AI Penetration Testing Fact Sheet

This technical fact sheet explains how penetration testing approaches AI-integrated applications, including LLM APIs, Retrieval-Augmented Generation (RAG) systems, Model Context Protocol (MCP) servers, AI agents, and AI-generated code.


Key Takeaways

  • Understand the five major AI attack surfaces tested during an AI pentest.
  • Learn how security researchers evaluate LLM APIs, RAG pipelines, MCP servers, AI agents, and AI-generated code.
  • See real examples of vulnerabilities discovered in AI-integrated applications.
  • Understand how prompt injection, cross-tenant access, privilege escalation, and tool abuse occur.
  • Learn why securing the application around the model is often more important than testing the model itself.
  • Understand the differences between traditional application pentesting and AI-specific security testing.
  • Identify where AI features create new opportunities for unauthorized access, data exposure, and unintended actions.
  • Learn what enterprise buyers and security teams expect from AI security testing.

Software Secured · Technical Fact Sheet

Penetration Testing for AI-Integrated Applications

Who this is for: Engineering leads, CTOs, and security teams shipping products that use LLMs, RAG pipelines, AI agents, or MCP-connected tooling.

01 LLM API Integrations
Testing Approach

We treat the LLM as an untrusted component in the application stack, not as a black box. Testing focuses on how user input reaches the model, how model output is handled downstream, and whether the boundary between the application and the LLM provider is properly enforced. We probe prompt construction logic, test system prompt confidentiality, and evaluate whether the application trusts model output in ways it shouldn't.

Sample Vulnerabilities

  • System prompt extraction via indirect prompt injection in user-supplied content
  • Model response passed to a downstream function (e.g., code executor, SQL builder) without sanitization
  • API key exposure through verbose error handling when provider calls fail
  • Unbounded token consumption leading to denial-of-service via inflated inference costs
  • Sensitive data (PII, internal instructions) reflected back in model completions due to poor context management
02 Retrieval-Augmented Generation (RAG)

Testing Approach

RAG systems introduce two attack surfaces that LLM-only integrations don't have: the document ingestion pipeline and the vector retrieval layer. We test both. On ingestion, we evaluate whether malicious content embedded in source documents can influence model behavior at query time. On retrieval, we test whether users can manipulate queries to surface documents they shouldn't have access to, and whether the retrieval results respect tenant or role boundaries. We also evaluate how the application handles conflicting or adversarially crafted retrieved chunks.

Sample Vulnerabilities

  • Prompt injection embedded in ingested documents (PDFs, emails, knowledge base articles) that hijacks model behavior when retrieved
  • Cross-tenant document retrieval: user in Tenant A retrieves chunks belonging to Tenant B through crafted semantic queries
  • Retrieval manipulation that forces the model to ignore its knowledge base and respond from injected context
  • Metadata leakage: document filenames, author fields, or internal IDs exposed in cited sources
  • No re-ranking or relevance threshold, allowing low-quality injected content to dominate retrieved context
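The cross-tenant retrieval, metadata leakage and missing-threshold findings above all sit in the retrieval layer, so that is where the fix belongs. The following is an added example (not Software Secured's code and not tied to any particular vector database) of a retrieval function that applies the tenant boundary as a hard filter before ranking, drops chunks below a similarity floor, and cites only a display title. The `Chunk`, `VectorStore` and `citation` names, the three-dimensional embeddings and the sample corpus are all constructed for the illustration; an unscoped search is included alongside the hardened one so the difference in results is visible.

```python
"""Tenant-scoped retrieval with a relevance threshold (constructed example)."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Chunk:
    tenant_id: str
    doc_id: str       # internal ID: never goes into a user-visible citation
    title: str        # the only metadata a citation exposes
    text: str
    embedding: tuple  # constructed toy embedding


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


class VectorStore:
    def __init__(self):
        self._chunks = []

    def add(self, chunk):
        self._chunks.append(chunk)

    def search_unscoped(self, query_vec, k=3):
        # The finding pattern: rank across every tenant's chunks and leave access
        # control to a later step (or to the model). A semantically close chunk
        # from another tenant ranks just as high as the caller's own.
        scored = sorted(((cosine(query_vec, c.embedding), c) for c in self._chunks),
                        key=lambda sc: sc[0], reverse=True)
        return [(round(s, 3), c) for s, c in scored[:k]]

    def search(self, query_vec, *, tenant_id, k=3, min_score=0.5):
        # Hardened form: filter on tenant BEFORE ranking, so no query phrasing can
        # make another tenant's chunk a candidate, then apply a relevance floor so
        # weakly related (possibly injected) chunks do not fill the context.
        candidates = [c for c in self._chunks if c.tenant_id == tenant_id]
        scored = [(cosine(query_vec, c.embedding), c) for c in candidates]
        scored = [(s, c) for s, c in scored if s >= min_score]
        scored.sort(key=lambda sc: sc[0], reverse=True)
        return [(round(s, 3), c) for s, c in scored[:k]]


def citation(chunk):
    """What the answer cites: a display title only, not doc_id, author or path."""
    return {"title": chunk.title}


def build_sample_store():
    """Constructed corpus: two tenants, plus one low-relevance chunk in tenant A
    whose text is addressed to the assistant rather than to the user."""
    store = VectorStore()
    store.add(Chunk("tenant-a", "a-refunds", "Refund policy", "Refunds within 30 days.", (1.0, 0.0, 0.0)))
    store.add(Chunk("tenant-b", "b-payroll", "Payroll FAQ", "Payroll runs on the 25th.", (0.9, 0.1, 0.0)))
    store.add(Chunk("tenant-a", "a-holidays", "Holiday calendar", "Office closed Dec 25.", (0.0, 0.0, 1.0)))
    store.add(Chunk("tenant-a", "a-injected", "Uploaded note",
                    "(constructed) text addressed to the assistant, not the user", (0.2, 0.9, 0.3)))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    q = (1.0, 0.0, 0.0)  # constructed query embedding for "refund policy"
    print("unscoped:", [(s, c.doc_id) for s, c in store.search_unscoped(q)])
    print("tenant-a:", [(s, citation(c)) for s, c in store.search(q, tenant_id="tenant-a")])
```

With the constructed vectors, the unscoped search returns tenant B's payroll chunk as the second-best hit for a tenant A query; the scoped search returns only the refund chunk, because tenant B is never a candidate and the injected note scores well below the floor. The same shape applies to role boundaries: add the role predicate to the candidate filter, not to the prompt.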
03 Model Context Protocol (MCP)

Testing Approach

MCP dramatically expands what an AI system can do - and therefore what it can be made to do. We test MCP servers as network-exposed services with their own attack surface, evaluate tool definitions for overly permissive capability declarations, and assess whether the host application enforces meaningful human-in-the-loop controls before executing sensitive tools. We also test for prompt injection paths that could cause an LLM client to invoke MCP tools without user intent.

Sample Vulnerabilities

  • MCP server exposes tools (file write, shell exec, API calls) without enforcing caller authentication
  • Tool descriptions crafted or manipulated to mislead the LLM into invoking higher-privilege operations
  • Prompt injection in external content (emails, documents) causes the LLM to silently invoke destructive MCP tools
  • Tool results returned to the LLM contain adversarial instructions that redirect subsequent tool use
  • No rate limiting or scope restriction on MCP tool execution, enabling automated abuse at scale
04 AI Agents

Testing Approach

Agents operate with greater autonomy, longer task horizons, and more real-world side effects than single-turn LLM calls. Testing focuses on whether agents can be diverted from their intended task, whether they enforce scope boundaries across multi-step workflows, and whether their actions are reversible when something goes wrong. We simulate adversarial inputs at each step in multi-agent pipelines and evaluate whether orchestrator-to-subagent trust is properly scoped.

Sample Vulnerabilities

  • Task hijacking via adversarial content in the environment (a webpage, file, or API response the agent reads mid-task)
  • Privilege escalation: subagent granted broader permissions than the initiating user holds
  • Persistent memory poisoning - injecting false context into agent memory that influences future sessions
  • Unbounded action loops triggered by malformed tool results, consuming credentials or budget without user awareness
  • Orchestrator blindly trusts subagent output, allowing a compromised subagent to direct orchestrator behavior
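Several of the MCP and agent findings above (unauthenticated tool exposure, missing scope restriction, no human-in-the-loop for destructive tools, unbounded action loops, tool results treated as instructions) are addressed by one control point: a gate that every model-requested tool call must pass through. The following is an added example of such a gate; it is not Software Secured's code and does not use any MCP SDK. `ToolGate`, `Session`, `Denied`, the two sample tools and the token table are invented for the illustration. The gate checks, in order, that the caller is authenticated, that the tool is within the caller's (not the model's) scope, that a destructive tool carries a single-use human approval, and that the session's call budget is not exhausted; tool output goes back to the model tagged as untrusted data.

```python
"""Tool-execution gate for an MCP-style tool host (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable
import hmac


class Denied(Exception):
    """Raised for any call the gate refuses; the model only sees the message."""


@dataclass(frozen=True)
class ToolSpec:
    name: str
    destructive: bool
    fn: Callable[..., str]


@dataclass
class Session:
    caller: str
    token: str
    allowed_tools: frozenset      # scope granted to this caller, never widened by the model
    call_budget: int              # hard cap on tool calls per session (stops runaway loops)
    approvals: set = field(default_factory=set)  # destructive tools a human approved this turn
    calls_made: int = 0


class ToolGate:
    def __init__(self, tools, valid_tokens):
        self._tools = {t.name: t for t in tools}
        self._valid_tokens = valid_tokens   # caller -> expected token (constructed)

    def _authenticate(self, session):
        expected = self._valid_tokens.get(session.caller)
        if expected is None or not hmac.compare_digest(expected, session.token):
            raise Denied("caller not authenticated")

    def invoke(self, session, tool_name, **args):
        self._authenticate(session)
        spec = self._tools.get(tool_name)
        if spec is None or tool_name not in session.allowed_tools:
            raise Denied(f"tool {tool_name!r} is outside the caller's scope")
        if spec.destructive and tool_name not in session.approvals:
            raise Denied(f"tool {tool_name!r} needs explicit human approval")
        if session.calls_made >= session.call_budget:
            raise Denied("session call budget exhausted")
        session.calls_made += 1
        session.approvals.discard(tool_name)  # one approval covers exactly one call
        return wrap_untrusted(tool_name, spec.fn(**args))


def wrap_untrusted(tool_name, result):
    # Whatever a tool returns is data the model reads, never an instruction it
    # follows; tagging it lets the prompt template state that explicitly.
    return {"source": tool_name, "trust": "untrusted", "content": str(result)}


# Constructed sample tools over an in-memory "filesystem".
FILES = {"/notes/todo.txt": "buy milk"}


def read_file(path):
    return FILES.get(path, "")


def delete_file(path):
    return "deleted" if FILES.pop(path, None) is not None else "no such file"


TOOLS = [ToolSpec("read_file", False, read_file), ToolSpec("delete_file", True, delete_file)]
TOKENS = {"alice": "tok-alice-constructed"}


def new_gate():
    return ToolGate(TOOLS, TOKENS)


def denied(fn, *a, **kw):
    """True if the gate refuses the call; used by the stand-alone demo and tests."""
    try:
        fn(*a, **kw)
        return False
    except Denied:
        return True


if __name__ == "__main__":
    gate = new_gate()
    s = Session("alice", TOKENS["alice"], frozenset({"read_file", "delete_file"}), call_budget=3)
    print(gate.invoke(s, "read_file", path="/notes/todo.txt"))
    print("delete without approval refused:", denied(gate.invoke, s, "delete_file", path="/notes/todo.txt"))
    s.approvals.add("delete_file")
    print(gate.invoke(s, "delete_file", path="/notes/todo.txt"))
```

Two design choices matter for the agent findings: the scope lives on the session and is derived from the human caller, so a subagent spawned for that session cannot hold more than the initiating user does; and the budget counts only calls that actually execute, so a loop of refused calls still ends rather than burning credentials.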
05 AI-Assisted Developer Tooling & Platform-Generated Code

Testing Approach

AI-generated code introduces risk at the point of deployment, not at the point of generation. We review codebases and infrastructure where AI tooling (Copilot, Claude Code, Cursor, platform scaffolding) has contributed material functionality, focusing on the vulnerability patterns that appear most frequently in LLM-authored code. We also test platforms that generate executable output - workflow builders, low-code tools, AI-authored scripts - treating generated artifacts as first-class attack surface.

Sample Vulnerabilities

  • Generated authentication code that omits token expiry, scope validation, or revocation logic
  • AI-scaffolded API endpoints with missing authorization checks (the model implements the happy path, not the security path)
  • Over-permissioned IAM roles and cloud policies produced by AI infrastructure tooling
  • Generated SQL or shell commands built from user input without parameterization
  • Platform-generated code deployed without review, containing hardcoded credentials or insecure default configurations
  • XSS and unsafe HTML rendering from AI-generated UI components that embed dynamic content without sanitization
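Two of the patterns above (the endpoint that implements the happy path without an authorization check, and SQL built from user input without parameterization) usually appear together in scaffolded handlers, and the same fix applies when the id comes from model output rather than a user, as in section 01's "model response passed to a SQL builder". The following is an added example, not Software Secured's code: an in-memory SQLite table with constructed invoice rows, the scaffold-shaped handler as it is typically generated, and the hardened handler beside it. Function and table names are invented for the illustration.

```python
"""Missing authorization and string-built SQL, beside the hardened form (constructed example)."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id TEXT PRIMARY KEY, owner TEXT NOT NULL, amount INTEGER NOT NULL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [("inv-1", "alice", 100), ("inv-2", "bob", 250)])
    db.commit()
    return db


def get_invoice_unsafe(db, invoice_id):
    # Happy path only: there is no notion of who is asking, so any caller who
    # knows an id gets the row, and any quote in the input becomes SQL text.
    sql = "SELECT id, owner, amount FROM invoices WHERE id = '" + invoice_id + "'"
    return db.execute(sql).fetchone()


def get_invoice(db, current_user, invoice_id):
    # Hardened: the id travels as a bound parameter, so it is only ever a value,
    # and ownership is part of the WHERE clause so the check cannot be skipped
    # by a later caller. "Not found" and "not yours" raise the same error so the
    # endpoint does not confirm whether another user's invoice exists.
    if not isinstance(invoice_id, str) or not invoice_id:
        raise ValueError("invoice_id must be a non-empty string")
    row = db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()
    if row is None:
        raise PermissionError("invoice not found")
    return {"id": row[0], "owner": row[1], "amount": row[2]}


def raises(exc, fn, *a, **kw):
    """True if fn raises exc; used by the stand-alone demo and tests."""
    try:
        fn(*a, **kw)
        return False
    except exc:
        return True


def unsafe_breaks_on(db, invoice_id):
    """True if the string-built query is a syntax error for this input, which is
    the symptom a reviewer sees first when the id is concatenated, not bound."""
    return raises(sqlite3.OperationalError, get_invoice_unsafe, db, invoice_id)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, no caller identity:", get_invoice_unsafe(db, "inv-2"))
    print("unsafe, quote in input breaks the query:", unsafe_breaks_on(db, "inv-1'"))
    print("hardened, own invoice:", get_invoice(db, "alice", "inv-1"))
    print("hardened, other user's invoice refused:", raises(PermissionError, get_invoice, db, "alice", "inv-2"))
```

The review heuristic this encodes: an endpoint signature that takes no caller identity cannot be enforcing authorization, whatever the model wrote in the body, and a query assembled with `+` or an f-string is a finding regardless of what validation precedes it.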
About Software Secured

Software Secured is a premium manual penetration testing firm serving Series A/B SaaS companies. Every finding we deliver is confirmed exploitable. Zero false positives. Reports accepted by SOC 2 auditors and enterprise security teams.

Get in touch

softwaresecured.com
sales@softwaresecured.com