We red-teamed the full stack — identity, API access, data objects, storage links, AI orchestration, and operational controls. This case study focuses on the AI attack surface and the adjacent weaknesses that can turn one model request into a multi-step breach.
By maliciously steering the PPT generation workflow, we obtained generated decks containing detailed internal API, infrastructure, and architecture narratives. This is an AI-specific over-disclosure failure: the model can become a high-speed recon assistant when retrieval and disclosure boundaries are under-constrained.
Generated outputs included structured internal knowledge such as API endpoint families, authorization models, scope names, rate-limit descriptions, architecture-layer narratives, and cloud-secret reference conventions. The content was delivered in reusable artifacts, not isolated one-line responses.
Multiple independently generated presentation outputs showed the same pattern of internal-knowledge packaging. Together they demonstrate that malicious prompting can extract high-value system context useful for follow-on attacks.
Root cause pattern: prompt controls focused on direct leakage prevention, but retrieval and output governance still allowed over-broad internal context packaging. This creates an attack chain from AI generation to reconnaissance acceleration.
The AI findings were not the only risks. In the same engagement we also confirmed acceptance of a 100 KB+ PPT payload (a cost-abuse primitive) and a separate cross-tenant report retrieval path that exposed 3,491,517 bytes. AI security here required both model-centric and full-stack controls.
Beyond the confirmed cross-tenant exposure, multiple paths produced confirmed or partial results where AI workflows depended on weak surrounding controls: request-schema trust, tenant-context integrity, stage-to-stage contamination, and missing cost safeguards.
Large AI workload requests, including a 1,000-user bulk brief and a 100 KB+ presentation context payload, were accepted with HTTP 200. The run found no effective generation quota or payload gating on these paths.
A burst of 20 concurrent persona generation requests all succeeded with HTTP 200. The endpoint showed no visible per-user throttling under concurrent pressure.
A generation request that injected a different tenant_id in the body produced output referencing the other tenant's account context, suggesting body-level routing influence inside the orchestration layer.
Multiple AI endpoints accepted injected fields like role, is_admin, tenant_id, and bypass_quota without rejection. Acceptance does not prove exploitation, but it does prove insufficient schema enforcement.
A canary token inserted upstream appeared in a downstream generation stage, confirming that poisoned context can traverse stage boundaries inside the AI workflow.
Prompted presentation generation produced outputs containing internal API and architecture detail (including route families, auth patterns, and infra conventions). Separate delimiter-based extraction probes also returned boundary-drift signals. Together these indicate a practical AI-enabled reconnaissance path.
Most scenarios were blocked. That distinction matters: this was not a case of zero security. It was a case where baseline controls existed, but AI-specific and AI-coupled paths still left exploitable gaps.
JWT algorithm-confusion variants and tokens with escalated claims both received unauthorized responses, indicating that signatures were validated correctly and the token's own algorithm header was not trusted.
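The check that makes those probes fail is small enough to show in full. The following is an added example written for this page, not code from the assessed system: a stdlib-only HS256 verifier that pins the algorithm server-side and rejects any payload whose signature no longer matches, plus the two probe builders used to exercise it. The secret, the claim names and the HS256 choice are assumptions; a service using RS256 would pin that algorithm and verify with the public key in the same way.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical shared secret for this example; a real service loads it from a secrets manager.
SECRET = b"example-hs256-key-not-for-production"
EXPECTED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way the issuing service would."""
    signing_input = f"{_encode_json({'alg': EXPECTED_ALG, 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the token is a well-formed JWT signed with `key` under EXPECTED_ALG."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side. The header is attacker-controlled, so trusting
    # header["alg"] is exactly what lets alg=none or an RS256->HS256 swap through.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(s64)
    except ValueError:
        return None
    # The signature covers header and payload, so any re-encoded claim breaks it.
    if not hmac.compare_digest(expected, actual):
        return None
    try:
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


# Two probes of the kind the engagement ran, constructed here from a legitimate token.
def claim_escalation_probe(token: str, **changes) -> str:
    """Re-encode the payload with escalated claims but keep the original signature."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims.update(changes)
    return f"{h64}.{_encode_json(claims)}.{s64}"


def alg_none_probe(token: str) -> str:
    """Rewrite the header to alg=none and drop the signature."""
    _, c64, _ = token.split(".")
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{c64}."


if __name__ == "__main__":
    good = sign_hs256({"sub": "u1", "tenant_id": "t-alpha", "is_admin": False}, SECRET)
    print("legit:", verify_hs256(good, SECRET))
    print("claim escalation:", verify_hs256(claim_escalation_probe(good, is_admin=True), SECRET))
    print("alg=none:", verify_hs256(alg_none_probe(good), SECRET))
```

The verifier fails closed on every branch: malformed structure, unexpected algorithm, signature mismatch and non-object payload all return `None`, so the caller never sees partially trusted claims.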
Obfuscated prompt-injection variants (Base64, URL-encoded, homoglyph, zero-width, and ROT13) did not trigger canary disclosure, which is a meaningful positive control.
Telemetry noise and event-forgery attempts were rejected, limiting the risk of unauthenticated signal pollution.
Admin, debug, GraphQL, and version-drift probes produced 403 or 404 responses instead of accidental exposure.
Cross-tenant AI copilot session replay attempts were blocked, suggesting object ownership checks were present on those routes.
An SSRF-style probe through a persona LinkedIn field was rejected as invalid input rather than fetched server-side.
The evidence supports findings and recommendations, not verified closure. The remediation roadmap is therefore structured around full-chain risk reduction for AI systems.
Enforce server-side ownership checks for every generated artifact lookup, especially before issuing pre-signed URLs or returning cached report objects.
Reject unknown fields, strip privilege-style parameters, and ensure body-level routing data cannot override path-level or token-derived tenant context in generation workflows.
Rate limit generation endpoints, enforce per-tenant/per-user quotas, and set maximum safe payload envelopes before cost or latency spikes become attacker primitives.
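The three controls above are easiest to reason about as one request gate in front of the orchestration layer. The following is an added example written for this page, not code from the assessed product: tenant identity is taken only from already-verified token claims and checked against the path, the body is validated against an allowlist that refuses privilege-style fields such as `tenant_id`, `role`, `is_admin` and `bypass_quota` rather than silently stripping them, a payload envelope and bulk cap are enforced, a per-tenant fixed-window quota is consumed, and artifact lookups check ownership before a pre-signed URL is minted. The field names, limits, artifact registry, signing key and `storage.example` host are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed limits for the example; tune per deployment.
MAX_CONTEXT_BYTES = 32 * 1024   # payload envelope for the free-text context field
MAX_BULK_TARGETS = 50           # cap on a bulk-brief target list
QUOTA_PER_MINUTE = 10           # per-tenant generation requests per minute
ALLOWED_FIELDS = {"template", "context", "targets"}
PRIVILEGE_FIELDS = {"role", "is_admin", "tenant_id", "bypass_quota"}


class RequestRejected(Exception):
    pass


@dataclass
class TenantQuota:
    """Fixed-window counter keyed by the tenant from the verified token, never from the body."""
    limit: int = QUOTA_PER_MINUTE
    window_s: int = 60
    counts: dict = field(default_factory=dict)

    def consume(self, tenant_id: str, now: float) -> None:
        key = (tenant_id, int(now // self.window_s))
        used = self.counts.get(key, 0)
        if used >= self.limit:
            raise RequestRejected(f"quota exceeded for tenant {tenant_id}")
        self.counts[key] = used + 1


def validate_generation_body(body: dict) -> dict:
    """Allowlist schema: unknown and privilege-style fields are rejected outright, not stripped."""
    unknown = set(body) - ALLOWED_FIELDS
    if unknown & PRIVILEGE_FIELDS:
        raise RequestRejected(f"privilege fields not accepted: {sorted(unknown & PRIVILEGE_FIELDS)}")
    if unknown:
        raise RequestRejected(f"unknown fields: {sorted(unknown)}")
    context = body.get("context", "")
    if not isinstance(context, str):
        raise RequestRejected("context must be a string")
    if len(context.encode()) > MAX_CONTEXT_BYTES:
        raise RequestRejected("context exceeds payload envelope")
    targets = body.get("targets", [])
    if not isinstance(targets, list) or len(targets) > MAX_BULK_TARGETS:
        raise RequestRejected("targets must be a list within the bulk cap")
    return body


def handle_generation(claims: dict, path_tenant: str, body: dict, quota: TenantQuota, now: float) -> dict:
    """Gate one generation request. `claims` must come from a signature-verified token."""
    tenant_id = claims["tenant_id"]
    if path_tenant != tenant_id:
        raise RequestRejected("path tenant does not match token tenant")
    validate_generation_body(body)
    quota.consume(tenant_id, now)
    # Orchestration only ever receives the token-derived tenant; the body cannot influence routing.
    return {"tenant_id": tenant_id, "template": body.get("template"), "targets": len(body.get("targets", []))}


# Ownership check before issuing a pre-signed URL for a generated artifact.
SIGNING_KEY = b"example-url-signing-key"   # hypothetical; load from a secrets manager in practice
ARTIFACTS = {                               # constructed registry: artifact_id -> owning tenant and object path
    "rpt-100": {"tenant_id": "t-alpha", "path": "reports/t-alpha/rpt-100.pptx"},
    "rpt-200": {"tenant_id": "t-beta", "path": "reports/t-beta/rpt-200.pptx"},
}


def presign_artifact(claims: dict, artifact_id: str, now: float, ttl_s: int = 300) -> str:
    record = ARTIFACTS.get(artifact_id)
    # Same response for "missing" and "not yours" so the endpoint cannot be used to enumerate IDs.
    if record is None or record["tenant_id"] != claims["tenant_id"]:
        raise RequestRejected("artifact not found")
    expires = int(now) + ttl_s
    sig = hmac.new(SIGNING_KEY, f"{record['path']}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"https://storage.example/{record['path']}?expires={expires}&sig={sig}"


def rejects(fn, *args, **kwargs) -> bool:
    """True if the gate refuses the call; handy for probing the controls."""
    try:
        fn(*args, **kwargs)
        return False
    except RequestRejected:
        return True
```

The ownership check sits before the URL is signed, so a cached or previously generated report is never handed out on the strength of an artifact ID alone, and the allowlist means a body-level `tenant_id` is an error rather than an input.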
The authorization and tenant-isolation category covered cross-tenant report access, namespace drift, AI session ownership, request-field privilege injection, and JWT algorithm confusion. It produced the strongest confirmed breach in the run.
The prompt-injection and AI-workflow category tested direct and obfuscated prompt injection, system-prompt extraction, SSE response behavior, and cross-stage contamination through chained generation workflows.
The data-handling category probed malformed requests, generated-artifact leakage, classification drift, and metadata exposure. Most tests did not produce material disclosure.
In the telemetry category, event-forgery and noise-masking scenarios were attempted and rejected, indicating meaningful protection on observability inputs.
The resource-abuse category showed the clearest operational gap: expensive AI generation paths accepted large and concurrent workloads without observable throttling or quota gates.
Five chained scenarios were executed to test whether small weaknesses compound into bigger failures. One chain showed canary propagation; the others were blocked or degraded.
This assessment pattern is for builders and security leaders responsible for multi-tenant AI systems, generated customer artifacts, and enterprise buyer assurance.
It applies to products built around research reports, briefs, presentations, copilots, generated profiles, or any object whose business value comes from AI output tied to customer data.
It is especially relevant where compliance artifacts already exist but runtime AI behavior, orchestration, and tenant isolation have not been adversarially tested.
If a customer or attacker can trigger expensive LLM workflows without guardrails, the issue is both security and operations.
The output is actionable evidence: confirmed findings, blocked controls, and a remediation roadmap aligned to enterprise scrutiny.
If your product depends on AI-generated customer artifacts, tenant isolation, or expensive generation pipelines, we can test the places a standard VAPT will miss.