Why independence is enforced contractually

The standard objection to independent assessment is the same one accountancy faced thirty years ago: the firm doing the review is also the firm doing the build. We refuse to operate that way. On every engagement, the red-team lead and the build lead are different people who are named in your contract, and both are subject to revenue caps the contract spells out.

This is in writing because we won’t sell anything we wouldn’t sign our name to in a regulator’s submission.

The attack surface we cover

The categories below are what a comprehensive 2026 LLM red-team engagement should touch. Not every engagement runs all of them, scope is set in Week 1, and the report names which categories were in scope and which were not.

Direct prompt injection. Adversarial user inputs designed to override system instructions, leak system prompts, or coerce the model into prohibited completions. We cover both single-turn variants and extended-turn variants that build pressure across a longer exchange.

Indirect prompt injection. Attacks delivered through the model's retrieval surface, including poisoned documents in a RAG corpus, malicious instructions embedded in tool returns, and content injected through any input the model trusts more than the user. This is the highest-impact attack class for production agents in 2026.

Jailbreaks. We test for single-turn jailbreaks against trained refusal behaviour, plus multi-turn jailbreaks that build context across a conversation, including role-play attacks, hypothetical-framing attacks, and crescendo-style attacks.

Tool-misuse and agentic compromise. When the agent has tools (web search, code execution, database access, MCP servers, third-party APIs), every tool is its own attack surface. We test for tool selection manipulation, parameter injection, and chain-of-tool exploitation where compromising one tool gives an attacker leverage over the next.

Data exfiltration. Training-data extraction attempts, system-prompt leakage, membership inference where the model handles PII, and model-inversion attacks where the adversary attempts to reconstruct private training data from model outputs.

Over-refusal and dual-use calibration. Harmful-completion rates are only half the picture. We measure false-refusal rates against benign-but-edgy inputs, because a model that refuses everything is also broken. The scorecard publishes both numbers.

Tool theft and model fingerprinting. Where applicable, we test for adversarial extraction of model behaviour through query patterns designed to enable cloning or distillation.

Tooling we build on

Where it makes sense, we use the open red-teaming tooling that already exists rather than re-implementing it.

  • Garak (NVIDIA) for systematic vulnerability scanning across the LLM attack surface
  • PyRIT (Microsoft) for automated multi-turn red-teaming
  • Promptfoo for prompt regression testing and adversarial replay
  • TextAttack for NLP adversarial example generation
  • The published attack libraries from the LLM Attacks paper (Zou et al.) and the academic adversarial-ML community

The methodology pack names every tool, every version, and every custom Lattice/AI extension we add on top. Where we run a proprietary attack we developed in-house, the report says so and describes the attack class precisely enough that another team could reproduce it.

Where we draw the line

We turn down red-team work that we cannot ship a report for. If a client wants a confidential review and will not allow even a redacted public version, we refuse the engagement. The signed report is the product. Without it, what we would be selling is a private opinion, and we don’t sell those.