Which LLMs can I scan with FilterPrompt?

OpenAI, Anthropic, Google Gemini, Azure OpenAI, plus any OpenAI-compatible endpoint — Ollama, Groq, Mistral, Together AI, OpenRouter, Perplexity, Hugging Face, vLLM, or your own custom endpoint. Bring your own keys per tenant.

What kinds of vulnerabilities does FilterPrompt test for?

Jailbreaks (DAN, role hijack, translation smuggling), direct and indirect prompt injection, system-prompt extraction, harmful-content compliance, PII / secret leakage, bias & fairness, RAG poisoning, agent/tool abuse, output quality, and robustness — categories map to the OWASP LLM Top 10.

How are probes graded?

Each probe declares an evaluator: regex match, refusal-check, contains-check, or an AI judge (Gemini 3 Flash). Pass/fail comes with severity, category, the exact prompt sent, the model's full response, and the evaluator's reason — fully auditable.

How much does a scan cost?

1 credit per probe executed. New accounts get 1 welcome credit on signup. Pay-as-you-go credit packs after that — credits never expire. Connecting LLMs and creating tenants is free.

What Is an LLM Vulnerability Scanner? OWASP LLM Top 10, Prompt Injection & Real-Time Blocking (2026 Guide)

Q: What is an LLM vulnerability scanner?

An LLM vulnerability scanner sends batteries of adversarial probes — jailbreaks, prompt injections, PII extraction attempts, harmful-content requests — at a target LLM and grades the responses. The output is a vulnerability + optimization report with per-probe evidence, severity, and a prioritized fix list.

Pillar · 2025-07-12 · 14 min read · FilterPrompt Security Team

Complete 2026 guide to LLM vulnerability scanners — what they test, how they work, OWASP LLM Top 10 coverage, and how a real-time AI firewall blocks attacks the scanner finds.

An LLM vulnerability scanner is the AI-era equivalent of a traditional pen-test tool: it sends batteries of adversarial prompts at your large language model — jailbreaks, prompt injections, PII extraction attempts, harmful-content requests, RAG poisoning payloads — and grades the responses. The output is a vulnerability report telling you which attacks succeeded, how severe they are, and exactly what to fix. If you ship anything backed by an LLM, you need one.

This guide covers what an LLM vulnerability scanner actually does, the threat categories it has to cover, how scanners differ from AI firewalls (and why you need both), and what to look for when choosing one. By the end you'll know whether your stack needs a vulnerability scanner for LLM workloads, and how to deploy one in an afternoon.

What does a vulnerability scanner for LLM applications test?

A serious LLM vulnerability scanner covers every category in the OWASP LLM Top 10 — and several that aren't yet on it. The categories that matter in production today:

Prompt injection (direct and indirect) — the LLM equivalent of SQL injection
Jailbreaks — DAN, role hijack, translation smuggling, persona attacks
System-prompt extraction — leaking your hidden instructions
PII / secret leakage — emails, SSNs, API keys, internal IDs in responses
Harmful content compliance — bioweapons, malware, CSAM refusal robustness
Bias and fairness — demographic stereotyping in outputs
RAG poisoning — instructions hidden in retrieved documents
Agent and tool abuse — getting the model to call dangerous tools
Output quality and hallucination — factual robustness under stress

How does an LLM vulnerability scanner actually work?

Under the hood, every modern AI vulnerability scanner is the same five-stage pipeline: select a probe battery, send each adversarial prompt to your model, capture the response, run it through a tiered judge, then write a verdict with severity and evidence. The differences between vendors live in two places: the size and quality of the probe library, and the sophistication of the judge.

The probe library

FilterPrompt ships with several hundred curated probes across all OWASP LLM Top 10 categories, including indirect-injection payloads, multi-turn jailbreaks, and translation-smuggling jailbreaks (asking the model to translate the malicious instruction often bypasses RLHF guardrails). The library is versioned — when a new attack pattern goes viral on social media, you don't wait six months for a model update; the probe lands in the next scanner release.

The tiered judge

A naive scanner just pattern-matches 'I cannot' and calls everything else a fail. Real scanners use a multi-stage cascade that combines deterministic checks with AI-based grading. FilterPrompt's proprietary detection engine layers fast deterministic stages with an AI-based final tier using probe-specific rubrics.

LLM vulnerability scanner vs AI firewall: difference and why you need both

A vulnerability scanner is offline testing — you run it before deploying, on a schedule, or in CI. An AI firewall for LLM traffic is online enforcement — it sits in front of every live request and blocks attacks in real time. They solve different problems and you need both.

Scanner finds the holes — firewall plugs them while you patch the model
Scanner runs once a week — firewall runs on every request
Scanner gives you a CVSS-style report for SOC 2, ISO 27001 and EU AI Act audits — firewall gives you live block logs for incident response

FilterPrompt is the only platform that does both simultaneously: scan and block from a single dashboard, sharing the same probe library, the same threat taxonomy, and the same severity model. When the scanner finds a new failure mode at 2pm, the firewall is blocking the same pattern at 2:01pm. No competitor does this today.

What an LLM security testing tool report should contain

After every scan you should get, at minimum:

Per-probe pass/fail with severity (critical / high / medium / low)
The exact prompt sent and the model's full response
The judge's reasoning for the verdict — auditable
Category aggregation mapped to OWASP LLM Top 10
A severity-weighted overall score (not a naive pass-rate)
A prioritized fix list — system-prompt patches, guardrail rules, refusal templates
Diff vs. the previous scan so regressions stand out

Pricing model: what to expect

Most LLM vulnerability scanners bill per probe executed because that's the only unit you can predict and control. FilterPrompt charges 1 credit per probe, gives every new account a free first scan, and credits never expire. Connecting LLMs and creating tenants is free.

How to choose a vulnerability scanner for LLM workloads

Does it cover the full OWASP LLM Top 10 — including indirect injection and agent abuse?
Can it test your actual provider (OpenAI, Anthropic, Gemini, Azure, Ollama, vLLM, custom)?
Is the judge tiered with auditable reasoning, or is it a single black-box classifier?
Does it diff scans across runs so regressions surface immediately?
Can the same vendor also enforce live blocking (AI firewall), or is it scan-only?
Does it integrate with CI so you fail builds on regressions?

Try it yourself

Sign up at filterprompt.io — your first full vulnerability scan is free, no credit card required, and you can scan any LLM you can connect via API. Most teams find a critical-severity finding in the first scan. Run it before your next release.