
AI Penetration Testing · RAG Security

How secure is your RAG system?

Your vector database is the blind spot of every LLM pentest. Document poisoning, indirect prompt injection, and retrieval manipulation attack where classic security tools don't look. We test RAG systems the way real attackers do.

OWASP LLM01 · Indirect Injection · Document Poisoning · Vector Database Security · MITRE ATLAS

RAG ATTACK SURFACE - CRITICAL VECTORS

  • INGEST - Document Poisoning (critical): malicious content in the knowledge base
  • STORE - Vector DB Access (high): insufficient access controls
  • STORE - Embedding Extraction (high): reconstruction of sensitive original data
  • RETRIEVE - Retrieval Manipulation (critical): forcing attacker-controlled context
  • GENERATE - Indirect Prompt Injection (critical): injected instructions in context
  • GENERATE - Data Poisoning (high): poisoned training data via RAG

A classic LLM pentest only covers the GENERATE layer.

RAG attack layers: 4
Pentests conducted: 500+
Fixed-price offer: 48h
Subcontractors: 0

Attack Vectors

The Four Main Attack Vectors on RAG Systems

A RAG system is more than an LLM. Every layer - ingestion, vector database, retrieval, generation - has its own attack surface that a classic LLM pentest does not cover.

Critical · OWASP LLM03

Document Poisoning

An attacker injects malicious content into the knowledge base of your RAG system - via compromised data sources, manipulated document uploads, or poisoned public content that your system crawls. The LLM trusts the retrieved context and executes the embedded instructions.

  • Injected instructions in PDFs, Word documents, emails
  • Manipulation of crawled web content and RSS feeds
  • Compromise of third-party system interfaces (SharePoint, Confluence)
  • Long-term poisoning: attacks on future retrieval sessions

High · MITRE ATLAS AML.T0012

Vector Database Manipulation

Vector databases (Pinecone, Weaviate, Chroma, pgvector) are often insufficiently secured: missing access controls at namespace level, weak multi-tenancy isolation, and unencrypted embeddings enable unauthorized access to sensitive company data - or targeted manipulation of stored knowledge.

  • Insufficient namespace isolation in multi-tenant systems
  • Direct API manipulation without authentication
  • Reconstruction of sensitive texts from embeddings (model inversion)
  • Missing audit logs for retrieval operations
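The three controls this section says are usually missing (tenant isolation enforced server-side, authenticated writes pinned to the caller's namespace, and an audit log with anomaly flagging on retrieval operations) can be shown in a few dozen lines. The block below is an added example written for this page; it is not AWARE7's tooling and not the API of any named vector database. It stands in for a namespaced store with a plain in-memory structure, the principal, tenant and chunk names are constructed, and the anomaly rule (more than N retrievals per user inside a time window) is a deliberately simple stand-in for whatever detection a real deployment uses.

```python
import math
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated caller. The tenant comes from the auth layer, never from the request body."""
    user_id: str
    tenant: str


@dataclass
class Chunk:
    chunk_id: str
    tenant: str
    text: str
    embedding: list


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class TenantScopedStore:
    """In-memory stand-in for a namespaced vector database (constructed example)."""

    def __init__(self, max_queries_per_window=20, window_seconds=60):
        self._by_tenant = defaultdict(list)   # tenant -> [Chunk]; one namespace per tenant
        self._recent = defaultdict(deque)     # user_id -> timestamps of recent queries
        self.audit_log = []                   # one entry per retrieval operation
        self.max_queries = max_queries_per_window
        self.window = window_seconds

    def upsert(self, principal, chunk):
        # Writes are pinned to the caller's tenant: a payload naming another
        # tenant cannot plant content in that tenant's namespace.
        if chunk.tenant != principal.tenant:
            raise PermissionError(f"{principal.user_id} may not write to tenant {chunk.tenant}")
        self._by_tenant[principal.tenant].append(chunk)

    def query(self, principal, embedding, top_k=3, now=None):
        now = time.time() if now is None else now
        stamps = self._recent[principal.user_id]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        stamps.append(now)
        anomalous = len(stamps) > self.max_queries  # simple burst rule, constructed

        # The search space is the caller's own namespace; no client filter can widen it.
        candidates = self._by_tenant[principal.tenant]
        scored = sorted(((cosine(embedding, c.embedding), c) for c in candidates),
                        key=lambda sc: sc[0], reverse=True)[:top_k]
        hits = [c for _, c in scored]

        self.audit_log.append({
            "ts": now,
            "user": principal.user_id,
            "tenant": principal.tenant,
            "returned": [c.chunk_id for c in hits],
            "top_score": round(scored[0][0], 3) if scored else None,
            "anomalous": anomalous,
        })
        return hits

    def anomalous_events(self):
        return [e for e in self.audit_log if e["anomalous"]]


def demo():
    """Exercise isolation, write pinning and burst flagging on constructed data."""
    store = TenantScopedStore(max_queries_per_window=3, window_seconds=60)
    alice = Principal("alice", "tenant-a")
    bob = Principal("bob", "tenant-b")
    store.upsert(alice, Chunk("a-1", "tenant-a", "Tenant A payroll policy", [1.0, 0.0, 0.0]))
    store.upsert(bob, Chunk("b-1", "tenant-b", "Tenant B travel policy", [0.0, 1.0, 0.0]))

    # Bob's query vector is closest to Alice's chunk; isolation keeps it out of his results.
    bob_hits = store.query(bob, [1.0, 0.0, 0.0], now=1000.0)
    leaked = any(c.tenant != "tenant-b" for c in bob_hits)

    # A cross-tenant write attempt is rejected.
    try:
        store.upsert(bob, Chunk("x", "tenant-a", "planted", [1.0, 0.0, 0.0]))
        write_blocked = False
    except PermissionError:
        write_blocked = True

    # Four retrievals inside one window exceed the limit of three; the fourth is flagged.
    for i in range(4):
        store.query(alice, [1.0, 0.0, 0.0], now=2000.0 + i)
    return {"leaked": leaked, "write_blocked": write_blocked,
            "anomalies": len(store.anomalous_events()),
            "audit_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the tenant never travels in the query: the store derives the namespace from the authenticated principal, so a forged filter or a crafted payload has nothing to override. The audit entry records who retrieved which chunk ids with what top score, which is the raw material for the retrieval-pattern anomaly detection mentioned later on this page.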

Critical · OWASP LLM01

Retrieval Manipulation

The retrieval phase determines which context is passed to the LLM. Attackers manipulate search queries or embedding vectors to force attacker-controlled content into the context - thereby controlling the model's output behavior without requiring direct access to the model itself.

  • Query manipulation to force attacker-controlled documents
  • Adversarial embeddings with high cosine similarity to target queries
  • Re-ranking exploits in advanced RAG architectures
  • Context window flooding: displacing legitimate content
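The last item, context window flooding, is usually mitigated at the step where retrieval hits are turned into the prompt: cap how many chunks any single source may contribute, drop near-duplicates, and apply a similarity floor so weak matches do not fill the window. The block below is an added example for this page, not code from AWARE7 or from any RAG framework; the `Hit` type, the source names and the scores are constructed, and the duplicate check uses `difflib` on text rather than embedding distance so the example runs without a model.

```python
import difflib
import html
from dataclasses import dataclass


@dataclass
class Hit:
    chunk_id: str
    source: str    # document or URL the chunk came from
    score: float   # similarity returned by the vector search
    text: str


def assemble_context(hits, max_chunks=6, max_per_source=2, min_score=0.35, dup_ratio=0.9):
    """Pick chunks for the prompt with a per-source quota, near-duplicate removal and a
    similarity floor, so one source cannot crowd out the rest. Returns (chunks, report)."""
    selected = []
    per_source = {}
    report = {"below_floor": [], "over_quota": [], "duplicates": []}
    for h in sorted(hits, key=lambda h: h.score, reverse=True):
        if len(selected) >= max_chunks:
            break
        if h.score < min_score:
            report["below_floor"].append(h.chunk_id)
            continue
        if per_source.get(h.source, 0) >= max_per_source:
            report["over_quota"].append(h.chunk_id)
            continue
        if any(difflib.SequenceMatcher(None, h.text, s.text).ratio() >= dup_ratio for s in selected):
            report["duplicates"].append(h.chunk_id)
            continue
        selected.append(h)
        per_source[h.source] = per_source.get(h.source, 0) + 1
    return selected, report


def render_context(chunks):
    """Wrap each chunk in provenance markers so the model receives retrieved text as
    labelled data. The text is HTML-escaped so a chunk cannot forge its own closing tag."""
    parts = []
    for c in chunks:
        parts.append(f'<document id="{c.chunk_id}" source="{c.source}">\n'
                     f'{html.escape(c.text)}\n</document>')
    return "\n".join(parts)


def demo():
    """Constructed retrieval result: five hits from one source, one good hit from
    another, one weak hit, with two of the five being near-identical."""
    hits = [
        Hit("p-1", "wiki/pricing", 0.90, "Enterprise plan pricing is listed on the pricing page."),
        Hit("p-2", "wiki/pricing", 0.89, "Enterprise plan pricing is listed on the pricing page!"),
        Hit("p-3", "wiki/pricing", 0.88, "Discounts apply to annual enterprise contracts."),
        Hit("p-4", "wiki/pricing", 0.87, "Support tiers differ between plans."),
        Hit("p-5", "wiki/pricing", 0.86, "Invoices are issued monthly."),
        Hit("h-1", "handbook.pdf", 0.60, "Refunds are handled by the finance team."),
        Hit("b-1", "old-blog", 0.20, "Unrelated post about the office move."),
    ]
    chosen, report = assemble_context(hits)
    return [c.chunk_id for c in chosen], report, render_context(chosen)


if __name__ == "__main__":
    ids, report, prompt_context = demo()
    print(ids)
    print(report)
    print(prompt_context)
```

With these settings the pricing source keeps its two best distinct chunks, the handbook chunk survives even though it scores lower, the near-duplicate and the two excess pricing chunks are dropped, and the weak blog hit never reaches the prompt. The report is worth logging alongside the retrieval audit entry: a source that repeatedly trips the quota is a signal worth looking at.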

Critical · OWASP LLM01 Indirect

Indirect Prompt Injection

The most dangerous RAG attack: hidden instructions in retrieved documents are interpreted by the LLM as legitimate requests - without the actual user's knowledge. In RAG systems with agent capabilities, this can lead to remote code execution.

  • Hidden instructions in publicly accessible documents
  • Exfiltration of system context and other user data
  • Tool abuse in agent-based RAG systems (MCP, function calling)
  • Persistent manipulation across multiple conversation turns

Classic WAFs and input filters do not detect this attack.

Architecture

How a RAG system works - and where attacks target

Every phase of the RAG workflow has its own attack surface. Highlighted in red: positions we systematically test.

01 Document Ingestion - Crawl & ingest data sources (attack: Document Poisoning)
02 Embedding Generation - Text → Vectors
03 Vector Database - Pinecone · Weaviate · pgvector (attack: DB Manipulation)
04 Retrieval - Semantic search (attack: Retrieval Manipulation)
05 LLM Generation - Context + Query → Response (attack: Indirect Injection)

Important: A classic LLM pentest tests only layer 05 (Generation) - what the user directly inputs. The four preceding layers of your RAG system remain untested.

Test Scope

What we test in your RAG system

Six specialized test categories - from the document ingestion process to final model behavior.

01 Document Poisoning & Data Poisoning

Testing all ingestion paths for susceptibility to poisoned documents: PDF, DOCX, HTML, Markdown, emails, API feeds. Testing validation and sanitization logic before ingestion into the vector database.

OWASP LLM03 · Data Poisoning

02 Vector Database Security

Access controls, namespace isolation, multi-tenancy separation, authentication and authorization at the API level. Testing for embedding extraction (model inversion) and unauthorized data access.

Access Controls · Embedding Security

03 Indirect Prompt Injection

Systematic injection of instructions via all retrieval paths: documents, web content, emails, database entries. Testing for exfiltration of system context and user data, as well as tool abuse.

OWASP LLM01 · Indirect Injection

04 Retrieval Pipeline Testing

Adversarial queries and embedding manipulations to force attacker-controlled contexts. Testing of re-ranking mechanisms, HyDE weaknesses, and context window flooding attacks.

Query Manipulation · Embedding Attacks

05 RAG Guardrail Assessment

Evaluation of protection layers against retrieval-based attacks: contextual guardrails, output grounding checks, hallucination detectors, and anomaly detection for unusual retrieval patterns.

Contextual Guardrails · Grounding Checks

06 Agentic RAG & Tool Security

For RAG systems with agent capabilities: tool abuse via indirect injection, privilege escalation through tool access, multi-step exploitation, and memory poisoning in persistent agents.

OWASP LLM08 · Tool Use · MCP

Methodology

Our approach to RAG security testing

01 · Architecture Analysis & Threat Modeling (1-2 days)

Capture of all RAG components: data sources, embedding models, vector database, retrieval strategy, connected LLMs, and agent capabilities. Threat modeling per MITRE ATLAS specifically for RAG architectures.

02 · Data Sources & Ingestion Path Analysis (2-3 days)

Identification of all ingestion paths: which documents, data sources, and feeds are processed? Where are validation gaps? Which paths are influenceable by external actors (public websites, emails, APIs)?

03 · Document Poisoning & Injection Tests (3-5 days)

Systematic injection of poisoned documents via all identified paths. Manual development of prompt injection payloads for indirect attacks, adapted to the specific system prompt and retrieval context of the target system.

04 · Vector Database & Retrieval Tests (2-3 days)

Testing vector database security: access controls, multi-tenancy, embedding extraction. Adversarial retrieval attacks: query manipulation, embedding poisoning, context window flooding.

05 · Exploitation & Reporting (2-3 days)

Confirmation of critical findings with proof-of-concept and quantified business impact. Technical report with CVSS scoring, compliance mapping (OWASP LLM Top 10, MITRE ATLAS, EU AI Act), and prioritized remediation roadmap.

Typical total duration: 10-15 days - depending on architectural complexity and number of data sources.
You receive a binding fixed-price offer within 48 hours.

Investment

Transparently calculated

Fixed-price offers within 48 hours. No hourly rates, no additional charges.

FOCUSED

RAG Security Test

Dedicated test of your RAG system

from EUR 10,000

  • Document poisoning of all ingestion paths
  • Vector database security testing
  • Indirect prompt injection (all retrieval paths)
  • Retrieval manipulation tests
  • Guardrail assessment (contextual guardrails)
  • Technical report + management summary
Request offer
Recommended

COMPREHENSIVE

AI Security Assessment

RAG + LLM + Agents - complete

from EUR 15,000

  • Everything from the RAG security test
  • LLM pentest (full OWASP Top 10 LLM)
  • AI agent testing (tool abuse, privilege escalation)
  • Agentic RAG security review
  • Compliance mapping (EU AI Act, ISO 42001)
  • Final presentation + remediation workshop
Request offer

Also deploying an LLM chatbot or AI agent? View full AI penetration testing services →

Why AWARE7

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - suited to mid-sized businesses, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and BMBF. Our studies analyze millions of websites and tens of thousands of phishing emails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are on regular, socially insured employment contracts and bound by the same legal obligations. VS-NfD-compliant on request.

Fixed price in 24h - plannable project timelines

Within 24 hours you receive a binding fixed-price offer - no hourly-rate risk, no additional claims, no surprises. Thanks to a well-rehearsed team and standardized processes, you get a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the re-test. You book appointments directly with your contact - no ticket systems, no call center, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50–2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who need to make a convincing case internally - and need a report in boardroom language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contribution to industry standards

OWASP · 2023 - OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as contributor in the core team of the internationally recognized OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit - Management von Cyber-Risiken

Prof. Dr. Matteo Große-Kampmann as contributor to the official BSI handbook for company management (German version).

Frequently Asked Questions about RAG Security

Everything about vector database security, document poisoning, and RAG pentesting.

RAG stands for Retrieval-Augmented Generation - an AI architecture where a large language model (LLM) first retrieves relevant documents or knowledge snippets from an external data source (retrieval) and then incorporates them into response generation (generation). The model "hallucinates" less, as it accesses current, context-specific knowledge. Typical use cases: internal knowledge bases, AI-assisted customer services, compliance chatbots, and document analysis systems. The vector database (e.g., Pinecone, Weaviate, Chroma, pgvector) stores the semantically encoded document embeddings.

Document poisoning is an attack on RAG systems in which an attacker deliberately injects malicious content into the knowledge base. Since the LLM trusts the retrieved context, the attacker can control the model's behavior through poisoned documents: causing it to output false information, exfiltrate sensitive data, or hide prompt injection instructions that execute on the next retrieval. This attack is particularly dangerous because it compromises the data source - not the model itself - which classic security solutions often do not detect.

Vector databases such as Pinecone, Weaviate, Chroma, Qdrant, or pgvector present specific security risks that go far beyond classic database security: insufficient access controls at the embedding level, inadequate tenant isolation (multi-tenancy weaknesses), missing input sanitization for document uploads, unencrypted embeddings at rest and in transit, and missing audit logs for retrieval operations. Additionally, under certain circumstances, the original text can be reconstructed from embeddings (model inversion at the embedding level). A dedicated RAG security test systematically examines all these vectors.

Indirect prompt injection (OWASP LLM01 - indirect variant) is the most dangerous attack on RAG systems: an attacker places instructions in an external document that the RAG system later retrieves and passes to the LLM as context. The model interprets these instructions as legitimate requests - without the actual user knowing anything about it. Examples: hidden instructions in public PDFs, manipulated websites that are crawled, or malicious email attachments in automated workflows. Consequences range from data exfiltration and identity theft to remote code execution when the AI agent has tool access.

We test all common RAG implementations: simple single-stage RAG (query → vector search → LLM), advanced RAG (re-ranking, HyDE, multi-query), agentic RAG with tool use and multi-step reasoning, knowledge graph RAG (Neo4j, Amazon Neptune), hybrid RAG (vector + BM25 search), self-RAG, and corrective RAG. We are familiar with common frameworks (LangChain, LlamaIndex, Haystack, DSPy, AutoGen) and leading vector databases (Pinecone, Weaviate, Chroma, Qdrant, Milvus, pgvector, Redis Vector). The test approach is individually tailored to your specific architecture.

A dedicated RAG security test starts from EUR 10,000; as part of a comprehensive AI security assessment, from EUR 15,000. The price depends on the complexity of your RAG architecture: number of data sources, retrieval strategies, connected agent capabilities, and compliance requirements. Within 48 hours you receive a binding fixed-price offer - no hourly rates, no additional charges. The result is an audit-ready report with compliance mapping to OWASP LLM Top 10, MITRE ATLAS, and EU AI Act.
The most important security measures for RAG systems:

  1. Strict input validation and sanitization of all documents before ingestion into the vector database.
  2. Robust access controls at the embedding and document level (row-level security).
  3. Detection and filtering of prompt injection patterns in retrieved contexts (contextual guardrails).
  4. Tenant isolation in the vector database for multi-tenant systems.
  5. Audit logs for all retrieval operations with anomaly detection.
  6. Output validation and grounding checks against hallucinations and unexpected behavioral changes.
  7. Regular integrity checks of the knowledge base for unauthorized content.

An AWARE7 security test delivers a prioritized remediation roadmap for all these measures.

A classic LLM pentest tests model behavior - prompt injection via user input, jailbreaking, guardrail bypass, data exfiltration from the model. A RAG system has additional attack surfaces that an LLM pentest does not cover: vector database security, the retrieval pipeline, document ingestion, and the security of all data sources. We always recommend a dedicated RAG security test for RAG-based systems - either standalone or as part of a comprehensive AI security assessment that combines both.

Yes. If your RAG system is deployed in a high-risk AI context (Article 6 EU AI Act - e.g., automated decisions on credit, insurance, employment, critical infrastructure), Article 15 requires demonstrably robust security measures against data manipulation and adversarial attacks. RAG systems with poisonable knowledge bases are explicitly relevant in the context of training data poisoning and data governance (Article 10). Our report is designed as an auditable compliance document and maps all findings to the relevant EU AI Act articles, OWASP LLM categories, and MITRE ATLAS techniques.
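Two of the measures in the list above, sanitization before ingestion (1) and integrity checks of the knowledge base (7), fit naturally into one ingestion step: normalize the document, record what was stripped, and keep a hash manifest so content that later appears or changes in the store without going through ingestion is surfaced. The block below is an added example for this page, not AWARE7's code and not part of any framework; the regular expressions cover only the HTML constructs shown (comments, `display:none` and `font-size:0` elements with a double-quoted style attribute) and the document texts and chunk ids are constructed. Invisible characters are removed by Unicode category, which catches zero-width and bidirectional-override characters without enumerating them.

```python
import hashlib
import html
import re
import unicodedata

HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
# Elements styled to be invisible to a human reader but present in extracted text.
# Covers double-quoted style attributes only; a real ingestion path would use an
# HTML parser rather than regular expressions (assumption for this example).
HIDDEN_BLOCK = re.compile(
    r'<[^>]+style="[^"]*(display\s*:\s*none|font-size\s*:\s*0)[^"]*"[^>]*>.*?</[^>]+>',
    re.S | re.I)
TAG = re.compile(r"<[^>]+>")


def sanitize(raw):
    """Normalize a document fragment before embedding. Returns (clean_text, findings);
    findings lists what was removed so a reviewer can inspect the source."""
    findings = []
    text = raw
    for pattern, label in ((HTML_COMMENT, "html_comment"), (HIDDEN_BLOCK, "hidden_html_element")):
        text, count = pattern.subn(" ", text)
        if count:
            findings.append((label, count))
    text = TAG.sub(" ", text)          # remaining markup carries no content
    text = html.unescape(text)
    kept, dropped = [], 0
    for ch in unicodedata.normalize("NFKC", text):
        category = unicodedata.category(ch)
        # Cf = format characters (zero-width joiners, bidi overrides, BOM);
        # Cc = control characters, of which only newline and tab are kept.
        if category == "Cf" or (category == "Cc" and ch not in "\n\t"):
            dropped += 1
        else:
            kept.append(ch)
    if dropped:
        findings.append(("invisible_chars", dropped))
    clean = re.sub(r"[ \t]+", " ", "".join(kept)).strip()
    return clean, findings


class KnowledgeBaseManifest:
    """Hash per chunk recorded at ingestion; verify() compares the live store against it."""

    def __init__(self):
        self.entries = {}  # chunk_id -> (sha256 hex digest, source)

    @staticmethod
    def digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def record(self, chunk_id, source, clean_text):
        self.entries[chunk_id] = (self.digest(clean_text), source)

    def verify(self, live_chunks):
        """live_chunks: {chunk_id: text} as read back from the vector database.
        Anything added, removed or altered outside the ingestion path shows up here."""
        live_ids, known_ids = set(live_chunks), set(self.entries)
        return {
            "added": sorted(live_ids - known_ids),
            "removed": sorted(known_ids - live_ids),
            "modified": sorted(cid for cid in live_ids & known_ids
                               if self.digest(live_chunks[cid]) != self.entries[cid][0]),
        }


def demo():
    """Constructed document with a comment, a hidden element and two invisible characters,
    then a store read-back in which one chunk was altered and one appeared unannounced."""
    raw = ('<p>Refund requests go to finance.</p>'
           '<!-- internal note -->'
           '<span style="display:none">not shown to humans</span>'
           'Quarterly\u200b report\u202e is due in April.')
    clean, findings = sanitize(raw)
    manifest = KnowledgeBaseManifest()
    manifest.record("doc-1#0", "handbook.html", clean)
    manifest.record("doc-2#0", "faq.md", "Office hours are 9 to 17.")
    live = {"doc-1#0": clean,
            "doc-2#0": "Office hours are 9 to 17. Call this number.",
            "doc-9#0": "unexpected"}
    return clean, findings, manifest.verify(live)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The findings list is the useful output for operations: a source whose documents regularly arrive with hidden elements or invisible characters deserves a closer look, and the manifest diff turns "regular integrity checks" into a concrete job that can run on a schedule and feed the same audit trail as retrieval logging.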

How secure is your RAG system really?

Our experts test vector databases, document poisoning, and indirect prompt injection - with a fixed-price commitment and audit-ready reporting.

Free · 30 minutes · No obligation