Skip to content

Red-Teaming a Customer-Facing GenAI Assistant

Adversarial testing of a retail bank's customer-facing GenAI assistant before a national rollout.

Financial ServicesCritical prompt-injection paths closed pre-launch

Client profile

A retail bank preparing to launch a customer-facing generative AI assistant integrated with account and product systems.

The challenge

The assistant connected a large language model to sensitive customer data through a retrieval pipeline and several internal tools. Leadership needed independent assurance that it could not be manipulated into leaking data or taking unauthorised actions before a national rollout.

What we did

  • Mapped the full GenAI architecture, trust boundaries, and data flows.
  • Ran direct and indirect prompt-injection campaigns against the assistant and its retrieval pipeline.
  • Tested tool-calling and output handling for excessive agency and data leakage.
  • Benchmarked findings against the OWASP Top 10 for LLM applications.

What we found

  • Indirect prompt injection through retrieved documents could override system instructions.
  • Insufficient output validation allowed sensitive context to surface in some responses.
  • Tool permissions were broader than the assistant's actual use cases required.

The outcome

All critical and high findings were remediated and re-tested before launch. The bank shipped with hardened guardrails, least-privilege tool access, and a repeatable testing process for future model changes.

They tested our GenAI assistant the way an attacker would, not the way a checklist would. The findings changed how we ship.
Head of Security, Financial Services

Book a Free 60-Minute Briefing

A scoping discussion and threat-landscape overview with our ANZ specialists. No sales pressure.

Book a Briefing