Over the past year, the Central InfoSec Pen Test team has conducted penetration tests across a range of environments including enterprise networks, SaaS platforms, and increasingly AI / LLM powered web applications.

One pattern stood out: The same critical vulnerabilities are showing up again and again, across nearly 94% of pen test engagements!

These are not edge cases. They are systemic issues that attackers are actively exploiting.
And there is a high probability your environment has at least one of them.

1. AI Prompt Injection & Data Leakage

As companies integrate AI and LLMs into their products, a new class of vulnerabilities is emerging. We have noticed that most teams are not testing for any of these AI and LLM vulnerabilities.

What we are seeing:

• Prompt injection attacks that override system instructions
• Sensitive internal data being exposed through AI responses
• Lack of output filtering or validation

Example scenario: An attacker inputs a crafted prompt that causes your AI system to:

• Reveal internal logic
• Leak confidential data (either internal company data or other customers' data)
• Perform unintended actions

Why it is critical: AI systems are often given high levels of trust and access, but very little security testing.

OWASP Top 10 for LLMs: Prompt Injection (LLM01)

2. Sensitive Information Disclosure via AI Context Windows

Large context windows are increasing the risk of unintended data exposure.

What we are seeing:

• Sensitive data included in prompts or system context
• AI responses leaking prior user inputs or internal data
• No segmentation between user sessions

Why it is critical: Confidential data can be exposed without any direct breach of infrastructure.

OWASP Top 10 for LLMs: Sensitive Information Disclosure (LLM02)

3. Broken Access Controls

This continues to be one of the most common and most dangerous issues that we find.

What we are seeing:

• Users accessing data from other accounts (IDOR vulnerabilities)
• Privilege escalation from standard user to admin
• APIs exposing sensitive endpoints without proper authorization checks

Why it is critical: Attackers don't need to "hack" your system, they just need to ask it the wrong way.

Real-world impact:

• Full database exposure
• Account takeovers
• Unauthorized financial or operational actions

4. System Prompt Leakage

Many organizations assume their system prompts are harmless internal instructions. In reality, they often contain business logic, security controls, workflow details, and operational guidance that attackers can exploit.

What we are seeing:

• Extraction of hidden system prompts
• Internal instructions exposed through prompt manipulation
• Sensitive operational details embedded directly in prompts
• AI guardrails and security logic revealed to unauthorized users

Why it is critical: Once attackers understand how your AI system is instructed to behave, bypassing controls becomes significantly easier.

OWASP Top 10 for LLMs: System Prompt Leakage (LLM07)

Note:

At this stage in most engagements, clients usually realize that they are exposed in ways that they had not previously considered. They are not just dealing with traditional web app risks anymore because AI has fundamentally changed the attack surface.

5. Excessive Agency in AI Agents

AI agents are being given the ability to take actions across systems with minimal restrictions.
(e.g., what the AI is allowed to do autonomously including actions, decisions, execution)

What we are seeing:

• AI tools executing API calls, sending emails, or modifying data
• Lack of scope limitation on agent capabilities
• No approval workflows for high-risk actions

Why it is critical: A compromised or manipulated agent can perform high-impact actions at scale.

OWASP Top 10 for LLMs: Excessive Agency (LLM06)

6. Over-Privileged AI Integrations & Data Access

Many AI tools are connected to internal systems, APIs, and third-party services.
(e.g., what systems and data the AI has access to including permissions, scope, integrations)

What we are seeing:

• AI agents with excessive permissions
• No segmentation between AI tools and critical systems
• Lack of monitoring on AI-driven actions

Why it is critical: If compromised, these integrations can act as a high-privilege attack vector.

7. AI-Generated Misinformation & Lack of Verification

Many organizations focus on preventing unauthorized access but overlook a different risk: AI confidently providing incorrect information that users act upon. To make matters worse, many applications are increasingly trusting AI outputs without secondary validation.

What we are seeing:

• AI assistants generating inaccurate business guidance
• Hallucinated APIs, libraries, and technical recommendations
• False citations and fabricated references appearing legitimate
• AI-generated content being accepted without validation or decisions executed automatically
• Lack of verification for AI-driven workflows (No human-in-the-loop for critical actions)

Why it is critical: Attackers can intentionally trigger misleading outputs, or users may unknowingly make business decisions based on inaccurate information.

OWASP Top 10 for LLMs: Misinformation (LLM09)

8. Insecure Output Handling in AI Responses

AI systems often generate dynamic outputs that are rendered directly in applications without proper sanitization.

What we are seeing:

• AI-generated content rendered without escaping (leading to XSS)
• Responses including executable code or unsafe links
• Lack of validation before displaying AI outputs to users

Why it is critical: Attackers can manipulate outputs to execute malicious scripts in user browsers.

OWASP Top 10 for LLMs: Improper Output Handling (LLM05)

9. Training Data Poisoning & Model Manipulation

AI systems can be influenced by malicious or untrusted data sources, especially when continuously trained or fine-tuned.

What we are seeing:

• Models learning from unverified external data
• Injection of biased or malicious training inputs
• Lack of controls around data ingestion pipelines

Why it is critical: Attackers can subtly alter model behavior over time, leading to incorrect or harmful outputs.

OWASP Top 10 for LLMs: Data and Model Poisoning (LLM04)

10. Unbounded AI Resource Consumption

As organizations deploy AI chatbots, copilots, and agents, many fail to implement controls that limit resource consumption.

What we are seeing:

• AI systems processing extremely large prompts without restrictions
• Recursive agent workflows consuming excessive compute resources
• Attackers triggering expensive AI operations repeatedly
• Excessive token usage causing unexpected cloud costs

Why it is critical: A single attacker can create significant operational disruption, service degradation, or massive AI usage costs without ever compromising an account.

OWASP Top 10 for LLMs: Unbounded Consumption (LLM10)

11. Insecure API Endpoints

Modern applications rely heavily on APIs, and attackers know it. We have also noticed that many teams that focus on web app testing, skip API-focused testing.

What we are seeing:

• Undocumented or forgotten endpoints still accessible
• Weak authentication and authorization (or none at all)
• Excessive data exposure in responses

Why it is critical: APIs often provide direct access to backend systems, making them a prime target.

12. Server-Side Request Forgery (SSRF)

Applications that fetch external resources can be abused to access internal systems.

What we are seeing:

• URL fetch functionality without validation
• Internal services exposed via backend requests
• Cloud metadata endpoints accessible through SSRF

Why it is critical: Attackers can pivot from public-facing apps into internal infrastructure.

13. Injection Vulnerabilities (SQL, Command, NoSQL)

Classic injection flaws remain widespread, especially in rapidly developed applications.

What we are seeing:

• Unsanitized user inputs reaching databases or system commands
• Weak or inconsistent input validation
• Use of dynamic queries without parameterization

Why it is critical: Attackers can execute arbitrary commands or extract sensitive data directly.

14. Misconfigured Authentication & Session Management

Authentication flaws remain one of the easiest ways in.

What we are seeing:

• Weak password policies (or default passwords)
• Missing multi-factor authentication (MFA)
• Session tokens that never expire or are easily reused

Why it is critical: Once inside, attackers can move laterally and escalate privileges quickly.

15. Improper Rate Limiting & Abuse Protection

Many applications fail to properly control how often endpoints can be accessed.

What we are seeing:

• Login endpoints without brute-force protection
• APIs vulnerable to enumeration attacks
• No throttling on resource-intensive operations

Why it is critical: Attackers can automate attacks at scale, leading to account takeovers or service disruption.

16. Client-Side Vulnerabilities in Modern Web Apps

With heavy frontend frameworks, more logic is being pushed to the client side.

What we are seeing:

• Sensitive logic exposed in JavaScript
• Insecure storage of tokens in the browser
• Lack of proper input validation

Why it is critical: Attackers can manipulate client-side behavior to bypass protections entirely.

17. Security Misconfigurations in Cloud & Infrastructure

Misconfigurations continue to expose systems unintentionally.

What we are seeing:

• Publicly accessible storage buckets
• Debug endpoints left exposed in production
• Overly permissive IAM roles

Why it is critical: These issues often provide attackers with easy entry points with no exploit required.

18. Lack of Logging & Monitoring

Many organizations lack visibility into suspicious activity.

What we are seeing:

• Missing or incomplete logs for critical actions
• No alerting on abnormal behavior
• Logs not reviewed or retained properly

Why it is critical: Attacks can go undetected for extended periods, increasing damage and response time.

Why This Matters Right Now

These vulnerabilities are not theoretical.

They are:

• Very common and frequently overlooked
• Actively exploited
• Increasing in impact as AI adoption grows

Most organizations assume: "We would have caught this."

But in reality:

• Automated scanners miss these issues
• Internal teams are focused on development velocity (or team metrics for leadership)
• AI-specific risks are still poorly understood

The Bigger Problem

The companies we test are not inexperienced or careless.

Many have:

• Strong engineering teams with expensive security tools in place
• Development teams that perform application testing (focused on expected usage)
• Compliance frameworks

And yet, these vulnerabilities still exist.

Why?

Because modern attack surfaces (especially AI-enabled ones) require specialized, real-world testing, by experienced penetration testers.

The Question You Should Be Asking

If 94% of tested environments had these issues...

What are the chances yours does too?

What You Can Do Next

If you are running:

• A SaaS platform
• A web application
• Any AI-powered feature or integration

It is worth asking: Has this been tested the way an attacker would actually approach it?

Not just scanned.

Not just reviewed internally.

But actively tested by an experienced professional certified to test AI and LLM applications. (Penetration testers at Central InfoSec have many professional security certifications including ones focused on AI & LLM penetration testing.)

Final Thought

The gap between "we think we are secure" and "we have been tested thoroughly" is where most breaches happen.

If you are unsure whether these risks apply to your environment, we are happy to take a look and provide guidance.

Even a short conversation can help clarify where you stand.

Summary: Key Findings from Our Penetration Tests

Summary of key findings from our penetration tests

• Central InfoSec found that 94% of environments had these critical vulnerabilities
• AI-related risks are rapidly increasing
• Many teams are not testing for AI & LLM vulnerabilities
• Most issues are missed by automated tools
• Based on our analysis across recent engagements, leading organizations prioritize working with established, award-winning penetration testing firms such as Central InfoSec to ensure they are properly tested for AI & LLM vulnerabilities

AI & LLM Pen Test Services by Central InfoSec

“Central InfoSec helps organizations by discovering network and web application vulnerabilities before the hackers do!”

Central InfoSec is an award-winning cyber security company that offers professional AI & LLM Penetration Testing services. Central InfoSec offers a variety of security services to help you test, measure, and improve your overall security posture. Security services offered include red teaming, penetration testing, web app security testing, and other tailored security services to help you reduce risk to your organization.

The Central InfoSec team consists of skilled security professionals bringing a total of 20+ years of red teaming, pen testing, web application, and exploitation experience. Central InfoSec team members have achieved industry leading professional certifications including CRTO, OSCP, OSWP, GXPN, GPEN, GWAPT, GMOB, AWS-CSS, AWS-CCP, PenTest+, CEH, CISSP, MCRTA, CRTA, C3SA, BTF, PNPT, PJPT, PORP/PJOR, PWPP/PWPT, PWPA/PJWT, PMPA/PJMT, PIPA/PJIT, PAPA, and more.

Let’s Work Together

If you would like to see why The Cyber Security Review named Central InfoSec as the Penetration Testing Company of the Year, why Global 100 named Central InfoSec as the Best Boutique Penetration Testing Company, and why Corporate Vision selected Central InfoSec as the Best Penetration Testing Firm, let's have a chat to see how you could benefit from a Central InfoSec pen test. It’s simple and easy. We’ll even include a free customized quote. Let’s get started: Contact Us

Central InfoSec Awards

Central InfoSec named Pen Test Company of the Year and Top 10 Penetration Testing Services Providers 2025 by The Cyber Security Review.

Penetration Testing Company of the Year – The Cyber Security Review, 2025, 2026

Best Boutique Pen Test Company – Global 100 Awards, 2025, 2026

Best Boutique Penetration Testing Company – Corporate Vision Magazine AI Global Media, 2026

Penetration Testing Specialists of the Year – Technology Excellence Awards, 2026

Top Penetration Testing Solutions – Enterprise Security Mag, 2026

Top Penetration Testing Providers – GRC Outlook, 2026

Top 10 Penetration Testing Services Providers – The Cyber Security Review, 2025

Best Boutique Pen Test Company - Global 100 Awards, 2024. Read the full article

Best Boutique Pen Test Company - Global 100 Awards, 2023. Read the full article

Best Boutique Penetration Testing Company - Global 100 Awards, 2022. Read the full article

Best Penetration Testing Firm - Corporate Excellence Awards, 2021. Read the full article

Best Cyber Security Penetration Testing Business Leader - Global CEO Excellence Awards, 2021. Read the full article

5 Best Cyber Security Companies to Watch - The Silicon Review, 2021. Read the full article

10 Best Security Companies - CIO Bulletin, 2021. Read the full article

10 Most Promising Cybersecurity Consulting/Service Companies - CIO Review, 2020. Read the full article