SecEng RAG Test Harness Analyzer
Paste your RAG pipeline config as JSON and get deterministic security findings — no LLM required. Checks retrieval authorization, tenant isolation, provenance, over-retrieval, and document poisoning controls.
- Retrieval authorization: authorization-aware retrieval, user context, document-level ACL
- Tenant isolation: shared index risks, application-only filtering weaknesses
- Document provenance: source trust, content hash, staleness policy
- Over-retrieval: chunk limits, sensitive context exposure
- Export findings as JSON or Markdown
- 10 security rules: across 6 categories
- Structured JSON input: paste pipeline config directly
- OWASP LLM Top 10: LLM02, LLM06 mapped
- No LLM calls: fully deterministic
Pipeline configuration

Pipeline
- Name
- Owner
- Description
- Environment

Retrieval Policy
- Authorization-aware: retrieval filters enforce user/tenant permissions
- Tenant-scoped: retrieval is scoped to the requesting tenant
- Metadata filtering: metadata fields constrain vector search
- Source trust filtering: filters out untrusted or unverified sources
- Provenance required: retrieved chunks carry origin metadata
- Max chunks
- Staleness policy

Vector Store
- Provider
- Index / collection name
- Tenant isolation mode
- Access control mode
- Metadata filter fields: comma-separated field names used in authZ filters
- Encryption at rest
- Stores sensitive data
- Stores customer data
Next step
Need a full RAG security review?
We assess RAG pipelines end-to-end: retrieval design, authorization architecture, tenant isolation, prompt injection defenses, and evidence for compliance.