Before testing, define the boundaries:
| Question | Why It Matters |
|---|---|
| What model(s) are in scope? | Different models have different vulnerability profiles |
| Is the system prompt in scope for extraction? | Some clients consider this IP |
| Are tool/plugin integrations in scope? | Indirect injection testing requires this |
| What data sources does the AI access? | Defines the indirect injection surface |
| Are other users' sessions in scope? | Multi-tenant testing needs explicit authorization |
| What constitutes a successful attack? | Define success criteria up front |
| Is automated testing permitted? | Volume-based tests may trigger rate limits |
| Are production systems in scope, or staging only? | Risk tolerance for live systems |
| Tier | Scope | Tests Included |
|---|---|---|
| Tier 1: Basic | Chatbot interface only | Jailbreaking, system prompt extraction, basic injection |
| Tier 2: Standard | Chatbot + tool integrations | Tier 1 + indirect injection, tool abuse, data exfiltration |
| Tier 3: Comprehensive | Full application stack | Tier 2 + RAG poisoning, multi-tenant isolation, API security |
| Tier 4: Pipeline | ML pipeline access | Tier 3 + data poisoning, model supply chain, training infrastructure |
- Maximum query volume per hour/day
- Approved jailbreak categories (content policy only vs. harmful content)
- Data handling for any PII or sensitive data extracted
- Incident escalation procedures
- Communication channels and check-in schedule