Surface Scanner — Live Demo

Repo scan · acme-corp/acme-assistant-platform

Signals found: 112
Vendors resolved: 9
Adoption score: 84
Security score: 62
Risks flagged: 6
Shadow AI: 2

Vendor catalog resolution

6 vendors resolved from 112 signals

savvy-stacks v2

OpenAI · LLM provider · high · external · streaming, function_calling
LangChain · Agent framework · high · internal · tool_use, retrieval
Pinecone · Vector store · high · external · rag_pipeline
Guardrails AI · Guardrails · medium · internal · input_validation
HuggingFace · Model hub · medium · external · embedding
LiteLLM · LLM proxy · medium · internal · shadow_ai, unreviewed_sdk

RAG boundary analysis · from surface signals

SecEng RAG Test Harness

RAG Boundary Lens

Boundary planning, testcase generation, and evidence classification rendered from the same public-safe trace fixture.

RAG detected · Claim-ready preview

Boundary score: 72/100
RAG detected: Yes
Affected paths: 3
Top tests: 3

classifyRagEvidence

Evidence scorecard

fixture-driven

AuthZ pass: Pass (green). Retrieval gates are mostly aligned.
Context leaks: 0 (green). No leak-shaped signals surfaced.
Policy violations: 2 (amber). Policy language needs stronger enforcement.
Poisoned chunks: 0 (green). No poisoned chunk patterns detected.
PII / secret hits: 1 (amber). Redaction surfaced one or more hits.
Source provenance: 1 (amber). Source attribution and retrieval lineage need follow-up.

Missing boundaries

What still needs to be enforced

Tenant-scoped retrieval authorization
Chunk provenance tagging
Poisoned context quarantine

Top 3 tests

Highest-priority harness checks

1. Tenant boundary enforcement on retrieval
2. Provenance-preserving answer assembly
3. PII and secret bleed guardrail

Pipeline map

planRagBoundaries → generateRagTestcases → classifyRagEvidence

Surface inventory: 3 RAG paths mapped (done)
Boundary planning: 72/100 boundary score (done)
Testcase generation: 3 top tests queued (ready)
Evidence classification: 3 control paths found (ready)
Harness export: 5 config files ready (ready)

Suggested tests

4 items
Cross-tenant namespace escape regression
Poisoned chunk provenance rejection
Context leak after redaction and rerank
Prompt injection embedded in retrieved documents

Controls found

3 items
packages/governance/policies.ts
docs/ai/trace-runbook.md
apps/web/app/api/assistant/route.ts

Affected paths

3 items
packages/rag/index.ts
packages/rag/vector-store.ts
apps/web/app/api/assistant/stream.ts

seceng-rag / fixture-driven preview / claim-ready
seceng-rag/seceng-rag.config.json
seceng-rag/identities.json
seceng-rag/documents.json
seceng-rag/tests.json

The lens is public-safe and directional. It uses job-description intelligence and trace fixture signals to show where RAG boundaries need reinforcement, without exposing raw documents or private payloads.
