Purpose-Built for AI Agent Attack Surfaces

Every AI agent your enterprise has deployed is a potential attack vector. We systematically exploit them using the APEX framework — before adversaries do.

Duration: 6-8 weeks Team: 1 Senior AI Security Researcher + AI Agent Swarm
The Challenge

You might be experiencing...

Your AI agents have been live for months. No one has tested them for prompt injection or tool poisoning.
Your current pentest firm has never tested an AI agent. They don't have the methodology.
Your CI/CD pipeline deploys AI agents continuously. Security testing is still annual.
ISO 27001 and SOC 2 compliance require documented AI security testing — annual pentests no longer satisfy auditors asking about AI-specific controls.
A compromised AI agent can access your entire tool ecosystem — CRM, databases, email, payment rails.

Every enterprise shipping AI features is deploying AI agents. Most have never had them security-tested.

The attack surface is unlike anything traditional penetration testing was designed to assess. An AI agent doesn’t just run code — it reads instructions, calls tools, maintains memory, and takes autonomous actions. Each of those capabilities is an attack vector.

What Adversaries Are Actually Doing

Prompt injection embeds adversarial instructions in data your agent reads — a document, an email, a web page. The agent executes those instructions as if they came from you. Your agent becomes the adversary’s proxy inside your own systems.

Tool poisoning compromises one of the tools your agent calls. The agent, acting in good faith, retrieves and executes attacker-controlled data. If your agent calls a retrieval tool to fetch customer records, a poisoned tool returns data that hijacks the agent’s next action.

Memory manipulation injects false context into your agent’s memory store. Future agent sessions execute based on corrupted context. An adversary can persist across agent restarts without maintaining network access.

Agentic privilege escalation uses your agent’s tool access — write access to your CRM, your email, your database, your payment rails — to move laterally into systems the agent can reach but the adversary cannot.

The APEX Framework

pentest.qa’s APEX methodology (Agentic Penetration Exercise) is a documented framework for systematically testing these attack vectors. Human senior researchers drive all five phases. AI agents automate enumeration, fuzzing, and injection sweeps in parallel — covering attack surface that would take a human team weeks to enumerate manually.

The result: faster, deeper, and more comprehensive coverage than any manual-only approach — without the false-positive noise that purely automated tools produce.

Why Engineering Teams Are Responsible for AI Security

The security of an AI agent is not a CISO problem alone — it is an engineering problem. The attack surface is created at the code level: in the system prompt, in the tool definitions, in the output handling pipeline, in the agent memory architecture. A CISO cannot write a safer system prompt. Your QA team can.

Traditionally, security and QA were separate disciplines. Security assessed what QA had built, after the fact. AI changes this boundary permanently. The prompt injection surface is a direct function of how your engineering team writes system prompts and processes user input. The tool poisoning surface is a direct function of how your agent validates tool outputs. The excessive agency surface is a direct function of what permissions your team granted the agent at provisioning time.

Engineering teams that understand their AI attack surface build more secure agents from the start. The APEX engagement includes a technical workshop with your engineering team — not just a findings report for your CISO — because the remediation happens in code.

Furthermore, CI/CD pipelines now deploy AI agents continuously. A new system prompt, a new tool integration, a new model version — each represents a change to the attack surface. An annual red team exercise is a snapshot of a system that may look very different twelve months later. Enterprises with mature AI security programs combine the APEX exercise with continuous Security QA Integration — automated checks in the pipeline between annual engagements.

Compliance frameworks are moving in the same direction. ISO 27001 Annex A controls, SOC 2 CC6 and CC7 requirements, and the NIST AI Risk Management Framework all require documented evidence that security testing has been conducted against AI-specific attack vectors. An Agentic Red Team Exercise produces that evidence — and produces it for a system your auditors have never assessed before.

Our Approach

Engagement Phases

Week 1

PLAN

Scope definition, threat modeling, AI architecture review, rules of engagement, OSINT gathering on AI stack exposure.

Week 2

SURFACE

AI agent enumeration, tool connection mapping, privilege scope assessment, MCP server inventory, API endpoint discovery.

Weeks 3-5

EXPLOIT

Manual prompt injection chaining, tool poisoning, memory manipulation, unauthorized lateral movement via agent tool calls. Parallel AI agent fuzzing with Garak and PyRIT.

Week 6

PERSIST

Persistent agent compromise simulation, privilege escalation through agent chains, exfiltration path mapping.

Weeks 7-8

REPORT

Executive and technical findings reports, CVSS scoring, remediation roadmap, OWASP LLM Top 10 compliance mapping.

What You Get

Deliverables

Executive summary (board-level, non-technical)
Full technical findings report with CVSS scores and evidence
OWASP LLM Top 10 compliance mapping
Prioritized remediation roadmap with effort estimates
ISO 27001 / SOC 2 / NIST AI RMF compliance mapping
Remediation verification testing (one retest per critical finding)
Expected Outcomes

Before & After

MetricBeforeAfter
Engagement CoverageTraditional pentest firm — no AI agent methodologyFull APEX methodology, 6-8 weeks end-to-end
Attack Vectors TestedOWASP Top 10 onlyOWASP Top 10 + OWASP LLM Top 10 + Agent-specific vectors
Findings DeliveryEnd of engagement onlyCritical findings within 48h of discovery
Technology

Tools We Use

Garak PyRIT PromptBench Burp Suite Pro Claude Code Agents Shodan / Amass
Common Questions

Frequently Asked Questions

What is an Agentic Red Team Exercise?

An Agentic Red Team Exercise simulates a real adversary attempting to compromise your AI agents and the systems they interact with. Unlike traditional penetration testing, we test AI-specific vulnerabilities: prompt injection, tool poisoning, memory manipulation, and agentic privilege escalation. We use the APEX methodology with both human researchers and AI agent automation covering attack surface that manual testing alone cannot enumerate.

Which AI systems can you test?

We test any AI agent or LLM-powered application: OpenAI GPT-4/o3 integrations, Anthropic Claude deployments, AWS Bedrock agents, Azure AI applications, Google Vertex AI agents, LangChain and LangGraph applications, CrewAI multi-agent systems, custom fine-tuned models, MCP server implementations, and any application with an LLM at its core — including the tool ecosystem those agents access.

Do I need written authorization?

Yes. Written authorization from a person with legal authority over all systems in scope is mandatory before testing begins. We provide a standard Authorization to Test (ATT) document. No testing begins without signed written authorization.

How does this relate to a standard penetration test?

A standard penetration test covers traditional attack surfaces: web applications, APIs, networks, cloud infrastructure. An Agentic Red Team Exercise adds AI-specific attack vectors that no traditional penetration test covers. For enterprises with AI agents deployed, our Strike AI Red Team engagement combines both — covering the complete attack surface.

Ship Secure. Test Everything.

Book a free 30-minute security discovery call with our AI Security experts. We map your AI attack surface and identify your highest-risk vectors — actionable findings within days, CI/CD integration recommendations included.

Talk to an Expert