Every company is racing to ship AI features, and most are wiring large language models into products faster than they can secure them. An LLM connected to your data, your tools, and your customers is not just a new feature. It is a new attack surface with failure modes that traditional application testing was never designed to catch.
Why AI systems need dedicated testing
A conventional application has predictable inputs and outputs. You can enumerate the fields, define what is valid, and test the boundaries. An LLM-backed application takes open-ended natural language and produces non-deterministic output, often with the authority to act: query a database, call an API, send an email, execute code.
That combination, untrusted natural-language input plus real capabilities, creates risks that do not exist in a standard web app. The model does not distinguish between the developer’s instructions and an attacker’s; to the model, it is all just text in the context window. Security has to come from the architecture around the model, and that architecture is exactly what needs testing.
How attackers target LLM applications
The most important classes of attack in real engagements:
- Direct prompt injection. A user crafts input that overrides the system’s instructions, “ignore your previous rules and…”, to make the model reveal its prompt, bypass content restrictions, or misuse its tools.
- Indirect prompt injection. The dangerous one. Malicious instructions are planted in content the model will later ingest: a web page it browses, a document it summarizes, an email it processes. The attacker never talks to the model directly; they poison what it reads. If your assistant reads untrusted data and can also take actions, indirect injection turns that data into commands.
- Sensitive information disclosure. Models leak system prompts, secrets embedded in context, or data from other users and tenants when isolation is weak.
- Excessive agency. When a model is given tools, the question is what it can do if manipulated. An assistant that can issue refunds, modify records, or run queries becomes a way to perform those actions without authorization.
- Insecure output handling. Model output treated as trusted and passed into a browser, a shell, or a database, turning classic injection flaws into AI-triggered ones.
- Supply chain and integration risks. Third-party models, plugins, and the connections between your app and external AI services all expand the surface.
The insight that reframes everything
Treat the model as an untrusted component, even though it lives inside your own application. Anything the model can be talked into doing, an attacker can attempt to make it do. Security cannot live in the prompt; a prompt is a suggestion, not a control. It has to live in the boundaries around the model: what data it can reach, what tools it can call, and what happens to its output.
That principle is what a good AI penetration test validates.
What testing an AI system involves
An AI-focused engagement goes beyond running a list of jailbreak prompts. It examines the whole system:
- The model boundary: direct and indirect injection, jailbreaks, and prompt extraction.
- The tool and action layer: what the model can invoke, and whether manipulating it leads to unauthorized actions, the highest-impact findings by far.
- Data isolation: whether one user or tenant can reach another’s data through the model.
- Output handling: whether model responses are safely treated downstream.
- The surrounding application: the AI feature still sits inside a normal app with authentication, authorization, and APIs that need conventional web application and API testing too.
At Invadel we test AI features as what they are: a new capability layered onto an existing application, requiring both AI-specific techniques and the fundamentals. Our methodology combines adversarial prompting with a hard look at the integration points, because that is where natural-language attacks turn into real-world impact.
Before you ship
If you are deploying an AI feature, ask a few questions early. What untrusted data does the model ingest? What tools or actions can it invoke? What is the worst thing it could do if fully manipulated? What isolates one user’s data from another’s? If the answers are unclear, that is the argument for testing before launch, not after an incident. Scope an assessment around the specific AI features you are shipping, or read about our AI/ML penetration testing service, and find out what an adversary could make your model do while you can still change it.
Written by
Invadel Team
Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →