Cinder Security
AI Red Team as a Service

We break AI systems
before attackers do.

Offensive security testing for LLMs, chatbots, AI agents, RAG pipelines, and diffusion models. We find what's still burning when everyone thinks the fire is out.

Google VRP — 2 P2s Confirmed
Intigriti — Active Hunter
Huntr — Bounties Earned
GitHub Security Advisories
Google VRP — 2 Confirmed P2 Findings in Google AI Sample Repos
GHSA-m4rw-22q2-87j8 — ModelEngine SSRF via Prompt Injection — CVE Pending
GHSA-4fpw-hjmg-x4qr — LangGraph RAG Poisoning — CVSS 7.6
3 NVIDIA NeMo Guardrails Reports — Intigriti Triage
Fracture — Autonomous AI Red Team Engine — MIT License
OWASP LLM Top 10 Full Coverage + MCP Server Injection
Cinder Security Acknowledged in ModelEngine fit-framework v3.6.4
Responsible Disclosure — All Findings Reported to Vendors

AI is everywhere.
AI security is nowhere.

Organizations are deploying AI at unprecedented speed. But most have zero offensive security testing for their AI systems. The attack surface is massive and growing.

$4.8B: global AI red teaming market in 2025, projected $28.6B by 2034
88%: AI agents that fail to reach production; most ship untested
97%: attack success rate via fine-tuning backdoors on GPT-4 class models
<5%: companies deploying AI that have done any offensive security testing
$6: cost to fully compromise a model through fine-tuning API attacks

Research that ships.

Every number below is a real finding, a real vendor notified, a real patch shipped.

  • GitHub Security Advisories published (2026)
  • Google VRP P2 findings confirmed (Google AI repos)
  • Active vulnerability research cases (CSR-2026-*)
  • Vendors notified under responsible disclosure (2026)
  • Vendor security acknowledgments
  • OWASP LLM Top 10 + emerging vectors (full coverage)

Vulnerabilities we've disclosed.

Real-world findings from active research on production AI systems. All responsibly disclosed to vendors. All with reproducible proof-of-concepts.

CSR-2026-002
ModelEngine / fit-framework
SSRF via Prompt Injection — LangChain RequestsGetTool(allow_dangerous_requests=True) with no URL filtering lets an injected prompt point the agent's fetch tool at the cloud metadata endpoint (169.254.169.254) and steal IAM credentials.
Critical ✓ Patch live — CVE pending
GHSA-m4rw-22q2-87j8 · Vendor acknowledgment received
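As an added example (not Cinder Security's or the fit-framework project's code), this is the kind of URL gate the advisory above says was missing in front of the requests tool: it rejects any URL whose host is not globally routable, judged on the resolved address rather than the name string, so the metadata endpoint is blocked whether it is written as a literal IP, a decimal integer, or an internal DNS name. It is plain Python with no LangChain dependency; the resolver table is constructed sample data, and wiring `is_safe_url` into a specific tool wrapper is assumed rather than shown.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed resolver table so the demo runs offline; real use goes through resolve_host.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},  # internal name fronting the metadata IP
    "2852039166": {"169.254.169.254"},         # decimal form some resolvers accept
}

def resolve_host(host):
    """Real DNS lookup: the set of IP strings a hostname resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def fake_resolver(host):
    """Offline stand-in for resolve_host backed by the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host (constructed resolver)")
    return FAKE_DNS[host]

def is_safe_url(url, allowed_hosts=None, resolver=resolve_host):
    """Gate an agent-supplied URL before a request tool fetches it: rejects
    non-http(s) schemes, embedded credentials, hosts outside the optional
    allowlist, and any literal or resolved address that is not globally
    routable (loopback, RFC 1918, link-local such as 169.254.169.254)."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False
    if parsed.username is not None or parsed.password is not None:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    try:
        ipaddress.ip_address(host)
        addresses = {host}              # literal IPv4/IPv6 address
    except ValueError:
        try:                            # hostname: decide on what it resolves to,
            addresses = resolver(host)  # not on the name string itself
        except OSError:                 # socket.gaierror is an OSError subclass
            return False
    # Strip an IPv6 scope id ("fe80::1%eth0") before classifying each address.
    return bool(addresses) and all(
        ipaddress.ip_address(a.split("%", 1)[0]).is_global for a in addresses)
```

Calling the gate on the tool's input before every fetch, with a per-deployment allowlist, is the opposite of the unfiltered `allow_dangerous_requests=True` configuration the advisory describes.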
CSR-2026-007
LangGraph / LangChain
Indirect prompt injection via RAG poisoning — a single poisoned document hijacks a ReAct agent's tool calls, enabling persistent instruction injection across all subsequent interactions.
High — CVSS 7.6 ✓ Public advisory
GHSA-4fpw-hjmg-x4qr
CSR-2026-011
Google AI Sample Repository
Four confirmed attack vectors via unauthenticated UVICORN_HOST exposure in a Google-published AI sample repo. P2 confirmed by Google VRP.
P2 Confirmed ✓ Google VRP accepted
CSR-2026-009
Google AI Sample Repository
Unauthenticated endpoints enabling memory poisoning, data deletion, and file watcher injection in a Google ADK + Gemini agent. Re-escalation to P2 submitted.
P2 Escalation ⏳ Re-classification pending
CSR-2026-003
Insightify
Azure OpenAI API credentials exposed in plaintext config + allow_dangerous_code=True — enabling API key theft and arbitrary code execution via a single prompt.
Critical ⏳ Disclosure in progress
Active Research
NVIDIA NeMo Guardrails + Others
Ongoing vulnerability research across AI guardrail systems, MCP servers, and multi-agent frameworks. Multiple reports in triage on Intigriti. Additional advisories pending.
In Progress ⏳ Coordinated disclosure

Security Advisories.

Published GitHub Security Advisories, Google VRP findings, and CVEs from Cinder Security research.

Advisory              | CSR ID       | Target                    | Type                           | Severity        | Status
GHSA-m4rw-22q2-87j8   | CSR-2026-002 | ModelEngine fit-framework | SSRF + Prompt Injection        | Critical        | Patch live (v3.6.4)
GHSA-4fpw-hjmg-x4qr   | CSR-2026-007 | LangGraph / LangChain     | RAG Poisoning                  | 7.6 High        | Public
Google VRP #492510724 | CSR-2026-011 | Google AI Sample Repo     | Unauthenticated Exposure       | P2              | P2 Confirmed
Google VRP #491682094 | CSR-2026-009 | Google AI Sample Repo     | Memory Poisoning + Auth Bypass | P2 (escalation) | Escalation Pending
CVE pending           | CSR-2026-002 | ModelEngine fit-framework | CVE Assignment                 | Critical        | MITRE Pending
🛡️ Vendor Acknowledgment
"We would like to thank Cinder Security (Esteban Ramos) for responsibly disclosing the critical SSRF vulnerability in the FEL LangChain plugin (CSR-2026-002)."
— ModelEngine Group, fit-framework v3.6.4 release

Fracture — autonomous AI red team engine.

An open-source CLI framework for automated offensive testing of AI systems. Fracture runs structured attack campaigns — fingerprinting, extracting system prompts, poisoning memory, and escalating privileges through multi-turn psychological manipulation. Campaign registry, shadow replay, and full control center included.

Repository: cinder-security/fracture (v1.0.0-cli, Phase 4, Python, MIT license)
Modules: fingerprint, extract, memory, hpm, ssrf, retrieval_poison, obliteratus, campaign, shadow_replay

Full-spectrum AI offensive security.

We don't just scan — we think like attackers. Every engagement is tailored to your specific AI stack and threat model.


AI Penetration Testing

One-time security assessment of your AI systems. Every attack vector tested with reproducible proof-of-concepts, CVSS scores, and remediation guidance aligned to OWASP LLM Top 10.

One-time engagement

Continuous AI Red Teaming

Ongoing offensive testing as your AI evolves. Every model update, every new feature — we test it before your users find the gaps. Monthly retainer with prioritized findings via Fracture.

Monthly retainer

Diffusion Model Safety

Pre-launch safety red teaming for image generation models. NSFW bypass, CSAM filter testing, prompt injection on negative prompts, embedding-space attacks, and adversarial suffix evasion.

Pre-launch assessment

AI Security Training

Hands-on workshops for engineering and security teams. Learn to think like an AI attacker — from HPM psychological manipulation to RAG poisoning and MCP server exploitation.

Workshop

CinderGuard — your AI red team on autopilot.

24/7 autonomous red teaming for companies running AI agents in production. Fracture + CinderBot running continuous attack campaigns against your stack, surfacing vulnerabilities before they ship.

Continuous Campaigns

Automated attack campaigns run 24/7. New vectors tested on every deployment.

Real-Time Alerts

Instant notification when a new vulnerability is found. Severity-rated with PoC attached.

Monthly Executive Report

Board-ready security posture report. Trends, risk scores, and remediation progress tracked over time.

No Internal Team Required

Built for 50–200 employee companies without dedicated AI security teams. We are your team.

OWASP LLM Compliance

Every finding mapped to OWASP LLM Top 10. Audit-ready documentation included.

Shadow Replay

Re-run historical attack sessions against updated models. Verify your fixes hold.

$2,500 – $4,500/mo
Based on number of agents and attack surface scope

Transparent pricing.
No surprises.

Clear engagements with clear deliverables. Every assessment includes a professional report and debrief.

Starter: AI Security Assessment, $750 USD (one-time)
  • Up to 3 attack vectors tested
  • Reproducible PoC per finding
  • Professional PDF report
  • 30-min debrief call
  • Delivered in 5 business days
  • 50% upfront · 50% on delivery
CinderGuard (recurring): Autonomous 24/7 Red Team, from $2,500 USD/month
  • Continuous Fracture campaigns
  • Real-time vulnerability alerts
  • Monthly executive report
  • Shadow replay on every update
  • Dedicated CinderBot agent
  • No long-term commitment

Payment via Wise · Bank transfer · All engagements require signed scope document · NDA available

What we test.

The full attack surface of modern AI systems — from prompt-level exploits to infrastructure-level compromises.

Direct & Indirect Prompt Injection
Multi-turn Jailbreak Attacks
Psychological Manipulation (HPM)
System Prompt Extraction
RAG Pipeline Poisoning
Fine-tuning Backdoors & Data Poisoning
SSRF via AI Agent Tool Abuse
Tool & Function Call Hijacking
Multi-Agent Attack Chains
Model & API Key Extraction
Memory Poisoning in Persistent Agents
Guardrail & Safety Filter Bypass
MCP Server Injection
Diffusion Model Safety Evasion
Embedding-Space Adversarial Attacks

How we work.

A structured approach to finding what others miss.

01 Scope & Profile
Map your AI stack, identify attack surfaces, and define engagement rules.

02 Attack & Exploit
Execute targeted attacks across all vectors. Every finding includes a reproducible PoC.

03 Report & Remediate
Detailed security report with severity ratings, CVSS scores, and fix recommendations.

04 Verify & Harden
Re-test after fixes. Confirm vulnerabilities are resolved and defenses hold.

Ready to find out what's burning?

Get a free initial assessment of your AI security posture.

contact@cindersecurity.io