BY MICHAEL BERARDI:

Senior Managing Consultant at Avertium


Vulnerabilities are commonly viewed through the lens of frameworks like MITRE ATT&CK and ranked by CVSS scoring, and both are valuable tools. But when evaluating a CISO's security program, important attack paths can still be missed, either because a given test doesn't cover them, because the mapping and scoring don't reflect real-world impact, or because the work falls outside the engagement's scope and budget.

Understanding why that gap exists starts with recognizing that not all attacks behave the same way.


Deterministic vulnerabilities: known, mappable, and still dangerous

Deterministic vulnerabilities are baked into code, configuration, or design. A SQL injection flaw, a missing authentication check, or a deprecated protocol exists regardless of user behavior or environmental conditions. These findings show up in framework mappings, receive CVE numbers, and are reliably found across assessment types.

A classic web application penetration test is a prime example of where deterministic findings surface. Testing from an attacker's perspective, without the safety net of a WAF or other defensive layers, provides genuine insight into an application's attack surface. The distinction worth noting is that deterministic vulnerabilities tend to be discovered across multiple assessment types, but business logic vulnerabilities are different. Those are found through quality, manual penetration testing by someone who understands how an application is supposed to work and actively looks for ways to abuse it. AI-driven and automated scanners currently add little value in this area.

Network penetration testing (internal and external) similarly discovers deterministic findings: unpatched services, weak protocols, and misconfigured systems. Network testing also introduces the next category.


Opportunistic attacks: timing, position, and probability

Some attacks require conditions to align. Man-in-the-middle attacks during a network assessment are a good example: success may depend on whether traffic is flowing at the right moment, whether a target protocol is actively in use, or whether the tester can establish an advantageous network position. The vulnerability class exists, but exploitation is conditional.

Social engineering campaigns operate in this space as well, and they push the opportunistic nature even further. An objective-based phishing engagement can have all the right ingredients: an aged domain with a strong reputation, a customized or rewritten Evilginx deployment, and a compelling pretext. But even if the payload bypasses initial controls, it still requires a human to open the email, answer the phone, or respond to the message. The attacker is betting on human behavior, which makes the attack inherently opportunistic. Tightly time-boxed penetration testing engagements compound this challenge in both network and social engineering testing by limiting the number of conditions that can be explored.


Probabilistic attacks: the emerging variable

Testing large language models introduces a different problem entirely. A prompt injection attack that succeeds in one session may not reproduce consistently across others. The model's behavior is non-deterministic by design: responses vary with phrasing, context, prior conversation state, and model internals. This stands in sharp contrast to a deterministic vulnerability like SQL injection, where a confirmed payload works reliably. With LLMs, success rates, reproducibility, and scope of impact all lie on a spectrum, which creates unique challenges for both testers and defenders.
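The contrast between the deterministic SQL injection case above and the probabilistic LLM case can be made concrete by running the same reproduction harness over both. The following is an added example written for this article, not Avertium's tooling: it builds a constructed in-memory SQLite table, checks a string-concatenated query beside its parameterized fix, and stands in for an LLM endpoint with a constructed simulator that follows an injected instruction on only a fraction of sessions. The harness reports a success count, a 95% Wilson confidence interval, and a deterministic/probabilistic classification, which is the shape a probabilistic finding should take in a report instead of a binary found/not-found.

```python
import math
import random
import sqlite3


def _db():
    # Constructed sample table used by the deterministic check.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_concat(con, name):
    # Vulnerable form: user input is spliced into the statement text.
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_param(con, name):
    # Hardened form: input is bound as a parameter and never parsed as SQL.
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def sqli_check(rng):
    # Deterministic: a tautology in the name returns every row, on every run.
    return len(lookup_concat(_db(), "x' OR '1'='1")) > 1


def hardened_sqli_check(rng):
    # The same input against the parameterized query matches no rows.
    return len(lookup_param(_db(), "x' OR '1'='1")) > 1


def simulated_injection_check(rng, leak_probability=0.3):
    # Constructed stand-in for an LLM endpoint (hypothetical, not a real model):
    # the "model" follows the injected instruction in a fraction of sessions,
    # mimicking the non-determinism the article describes. A real harness
    # would send the probe to the application under test here.
    return rng.random() < leak_probability


def reproduction_rate(check, trials, seed=0):
    # Run one check repeatedly with a seeded RNG so results are repeatable.
    rng = random.Random(seed)
    successes = sum(1 for _ in range(trials) if check(rng))
    return successes, trials


def wilson_interval(successes, trials, z=1.96):
    # 95% Wilson score interval for a binomial proportion.
    if trials == 0:
        return (0.0, 0.0)
    p = successes / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def classify(successes, trials):
    if successes == trials:
        return "deterministic"
    if successes == 0:
        return "not reproduced"
    return "probabilistic"


def assess(name, check, trials=50):
    # Produce the record a tester would attach to the finding.
    s, n = reproduction_rate(check, trials)
    lo, hi = wilson_interval(s, n)
    return {"finding": name, "successes": s, "trials": n,
            "rate": s / n, "ci95": (round(lo, 3), round(hi, 3)),
            "class": classify(s, n)}


if __name__ == "__main__":
    for name, check in [("SQLi (concatenated query)", sqli_check),
                        ("SQLi (parameterized query)", hardened_sqli_check),
                        ("Prompt injection (simulated LLM)", simulated_injection_check)]:
        print(assess(name, check))
```

The SQL injection check reports 50/50 with a confidence interval pinned at 1.0, while the simulated LLM check lands somewhere between, with an interval wide enough to show how many more trials would be needed before the rate could be quoted with confidence. That interval, not the single observed success, is what a defender needs to judge exposure.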


Bridging the gap

The good news is that all three of these dimensions can be tested. Avertium achieves this with two focused offerings:

The Microsoft Adversary Assessment combines penetration testing with elements of adversary emulation drawn from red and purple team operations at a fraction of the time and cost of running both engagements separately. It's designed to help CISOs identify weaknesses across programs that leverage Entra ID, Azure, Microsoft 365, and on-premises Active Directory, assessing how those environments hold up against realistic attack chains, not just checklist findings.

In addition, the wave of agentic AI has made AI application penetration testing the newest focus when assessing an organization's attack surface. LLM-powered chatbots and search assistants are now commonly embedded within those applications, adding a probabilistic layer to an already complex risk profile. This new attack surface needs dedicated testing for findings that could impact an organization. Avertium's AI application assessments evaluate both traditional and emerging risks within an efficient, well-scoped engagement.

Avertium's Threat Labs (penetration testing) team brings nearly a century of combined experience to offensive security engagements. Whether the threat is an external actor targeting infrastructure, or the more challenging scenario of an insider threat, Avertium is here to help ensure the program a CISO has built is resilient against the full spectrum of how attacks actually behave.
