FAQ

Frequently Asked Questions

Straight answers for security and engineering leaders evaluating AI security work.

Do you only work with companies that already have AI agents in production?

No. We work at any stage – whether you are about to deploy your first AI agent and want to build it right, or you have a fleet of agents in production that have never been reviewed. The earlier we are involved, the cheaper the fixes.

How is this different from what my existing penetration test provider offers?

Most penetration testing firms do not have practitioners who have built and operated AI agent systems at scale. They may offer AI pentesting as a line item, but the methodology is often limited to surface-level prompt injection testing that ignores what the agent can actually do: which tools it can call, what identity and credentials it acts under, and what business logic those calls reach. We assess the full stack – architecture, identity, prompt security, operational controls, and governance.

Do you need access to our codebase?

For a full assessment, yes – read-only access to the relevant codebases gives us the most accurate picture and enables automated first-layer analysis. For some engagements, architecture documentation and API access are sufficient. We discuss scope and access requirements in the discovery call.

Which AI frameworks and platforms do you have experience with?

LiteLLM, OpenAI API, Anthropic API, Google Vertex AI / Gemini, AWS Bedrock, Azure OpenAI, LangChain, LangGraph, CrewAI. On the gateway side: Cloudflare AI Gateway/Firewall, Prisma AIRS, NVIDIA NeMo Guardrails, Meta Llama Guard, Lakera, Prompt Security. We are framework-agnostic – the security principles are consistent across platforms.

What frameworks do your assessments map to?

OWASP AI Security Top 10, MITRE ATLAS, NIST AI Risk Management Framework, ISO 42001, and where relevant, ISO 27001, NIST CSF, PCI-DSS, and GDPR. We produce findings that map directly to the frameworks your compliance team already uses.

Can you help us build the AI security function internally after the assessment?

Yes. Post-assessment, we offer architecture design, pre-production review gate implementation, AI security gateway deployment, and ongoing advisory. Many clients start with an assessment and engage us to lead the remediation programme.

Do you work with regulated industries?

Yes – we have direct experience in financial services, fintech, and online trading operating under PCI-DSS, GDPR, ISO 27001, NESA, and CBUAE requirements. We understand that a security recommendation is only useful if it can be implemented without breaking your compliance obligations.

How long does an engagement take?

Rapid Assessment: 2 weeks. Full Assessment: 4 weeks. Enterprise Programme: 6-8 weeks. These are calendar time estimates including kickoff, review, testing, and report delivery. All timelines are confirmed in scoping.