Budget: 1200 USD Deadline: 8 days
For an AI-integrated web app, the assessment needs two parallel tracks. The first is standard web/API testing covering auth bypass, IDOR, SSRF and injection chains. The second is AI-layer testing against OWASP Top 10 for LLM Applications 2025. On the AI side, the vectors that matter most are prompt injection (direct and indirect via stored user content), system prompt leakage, excessive agency if the model calls tools/APIs, and vector/embedding weaknesses if you use RAG. I test with Burp Suite Pro for the web layer, manual adversarial prompting plus custom scripts for the AI layer. Deliverable: severity-rated report with reproducible PoC per finding and remediation steps prioritized by risk. What's the tech stack? Specifically interested whether the AI component has tool-calling or external data retrieval, since that determines how wide the AI attack surface actually is.