What is an LLM vulnerability scanner?

An LLM vulnerability scanner sends batteries of adversarial probes — jailbreaks, prompt injections, PII extraction attempts, harmful-content requests — at a target LLM and grades the responses. The output is a vulnerability + optimization report with per-probe evidence, severity, and a prioritized fix list.

Which LLMs can I scan with FilterPrompt?

OpenAI, Anthropic, Google Gemini, Azure OpenAI, plus any OpenAI-compatible endpoint — Ollama, Groq, Mistral, Together AI, OpenRouter, Perplexity, Hugging Face, vLLM, or your own custom endpoint. Bring your own keys per tenant.

What kinds of vulnerabilities does FilterPrompt test for?

Jailbreaks (DAN, role hijack, translation smuggling), direct and indirect prompt injection, system-prompt extraction, harmful-content compliance, PII / secret leakage, bias & fairness, RAG poisoning, agent/tool abuse, output quality, and robustness — categories map to the OWASP LLM Top 10.

How are probes graded?

Each probe declares an evaluator: regex match, refusal-check, contains-check, or an AI judge (Gemini 3 Flash). Pass/fail comes with severity, category, the exact prompt sent, the model's full response, and the evaluator's reason — fully auditable.

How much does a scan cost?

1 credit per probe executed. New accounts get 1 welcome credit on signup. Pay-as-you-go credit packs after that — credits never expire. Connecting LLMs and creating tenants is free.

The AI Hacker: How AI Hacking Works, Who's Doing It, and How to Defend

Deep Dive · 2018-03-14 · 16 min read · FilterPrompt Security Team

A field guide to AI hacking in 2026 — what an AI hacker actually does, how attackers weaponise LLMs to hack people and systems, how defenders hack AI to make it safer, and the controls that hold up.

The phrase 'AI hacker' covers two very different people. One uses AI as a weapon — automating phishing, generating polymorphic malware, and probing systems faster than a human ever could. The other hacks AI itself — coaxing models into leaking data, jailbreaking guardrails, poisoning training sets, and turning autonomous agents against their owners. In 2026, both are now industries. This guide walks through what AI hacking actually looks like in production, how attackers and defenders both operate, and what your team has to ship to keep up.

What does 'AI hacker' actually mean?

Practitioners use the term in three overlapping senses, and conflating them leads to bad threat models.

Hacking with AI — using LLMs and ML to accelerate offensive operations against humans, networks, and applications. The target is classical; the attacker has new power tools.
Hacking AI systems — exploiting models, prompts, training pipelines, embeddings, and agents. The target is the AI itself, and the techniques (prompt injection, jailbreaks, model inversion, data poisoning) didn't exist five years ago.
AI security research — defenders who reverse-engineer model behaviour, build adversarial test suites, and red-team production deployments. Same skill set as the offensive side, different intent and disclosure path.

A serious AI hacking program — offensive or defensive — covers all three. Treating any one in isolation leaves obvious gaps.

Hacking with AI: what attackers actually do in 2026

AI has not invented new categories of cybercrime so much as collapsed the cost of executing the old ones. The shift matters because the volume and quality of attacks both go up, while the marginal cost per victim drops to near zero.

AI-generated phishing and vishing

Targeted spear-phishing used to take a researcher hours per victim. With an LLM, an attacker scrapes LinkedIn, feeds the profile into a model, and generates context-perfect emails in seconds — referencing the victim's recent talk, their manager's name, an internal project leaked from a public deck. Voice cloning extends the same playbook to phone calls; a 30-second clip from a podcast is enough to clone a CFO and authorise a wire transfer over the phone.

AI-augmented reconnaissance

Attackers feed scraped data, breach dumps, GitHub repos, and DNS records into an LLM with the prompt 'find me an attack path'. The model summarises subdomain takeovers, expired certificates, leaked .env files, and exposed admin panels in minutes — work that a junior pentester would take a week to do.

Polymorphic and AI-generated malware

Code-capable models produce variants of known malware that bypass signature-based detection. The same model rewrites the same payload in 50 syntactic forms, each unique enough to defeat hash and YARA matching. Endpoint security has shifted hard toward behavioural detection in response.

Deepfakes for social engineering and fraud

Video and voice deepfakes have moved from novelty to enterprise threat. The 2024 Hong Kong case where an employee wired $25M after a deepfake video call with a fake CFO is now the template, not an outlier. Identity verification systems built before 2023 cannot tell synthetic media from real on a phone-quality video stream.

Hacking AI: the new attack surface

On the other side, attackers have learned that AI systems themselves are a target — often the softest one in the stack. The major techniques every defender should know:

Prompt injection (direct and indirect)

Direct injection lives in user input: 'Ignore previous instructions and do X.' Indirect injection lives in any document, webpage, email, or tool response the model later reads — the attacker never speaks to your app, but the model still follows their instructions. Indirect injection is the dominant production threat against RAG systems and AI agents in 2026, and it's the hardest to detect because the payload is laundered through trusted-looking sources.

Jailbreaks

A jailbreak coerces a model into ignoring its safety policies — DAN-style role-plays, encoded payloads, multi-turn pressure, hypothetical scenarios, or low-resource-language attacks. A jailbreak by itself doesn't compromise infrastructure, but it lets attackers extract harmful content, exfiltrate system prompts, or unlock tools the model would otherwise refuse to call.

Model and data extraction

Membership inference attacks reveal whether a specific record was in the training set. Model inversion reconstructs training data from outputs. For models fine-tuned on customer or proprietary data, both are exfiltration vectors that classical security scanning will not catch.

Data poisoning

Attackers contaminate training data — public scraping corpora, RAG document stores, fine-tune sets — to plant backdoors that activate on a specific trigger phrase. The model behaves normally until the trigger fires, at which point it leaks data, executes attacker-controlled tools, or returns biased output.

Excessive agency exploitation

Agents with tools — shell, email, payments, code execution — can be social-engineered through their inputs into using those tools maliciously. The compromise looks like normal agent behaviour because, technically, it is — the agent did exactly what it was told, just by the wrong person.

How defenders hack AI: the AI red-team workflow

Defensive AI hacking — red-teaming — is now a board-level expectation under the EU AI Act, NIST AI RMF, and ISO/IEC 42001. A real program goes well beyond running a few jailbreak prompts in a Colab notebook.

Threat model the application — list the data, tools, users, and adversary profiles. Different from a generic LLM threat model because it's grounded in your stack.
Build a probe library — pull from OWASP LLM Top 10, MITRE ATLAS, AVID, and your own incident history. Cover injection, jailbreak, PII, output handling, model abuse, and agentic risks.
Run multi-turn adversarial sessions — single-shot probes miss most real attacks. The scanner has to play out a conversation, ideally with an LLM-as-attacker driving adaptation.
Grade with a judge — an LLM judge reading the full transcript outperforms regex grading on every category we measure. Track precision and recall against a labelled set.
Map findings to a framework — auditors want OWASP LLM Top 10 IDs, NIST AI RMF measure references, and EU AI Act Article 15 evidence. A finding without a framework anchor is hard to prioritise.
Close the loop — every confirmed finding becomes a regression probe. Over time the suite shifts from 'find new bugs' to 'prove the old ones stay fixed'.

What an AI hacker's toolkit looks like in 2026

Across both sides — offensive and defensive — the core toolkit converges. The same tools that let a red team test a model let a black hat attack one.

Prompt-injection libraries — published corpora of injection payloads, jailbreaks, and evasions. Garak, PromptBench, and the AVID database are the public references.
LLM-as-attacker frameworks — orchestrators that drive multi-turn adversarial conversations and adapt based on the target's responses.
Agent harnesses — frameworks that wrap a target agent so the attacker can inject inputs at any layer (user message, retrieved doc, tool response, memory).
Judges and graders — small fast LLMs that read transcripts and emit structured verdicts the rest of the pipeline can act on.
Reporting layers — that map raw findings to OWASP LLM Top 10, NIST AI RMF, and the regulator-of-the-week's preferred taxonomy.

Defending against AI hacking: the controls that actually hold

After two years of incidents, a small set of controls keeps showing up in post-mortems as either present-and-saved-us or absent-and-broke-us.

Layered prompt filtering on input — pattern rules for obvious injection phrases, ML scoring for novel ones, structural checks for encoded payloads.
Output-side filtering — scan for exfiltration patterns (markdown images to attacker-controlled domains, leaked system prompts, PII echo).
DLP redaction on both sides — never let customer PII reach the model provider, never let internal IDs reach the user.
Tool-call allowlisting — agents should be allowed to call only the tools they need, with parameter validation enforced outside the model.
Audit logs on every verdict — without forensic-quality logs you cannot reproduce, fix, or report incidents.
Continuous adversarial scanning — schedule scans against staging weekly to catch silent provider model updates.

Common myths about AI hacking

'Our model has guardrails, so prompt injection isn't a threat.' Vendor guardrails fail under indirect injection and multi-turn pressure. Treat them as one layer, not the whole defence.
'We don't use AI agents, so agentic risks don't apply.' Any LLM endpoint that calls a tool — even retrieval — has agentic surface. RAG is an agent with one tool.
'Red-teaming once before launch is enough.' Models drift, providers update underlying weights, and your prompts and tools change. Adversarial testing has to be continuous, like SAST and DAST already are.
'AI hackers only target big tech.' The opposite — small teams with weak controls and high-value data are the highest-EV targets, and AI lowers attacker cost enough to make them economical.

Hiring and skill-set: what an AI hacker actually knows

If you're hiring or upskilling, the field has stabilised around a recognisable skill stack: applied ML and prompt engineering, traditional appsec (because the LLM lives inside an app), red-team methodology, and policy literacy (OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, EU AI Act). Pure ML researchers without appsec instincts miss obvious bugs; pure pentesters without ML literacy miss the model-level ones. The most effective AI hackers we've worked with are appsec people who got fluent in LLMs, not the reverse.

Bottom line

AI hacking is no longer a research curiosity — it is a category of both offensive crime and defensive practice that mature security programs have to staff and tool for. The attackers are using AI to scale classical offensive operations, and they are also learning to hack the AI systems your team is rushing to ship. The defence is not magical; it's layered filtering, continuous adversarial scanning, framework-mapped reporting, and tool discipline on agents. Start with a real threat model, build or buy a scanner that runs multi-turn adversarial sessions, wire the findings into your CI, and treat every blocked exploit as a regression test you keep forever.