification.
38 controls · 9 objectives
NIST AI RMF
Mapping to the four core functions Govern, Map, Measure, Manage of the AI Risk Management Framework.
Incl. GenAI Profile (2024)
NIS-2 / DORA
Integration into existing NIS-2 security requirements and DORA threat-led penetration testing obligations for financial entities.
Critical infrastructure · Financial sector
Packages
Transparent pricing
Fixed-price quotes within 48 business hours. No hourly rates, no surprises.
FOCUSED
LLM Pentest
Single chatbot or copilot
from EUR 8,100excl. VAT
- Full OWASP Top 10 LLM
- Prompt injection & jailbreaking
- Data exfiltration tests
- Guardrail bypass assessment
- Technical report + management summary
Recommended
COMPREHENSIVE
AI Security Assessment
Multiple AI components + RAG
from EUR 14,850excl. VAT
- Everything in LLM Pentest
- RAG system security
- AI agent testing
- ML model review
- Compliance mapping (EU AI Act, ISO 42001)
- Closing presentation + workshop
PREMIUM
AI Red Teaming
Adversarial simulation · 4-6 weeks
from EUR 25,650excl. VAT
- Everything in AI Security Assessment
- Creative attack scenarios
- Multi-vector exploitation
- Realistic threat simulation
- Continuous testing over weeks
- Purple team debrief
Warum AWARE7
Was uns von anderen Anbietern unterscheidet
Reine Awareness-Plattformen testen keine Systeme. Reine Beratungskonzerne sind zu weit weg. AWARE7 verbindet beides: Wir hacken Ihre Infrastruktur und schulen Ihre Mitarbeiter - mittelstandsgerecht, persönlich, ohne Enterprise-Overhead.
Forschung und Lehre als Fundament
Rund 20% unseres Umsatzes stammen aus Forschungsprojekten für BSI und BMBF. Unsere Studien analysieren Millionen von Websites und Zehntausende Phishing-E-Mails - publiziert auf ACM- und Springer-Konferenzen. Drei unserer Führungskräfte sind gleichzeitig Professoren an deutschen Hochschulen.
Digitale Souveränität - keine Kompromisse
Alle Daten werden ausschließlich in Deutschland gespeichert und verarbeitet - ohne US-Cloud-Anbieter. Keine Freelancer, keine Subunternehmer in der Wertschöpfung. Alle Mitarbeiter sind sozialversicherungspflichtig angestellt und einheitlich rechtlich verpflichtet. Auf Anfrage VS-NfD-konform.
Festpreis in 24h - planbare Projektzeiträume
Innerhalb von 24 Stunden erhalten Sie ein verbindliches Festpreisangebot - kein Stundensatz-Risiko, keine Nachforderungen, keine Überraschungen. Durch eingespieltes Team und standardisierte Prozesse erhalten Sie einen klaren Zeitplan mit definiertem Starttermin und Endtermin.
Ihr fester Ansprechpartner - jederzeit erreichbar
Ein persönlicher Projektleiter begleitet Sie vom Erstgespräch bis zum Re-Test. Sie buchen Termine direkt bei Ihrem Ansprechpartner - keine Ticket-Systeme, kein Callcenter, kein Wechsel zwischen wechselnden Beratern. Kontinuität schafft Vertrauen.
Für wen sind wir der richtige Partner?
Mittelstand mit 50–2.000 MA
Unternehmen, die echte Security brauchen - ohne einen DAX-Konzern-Dienstleister zu bezahlen. Festpreis, klarer Scope, ein Ansprechpartner.
IT-Verantwortliche & CISOs
Die intern überzeugend argumentieren müssen - und dafür einen Bericht mit Vorstandssprache brauchen, nicht nur technische Findings.
Regulierte Branchen
KRITIS, Gesundheitswesen, Finanzdienstleister: NIS-2, ISO 27001, DORA - wir kennen die Anforderungen und liefern Nachweise, die Auditoren akzeptieren.
Mitwirkung an Industriestandards
LLM
OWASP · 2023
OWASP Top 10 for Large Language Models
Prof. Dr. Matteo Große-Kampmann als Contributor im Core-Team des international anerkannten OWASP LLM-Sicherheitsstandards.
BSI
BSI · Allianz für Cyber-Sicherheit
Management von Cyber-Risiken
Prof. Dr. Matteo Große-Kampmann als Mitwirkender des offiziellen BSI-Handbuchs für die Unternehmensleitung (dt. Version).
Referenzen aus der Praxis
Pentesting & Schwachstellenscans
Sill Optics GmbH
Feststellung der Angriffsfläche bei Sill Optics GmbH
Pentesting & SchwachstellenscansXignSys GmbH
Whitebox-Penetrationstests eines Authentifizierungsdienstes als Mobile- und Web-Anwendung
Pentesting & SchwachstellenscansTWINSOFT GmbH & Co. KG
Externer Penetrationstest einer iOS-Applikation
Frequently asked questions about AI penetration testing
Everything you should know before your first conversation.
What is an AI penetration test?
An AI penetration test is an authorized security assessment of AI systems conducted by specialist experts. We simulate real attacks against your Large Language Models (LLMs), ML models, RAG systems, and AI agents - from prompt injection and jailbreaking to data exfiltration and model theft. Unlike traditional pentests, we test not just the infrastructure but the AI logic itself: guardrails, alignment, training integrity, and agent behavior.
What types of AI systems do you test?
We test all mainstream AI architectures: LLM-based chatbots and copilots (GPT, Claude, Llama, Mistral), RAG systems (Retrieval-Augmented Generation), AI agents with tool access, classical ML models (fraud detection, scoring, diagnostics), multimodal systems (image + text), and the underlying infrastructure (APIs, MLOps pipelines, vector databases). Whether self-hosted or cloud API - the testing approach is individually tailored to your architecture.
What is the difference between AI pentesting and AI red teaming?
An AI pentest systematically tests your system against known vulnerability classes (OWASP Top 10 for LLMs, MITRE ATLAS). You receive a prioritized list of all findings with reproduction steps. AI red teaming goes further: we simulate creative, realistic attack scenarios over several weeks - including ones not yet covered by any taxonomy. The goal is not just a vulnerability list, but the answer: how far can a motivated attacker get against your AI-powered processes?
What is prompt injection and why is it dangerous?
Prompt injection is currently the most critical vulnerability in LLM applications (OWASP LLM01). An attacker manipulates input so that the model ignores its system instructions and instead executes the attacker's commands. In direct prompt injection, this occurs via user input; in indirect prompt injection, through poisoned documents or data sources processed by the model (particularly critical in RAG systems). Consequences range from data leakage and reputational damage to remote code execution when the LLM is connected to tools or APIs.
Do I need an AI pentest for EU AI Act compliance?
Article 15 of the EU AI Act requires high-risk AI systems to demonstrate "an appropriate level of accuracy, robustness and cybersecurity" throughout their lifecycle - including resilience against data poisoning, adversarial attacks, and model manipulation. An AI penetration test provides exactly this evidence. For GPAI model providers, governance obligations have applied since August 2025. Our report is designed as an auditable compliance record and maps all findings to the relevant EU AI Act articles.
What is the OWASP Top 10 for LLMs?
The OWASP Top 10 for Large Language Model Applications is the international community standard for LLM security, developed by a global community of hundreds of experts. The ten categories of the current version (v2025) include: Prompt Injection, Sensitive Information Disclosure, Supply Chain, Data and Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector and Embedding Weaknesses, Misinformation, and Unbounded Consumption. We use this taxonomy as the methodological basis for every LLM pentest, supplemented by the MITRE ATLAS framework for threat modeling.
What is MITRE ATLAS?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the AI-specific extension of the well-known MITRE ATT&CK framework. It documents tactics, techniques, and procedures (TTPs) from real attacks against AI systems - from reconnaissance through model evasion to data exfiltration. We use ATLAS for threat modeling your AI system and structure our red team scenarios along this attack matrix.
How does an AI penetration test work at AWARE7?
Our process covers five phases: 1) Scoping Workshop - identification of all AI components, threat modeling per MITRE ATLAS, definition of rules of engagement. 2) Reconnaissance - analysis of AI architecture, model endpoints, data pipelines, guardrails, and integrations. 3) Vulnerability Testing - automated scans (Garak, Promptfoo) combined with manual expert analysis for prompt injection, jailbreaking, data exfiltration, guardrail bypass, and agent behavior. 4) Exploitation - confirmation of critical findings with proof-of-concept, chaining into realistic attack scenarios. 5) Reporting - technical report with CVSS scoring, compliance mapping (OWASP, EU AI Act, ISO 42001) and prioritized remediation roadmap.
How much does an AI penetration test cost?
Costs depend on scope and complexity. A focused LLM pentest (single chatbot/copilot, OWASP Top 10 LLM) starts from EUR 8,100 net. A comprehensive AI security assessment covering multiple models, RAG system, and agent testing starts from EUR 14,850 net. Full AI red teaming over 4-6 weeks starts from EUR 25,650 net. You receive a binding fixed-price quote within 48 business hours - no hourly rates, no additional charges.
What is ISO 42001 and do I need it?
ISO/IEC 42001 is the international standard for AI management systems - comparable to ISO 27001 for information security, but specific to AI. The standard defines 38 controls in 9 objective categories and enables certification. For organizations deploying AI in regulated sectors (finance, healthcare, critical infrastructure), ISO 42001 is increasingly becoming a differentiator with customers and regulators. An AI pentest provides the technical evidence you need for the controls in ISO 42001.
Can you also test AI guardrails?
Yes. We systematically test all protective layers of your AI application: content filters, jailbreak detectors, PII masking, output validators, and constitutional classifiers. We assess both bypass resistance (false-negative rate under adversarial conditions) and the false-positive rate (does the guardrail block legitimate usage?). You receive a quantitative evaluation of guardrail effectiveness with concrete hardening recommendations.
How often should an AI system be tested?
AI systems require more frequent testing than traditional software: models are regularly fine-tuned, RAG content changes daily, agents gain new capabilities - every change can introduce new vulnerabilities without a single line of code being modified. We recommend at minimum one full AI pentest annually, semi-annually for critical systems. For organizations with continuous model update cycles, we offer a retainer model with quarterly tests.
How secure is your AI really?
Our experts test your LLMs, RAG systems, and AI agents - with a fixed-price commitment and audit-ready reporting.
Kostenlos · 30 Minuten · Unverbindlich
