As organisations embed artificial intelligence into critical business functions, the systems that make those decisions become targets in their own right. BDO's AI Security Testing service applies rigorous, hands-on adversarial testing to AI systems, machine learning models, and the infrastructure that supports them, so that vulnerabilities are identified and addressed before malicious actors can exploit them.
What BDO's AI Security Testing Covers
AI Security Testing is the systematic identification, exploitation, and remediation of vulnerabilities within artificial intelligence systems, machine learning models, and their supporting infrastructure. BDO combines established cybersecurity methodologies with techniques built specifically for AI-related attack vectors, including adversarial examples, model inversion attacks, data poisoning, and neural network backdoors.
Traditional penetration testing alone cannot address the security challenges unique to modern AI systems. BDO's AI Security Testing goes further, examining how input data can be manipulated to cause misclassification, how sensitive training data can be extracted through membership inference attacks, and how model APIs can be exploited to reveal proprietary algorithms. Left unaddressed, these risks compromise model integrity, undermine privacy protections, and expose automated decision-making across critical business functions.
Delivering this work requires deep technical grounding in machine learning architectures, training methodologies, and deployment patterns. BDO's security professionals draw on expertise in gradient-based optimisation, neural network topologies, and statistical learning theory to assess AI system vulnerabilities accurately and recommend appropriate countermeasures.
BDO's AI Security Testing Methodology
BDO applies a structured, staged methodology to every AI Security Testing engagement:
- Stage 1: Define Objectives – BDO establishes AI system security objectives aligned with business requirements, regulatory compliance, and the client's risk tolerance for its machine learning applications.
- Stage 2: Define Technical Scope – BDO maps the AI system architecture, including data pipelines, model training infrastructure, inference engines, and API endpoints, to establish clear assessment boundaries.
- Stage 3: Application Decomposition – BDO performs detailed decomposition of the AI application, identifying model types, training datasets, feature engineering processes, and deployment patterns that affect security posture.
- Stage 4: Threat Analysis – Drawing on AI-specific threat intelligence, BDO identifies relevant attack vectors, including adversarial examples, model extraction, data poisoning, and privacy inference attacks applicable to the client's AI systems.
- Stage 5: Vulnerability Analysis – BDO's security analysts examine AI system components for known vulnerabilities, misconfigurations, and architectural weaknesses that could enable the threats identified.
- Stage 6: Attack Modelling – BDO develops detailed attack scenarios specific to the client's AI implementation, including attack trees for model compromise, data exfiltration, and system manipulation.
- Stage 7: Risk and Impact Analysis – BDO quantifies the potential impact of successful AI attacks on business operations, regulatory compliance, and competitive advantage, to help prioritise remediation efforts.
AI Infrastructure Security Assessment
BDO's infrastructure testing covers the complete AI development and deployment lifecycle:
- MLOps Pipeline Security – Assessing continuous integration / continuous deployment (CI/CD) systems for machine learning models.
- Model Registry Security – Evaluating version control systems, model storage, and access control mechanisms.
- Data Pipeline Assessment – Testing data ingestion, preprocessing, and feature engineering systems for vulnerabilities.
- Container and Orchestration Security – Securing containerised ML workloads and Kubernetes deployments.
Threat Model-Driven AI Risk Assessment
BDO's AI Security Testing engagements are grounded in the MAESTRO or PASTA threat modelling methodology, ensuring a systematic evaluation of machine learning systems:
- Business Context Analysis – Understanding the AI system's business objectives and identifying critical assets requiring protection.
- Technical Architecture Mapping – Comprehensive documentation of AI system components, data flows, and integration points.
- AI-Specific Threat Intelligence – Leveraging the MAESTRO or PASTA threat analysis framework to identify relevant adversarial machine learning attacks.
- Attack Surface Analysis – Systematic identification of AI system entry points and potential attack vectors.
- Risk Prioritisation – Quantifying the likelihood and impact of AI-specific threats using a risk analysis framework.
Advanced AI Attack Simulation
Building on the threat modelling foundations, BDO conducts sophisticated attack simulations tailored to each client's AI environment.
Prompt Injection and LLM Security
Large language models and generative AI systems require specialised security testing approaches:
- Prompt Injection Testing – Crafting malicious prompts that bypass safety filters and extract sensitive information.
- Context Manipulation – Exploiting context windows and attention mechanisms to influence model behaviour.
- Jailbreaking Assessments – Testing model alignment and safety mechanisms against adversarial inputs.
- API Security Testing – Evaluating ChatGPT, Claude, and custom LLM API implementations for vulnerabilities.
Hardening Reinforcement Learning Systems
Reinforcement learning systems require specialised testing methodologies due to their dynamic learning nature:
- Reward Hacking – Assessing whether agents can exploit reward functions to achieve unintended objectives.
- Policy Manipulation – Testing the robustness of trained policies against adversarial state modifications.
- Multi-Agent Security – Evaluating security in distributed reinforcement learning environments and game-theoretic scenarios.
- Safe Exploration Testing – Assessing safety mechanisms during agent training and deployment phases.
Privacy-Preserving AI Security
BDO's services include the assessment and implementation of privacy-preserving machine learning techniques:
- Differential Privacy – Implementing noise injection mechanisms to protect individual privacy in training data.
- Homomorphic Encryption – Enabling computation on encrypted data without decryption.
- Secure Multi-Party Computation – Facilitating collaborative learning without data sharing.
- Federated Learning Security – Securing distributed training while maintaining data locality.
Advanced AI Security Tools and Frameworks
Custom Attack Framework Development
BDO develops and deploys sophisticated tools for AI security assessment:
- Adversarial Example Generators – Custom tools for creating domain-specific adversarial inputs.
- Model Inversion Frameworks – Specialised software for extracting training data from deployed models.
- Gradient-Based Attack Tools – Implementing state-of-the-art optimisation techniques for model exploitation.
- Automated Vulnerability Scanning – Continuous monitoring systems for AI model security assessment.