What an LLM Security Assessment Covers: Scope, Methodology, and Deliverables

The most important framing for an LLM security assessment is that it tests the application, not the underlying model. The LLM itself, whether GPT-4, Claude, Llama, or a proprietary model, is treated as infrastructure. Its general capabilities, training data composition, and inherent limitations are known quantities. What the assessment evaluates is how the application wraps that model: the system prompt, the tool integrations, the data pipeline, the authorization logic, the output handling, and the user interface.

The typical scope for an LLM security assessment maps to the OWASP LLM Top 10 as a starting framework, then extends based on the specific architecture. For a RAG-based application, the scope includes the document ingestion pipeline, the vector store configuration, metadata filtering logic, and retrieval authorization boundaries. For an agentic application, the scope includes tool bindings, parameter validation, permission scoping, inter-agent communication protocols, and human oversight mechanisms. For any deployment, it includes system prompt security, input handling, output handling, session management, and data flow analysis.

Scope exclusions are equally important to define upfront. LLM security assessments do not typically include testing the model provider's API infrastructure, evaluating the model's training data for bias, assessing the model's factual accuracy across domains, or conducting a full application penetration test of the surrounding web application. Those are separate engagements. An LLM assessment stays focused on the AI-specific attack surface to deliver depth rather than breadth.

The assessment methodology combines two complementary approaches: architecture review and manual adversarial testing. The architecture review examines the application's design for structural vulnerabilities before any active testing begins. This includes analyzing the system prompt for information leakage and injection-enabling patterns, mapping the data flow from user input through the LLM to output and any downstream systems, evaluating tool permissions and parameter validation logic, assessing the authorization model for RAG retrieval, and reviewing logging and monitoring coverage for LLM-specific events.

Manual adversarial testing is the core of the assessment. Unlike automated scanning, which submits a fixed set of payloads and checks for known responses, manual testing adapts to the specific application in real time. The assessor crafts injection payloads tailored to the system prompt's language, structure, and instruction patterns. They test extraction techniques calibrated to the model's specific behavior. They probe tool invocations with parameters designed to bypass the application's specific validation logic. This human-driven approach is necessary because LLM applications are non-deterministic and context-dependent. The same payload may succeed in one conversational context and fail in another.

Testing covers a structured set of attack categories: system prompt extraction, direct prompt injection with jailbreaking, indirect prompt injection through data sources, authorization boundary testing in the retrieval layer, tool invocation manipulation, output injection into downstream systems, session isolation validation, and data leakage across user boundaries. Each finding is validated with a reproducible proof of concept, rated for severity based on impact and exploitability, and documented with specific remediation guidance.

The primary deliverable is a findings report that documents every identified vulnerability with a description of the issue, the attack technique used to exploit it, a proof-of-concept demonstration, an impact assessment, and specific remediation guidance. Findings are rated using a severity framework that accounts for both the technical exploitability and the business impact of each vulnerability. A system prompt extraction in a low-stakes internal tool is lower severity than a system prompt extraction in a customer-facing financial application whose prompt contains business logic about transaction limits.

The attack surface map is a secondary deliverable that provides a visual and narrative description of the application's AI-specific attack surface. This includes all data inputs to the LLM context window, all tools and their permissions, all data sources feeding the retrieval pipeline, and all downstream systems that consume LLM output. The map serves as a reference for the development team during remediation and as a baseline for future assessments. It answers the question: where are the boundaries that an attacker would probe, and which ones held under testing?

Remediation guidance is tailored to each finding and prioritized by severity and implementation effort. Quick wins, such as removing credentials from system prompts or tightening tool parameter validation, are distinguished from architectural changes, such as implementing per-user vector store namespaces or adding human-in-the-loop approval for high-risk agent actions. A retest window is included in most engagements, allowing the development team to implement fixes and have the assessor verify that the specific vulnerabilities have been effectively remediated.

LLM security assessments are typically structured in tiers based on application complexity. A focused assessment covers a single LLM integration with limited tool access and no RAG pipeline, such as a chatbot or text processing function. This typically takes one to two weeks and is appropriate for applications entering production for the first time. A standard assessment covers a RAG-based application or an agent with moderate tool access, including retrieval authorization, tool permission, and data flow analysis. This takes two to three weeks and is the most common engagement type.

A complex assessment covers multi-agent systems, applications with extensive tool integrations, or deployments with multiple LLM components interacting across trust boundaries. This takes three to five weeks and requires significant upfront coordination to map the agent architecture and define testing boundaries. The tier determination is based on the architectural complexity of the application, not on the organization's size or the model being used. A Fortune 500 company with a simple chatbot needs a focused assessment. A startup with a multi-agent system needs a complex assessment.

Prerequisites for an effective engagement include access to the application in a representative environment, documentation of the system architecture including prompts, tool integrations, and data sources, a designated point of contact who can answer technical questions and provide clarification during testing, and clear rules of engagement specifying which systems are in scope and any actions that are off-limits. Organizations that have completed an AI governance program typically have all of these prerequisites ready. Organizations that have not may need a brief pre-engagement discovery phase to assemble the necessary documentation and access before testing can begin productively.