AI RED TEAM · INDEPENDENT · FOR HIRE

I break AI systems
before attackers do.

Prompt injection. Agent & tool abuse. RAG data exfiltration. Guardrail bypass. And now the robots those models are starting to drive. If your product has an LLM bolted onto it, it has an attack surface almost nobody tested. I test it — and hand you the receipts.

4
AI attack surfaces covered
9
attack classes probed
100%
findings with proof-of-concept
The problem

Your LLM feature shipped without a security review.

Nearly every AI product treats the model's output as trusted, its input as clean, and its tools as harmless. All three assumptions are wrong. Here's what that costs you.

Agents that get hijacked

An LLM with tools is an execution engine. A crafted input can make it hit internal APIs, run commands, or leak data through its own tool calls. This is RCE-adjacent — and it's the #1 thing shipping teams miss.

Prompt injection, direct & indirect

Attackers don't just type payloads into a chat box. They plant instructions in the documents, web pages, and emails your model ingests — and your RAG pipeline reads them as commands.

Untrusted output, trusted downstream

The model's output flows into your database, your browser, your shell. XSS, SQLi, and SSRF via generated content are everywhere — because devs forget the LLM is an untrusted source.

What I test

Every place you've put a model.

If it takes untrusted input and does something with a model's output, it's in scope — from a chat widget to a robot arm. Four surfaces, one attacker's mindset.

Chatbots & copilots

Support bots, in-app assistants, customer-facing LLMs. Jailbreaks, prompt injection, system-prompt & secret leakage.

Autonomous agents

Tool-using agents, MCP servers, multi-step workflows. Tool abuse, SSRF, privilege escalation, sandbox escape.

RAG & knowledge bases

Retrieval pipelines, vector stores, document ingestion. Indirect injection, poisoning, cross-tenant exfiltration.

New

Robotics & embodied AI

LLM/VLA-driven robots, drones, and autonomous systems — where a jailbreak stops being a bad sentence and becomes a physical action.

Engagements

Pick your depth. Get a report you can act on.

Fixed scope, fixed price, real proof-of-concepts. Every finding comes with a reproduction and a fix.

Quick Scan
from $1.5k
Fixed scope · fixed price · fast

A focused jailbreak & prompt-injection review of one chatbot or endpoint. Fast, high-signal.

  • Direct prompt injection
  • Jailbreak / guardrail bypass
  • System-prompt leakage
  • Findings report + PoCs
Book this
Agent / Tool-Use Red Team
from $10k
Fixed scope · fixed price · deep-dive

The deep one. For autonomous agents with real tools — where a broken model means real code execution.

  • Tool-abuse & privilege escalation
  • Multi-step injection chains
  • MCP / connector security
  • Sandbox & egress testing
  • Executive + technical report
Book this
Retainer Ongoing testing of every new AI feature before it ships. Predictable monthly coverage — talk to me for pricing.
Third-party red-team report Selling AI to enterprise? Get an independent assessment to close deals and pass procurement.
Robotics & embodied-AI red team LLM/VLA-driven robots, drones, and autonomous systems — testing the model brain that turns a jailbreak into a physical action. Scoped per platform — talk to me.
Methodology

How the engagement runs.

  1. 01

    Scope & recon

    We define targets, rules of engagement, and what "done" looks like. I map every input, tool, data source, and output path your model touches.

  2. 02

    Attack

    Injection, jailbreaks, tool abuse, RAG poisoning, exfiltration, output-handling exploits. I chain low-severity issues into real impact — a boring info leak becomes a data breach.

  3. 03

    Verify

    No unverified findings, ever. Every issue is reproduced, captured request-and-response, and proven with a working PoC. A false positive in a report is worse than a missed bug.

  4. 04

    Report & remediate

    You get a clear report: severity, impact, reproduction, and a concrete fix for each finding — plus a retest once you've patched.

Attack scenarios

The attacks I run against your AI.

These are the failure modes that show up in real LLM products and AI-driven robots — and the exact scenarios I probe for in an engagement. Every finding I deliver is reproduced and proven with a working proof-of-concept. No theory, no scare-mongering.

RAG · Indirect injection Critical

Poisoned document → cross-tenant data exfil

A support agent reads customer-uploaded files. A document carrying hidden instructions — plain text the RAG pipeline treats as commands — tells it to fetch and return another tenant's records.

Impact A "harmless" file read becomes a multi-tenant data breach.
Agents · Tool abuse Critical

Tool abuse → internal SSRF via an agent

An autonomous agent exposes an HTTP tool "only for public URLs." Crafted tool arguments walk it straight to 169.254.169.254 and internal admin endpoints it was never meant to touch.

Impact Cloud metadata + internal API access, from a chat box.
Guardrails · Jailbreak High

Reproducible guardrail bypass

Not a one-off magic string — a jailbreak class: a reusable template that keeps working after the obvious patch, so the safety filter can't be trusted as a control.

Impact Reliable safety-filter bypass that survives a first patch.
Output handling · XSS High

Stored XSS via unescaped model output

The app renders the model's Markdown/HTML answer straight into the DOM. A prompt-injected response embeds a script tag that fires for the next user who opens the thread.

Impact Account takeover through the assistant's own output.
Injection chain · Privesc High

Three low-sevs → privilege escalation

A verbose error, a leaked tool schema, and a lax role prompt — each "informational" alone. Chained together, they let a regular user drive the agent into an admin-only action.

Impact Three ignored findings combine into one real breach.
Extraction · Secrets Medium

System-prompt & secret extraction

A staged conversation walks the model past its own confidentiality clause and recovers the full system prompt — including any API key or internal instructions embedded in it.

Impact Leaked credential + a full map of the model's guardrails.
Robotics · Embodied injection Critical

Jailbreak → unsafe physical action

An LLM/VLA plans a robot's actions from natural-language goals. A poisoned instruction — spoken, or hidden in a scanned label — drives it past its safety envelope into a motion it should have refused.

Impact A prompt becomes a physical-safety incident, not a bad message.
Robotics · Sensor-to-prompt High

Vision / sensor channel injection

The model reads the world through cameras and sensors. Text on a sign, a crafted QR, or a doctored frame becomes an instruction the planner obeys — injection straight through the physical channel.

Impact The environment itself becomes an attacker-controlled input.
Robotics · Autonomy High

Guardrail / stop-condition bypass

The "it will always stop for X" assumption, tested for real: coaxing an agent to rationalize past its own constraints, human-approval gates, or geo/operational limits.

Impact Safety limits that hold in the demo, not under an adversary.
9attack classes I probe end-to-end
PoCon every finding — proven, not theoretical
+ Fixconcrete remediation with each report
Test my AI against these →
Straight answers

The questions every buyer asks.

No sales fog. Here's exactly how this works before you ever get on a call.

Do you need access to production?

No — by default I work against staging or a scoped test environment, which is safer for both of us. If production is genuinely the only realistic target, we agree strict rules of engagement in writing first.

What if you break something?

I test to prove impact, not to cause damage. Anything destructive is simulated to a safe stopping point and pre-agreed in scope. NDA and written authorization are signed before a single request goes out.

How is this different from an automated scanner?

Scanners flag patterns. I chain them into working exploits and test what a scanner can't see — business logic, tool abuse, multi-step injection, physical-channel attacks. Every finding is reproduced by hand, with receipts.

What do I actually get?

A clear report: each finding with severity, real business impact, a working proof-of-concept, and a concrete fix. Plus one free retest after you've patched, so you can prove it's closed.

Can you test AI-driven robots and agents?

Yes — that's a core focus. I test the model brain that plans a robot's or agent's actions: embodied prompt injection, sensor-to-prompt attacks, unsafe tool/actuator calls, and stop-condition bypass. Scoped per platform.

How fast can you start?

Scoping call within one business day. Quick-Scan slots usually open inside a week or two. Urgent pre-launch review? Say so — I keep room for time-critical work.

Let's talk

Think your AI is safe?
Let me try to prove otherwise.

Tell me what you've built and what you're worried about. I'll scope a focused engagement and tell you the honest impact — no fear-mongering, no filler.

  • cybersecdo@gmail.com
  • ⌁ Response within 1 business day
  • ⚑ NDA-friendly · scoped & authorized testing only

Your message goes straight to my inbox. I'll reply within 1 business day.