Frequently Asked Questions
If yours isn't here, email security@centuri-ai.com.
Is this the same as a traditional penetration test?
No. Traditional pentesting checks your locks. We check your personality. Most AI failures aren't code bugs; they are social engineering vulnerabilities inherent in the LLM. If your pentester doesn't understand high-contrast prompt injection, they are wasting your time.
Do you need access to our systems or codebase?
No. We interact with your AI the same way a real user or attacker would — through the interface. We don't need credentials, backend access, or source code unless the engagement scope specifically calls for it.
How long does an engagement take?
Most standard security audits are completed within 5–10 business days from scope agreement. Larger or more complex deployments may take longer. We'll give you a clear timeline before work begins.
Will the testing disrupt our live AI or our customers?
Zero disruption. Testing is conducted within agreed parameters using adversarial probes that look like normal user interactions. You keep shipping; we keep attacking.
What does the report actually look like?
You get a plain-English findings report. For each vulnerability, it gives a description, the exact attack that triggered it, a severity ranking, and a clear remediation recommendation. No jargon, no fluff. A sample report is on the homepage.
What happens after we get the report?
You take the findings to whoever manages your AI — your vendor, developer, or internal team. We can also assist with remediation directly depending on your engagement tier. After fixes are applied, a re-test is available to verify the vulnerabilities are closed.
How much does it cost?
Centuri is an investment in Permission to Ship. Our engagements are fixed-scope and outcomes-based. We don't bill hours; we deliver certainty. Contact us for a quote tailored to your deployment volume.
Is my data and report kept confidential?
Yes. All engagement details, findings, and client information are strictly confidential. We do not share, publish, or reference client work without explicit written consent. See our Privacy Policy and Terms of Service for full details.
Do you work with AI tools we didn't build ourselves?
Yes — that's most of our clients. If you're using a third-party chatbot, a vendor-supplied AI assistant, or a no-code automation tool with an AI layer, we test it exactly as an end user would. You don't need to have built it yourself.
What types of attacks do you actually run?
We run prompt injection, persona override, authority framing, social engineering, system prompt disclosure, cross-session data leak, workflow manipulation, and jailbreak attempts — among others. The exact test suite is scoped to your AI's role and capabilities.
Do your assessments help with compliance obligations?
Our assessments surface risks that are directly relevant to several major compliance frameworks. We don't certify compliance — but the findings give you documented evidence of due diligence on AI risk, which matters to auditors, legal teams, and boards.
- OWASP LLM Top 10 — Our test suite maps directly to the OWASP LLM Top 10, the industry-standard framework for large language model security. We cover prompt injection, sensitive information disclosure, insecure output handling, excessive agency, and overreliance, among others.
- HIPAA — For healthcare clients, we specifically test whether your AI can be manipulated into disclosing protected health information (PHI) or bypassing patient data boundaries — a documented HIPAA risk area.
- SOC 2 — Our assessments address the security and confidentiality trust service criteria. AI that leaks data or can be manipulated to bypass access logic is a direct SOC 2 concern.
- GDPR — We test whether your AI can be prompted to expose personal data it shouldn't — a data protection risk relevant to any business handling EU resident data.
If your team needs documentation of the specific tests run and findings for a compliance review, that is included in every engagement report.
Why shouldn't we just do this internally?
Because you can't grade your own homework. Internal teams are incentivized to ship on time, not to find the one hallucination that costs you $10M. Centuri provides the independent 'Board-Ready' audit that stakeholders use to verify the risk.
Still have questions?
We respond to every inquiry within one business day.