Abstract

Akto’s Open Source LM Security tool will solve the following problems

• Prompt Injection Vulnerabilities
• Overreliance on LLM Outputs
• Insecure Output handling in LLMs
• Sensitive data exposure via LLMs

On average, an organization uses 3+ LLM models. Often most LLMs in production will receive data indirectly via APIs. That means tons and tons of sensitive data is being processed by the LLM APIs. Ensuring the security of these APIs will be very crucial to protect user privacy and prevent data leaks.

Akto’s Open Source LLM Security Testing solution addresses these challenges head-on.

By leveraging advanced testing methodologies and state-of-the-art algorithms, Akto provides comprehensive security assessments for GenAI models, including LLMs. The solution incorporates a wide range of innovative features, including over 60 meticulously designed test cases that cover various aspects of GenAI vulnerabilities such as prompt injection, overreliance on specific data sources, and more.

Our tool Akto focuses on solving the above problems by providing:

1. Provide automated LLM Security tests:
2. OWASP LLM Top 10 coverage - Akto can automatically test LLM (exposed via APIs) for critical vulnerabilities like Prompt Injection, Sensitive Information Disclosure, etc.
3. Fully customizable test suite - This feature enables users to modify existing tests or create their own.
4. Combine with business logic - The tests can be invoked as part of the application workflow (e.g., post-login, after support ticket creation, etc.)
5. Automate in your DevSecOps pipeline:
6. Run tests through CLI - Developers and security engineers can execute these tests through a single-line CLI.
7. Integrate with CI/CD - You can also add Akto to your CI/CD pipeline to automate the entire testing process.
8. Use LLMs to test LLMs - You can also use suggestions and prompts from other LLMs to test your LLM

This tool will be very interesting for:

• Application Security teams - it’s a one stop shop of LLM Security testing. Tests like prompt injection, overreliance will be especially interesting for them.
• Blue teamers/infra security - Getting an automated LLM API inventory and getting alerts for any new sensitive APIs. They can also get a view of all sensitive PII data being shared across all their services and across all their LLM APIs.