Engagement basics
What does an AI pentest engagement actually cover?
The prompt and tool layer of your AI feature. Standard scope:
- Direct and indirect prompt injection across every untrusted input
- Jailbreaks and policy bypass — technique families, not the hot jailbreak of the week
- Data leakage — system prompts, retrieval indexes, training data, embedded credentials, other users' history
- Tool and agent abuse — coercing the model into invoking tools it shouldn't with arguments it shouldn't construct
- Output handling — XSS via assistant rendering, SSRF via agent fetches, prompt-to-SQL, prompt-to-RCE
- Prompt-layer supply chain — the system prompt, retrieval corpus, function specs, third-party tools
The exact attack surface is locked in during the scoping call and written into the SOW. Anything out of scope stays out of scope.
How long does an engagement take?
Most engagements take two to four weeks end-to-end. Roughly: a couple of days for the SOW, one to three weeks of hands-on testing depending on the surface, then about a week to write up the report. A targeted spot check on a single feature can wrap in a week; an enterprise engagement against an agent platform can run six.
How does pricing work?
Engagements are scoped per project — pricing depends on the surface, the depth of testing, and the report format you need. The scoping call is free; the SOW that follows it includes a fixed engagement fee with no hourly variability.
If pricing is the gating factor, say so on the intake form. I'll give you a defensible range before the call so you can decide whether to spend the 30 minutes.
What does the deliverable look like?
A written report, hand-written from the test artifacts — not generated by an LLM. It contains:
- Executive summary suitable for handing to a customer's security team or a SOC 2 auditor
- Scope and methodology, so the report is independently verifiable
- Findings, each with severity, reproduction steps, evidence, and remediation guidance
- Risk-rated summary table
- One round of remediation re-testing on the originally identified findings, included in the engagement
Format is PDF by default. If your auditor wants a specific template, send it during scoping and we'll work to it.
Can I see a sample report?
Yes. A redacted sample is available on request after the scoping call — mention it on the intake form and I'll bring a copy. Samples aren't public because they contain residual context from real engagements that we'd rather not put into search results.
Scope & technique
Will you test against my production system?
Preferred environments, in order: staging, a sandboxed production tenant, or production behind a feature flag scoped to a test account. Untargeted testing against live customer-serving production isn't something we run.
If staging meaningfully diverges from production (different model, different system prompt, different toolset), say so and we'll discuss a hybrid approach.
Does the model provider matter? GPT, Claude, open source, fine-tuned?
No. The methodology covers the prompt and tool layer regardless of which model you call. Frontier model, open-source local model, fine-tuned, distilled, hosted via vendor API or self-hosted — the attack surface that matters for your business is the same.
Do you cover agents, MCP servers, and RAG systems?
Yes — agents and tool-using systems are squarely in scope, including MCP-style tool servers, function-calling boundaries, and multi-step agent loops. RAG systems get covered both at the retrieval layer (corpus injection, retrieval poisoning) and at the model layer (the prompt that consumes the retrieved context).
Will you do red-team-style social engineering of our staff?
No — that's a different discipline and other firms specialise in it. Ferrok engagements stay focused on the AI feature's technical attack surface. If you need a broader red team, we can scope the AI portion and you can layer it under a wider engagement run by a generalist firm.
What if you find something critical mid-engagement?
You hear about it the same day — you don't wait until the report. Critical findings are reported immediately with enough detail to start patching, and the formal writeup happens later. The SOW spells out the disclosure flow up front so there are no surprises.
Legal & logistics
Do you sign an NDA?
Yes — mutual NDA is standard before scoping work begins, on either your paper or ours. Anything you share during scoping or the engagement stays confidential. The fact that the engagement happened isn't shared without explicit permission either.
Can I share the report with my customer's security team?
Yes. The report is written specifically to be handed to a third-party security reviewer or auditor — that's typically the point of doing the engagement. Distribution rights are spelled out in the SOW; the standard terms allow internal use plus targeted disclosure to your customers and auditors under their existing confidentiality obligations.
Can you contribute to a SOC 2 audit?
Yes. The report is structured to cover the evidence a SOC 2 auditor would expect for the AI portion of your environment — scope, methodology, findings, remediation, retest. Most auditors accept it as third-party penetration testing evidence. If your auditor has a specific format requirement, send it during scoping.
Can I hire Ferrok for follow-up consulting after the report?
If you want it. The engagement closes with the report and one round of remediation re-testing. Beyond that, ongoing security advisory work or larger remediation engagements are scoped separately. There's no obligation either way.
How do I get started?
Fill out the intake form on the home page — it takes about two minutes. I respond within one business day to set up a 30-minute scoping call. There's no obligation after the call; if Ferrok isn't the right fit I'll tell you and point you somewhere that is.