What is an LLM vulnerability scanner?

An LLM vulnerability scanner sends batteries of adversarial probes — jailbreaks, prompt injections, PII extraction attempts, harmful-content requests — at a target LLM and grades the responses. The output is a vulnerability + optimization report with per-probe evidence, severity, and a prioritized fix list.

Which LLMs can I scan with FilterPrompt?

OpenAI, Anthropic, Google Gemini, Azure OpenAI, plus any OpenAI-compatible endpoint — Ollama, Groq, Mistral, Together AI, OpenRouter, Perplexity, Hugging Face, vLLM, or your own custom endpoint. Bring your own keys per tenant.

What kinds of vulnerabilities does FilterPrompt test for?

Jailbreaks (DAN, role hijack, translation smuggling), direct and indirect prompt injection, system-prompt extraction, harmful-content compliance, PII / secret leakage, bias & fairness, RAG poisoning, agent/tool abuse, output quality, and robustness — categories map to the OWASP LLM Top 10.

How are probes graded?

Each probe declares an evaluator: regex match, refusal-check, contains-check, or an AI judge (Gemini 3 Flash). Pass/fail comes with severity, category, the exact prompt sent, the model's full response, and the evaluator's reason — fully auditable.

How much does a scan cost?

1 credit per probe executed. New accounts get 1 welcome credit on signup. Pay-as-you-go credit packs after that — credits never expire. Connecting LLMs and creating tenants is free.

AI Agent Vulnerability Scanner: Testing Autonomous Agents Before They Break Things

Guide · 2023-10-24 · 13 min read · FilterPrompt Security Team

Why AI agents need their own class of vulnerability scanner, what to test for, and how agentless vs agent-based scanning differs in practice.

An AI agent — a system that uses an LLM to plan, call tools, and execute multi-step actions — is a genuinely new attack surface. It is not a chatbot, it is not an API, and the security tools built for either of those will miss most of what can go wrong. An AI agent vulnerability scanner is the class of tool built specifically to probe how an autonomous agent behaves under adversarial input, hostile retrieved content, and weaponised tool responses. This guide explains what to scan for, how the major scanners work, and how to choose between agent-based and agentless approaches for your stack.

Why agents need their own vulnerability scanner

A traditional LLM vulnerability scanner sends a prompt and grades the response. That model is sufficient for chatbots — there's one input, one output, one decision. Agents break that model in three ways:

Multi-turn execution — the agent's first decision shapes its next prompt. A vulnerability that only manifests after three tool calls is invisible to a single-turn scanner.
Tool use — the agent calls external functions (databases, APIs, shell, browsers). The vulnerability surface is no longer 'what does the model say' but 'what does the model do, and what does that do to the world'.
Indirect input — agents read documents, web pages, emails, and tool responses. Any of those can carry a prompt-injection payload that the scanner has to inject and then watch propagate through the agent's reasoning.

An AI agent vulnerability scanner has to model an entire attacker session, not a single payload. That's the bar.

The agent-specific vulnerability classes you must scan for

OWASP LLM Top 10 covers the basics, but agentic systems have their own dedicated risks. The most important to scan for in 2025:

Excessive agency

The agent has tools or permissions it doesn't need. Probe: ask the agent to perform an action it shouldn't be authorised for and see whether it tries. Severity scales with how destructive the tool is — an agent with shell access that can be social-engineered into running rm -rf is a critical finding.

Indirect prompt injection via tool responses

An attacker plants a malicious instruction in a webpage, document, or database row that the agent will retrieve. When the agent reads the content, it follows the attacker's instructions instead of the user's. Scan by injecting controlled payloads into tool responses and watching whether the agent's next action changes.

Tool poisoning and confused deputy

The agent calls one tool with parameters derived from another tool's output. If the second tool is attacker-influenced, the first call becomes attacker-controlled. Classic example: an email-summariser agent that reads a malicious email instructing it to forward all subsequent emails to an attacker address.

Memory poisoning

Agents with long-term memory store user-controlled content. An attacker plants instructions that activate weeks later when the agent re-reads its memory. Scan by writing payloads to memory in one session and probing whether they fire in later sessions.

Plan hijacking

Many agents emit a 'plan' before acting. An attacker manipulates the plan via injection and the agent executes the new plan. Probe by injecting plan-modifying instructions and grading whether the executed actions match the original user intent.

Resource exhaustion and runaway loops

An agent can be tricked into infinite tool-call loops, exhausting credits, rate limits, or downstream API quotas. Scan by feeding inputs that historically cause loops (recursive summarisation, contradictory goals) and measuring tool-call depth before termination.

Sensitive information disclosure via tool returns

An agent fetches data from a high-privilege tool and includes parts of it in a low-privilege response — leaking PII to a user who shouldn't have access. Probe with role-mismatch scenarios and grade the response with a DLP-aware judge.

How an AI agent vulnerability scanner works

A serious agent scanner orchestrates a full adversarial session, not a probe-response pair. Architecturally:

Connect to the agent — usually via a thin SDK that lets the scanner inject inputs at the user message, tool response, or memory layer.
Pick an attack scenario — e.g. 'plant indirect injection in a retrieved doc and observe whether the agent follows it'.
Drive the session — the scanner plays the adversary across multiple turns, adapting based on the agent's responses (this is where LLM-as-attacker is more effective than scripted probes).
Capture the trace — every tool call, every intermediate plan, every memory write is logged.
Judge the outcome — an LLM judge reads the trace and scores it: did the agent perform the unauthorised action, leak the secret, follow the planted instruction?
Map to a framework — OWASP LLM Top 10 + agent-specific extensions like the OWASP Agentic Security Initiative or NIST AI RMF.

Agent vs agentless vulnerability scanning: not what it sounds like

If you searched 'agent vs agentless vulnerability scanning', you may have run into two unrelated debates. They get conflated:

Infrastructure security — 'agent' means a software agent running on each host (Tenable, Qualys, Wiz). 'Agentless' means scanning via API or cloud snapshots. This is about scanning servers, not AI agents.
AI agent scanning — the scanner is itself an AI agent (LLM-driven attacker). The target may be another agent or any LLM endpoint. 'Agent-based' here means the scanner uses an autonomous adversarial agent, not a fixed probe library.

When evaluating an AI agent vulnerability scanner, what matters is whether the scanner can run multi-turn adversarial sessions, not whether anything is installed on your host. FilterPrompt and most modern LLM scanners are agentless in the infrastructure sense — they connect to your LLM endpoint via your provider's API and need nothing installed in your environment.

What is a vulnerability scanner, and how is it used to improve agent security?

A vulnerability scanner is an automated tool that probes a system for known and discoverable weaknesses, grades the findings, and produces a report developers and security teams can act on. For AI agents specifically, it improves security in five concrete ways:

Pre-deploy gate — block releases when a new agent build introduces a regression in jailbreak resistance or excessive-agency findings.
Continuous monitoring — schedule weekly scans against staging to catch drift when your provider silently updates the underlying model.
Incident triage — when a real attack is suspected, replay the suspected payload through the scanner to confirm exploitability and scope.
Compliance evidence — most frameworks (EU AI Act Article 15, ISO/IEC 42001, NIST AI RMF) require evidence of adversarial testing. Scanner reports are the artefact.
Hardening loop — every confirmed finding becomes a regression test. Over time, the scan suite shifts from 'finding new bugs' to 'preventing old ones from coming back'.

What good agent scan output looks like

Three things separate a useful agent vulnerability report from noise:

Full session trace — every prompt, every tool call, every memory write. Without the trace, developers can't reproduce the issue.
Severity grounded in real impact — a successful indirect injection that triggered an unauthorised tool call is critical; a successful injection that the agent refused to act on is informational.
Mapping to a framework — OWASP LLM Top 10, OWASP Agentic Security Initiative top risks, NIST AI RMF measures. Findings without a framework anchor are hard to prioritise.

Building a scan suite for your specific agent

Off-the-shelf probe libraries are a great starting point, but the highest-value findings always come from custom probes tailored to your agent's tools and data. A practical playbook:

Inventory the agent's tools. For each, write one probe asking the agent to misuse it.
Inventory the agent's input sources (user message, retrieved docs, tool returns, memory). For each, write one indirect injection probe.
Inventory the agent's role transitions (anonymous user, authenticated user, admin). For each transition, write one probe attempting to escalate.
Run the scanner on every change to the agent's prompt, tool definitions, or model. Diff results against the previous run; new findings = regressions.

Common mistakes when scanning AI agents

Three mistakes show up across most teams adopting agent vulnerability scanning for the first time:

Scanning only the model, not the agent. The model may pass every jailbreak probe, but the agent fails the same probe because its tools amplify the impact. Always test the wired-up agent.
Skipping tool-response injection. Most teams test the user message and stop. The largest production incidents in 2024 came from indirect injection in retrieved content — and you only find those by probing the document side.
Ignoring memory. Persistent memory is the slow-burning vulnerability. A payload planted today may fire next month and look like a model glitch. Scheduled memory probing is essential.

Bottom line

AI agents are a new attack surface and require a new class of vulnerability scanner. The right tool runs full adversarial sessions, probes tool returns and memory as well as user messages, and produces audit-ready reports mapped to frameworks your auditors recognise. If you're shipping an agent — copilot, autonomous workflow, anything that calls tools — you need an AI agent vulnerability scanner running before every release and on a schedule against production. The first time you find an excessive-agency finding before an attacker does, you'll wonder how you shipped without one.