Deep Layer Security Advisory
AI Security Assessment · 2 – 5 Weeks

RAG Pipeline Security Assessment

Testing Vector Store Access Control, Ingestion Pipeline Security, Indirect Prompt Injection via Retrieved Documents, and Document Corpus Integrity

Most RAG implementations retrieve documents based on semantic similarity — not authorization. If a user can query the assistant, they can potentially access any document in the corpus. The authorization model that protects documents in your file share, SharePoint, or database does not automatically transfer to the vector store.

This assessment provides a systematic, adversarial evaluation of your RAG pipeline — from document ingestion through retrieval to response generation. Every finding is demonstrated with a specific query and retrieved content, not theoretical risk. The output is a technical findings report, a RAG pipeline security architecture review, and remediation guidance specific to your retrieval infrastructure.

The assessment targets the retrieval layer — how documents are ingested, how they are stored and indexed, how access control is enforced (or not) at retrieval time, and how retrieved content can be weaponized through indirect prompt injection. Standard LLM application vulnerabilities are tested in the context of how the RAG pipeline creates or amplifies them.

OWASP LLM Top 10 (2025) · MITRE ATLAS · NIST AI RMF · ISO 42001

Who This Is For

Ideal clients for this engagement.

  • Organizations deploying RAG-based knowledge assistants over internal documents with mixed sensitivity levels
  • RAG applications where the document corpus contains data from multiple access levels, departments, or classification tiers
  • Customer-facing RAG assistants where corpus integrity directly affects response accuracy and trust
  • RAG pipelines ingesting documents from external or user-contributed sources
  • Applications using vector databases (Pinecone, Weaviate, Chroma, pgvector, Qdrant) that have not had retrieval-layer security testing
  • Organizations with regulatory requirements for document access control that extend to AI-assisted retrieval
  • Any RAG implementation that has not had specialized retrieval pipeline security testing

The Problem

What this engagement addresses.

The RAG Authorization Gap

Documents in the source system have access controls — role-based, department-based, classification-based. The vector store typically has none. Every document is equally retrievable by every user, regardless of the access control that governed the original document.

Indirect Prompt Injection via Retrieved Documents

Malicious instructions embedded in documents in the corpus are retrieved and processed by the model as trusted context. The model follows injected instructions from a retrieved document without user awareness — a retrieval-specific indirect injection vector.

Ingestion Pipeline as Attack Surface

The document ingestion pipeline — parsing, chunking, embedding, indexing — is an attack surface. Malformed documents, adversarial metadata, and poisoned content injected during ingestion persist in the vector store and affect every future retrieval.

Metadata Filter Bypass

RAG implementations that use metadata filters for access control (department, role, classification) are only as strong as the filter enforcement. Query manipulation, filter bypass, and metadata spoofing can circumvent retrieval-time access controls.

Document Corpus Integrity

If an attacker can inject, modify, or delete documents in the corpus — through the ingestion pipeline, direct vector store access, or source system compromise — they control what the model retrieves and how it responds.

Cross-Tenant Data Leakage

Multi-tenant RAG deployments risk cross-tenant document retrieval if tenant isolation is enforced at the application layer rather than the vector store layer. Semantic similarity does not respect tenant boundaries.
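As an added illustration of the authorization gap, metadata filter enforcement, and tenant isolation described above (example code written for this page, not the advisory's own tooling), a toy in-memory vector store with constructed three-dimensional embeddings contrasts similarity-only retrieval with retrieval that applies tenant and role filters before ranking:

```python
from typing import List, Set
import math

class Doc:
    """One indexed chunk carrying the authorization metadata its source system had."""
    def __init__(self, doc_id: str, embedding: List[float], tenant: str, allowed_roles: Set[str]):
        self.doc_id, self.embedding = doc_id, embedding
        self.tenant, self.allowed_roles = tenant, allowed_roles

def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

# Constructed toy corpus (assumption): 3-d vectors stand in for real embeddings.
CORPUS = [
    Doc("acme-hr-salaries", [0.9, 0.1, 0.0], tenant="acme", allowed_roles={"hr"}),
    Doc("acme-it-vpn", [0.1, 0.9, 0.0], tenant="acme", allowed_roles={"hr", "eng"}),
    Doc("globex-roadmap", [0.8, 0.2, 0.1], tenant="globex", allowed_roles={"eng"}),
]
SALARY_QUERY = [1.0, 0.0, 0.0]  # constructed: "semantically" close to the HR document

def _rank(docs, query_vec, k):
    return sorted(docs, key=lambda d: cosine(query_vec, d.embedding), reverse=True)[:k]

def _allowed(d: Doc, tenant: str, roles) -> bool:
    # Deny by default: wrong tenant or no overlapping role means not retrievable.
    return d.tenant == tenant and bool(d.allowed_roles & set(roles))

def retrieve_unfiltered(query_vec, k=2):
    """The authorization gap: similarity only; tenant and role metadata are ignored."""
    return [d.doc_id for d in _rank(CORPUS, query_vec, k)]

def retrieve_postfiltered(query_vec, tenant, roles, k=2):
    """Common half-fix: rank top-k first, then drop what the caller may not see.
    Leaks nothing, but an authorized document outside the top-k is never surfaced."""
    return [d.doc_id for d in _rank(CORPUS, query_vec, k) if _allowed(d, tenant, roles)]

def retrieve_prefiltered(query_vec, tenant, roles, k=2):
    """Retrieval-time authorization: restrict the candidate set, then rank within it."""
    candidates = [d for d in CORPUS if _allowed(d, tenant, roles)]
    return [d.doc_id for d in _rank(candidates, query_vec, k)]

if __name__ == "__main__":
    print("unfiltered   :", retrieve_unfiltered(SALARY_QUERY))
    print("post-filtered:", retrieve_postfiltered(SALARY_QUERY, "acme", ["eng"]))
    print("pre-filtered :", retrieve_prefiltered(SALARY_QUERY, "acme", ["eng"]))
```

Filtering after top-k is the caveat practitioners hit: it stops the cross-tenant and cross-role leak but silently starves authorized users of results, which is why the authorization filter belongs in candidate selection (for a real store, the query's metadata filter) rather than in post-processing.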

Assessment Coverage

What we test — systematically.

Vector Store Access Control

Authorization model review, per-user and per-role retrieval boundary testing, metadata filter enforcement and bypass testing, cross-tenant isolation verification, and direct vector store access control assessment.

Ingestion Pipeline Security

Document parsing and chunking security, adversarial document injection, metadata manipulation, embedding poisoning vectors, source authentication and integrity verification, and pipeline access control.

Retrieval Query Manipulation

Query injection to alter retrieval behavior, semantic manipulation to force retrieval of specific documents, metadata filter bypass via crafted queries, and retrieval scope expansion attacks.

Indirect Prompt Injection

Crafted test documents with embedded instructions injected into the corpus (with authorization), retrieval-triggered instruction following, cross-document injection chains, and payload persistence testing.

Document Corpus Integrity

Corpus injection scan (heuristic baseline), unauthorized document modification detection, document provenance and source verification, and integrity monitoring gap assessment.

Data Leakage via Retrieval

Cross-authorization-boundary document retrieval, sensitive document extraction through targeted queries, chunk-level data leakage where partial document content crosses boundaries, and response attribution analysis.

RAG Architecture Review

End-to-end pipeline architecture review — embedding model selection, chunking strategy security implications, retrieval ranking manipulation, re-ranking bypass, and response generation guardrails.

Deliverables

What you receive.

01

Technical Findings Report

Every finding with risk rating, specific query or injection used, retrieved content and model response, business impact, and architecture-specific remediation guidance. Findings classified by responsible layer — ingestion pipeline, vector store, retrieval logic, access control, or response generation.

02

Executive Summary

Non-technical summary of overall risk level, top findings with plain-language business impact, authorization gaps, and priority remediations. Written for security leadership, product leadership, and board-level audiences.

03

RAG Pipeline Security Architecture Review

Structured review of the end-to-end RAG pipeline — document sources, ingestion workflow, embedding and indexing, vector store configuration, retrieval logic, access control enforcement points, and response generation. Annotated with trust assumptions and associated findings.

04

Remediation Guidance & Retest

Defense-in-depth controls per finding: vector store access control implementation, ingestion pipeline hardening, metadata filter enforcement, retrieval-time authorization, corpus integrity monitoring, and response sanitization. Retest of all Critical and High findings within 90 days, documented as a report addendum.

Methodology

How the engagement works.

1

Architecture Review & Threat Modeling

Week 1

  • RAG pipeline architecture review — ingestion, embedding, storage, retrieval, generation
  • Document source inventory and access control mapping
  • Vector store configuration and authorization model review
  • Metadata schema and filter enforcement analysis
  • Testing plan development based on architecture and risk profile

2

Adversarial RAG Pipeline Testing

Weeks 1 – 3

  • Vector store access control and authorization bypass testing
  • Retrieval query manipulation and metadata filter bypass
  • Indirect prompt injection via crafted test documents
  • Ingestion pipeline security assessment
  • Document corpus integrity scan (heuristic baseline)
  • Cross-tenant and cross-authorization-boundary retrieval testing
  • Data leakage through targeted retrieval queries

3

Reporting, Debrief & Retest

Within 5 business days of test completion

  • Technical findings report delivery
  • RAG pipeline security architecture review delivery
  • Live debrief session with engineering and security teams
  • Remediation retest after fixes (within 90 days)

Engagement Tiers

Scoped to your architecture.

Focused

Single RAG pipeline with a single document source and uniform access level. For knowledge assistants where all users should access all documents.

  • Ingestion pipeline security assessment
  • Indirect prompt injection via retrieved documents
  • Document corpus integrity scan
  • Technical findings report
  • Executive summary
  • Remediation retest

Standard

Single RAG pipeline with multiple document sources and/or access control requirements. Includes authorization boundary testing at the retrieval layer.

  • Everything in Focused
  • Vector store access control and authorization bypass testing
  • Metadata filter enforcement and bypass testing
  • Retrieval query manipulation testing
  • RAG pipeline security architecture review

Complex

Multi-tenant RAG deployment, multiple vector stores, complex authorization model, or high-sensitivity corpus with regulatory access control requirements.

  • Everything in Standard
  • Cross-tenant isolation verification
  • Extended depth across all assessment domains
  • Red team objective-based component
  • Regulatory access control compliance mapping

Prerequisites

  • Access to the RAG application (staging or production as agreed in Rules of Engagement)
  • RAG pipeline architecture documentation — document sources, ingestion workflow, vector store, retrieval configuration
  • API access credentials for the RAG application under test
  • Description of document access control model and user roles
  • Authorization to inject test documents into the corpus (staging environment preferred)

Frequently Asked Questions

Common questions.

What is the RAG authorization gap?

Documents in your source systems (SharePoint, file shares, databases) have access controls. When those documents are embedded and stored in a vector store, the original access controls do not transfer automatically. The vector store retrieves by semantic similarity, not authorization. Without explicit retrieval-time access control, any user who can query the assistant can potentially retrieve any document in the corpus.

Does this test the underlying model (GPT-4, Claude)?

No. This assesses the retrieval pipeline — how documents are ingested, stored, retrieved, and delivered to the model. The attack surface is in your ingestion pipeline, vector store configuration, access control enforcement, and retrieval logic, not in the model itself.

How is this different from the LLM Application Security Assessment?

The LLM Application Assessment covers the application layer broadly — prompt injection, output handling, system prompt security. This assessment goes deeper on the retrieval infrastructure specifically — vector store access control, ingestion pipeline security, metadata filter bypass, corpus integrity, and retrieval-specific indirect injection. A RAG application could warrant both.

Do you inject test documents into our corpus?

Yes, with authorization. Indirect prompt injection testing requires injecting crafted test documents to verify whether the model follows embedded instructions from retrieved content. This is done in a staging environment or with explicit written authorization for production, and all test documents are removed after the assessment.

Does every finding have a proof-of-concept?

Yes. Every finding includes the specific query used, the retrieved content, the model's response, and the business impact. Engineering teams can reproduce every finding directly. No theoretical risk statements.

Related Offerings

Often paired with this engagement.

LLM Application Security Assessment

Covers the individual LLM application layer — prompt injection, jailbreaking, output handling, and trust boundary testing. Foundation assessment for the model interaction surface that sits on top of the RAG pipeline.

Agentic AI Security Review

For agent systems that use RAG — covers inter-agent trust boundaries, tool authorization, memory system security, and human oversight mechanisms in addition to retrieval-layer concerns.

Secure AI Architecture & Threat Modeling

Design-layer review before the RAG pipeline is built — reference architectures, threat models, access control design, and retrieval guardrail specifications.

AI Governance Program Build

Governance framework for AI deployments handling sensitive data — policies, data classification, access control requirements, and compliance mapping for RAG systems.

Data Security & Classification Program

Data classification framework that feeds RAG access control — sensitivity labeling, handling requirements, and authorization policies that should govern retrieval.

Ready to discuss this engagement?

30-minute discovery call. We will discuss your application architecture, your specific concerns, and whether this assessment is the right fit.