AI Help Center

Know the threats.
Act before they land.

Frameworks, threat taxonomies, and practical guidance mapped to what Strix agents detect and prevent in real time.


OWASP Top 10 for LLM Applications

genai.owasp.org →

The ten most critical security risks for applications built on large language models. As organisations deploy AI across their operations, these are the attack surfaces adversaries are already exploiting.

LLM01
Prompt Injection
Crafted inputs that override an LLM's instructions, causing it to leak data, execute unintended actions, or bypass safety controls. Covers both direct injection and indirect injection through external content the model reads.
Strix angle: Our agents are architecturally isolated from the data they scan. They observe and correlate signals without accepting instruction from external inputs, eliminating the prompt injection surface.
LLM02
Sensitive Information Disclosure
LLMs revealing confidential data from their training set, system prompts, or connected data sources. Includes PII leakage, proprietary information exposure, and credential disclosure through model outputs.
Strix angle: Our Dark Web Agent monitors for your organisation's sensitive data surfacing in leak markets and forums, whether the source is an AI system or a traditional breach.
LLM03
Supply Chain Vulnerabilities
Compromised training data, poisoned pre-trained models, vulnerable plugins, and tampered model registries. The AI supply chain introduces new dependency risks that traditional security tooling does not cover.
Strix angle: Our Supply Chain Agent extends monitoring to AI dependencies: model repositories, training data pipelines, and third-party AI services your organisation relies on.
LLM04
Data and Model Poisoning
Adversaries manipulating training data or fine-tuning datasets to embed backdoors, biases, or vulnerabilities into models. The effects can be subtle and persistent, surviving across model versions.
Strix angle: Strix uses multi-agent correlation rather than single-model classification. Poisoning one model does not compromise the consensus across six independent agents.
LLM05
Improper Output Handling
Trusting LLM output without validation. When model responses are passed directly to backends, browsers, or other systems, they become vectors for injection, XSS, SSRF, and privilege escalation.
Strix angle: Our Surface Agent detects exposed application endpoints where LLM outputs interact with backend systems, flagging misconfigurations before they become exploitable chains.
LLM06
Excessive Agency
Granting LLM-based systems too many permissions, too broad access, or too much autonomy. When an AI agent can execute code, access databases, or call APIs without proper constraints, compromise of the LLM means compromise of everything it can reach.
Strix angle: Strix agents operate on the principle of least privilege. Each agent has read-only access to its intelligence domain. They observe and report. They do not execute actions on your infrastructure.
LLM07
System Prompt Leakage
Adversaries extracting the system prompt of an LLM application through carefully crafted queries. Leaked prompts reveal business logic, security controls, API structures, and sensitive configuration details.
Strix angle: Our reconnaissance agents scan for exposed AI endpoints, leaked configuration files, and API documentation that reveals system prompt patterns or internal agent architectures.
LLM08
Vector and Embedding Weaknesses
Attacks on retrieval-augmented generation systems through poisoned embeddings, manipulated vector databases, or adversarial documents that hijack RAG retrieval to inject malicious context.
Strix angle: As organisations adopt RAG architectures, we monitor for exposed vector database endpoints, unsecured embedding APIs, and data sources that could serve as injection points.
LLM09
Misinformation
LLMs generating false, misleading, or fabricated content that appears authoritative. In security contexts, this means false threat reports, incorrect remediation advice, or hallucinated vulnerability details that waste response time.
Strix angle: Every Strix advisory is cross-verified across multiple agents and validated against real-world signals before reaching your team. No single model output becomes an alert without corroboration.
LLM10
Unbounded Consumption
Denial-of-service through resource exhaustion: flooding LLM endpoints with expensive queries, triggering excessive token generation, or exploiting recursive tool calls that spiral compute costs.
Strix angle: Our Surface Agent identifies exposed AI endpoints and model-serving infrastructure that lack rate limiting, authentication, or usage controls before attackers weaponise them.

MITRE ATT&CK and ATLAS

atlas.mitre.org →

MITRE ATT&CK catalogues adversary tactics and techniques from real-world observations. MITRE ATLAS extends this to AI systems. Here are the techniques most relevant to what Strix monitors.

Reconnaissance
TA0043
Gathering information to plan an attack. Scanning for open ports, enumerating subdomains, harvesting email addresses, and identifying technology stacks. Every attack begins here. Strix runs the same reconnaissance continuously on your assets, finding what attackers would find before they get the chance.
Resource Development
TA0042
Setting up infrastructure for an attack: registering lookalike domains, acquiring credentials, creating phishing kits, and staging C2 servers. This happens days or weeks before the attack itself. Our Brand Agent detects lookalike domain registrations and phishing infrastructure the moment it appears, during the preparation phase.
Initial Access
TA0001
The first foothold: phishing, exploiting public-facing applications, using valid accounts obtained from credential dumps. This is where preparation meets execution. Credential monitoring and exposed-service detection reduce the attack surface available at this stage. Fewer open doors, fewer ways in.
Credential Access
TA0006
Stealing account credentials through brute force, credential dumping, keylogging, or purchasing them from dark web markets. Credentials are the most traded commodity in underground forums. The Identity Agent monitors breach dumps, paste sites, and closed Telegram channels for credentials tied to your domain in near real time.
ATLAS: ML Supply Chain Compromise
AML.T0010
Adversaries compromise ML model supply chains by poisoning training data, injecting backdoors into pre-trained models, or tampering with model registries and pipelines. Supply chain monitoring extends to AI dependencies. We watch for anomalous changes in vendor infrastructure that could signal a compromised pipeline.
ATLAS: LLM Prompt Injection
AML.T0051
Crafting inputs that cause large language models to ignore their instructions, leak system prompts, or execute unintended actions. Affects any organisation deploying LLM-powered tools. As an AI-native platform, Strix architecturally isolates agent reasoning from external inputs. Our agents observe, they do not accept instruction from the data they scan.
ATLAS: AI Model Theft
AML.T0044
Extracting proprietary models through API abuse, side-channel attacks, or direct theft of model weights. Valuable for competitors or for crafting adversarial attacks against the model. Exposure monitoring detects when model endpoints, API keys, or development infrastructure are inadvertently made public.
ATLAS: Evade ML Model
AML.T0015
Crafting adversarial inputs that cause ML models to misclassify or fail silently. Used to bypass AI-powered security tools, content moderation, and fraud detection systems. Strix uses multi-agent correlation rather than single-model classification. Evading one agent does not evade the pattern across all six.

Agentic AI in security

Agentic AI systems operate autonomously, making decisions and taking actions without waiting for human instruction at each step. In cybersecurity, this changes the tempo of both attack and defence. Here is how we use it.

Continuous
Always-on reconnaissance
Traditional scanning runs on a schedule. Once a quarter, once a month if you are diligent. Agentic systems run continuously, rediscovering your attack surface every cycle. The gap between scans is where attackers operate. We close it.
Autonomous
Multi-agent correlation
Six specialised agents operate in parallel across different intelligence domains: surface, brand, identity, data, supply chain, and prediction. No single agent sees the full picture. The correlation layer does. That is where weak signals become actionable intelligence.
Predictive
Threat forecasting
Agentic AI does not just detect what has happened. It scores adversary behaviour patterns and predicts what is likely to happen next. A new lookalike domain, a freshly leaked credential, and a staging server appearing on your surface are not three separate alerts. They are one attack being prepared.
Scalable
Analyst-level depth at machine scale
A human analyst investigates perhaps thirty alerts a day with real depth. An autonomous agent surfaces thirty thousand events in the same window, triages them, and escalates only what matters. The analyst's time goes to judgement, not enumeration.
Regional
Language and context awareness
Global threat feeds miss regional nuance. Our agents are trained on Balkan-specific threat patterns: Albanian-language phishing, regional infrastructure reuse, local sector targeting. Generic tools see noise. We see the signal.
Accountable
Human in the loop where it matters
Agentic does not mean unsupervised. The agents flag. The analyst decides. Every advisory issued, every escalation raised, every brief delivered is reviewed by a human before it reaches you. Autonomy in detection, human judgement in response.

What you can do today

You do not need a security operations centre to start reducing your exposure. These are the highest-impact actions for organisations in the Western Balkans, ordered by effort.

01
Know your surface
Run subdomain enumeration against your own domains. Check certificate transparency logs for certificates you did not request. Scan your public IPs for services that should not be there. If you do not know what is exposed, you cannot protect it.
02
Check your credentials
Search breach databases for your domain. If employee credentials appear, force a password reset and enable multi-factor authentication everywhere. Credential reuse is the single most exploited vulnerability in the region.
03
Kill the defaults
Change every default password. Remove every default page. Disable every service you are not actively using. Default configurations are the lowest-hanging fruit for automated scanners, and they are the first thing any attacker checks.
04
Monitor your brand
Search for newly registered domains similar to yours. Check for certificates issued for your brand name on infrastructure you do not own. Phishing infrastructure is assembled in the open days before the attack. The signals are visible if you look.
05
Audit your vendors
Ask your third-party providers about their security posture. Check whether their domains appear in breach data. A vendor compromise is your compromise. Supply chain risk is not abstract in a region where the same few providers serve multiple sectors.
06
Automate what you can
Manual checks neither scale nor last. If you cannot hire a full security team, use tooling that watches continuously. That is what Strix was built for: autonomous, always-on exposure management for organisations that cannot afford to look away.
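Steps 01 and 04 both come down to reading a certificate-transparency export and asking two questions: which certificates for your own domain cover hosts you do not recognise, and which certificates were issued for names that look like your brand. The script below is an added illustration, not Strix code; the feed is constructed in the shape of a crt.sh JSON export (`name_value`, `issuer_name`), the inventory of known hosts is made up, and the "last two labels" rule for the registrable domain is a simplification that ignores public suffixes such as `co.uk`.

```python
"""Triage a CT-log export: unknown hosts under your domain and lookalike registrations."""
import json

# Constructed sample feed in crt.sh JSON shape (not real log data).
CT_FEED = json.dumps([
    {"name_value": "www.example.com\napi.example.com", "issuer_name": "CN=R3,O=Let's Encrypt"},
    {"name_value": "staging-old.example.com", "issuer_name": "CN=R3,O=Let's Encrypt"},
    {"name_value": "examp1e.com", "issuer_name": "CN=R3,O=Let's Encrypt"},
    {"name_value": "example-login.net", "issuer_name": "CN=R3,O=Let's Encrypt"},
    {"name_value": "exmple.com", "issuer_name": "CN=R3,O=Let's Encrypt"},
    {"name_value": "unrelated.org", "issuer_name": "CN=R3,O=Let's Encrypt"},
])
KNOWN_HOSTS = {"www.example.com", "api.example.com"}  # assumed asset inventory

# Common visual substitutions; heuristic, so expect some false positives.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalise(label: str) -> str:
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    # Simplification: last two labels, no public-suffix list.
    return ".".join(host.split(".")[-2:])


def triage(feed_json: str, brand_domain: str, known_hosts: set) -> tuple:
    brand_label = brand_domain.split(".")[0]
    unknown, lookalikes = set(), set()
    for entry in json.loads(feed_json):
        for host in entry["name_value"].split("\n"):
            host = host.lower().strip().lstrip("*.")
            if host == brand_domain or host.endswith("." + brand_domain):
                if host not in known_hosts:          # step 01: cert you did not request?
                    unknown.add(host)
                continue
            label = normalise(registrable(host).split(".")[0])
            if brand_label in label or levenshtein(label, brand_label) <= 1:
                lookalikes.add(registrable(host))     # step 04: brand lookalike
    return sorted(unknown), sorted(lookalikes)


if __name__ == "__main__":
    print(triage(CT_FEED, "example.com", KNOWN_HOSTS))
```

Feed the same function a real export for your domain and a list of your inventoried hosts; anything in the first list needs an owner, anything in the second needs a registrar lookup.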
See where you stand.
We run a free Exposure Brief for SMEs and non-profits in the Balkan region. Passive scans only. No commitments. Results in 24 hours.