Are We Summoning a New Class of Cyberthreats?


Posted on by Ilkin Javadov

Few recent technological advancements have few recent technological advancements have been as transformative in extending our access to and processing of information as LLMs extending our access to and processing of information, like LLMs [especially those equipped with Retrieval-Augmented Generation (RAG)]

Instant insights, better assistants, fluid connections to internal knowledge — this all feels like a step change. But under the surface, there’s a rising concern: are we unlocking a new door to a new breed of cyberthreats?

The logic of LLMs isn’t deterministic like traditional software. These models generate responses based on probabilities, patterns, and subtle context cues—which makes them unpredictable. And unpredictability in security is always a red flag.

In a recent red-team exercise, we tested a RAG-based system linked to an internal knowledge base. By injecting carefully crafted but seemingly benign text into the retrieval layer, we were able to influence what the model retrieved—and how it responded. The result? It disclosed architectural details that no prompt should have triggered. There was no vulnerability in the code, no misconfigured access control. It was a quiet leak, engineered through context.

Attacks like these don’t leave behind traditional indicators. No malicious IPs, no suspicious scripts. Just language—used in a way the model wasn’t designed to defend against. And that’s the issue. We’re dealing with semantic vulnerabilities now, not just technical ones.

These new systems create a different kind of attack surface. Instead of exploiting memory or code, attackers are exploiting relevance, ambiguity, and assumptions. Context poisoning, subtle prompt chaining, and inference-based leaks are no longer theoretical. They’re real and increasingly effective.

The problem is our current security tools aren’t equipped to detect or stop this. Firewalls can’t see how a model reasons. SIEMs can’t log hallucinated output. Even red-teamers have to rethink their approach—because breaking an LLM isn’t about access, it’s about influence.

If we want to secure the future of AI, we need to treat LLMs not just as tools, but as active entities in our threat models. That means new layers of defense: prompt firewalls, context sanitization, and real-time monitoring of model behavior. It also means embracing AI-specific red teaming—not to break the system, but to understand its limits before someone else does.

We’re not just building smarter systems. We’re summoning something entirely new—something powerful, unpredictable, and, if left unchecked, dangerous.

Let’s not wait for the first major AI-driven breach to take this seriously. The threats are already here. The only question is whether we're paying attention.

Contributors
Ilkin Javadov

Senior Penetration Tester, G&G Consultancy

Hackers & Threats Machine Learning & Artificial Intelligence

Artificial Intelligence / Machine Learning hackers & threats

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs