AI Security
I'm Pranav Saji, Head of AI Security at Symosis Security in the San Francisco Bay Area. I help enterprises secure AI and large language model systems - from prompt injection and agentic-AI threats to Model Context Protocol (MCP) security and AI red teaming.
Securing large language model applications against the OWASP LLM Top 10 - prompt injection, data leakage, insecure output handling, and model abuse.
Threat modeling autonomous AI agents: tool abuse, the lethal trifecta, excessive agency, and turning untrusted text into remote code execution.
Defending the AI tool-integration layer against tool poisoning, supply-chain attacks, and malicious MCP servers.
Hardening retrieval-augmented generation pipelines, vector databases, and the data that feeds enterprise AI.
Adversarial testing of AI systems to surface jailbreaks, injection paths, and failure modes before attackers do.
Translating the EU AI Act, executive orders, and emerging regulation into practical controls for high-risk AI systems.
In-depth analysis on the AI and LLM threat landscape by Pranav Saji.
Simon Willison named the pattern: an agent with private data access, exposure to untrusted text, and a way to send data out is exploitable by design. EchoLeak and GeminiJack turned that pattern into working attacks against Microsoft 365 Copilot and Google Gemini Enterprise. The fix is not a better prompt. It is removing one leg of the triangle.
Microsoft just traced two prompt injections in Semantic Kernel all the way to host-level code execution. One prompt launched calc.exe. Another wrote a payload to the Windows Startup folder and escaped the container sandbox. The takeaway is blunt: your LLM is not a security boundary, and the tools you expose define your attacker's reach.
One company torched roughly $500 million in AI spend in a single month, and the scary part is not the number. It is that nobody noticed until the invoice landed. An agent with no spending guardrail is the same design flaw as an agent with no access guardrail.
Two vulnerability classes disclosed in the last two weeks broke nearly every major AI coding agent at once. SymJack makes the approval dialog lie. TrustFall removes the human entirely. The problem is not one product. It is the trust model the whole category shares.
On June 2 the White House signed an order asking AI labs to submit frontier models for pre-release testing of their advanced cyber capabilities. You do not build an evaluation pipeline for a capability you think is hypothetical. The order is an admission. Enterprise defenders should read it as one.
Year one of an AppSec program feels productive: scanners deploy, champions emerge, dashboards impress leadership. Then around month thirteen the energy dissipates, the backlog stops shrinking, and the program hits a wall. Here is why it happens and how to plan for it.
MCP tool poisoning has gone from theoretical research to documented supply chain incidents affecting hundreds of thousands of deployments. With CVE-2025-54136 exposing remote code execution in Cursor IDE and confirmed registry poisoning across 9 of 11 MCP platforms, this is the most urgent unresolved attack surface in enterprise AI. Here is what it is, what has already happened, and how to actually defend against it.
The EU AI Act is now in full enforcement. If your AI system touches EU data or EU users, the obligations are real and the penalties are severe. Here's a practical breakdown of what compliance actually requires for high-risk AI deployments.
Deepfake-enabled fraud has moved from a theoretical concern to a category of attacks enterprises are actively defending against. Here's the current threat landscape, the real-world incidents that define it, and the detection and prevention strategies that actually work.
Large language models have fundamentally changed the attack surface for enterprise security. From prompt injection to model inversion, here's a practical breakdown of the threats that matter - and how to defend against them.
Retrieval-Augmented Generation has become the standard pattern for enterprise AI - but most teams are deploying it without understanding the security implications. Here's what's actually at risk and how to build RAG systems that are secure by design.
Pranav Saji is an AI security expert and AI Leader based in the San Francisco Bay Area. He is Head of AI Security at Symosis Security and a Machine Learning Consultant at LinkedIn, with over $50M in business impact across Fortune 500 clients and high-growth startups.
Pranav Saji specializes in LLM and application security, agentic AI security, Model Context Protocol (MCP) security, RAG pipeline security, AI red teaming, and AI governance. He publishes research on the LLM threat landscape and advises enterprises on deploying AI safely.
Pranav Saji is open to AI security collaborations, advisory roles, and speaking engagements. You can reach him through the contact page on pranav-saji.com or via LinkedIn.
Open to AI security advisory, collaborations, and speaking engagements.