u/Emergency_One_3557

What is LLM penetration testing and which vendors offer it as a managed service?

been seeing "llm penetration testing" come up more in security conversations at work and just trynna understand what it covers before committing to any vendor.
from what i can tell it's not just running prompts at a model and seeing what breaks. thou the part that worries me most is the agent surface, tool calls firing with more access than the task needs, or the agent getting talked into an action by an indirect prompt injection buried in retrieved content. then there's also sensitive data leaking out the other side, not from anything the base model memorized but from the retrieval context or whatever the agent can reach.
what i can't tell though is how much of this is manual red teaming vs automated scanning, or whether you can get llm security testing as an ongoing managed service rather than a one-time engagement.
we've got a couple of internal llm tools, yes a rag assistant and an agent wired into some internal apis, and i want to know how exposed we are to this stuff before something goes wrong, not after.

my question is if you've had an llm pen test done or run one yourself, what did it surface that your regular appsec or api review missed?

reddit.com
u/Emergency_One_3557 — 5 days ago

Where do you draw the line between fully onboarding a legacy app into IAM and accepting it as a documented exception?

After our last access review, we started trying to tighten up identity across the whole application estate, not just the modern SaaS that already speaks SAML/OIDC, but the older stuff too. And the pricing model is actively working against us. "Enterprise SSO" has started to feel like a tax bracket. For modern SaaS, you pay extra just to flip SAML on. For legacy apps, you pay again, in engineering time or extra tooling, just to make them visible to the IdP at all.

The genuinely painful part is the long tail. Custom, legacy, and internal apps that don't talk SAML/OIDC, don't have a decent connector, and definitely don't show up in your IGA the way the slideware promised. You can wrap some of them in identity-aware proxies or ZTNA-style access, but that still doesn't fix provisioning, deprovisioning, or access reviews. They stay partially managed at best, which is precisely where the risk hides.

Right now we're juggling three worlds at once: IdP-native SSO for the well-behaved apps, reverse proxies or ZTNA for some legacy web apps, and a pile of disconnected desktop and thick clients where auth is still local or bolted onto ancient LDAP. For a subset of those, the only "governance" we have is manual access tracking in spreadsheets, because there's no realistic path to refactor them this year.

So here's my real question for anyone who's pushed past the low-hanging SaaS. Where did you draw the line between "we invest the time to fully onboard this legacy app into the IAM stack" and "we accept it as an exception with documented manual controls"? What actually made an app worth the full onboarding cost versus signing off on the risk?

reddit.com
u/Emergency_One_3557 — 6 days ago

I think this is something no one really talks about enough, but applying for scholarships is way more repetitive than I expected.

I've applied to 7 so far over the past couple of weeks, and I feel like I've told the same story about myself 7 different times.

Every application asks some variation of the same questions. Tell us about your background. Your goals. Why you deserve this. How this will impact your future.

At first, I tried to write everything fresh, but that got exhausting quickly. So I started reusing answers, which helped a bit, but even then I still spend around 30 40 minutes per application editing and adjusting everything to fit the prompt.

And after doing that a few times, something weird happens. Your answers start to feel less genuine. Not because you are lying, but because you've rewritten them so many times that they start sounding robotic.

I'll read something I wrote and think this sounds like what they want to hear, not this sounds like me.

It's also mentally draining in a different way. It's not hard work, it's just repetitive work that slowly wears you down.

I don't mind putting in effort, but it feels like there should be a more efficient way to reuse your information instead of constantly reworking the same content.

How do you guys deal with this without losing your mind or your authenticity in the process?

reddit.com
u/Emergency_One_3557 — 2 months ago