Authorized AI red teaming, RAG security testing, agentic workflow audits, and model supply-chain assessments for companies shipping production AI.
AI-native teams are deploying agents, RAG systems, memory layers, and model workflows at startup speed. Traditional security reviews rarely test the full trajectory: retrieval → tool call → memory update → action.
Cinder Security turns adversarial evidence into audit-ready findings, executive reports, and remediation guidance for teams deploying AI systems.
In May 2026, Cinder Security completed the AI challenge track in Hack The Box Global Cyber Skills Benchmark CTF 2026: Project Nightfall. These results are presented as controlled-environment evidence of technique viability, not as production vulnerability claims.
Controlled environment · Authorized testing · No production claims · Technique viability only
Public, vendor-visible AI security research handled through responsible disclosure. Operational exploit payloads and unsafe reproduction details are intentionally omitted from public materials.
Published security advisories and vendor-visible research from Cinder Security. Pending or non-public reports are excluded until they can be described accurately and safely.
| Advisory | CSR ID | Target | Type | Severity | Status |
|---|---|---|---|---|---|
| GHSA-m4rw-22q2-87j8 | CSR-2026-002 | ModelEngine fit-framework | SSRF + Prompt Injection | Critical | Patch Live — v3.6.4 |
| GHSA-4fpw-hjmg-x4qr | CSR-2026-007 | LangGraph / LangChain | RAG Poisoning | 7.6 High | Public |
An open-source CLI framework for safety-bounded offensive evaluation of AI systems. Fracture runs structured campaigns across RAG, agents, memory, tool use, and model workflows — producing evidence packages, severity mapping, and remediation guidance for authorized engagements.
cinder-security/fracture
Authorized testing for AI-native teams shipping agents, RAG pipelines, model workflows, and generative AI features.
One-time authorized assessment of your AI systems. Findings include reproducible evidence, severity mapping, and remediation guidance aligned to OWASP LLM Top 10.
Recurring safety-bounded testing as your AI evolves. Every model update, tool addition, and retrieval change can be evaluated before users encounter the failure mode.
Pre-launch safety evaluation for image generation models, including policy-bound prompt behavior, filter robustness, negative prompt handling, and adversarial-input resilience.
Hands-on workshops for engineering and security teams covering AI threat modeling, RAG security, tool-use risks, memory-state safety, and responsible disclosure workflows.
24/7 autonomous red teaming for companies running AI agents in production. Fracture + CinderBot running continuous attack campaigns against your stack, surfacing vulnerabilities before they ship.
Automated attack campaigns run 24/7. New vectors tested on every deployment.
Instant notification when a new vulnerability is found. Severity-rated with PoC attached.
Board-ready security posture report. Trends, risk scores, and remediation progress tracked over time.
Built for 50–200 employee companies without dedicated AI security teams. We are your team.
Every finding mapped to OWASP LLM Top 10. Audit-ready documentation included.
Re-run historical attack sessions against updated models. Verify your fixes hold.
Cinder Security works with AI startups and product teams deploying agents, RAG pipelines, model workflows, and generative AI features. Engagements are scoped privately, tested under explicit authorization, and delivered with executive-ready reporting.
Clear engagements with clear deliverables. Every assessment includes a professional report and debrief.
Payments are accepted only after written scope approval. All testing is authorized, defensive, and contract-bound. Stripe · bank transfer · NDA available.
The full attack surface of modern AI systems — from prompt-level exploits to infrastructure-level compromises.
A structured approach to finding what others miss.
Map your AI stack, identify attack surfaces, and define engagement rules.
Run safety-bounded adversarial tests across agreed vectors. Every finding includes evidence and business impact.
Detailed security report with severity ratings, AI-specific risk mapping, and fix recommendations.
Re-test after fixes. Confirm vulnerabilities are resolved and defenses hold.
Send us your scope. We will help you turn AI risk into a clear, authorized assessment plan.
contact@cindersecurity.io