We stress-test what others have built.
Independent expert red-teaming of LLMs, agents, and AI systems, conducted before they ship, before they scale, and before the regulator calls. Our campaigns cover the OWASP LLM Top 10 attack surface, the MITRE ATLAS techniques, and the NIST AI 100-2e2025 adversarial-ML taxonomy: direct and indirect prompt injection, jailbreak attempts, multi-turn agentic attacks, tool-misuse and tool-chain compromise, data exfiltration (training-data extraction, system-prompt leakage), membership inference where PII is in scope, and over-refusal calibration alongside harmful-completion rates. Every finding gets a CVSS-aligned severity score on a 1-3 ladder, and every report we deliver is signed and dated.
Methodology
/ 4 phasesScope + threat model
We agree which systems are in scope, which failure modes matter most, what access we need, and what we’re not allowed to touch. Independence clauses get drafted with your legal counsel before anyone runs a prompt.
Adversarial campaign
We run the full attack surface against the system as a third party. Direct prompt injection (user-input attacks), indirect prompt injection (attacks delivered through RAG sources, documents, and tool returns), single-turn and multi-turn jailbreaks, tool-misuse scenarios across the full agent tool chain, data-exfiltration attempts (training-data extraction, system-prompt leakage, membership inference where the model handles PII), and over-refusal calibration so the false-refusal rate is measured alongside the harmful-completion rate. Code review, prompt review, eval review, log review where in scope. Every finding is referenced to a primary-source attack technique with a citation to OWASP LLM Top 10 or MITRE ATLAS where applicable.
Test + report
We run our own evaluation suite against the system as a third party. The report draft goes through internal review by a red-team lead who is not on the engagement.
Sign-off + submission pack
We deliver the final report signed by the red-team lead, with the regulatory submission pack assembled per framework where it applies. Findings, evidence, the severity ladder, and any dissents from the internal review are all included in the pack. The red-team lead's name appears on every page.
Engagement shape
/ what you sign up for- 01Findings report, signed and dated, with CVSS-aligned severity scores on a 1–3 ladder for every finding
- 02Patch playbook by failure mode, actionable, with rerun criteria so a fix can be verified rather than asserted
- 03Threat model documentation, mapped to OWASP LLM Top 10 and MITRE ATLAS techniques, so your team can keep using it after the engagement closes
- 04Evidence pack scoped to the relevant framework (EU AI Act conformity assessment, ISO 42001 internal audit, SOC 2 controls), ready for your legal and compliance team to file
- 05Independence attestation, structurally enforced, recorded in your engagement contract
Mappings
/ 8 frameworksEvidence
/ forthcomingThe proof for this pillar gets linked here as we ship public scorecards and clear case studies for publication. We do not backfill this section with placeholders; evidence appears here only when it lands.
Why independence is enforced contractually
The standard objection to independent assessment is the same one accountancy faced thirty years ago: the firm doing the review is also the firm doing the build. We refuse to operate that way. On every engagement, the red-team lead and the build lead are different people who are named in your contract, and both are subject to revenue caps the contract spells out.
This is in writing because we won’t sell anything we wouldn’t sign our name to in a regulator’s submission.
The attack surface we cover
The categories below are what a comprehensive 2026 LLM red-team engagement should touch. Not every engagement runs all of them, scope is set in Week 1, and the report names which categories were in scope and which were not.
Direct prompt injection. Adversarial user inputs designed to override system instructions, leak system prompts, or coerce the model into prohibited completions. We cover both single-turn variants and extended-turn variants that build pressure across a longer exchange.
Indirect prompt injection. Attacks delivered through the model's retrieval surface, including poisoned documents in a RAG corpus, malicious instructions embedded in tool returns, and content injected through any input the model trusts more than the user. This is the highest-impact attack class for production agents in 2026.
Jailbreaks. We test for single-turn jailbreaks against trained refusal behaviour, plus multi-turn jailbreaks that build context across a conversation, including role-play attacks, hypothetical-framing attacks, and crescendo-style attacks.
Tool-misuse and agentic compromise. When the agent has tools (web search, code execution, database access, MCP servers, third-party APIs), every tool is its own attack surface. We test for tool selection manipulation, parameter injection, and chain-of-tool exploitation where compromising one tool gives an attacker leverage over the next.
Data exfiltration. Training-data extraction attempts, system-prompt leakage, membership inference where the model handles PII, and model-inversion attacks where the adversary attempts to reconstruct private training data from model outputs.
Over-refusal and dual-use calibration. Harmful-completion rates are only half the picture. We measure false-refusal rates against benign-but-edgy inputs, because a model that refuses everything is also broken. The scorecard publishes both numbers.
Tool theft and model fingerprinting. Where applicable, we test for adversarial extraction of model behaviour through query patterns designed to enable cloning or distillation.
Tooling we build on
Where it makes sense, we use the open red-teaming tooling that already exists rather than re-implementing it.
The methodology pack names every tool, every version, and every custom Lattice/AI extension we add on top. Where we run a proprietary attack we developed in-house, the report says so and describes the attack class precisely enough that another team could reproduce it.
Where we draw the line
We turn down red-team work that we cannot ship a report for. If a client wants a confidential review and will not allow even a redacted public version, we refuse the engagement. The signed report is the product. Without it, what we would be selling is a private opinion, and we don’t sell those.