Akto for LLM chat endpoints

LLM chat endpoints expose conversational interfaces that accept user input and return generated text. These surfaces are attractive for probing because they often process untrusted content and integrate with backend tools or data sources. The scanner evaluates these endpoints using a tiered set of adversarial prompts that probe for prompt extraction, instruction override, and data leakage while remaining read-only.

The scanner runs 18 adversarial probes across three scan tiers: Quick, Standard, and Deep. These probes test for system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration techniques, cost exploitation, encoding bypasses such as base64 and ROT10, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction.

Findings are mapped to OWASP API Top 10 (2023) and supplemented with remediation guidance tailored to LLM interactions, such as tightening system instructions, constraining output formats, and validating input schemas.

The scanner does not perform active exploits that modify model behavior beyond read-only probes and does not execute destructive payloads. It does not detect business logic flaws that require deep domain understanding, nor does it assess blind SSRF where out-of-band channels are needed.

Because the scanner relies on predefined probes, novel jailbreak techniques or domain-specific prompt workflows may not be fully evaluated. It does not replace a human red team or a specialized LLM security assessment for high-risk deployments.

Authenticated scans support Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate ensures that only the domain owner can enable credentials, using DNS TXT records or an HTTP well-known file.

When credentials are provided, the scanner follows a strict header allowlist that includes Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach limits exposure while allowing assessment of protected chat endpoints.

Results are surfaced in the Web Dashboard, where findings can be triaged, tracked over time, and exported as branded compliance PDFs. The CLI provides JSON and text output for automation, and the GitHub Action can gate CI/CD pipelines when scores drop below configured thresholds.

For continuous monitoring, Pro tier schedules periodic rescans, highlights diffs between runs, and delivers email or HMAC-SHA256 signed webhook alerts. These capabilities help teams correlate findings with deployment changes and maintain a tighter security posture for LLM chat surfaces.