Defensive diagnostic of AI systems and infrastructure in production
I attack your LLM agents, RAG, MCP servers and infrastructure per OWASP LLM Top 10 — finding what classic pentesters miss.
Prompt injection, RAG poisoning, MCP tool poisoning, token bomb — vectors that aren't in Burp / Nessus
I run 10+ AI systems in production myself. Was a media-buyer with a $1.34M ad budget — saw the performance stack from the inside
Up to 20M ₽ + 3% of revenue in fines for PII leaks. From Jan 1, 2026, 187-FZ on KII blocks foreign software in banks / oil & gas / government
Three formats — from entry diagnostic to an ongoing retainer
Express to understand 'how bad is it', Full Audit for serious risks and compliance, retainer — because AI security changes every 4–6 weeks.
Express Security Diagnostic
Quick entry check: shortened checklist, one live attack, PDF with the top-5 risks. A low-commitment first step before a full audit.
- 60-min discovery call: architecture, LLM/API, where PII lives
- 6-hour check against a shortened checklist
- Live demo of one attack (prompt injection or DNS/SSL/.env exposure)
- 4–6 page PDF: top-5 items to fix first, severity, commands / code
- 30-min debrief on the results
~3–4 out of 10 upgrade to Full Audit
Full Security Audit
Full red-team cycle across 4 domains: AI/LLM, infrastructure, FZ-152, business logic. 30–50 page report + live demo + 30 days Q&A.
- Full red-team cycle per OWASP LLM Top 10 (2025)
- 4 domains: AI/LLM 40% · Infra 25% · Data Privacy 20% · Business Logic 15%
- Final report 30–50 pages with evidence and compliance mapping
- Live demo of 1–2 highest-impact vectors on your environment
- 90-min readout session + 30 days Q&A on fixes
200–600k ₽ range depending on scope and number of AI agents
Continuous Security Engagement
AI security changes every 4–6 weeks. The retainer keeps your AI infrastructure in an up-to-date threat model between releases.
- Basic (40k): monthly re-scan, CVE alerts in Telegram, 2h Q&A
  - also: quarterly report on risk dynamics
- Pro (100k): Basic plus pre-release review of every AI feature (2/mo)
  - also: embedded 1 day/week in your team
  - also: threat-intel briefing, 24h SLA on critical issues
80% of clients move to a retainer after the Full Audit
19 check points across 4 domains
The checklist is built around risk, not around what is easy to check. OWASP LLM Top 10 (2025) is the foundation of the AI domain; classic infrastructure is the base; FZ-152 / 187-FZ is the mandatory regulatory layer for RU legal entities; the sector-specific items are what we see in real ad accounts and e-com setups.
AI/LLM Security
OWASP LLM Top 10 (2025) — 8 checks
Direct prompt injection
Jailbreaks via role-play, multi-turn escalation, encoded payloads: base64 / unicode / ROT13
Indirect prompt injection (RAG / docs / webhooks)
Attack via data the model itself loads.
Ref: EchoLeak CVE-2025-32711, CVSS 9.3
System Prompt Leakage (LLM07:2025)
Extraction of system prompt with embedded keys or internal-API URLs
Excessive Agency (LLM06:2025)
An agent with write access does what it shouldn't.
Ref: CVE-2025-53773 GitHub Copilot RCE, CVSS 9.6
Unbounded Consumption / Cost-overflow (LLM10:2025)
Token bomb: $10k/mo burned with no cap. The attacker generates traffic until you go bankrupt.
MCP Server / Tool Poisoning
Attack via a third-party MCP server. Including the well-known 'thank you' issue.
Ref: CVE-2025-54136 · Claude Code CVE-2025-59536 · CVE-2026-21852 (Check Point Research)
Vector / Embedding Weaknesses (LLM08:2025)
Embedding inversion, membership inference, RAG poisoning via substituted documents in the vector DB
Sensitive Information Disclosure (LLM02:2025) + PII in logs
PII leak via model responses, log aggregators, error tracking. Synthetic client with realistic PII for verification
Infrastructure
6 checks for perimeter and dependencies
DNS / Email hygiene
SPF, DKIM, DMARC (often `p=none` — open invoice spoofing), CAA, DNSSEC
SSL / TLS configuration
SSL Labs target A+, HSTS preload, correct cipher suites, OCSP stapling
WAF / CDN review
Bypass via encoded payload, origin IP leak through DNS history / SSL cert / mail headers
Secrets management surface
`gitleaks` over history, API keys in client-side JS bundle, `.git/` exposed, .env in backup folders
Dependency CVE scan
npm / pip / go.mod / Cargo.lock against an up-to-date CVE database.
Ref: Shai-Hulud npm malware · Sonatype 454k+ malicious packages 2026
Backup + DR test
Actually restore from backup on staging. 60% of companies have a backup, ~30% can actually restore
Data Privacy / RU Regulatory
FZ-152 / 187-FZ KII / PII redaction
FZ-152 compliance
Geo storage (PII of Russian citizens on RU territory), sub-processors, RKN registry. 2026 fines: up to 20M ₽ + 3% of revenue. 6–18M ₽ for failing to report a breach in 24/72h
187-FZ KII readiness
From Jan 1, 2026 foreign software is prohibited in banks, oil & gas, telecom, government sector. Cursor / Claude / OpenAI = formal violation. Alternatives: GigaChat on-prem, YandexGPT, Continue.dev. Fine up to 500k ₽ + blocking
PII redaction in LLM prompts
Create a synthetic client with realistic PII and dump every prompt on its way to OpenAI / Anthropic. Verify that the regex filters catch names, INN, phone, email and passport numbers, and record what they miss.
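The check described above, as an added example that is not part of the page's own tooling: a regex redaction layer for RU-format PII (with an INN checksum so order numbers are not over-redacted), a constructed synthetic client, and an audit function that reports which fields survive redaction. `PII_PATTERNS`, `redact`, `audit_redaction` and every sample value are assumptions made for this example.

```python
import re

# Regex filters for RU-format PII. Order matters: longer structured numbers (INN, passport)
# run before the phone pattern so a digit run is not half-consumed by the wrong filter.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "inn": re.compile(r"\b\d{12}\b|\b\d{10}\b"),
    "passport": re.compile(r"\b\d{2}\s?\d{2}\s\d{6}\b"),   # series 4 digits + number 6 digits
    "phone": re.compile(r"(?:\+7|8)[\s(-]*\d{3}[\s)-]*\d{3}[\s-]*\d{2}[\s-]*\d{2}"),
}

def valid_inn10(s: str) -> bool:
    """Checksum of a 10-digit legal-entity INN: last digit == (weighted sum mod 11) mod 10."""
    weights = (2, 4, 10, 3, 5, 9, 4, 6, 8)
    total = sum(w * int(c) for w, c in zip(weights, s))
    return total % 11 % 10 == int(s[9])

def redact(prompt: str) -> str:
    """Replace every matched PII value with a typed placeholder before the prompt leaves the perimeter."""
    out = prompt
    for kind, pattern in PII_PATTERNS.items():
        if kind == "inn":
            # Checksum-validate 10-digit candidates so order numbers and timestamps are not over-redacted.
            out = pattern.sub(lambda m: "[INN]" if len(m.group()) == 12 or valid_inn10(m.group()) else m.group(), out)
        else:
            out = pattern.sub(f"[{kind.upper()}]", out)
    return out

# Constructed synthetic client: every value is fake; the INN was chosen to pass the checksum.
SYNTHETIC_CLIENT = {
    "name": "Ivanov Ivan Ivanovich",
    "email": "ivanov.test@example.com",
    "phone": "+7 (912) 345-67-89",
    "passport": "45 12 123456",
    "inn": "1234567894",
}

def audit_redaction(prompt: str, client: dict) -> list:
    """Run the filter over an outgoing prompt and return the client fields that still appear verbatim."""
    cleaned = redact(prompt)
    return [field for field, value in client.items() if value in cleaned]

if __name__ == "__main__":
    c = SYNTHETIC_CLIENT
    prompt = (f"Customer {c['name']} (INN {c['inn']}, passport {c['passport']}) "
              f"asks to call {c['phone']} or write to {c['email']} today.")
    print(redact(prompt))
    print("leaked:", audit_redaction(prompt, c))   # a regex filter has no notion of names: ['name']
```

The leaked `name` field is the point of the check: structured identifiers are regex-friendly, free-text names are not, and that gap is what the prompt dump reveals.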
Business Logic / Sector
Authentication and vertical-specific
Auth & session
Token storage (httpOnly vs localStorage), rotation, IDOR, webhook HMAC, replay protection, race conditions in payment flow
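The webhook HMAC and replay-protection items above, as an added example (not the page's own code): a receiver-side verifier that binds the signature to a timestamp and the body, compares in constant time, and accepts each signed request once. `SECRET`, `sign`, `WebhookVerifier` and the sample payload are assumptions constructed for this example.

```python
import hashlib
import hmac
import time

# Constructed shared secret for the example; in production it comes from a secret store, never from the bundle.
SECRET = b"constructed-webhook-secret-change-me"
MAX_SKEW = 300   # seconds a signed timestamp is accepted; bounds how long a captured request is replayable

def sign(body: bytes, ts: int, secret: bytes = SECRET) -> str:
    """HMAC over timestamp||body, so the signature binds both the payload and the moment it was sent."""
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()

class WebhookVerifier:
    """Receiver-side check: freshness window, signature, then one-time acceptance of each (ts, sig)."""

    def __init__(self, secret: bytes = SECRET, max_skew: int = MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = set()   # accepted (ts, sig) pairs; entries older than max_skew can be evicted

    def verify(self, body: bytes, ts: int, sig: str, now: int = None) -> tuple:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        expected = sign(body, ts, self.secret)
        if not hmac.compare_digest(expected, sig):   # constant-time compare, no early exit on mismatch
            return False, "bad signature"
        if (ts, sig) in self.seen:
            return False, "replay"
        self.seen.add((ts, sig))
        return True, "ok"

if __name__ == "__main__":
    v = WebhookVerifier()
    body = b'{"event":"Purchase","value":1990,"currency":"RUB"}'   # constructed conversion payload
    ts = int(time.time())
    sig = sign(body, ts)
    print(v.verify(body, ts, sig))                          # (True, 'ok')
    print(v.verify(body, ts, sig))                          # (False, 'replay')
    print(v.verify(body.replace(b"1990", b"1"), ts, sig))   # (False, 'bad signature')
```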
Media-buying / e-com specific
Cloaker probe, Keitaro fraud detection, pixel firing, CAPI integration with HMAC, IP-blocklist hygiene, fingerprint leak via third-party tags
Stats from real audits
Distribution of findings by severity. Critical in ~30% of companies is not a sales scare story — it's the average baseline of the 2025–2026 AI deployment market.
- OpenAI / Anthropic API key in the client-side bundle — 30 sec to extract, $50k overnight
- Indirect prompt injection enables data exfiltration (EchoLeak pattern)
- System prompt contains embedded keys or internal-API URLs
- PII sent to OpenAI without anonymization — up to 20M ₽ + 3% of revenue
- MCP server tool poisoning via invisible instructions in description
- No rate-limit on the LLM endpoint — token-bomb DoS
- DMARC in `p=none` mode — invoice spoofing from the company's address
- SSL Labs grade B/C, no HSTS preload
- Backup not tested for > 12 months
- Dependency CVEs older than 90 days, webhook without a signature
- CSP headers missing, exposed `.git/config`
- HSTS preload missing, verbose error messages
- X-Frame-Options not set, open referrer policy
Tier 2 deliverable — 30–50 pages with evidence and roadmap
The report is written to be readable both by a CEO and by the engineer who will fix it. Every finding comes with reproducible evidence and a specific command / code fix.
Executive summary
For CEO / CTO / board: risk overview, business impact, fix budget
Methodology
OWASP LLM Top 10 / 187-FZ / FZ-152 / CVE references — what was checked and why
Findings list
Each item: ID, severity, evidence (screenshot / curl command), impact, fix recommendation, verification method
Prioritized roadmap
Now / Next / Later — what to fix in the first 48 hours, in the first month, in the quarter
Appendix
Full logs, compliance mapping (FZ-152 / OWASP / ISO 27001), optionally video demo of attacks
4 client types the offer is calibrated for
I don't work with SMB < 1M ₽/mo revenue (no 200k budget), with personal projects, or with students. I don't dive into classic industrial IT without AI — that's Positive Technologies' field.
Technical founders of B2B SaaS 20–100 people
With an AI feature in the product under pre-IPO DD pressure. Investors ask about AI security — DD standard since 2025. Launched a chatbot / RAG, sometimes 'gives weird answers'. MCP servers without review.
1 leak = product death + personal liability for the founder
Performance agencies / media-buying houses ($500k–5M/mo)
AI tools accumulate conversion PII (FZ-152). Tracking systems leak via DNS history. CAPI without HMAC = fake conversions pass. Slava is one of you: he personally ran a $1.34M ad budget in performance marketing.
1 ad account at $200k = a month down the drain
E-com 1000+ orders/mo with AI customer support
AI agent chats with customers — email / phone / address leaks to OpenAI. Voice bot jailbreak → 99% promo code. WB / Ozon + RKN actively audit since 2025.
Marketplaces block the selling account on breach
Government contractors / banks / fintech
From Jan 1, 2026: 187-FZ KII bans foreign software (Cursor / Claude / OpenAI = formal violation). Sales cycle 3–6 mo, FSTEC licenses required for deep pentests. Slava is an architect / consultant, not an FSTEC auditor. Only via a legal entity.
187-FZ trigger + long cycle = high ticket, low frequency
Narrow AI niche, not yet another generic pentest
I don't claim to replace Group-IB on perimeter / SIEM — we do different things. Comparison along the angle we work from:
| Alternative | What they do | My angle |
|---|---|---|
| Group-IB / Positive Technologies | Classic perimeter / SIEM / anti-APT, $7–11B market. AI-security block = marketing. From 1.5M ₽, full IT perimeter | Narrow AI niche, 200–600k ₽. Targeted vs full SOC |
| HackerOne / BugBounty.ru | Reactive crowd, no SLA, no accountability. You pay per finding separately | Proactive, single accountable expert. Report + recommendations + retainer. One contact |
| Solo pentesters on Avito | Classic: Burp / Nessus / nmap. Don't know OWASP LLM Top 10. Don't understand prompt injection | I run AI in production 24/7. I've seen prompt injection in live traffic, not in a PDF |
| Internal security teams | Enterprise IT (AD, perimeter, IDS). AI = gray zone, skills geared toward classical infra | External pair of eyes specifically for AI / automation. We complement, not replace, the internal team |
Why me — at the intersection of 4 niche tracks
A combination of experience that's hard to replicate: senior enterprise development + production AI operator + media-buyer with a large budget + RU regulatory literacy.
Real production AI operator
10+ AI systems in production 24/7. Seen failure modes from the inside: cost overflow during regime change, GMM stuck in edge cases, indirect injection from an RSS feed, MCP server crash in production
$1.34M performance marketing budgets
Was a senior media-buyer at Syndicate Group + SweepStakes. I know fraud patterns from the inside, tracking mechanics, CAPI security — not theory, but field practice
7 years of enterprise
Baltic Shipyard, IPL, Asertiva. I understand how security works at large companies with long approval processes — I can speak the same language as a CTO / CISO
OSINT / attacker-side experience
Through arbitrage / affiliate work — I know how the attacker side thinks. Cloaker bypass, fingerprint evasion, IP rotation — these are working tools, not an article on Habr
Reads RU regulations
FZ-152, 187-FZ KII, FSTEC orders, RKN guidelines — I actually read them, not retell from agencies. I know where compliance ends and real security begins
Secure your AI infrastructure
Start with Express Diagnostic for 25,000 ₽ — in 1 business day you'll get a clear view of the top-5 risks and whether you need a full audit.
Audit for 5,000 ₽: with a concrete report and cost estimate
I'll tell you what to implement in your business first, what the payback will be, and whether you need AI for your task at all (sometimes you don't).
Or just send your question: I'll reply within 2 hours