Series-B Fintech
Adversarial review of an LLM-powered customer support agent with read access to internal customer records, plus a cloud configuration review of the supporting AWS account.
Demonstrated full PII exfiltration via indirect prompt injection through a third-party knowledge-base document, and identified a cross-account IAM trust path that broadened the blast radius. Architecture redesigned to isolate the planner from data-access tools and enforce per-customer scoping.
The client was about to launch an LLM-powered support agent that could read customer account history, transaction records, and KYC documents to answer support queries autonomously. They wanted the same kind of pre-launch security review they would commission for any new financial product.
Our adversarial review combined three attack categories: direct prompt injection, indirect prompt injection through documents the agent might retrieve, and tool-abuse chains using the agent's data-access capabilities. We also reviewed the AWS account hosting the agent infrastructure and the IAM trust relationships connecting it to the customer database account.
The most consequential finding was a full PII exfiltration chain: a malicious instruction embedded in a third-party knowledge-base article was retrieved, executed, and used to coerce the agent into emitting another customer's account history into a support reply. We worked with the client on a redesign that strictly separates the planner from the executor and enforces per-customer scoping at the data layer rather than relying on prompting.
The cloud review surfaced a cross-account IAM role trust that, while not directly exploited, would have significantly broadened the blast radius of any successful agent compromise. Both findings were remediated before launch.