GitHub
Connected
Repositories
Workflows
Loading page...
Secure AI Agents.
Find how your agents break.
Fix what matters.
General Analysis helps security teams adversarially test, monitor, and protect AI agents and systems in production.
Platform snapshot
Connected sources
GitHub, cloud, LLM providers
Discovered surface
Models, MCPs, KBs, tool schemas
Active review queue
High-risk agent paths surfaced
Connected Integrations
Discovered Assets
· 6 of 297filter…
AssetTypeRegionSeenStatus
gpt-4o-mini
OpenAI
claude-3-5-sonnet
Anthropic
s3://prod-knowledge
AWS
monorepo-ai
GitHub
mcp · jira
AWS
iam · prod-vault
AWS
built by experts from
Featured in
Tansive
How-To
Runtime defense against Supabase prompt injection
Tansive's blog builds on our research and implements a working defense against the Supabase MCP exploit using its open‑source AI‑agent runtime. The article recaps how an attacker's support‑ticket prompt tricked Cursor's AI into leaking the `integration_tokens` table, then demonstrates how Tansive enforces role‑based policies and input constraints to block such queries. Detailed examples show policies that restrict `execute_sql` capabilities, configure per‑role MCP endpoints and generate tamper‑evident audit logs.
Read
Simon Willison
Blog Feature
Exfiltration via the lethal trifecta
AI blogger Simon Willison flags a dangerous combination he calls the “lethal trifecta” – granting an AI agent access to private SQL data, exposing it to untrusted user content and giving it a way to communicate externally. He points to our Supabase MCP attack where a support ticket contained hidden instructions telling the model to read the `integration_tokens` table and insert the secrets back into the ticket, which the agent obediently did. The post is a warning that agents with `service_role` privileges and no sense of context boundaries can be tricked into exfiltrating entire databases.
Read
The Primeagen
Video Feature
Supabase prompt injection walkthrough
This video walks through our Supabase MCP exploit. A malicious support‑ticket instructs Cursor’s AI assistant to `SELECT` all rows from a sensitive `integration_tokens` table and `INSERT` them back into the ticket. Because the agent runs with a full `service_role` key that bypasses Row‑Level Security, it dutifully leaks every secret token. The walkthrough shows the attack flow and explains why untrusted inputs plus over‑privileged agents equal catastrophic data leaks.
Read
Weights & Biases
Case Study
Defending against prompt injection
Weights & Biases builds on our Supabase research to show how prompt‑injection attacks abuse the Model Context Protocol. It reproduces the exfiltration and then outlines layered defenses: issuing minimal‑scope credentials, using a gateway to enforce per‑table policies, running MCP servers in read‑only mode to eliminate write‑based exfiltration, filtering untrusted inputs and sandboxing model outputs. The article calls our post an outstanding piece of research and highlights why MCP servers must adopt defense‑in‑depth.
Read
GitHub
Open Source
The Jailbreak Cookbook repository
General Analysis’s open‑source "Jailbreak Cookbook" collects dozens of jailbreaks and prompt‑injection techniques along with unified infrastructure to run them. The blog post introducing it notes that we provide implementations for most listed jailbreaks in a single repo and supply full documentation for researchers and red‑teamers. It’s a reference library and playground for anyone building AI security tools.
Read
Together AI
Partnership
Stress‑testing open models with GA
Together AI announces a partnership with General Analysis to stress‑test open‑source language models. The post explains that GA’s programmable red‑teaming framework probes models across prompt‑injection, jailbreak and targeted‑failure scenarios, revealing concrete vulnerabilities and mitigation strategies. Running campaigns on Together’s high‑throughput inference API allows evaluations that process tens of billions of tokens, and GA’s open‑source library now natively supports Together’s endpoints.
Read
Apideck
Security Brief
The security landscape of MCP
Apideck’s industry‑insights blog surveys the state of Model Context Protocol security in 2025. It highlights real‑world vulnerabilities—prompt injection, tool poisoning, over‑privileged access and token leakage—and cites exploits observed in GitHub, Supabase and other servers. The post emphasises that attackers can hijack an AI’s behaviour, exfiltrate data or trigger malicious actions through MCP connections and explains how a new OAuth 2.0‑based specification aims to tighten authorization.
Read
Pomerium
Zero Trust
Lessons from the Supabase leak
Pomerium’s write‑up dissects our Supabase MCP incident as a classic confused‑deputy problem. An LLM agent running with the full `service_role` key ingested a malicious support message and executed the embedded SQL to select every row from the `integration_tokens` table and write them back to the ticket. Because Row‑Level Security is bypassed by service keys, no permission checks stopped the leak. The article urges using least‑privilege credentials, read‑only MCP servers and gateway‑enforced policies to prevent similar breaches.
Read
Composio
Playbook
MCP vulnerabilities every developer should know
Composio details multiple classes of MCP vulnerabilities and emphasises that simple guardrails aren’t enough. It warns that malicious tool descriptions can silently inject harmful prompts, many servers lack proper OAuth handling, supply‑chain risks are underestimated and real‑world failures like the Supabase lethal‑trifecta attack and Asana and mcp‑remote command‑injection flaws have already happened. The article encourages developers to vet third‑party tools and follow the new MCP security spec.
Read
Max Planck
Reference
Capability‑based scaling laws for LLM red‑teaming
Researchers at the Max Planck Institute model red‑teaming as a function of the capability gap between attacker and target models. Their study evaluates over 500 attacker–target pairs using LLM‑based jailbreak attacks and observes that more capable models are better attackers, while attack success drops sharply once the target’s capability exceeds the attacker’s. The paper derives a scaling law predicting attack success based on this capability gap and discusses how fixed‑capability attack models may become ineffective against future models.
Read
Oso
Blog Feature
Why LLM authorization is hard
Oso uses the Supabase exploit to explain why LLM authorization is challenging. It notes that the attack hinged on three issues: accepting untrusted input, conflating instructions with data and using an over‑privileged database account. The post argues that prompt‑injection detection is extremely hard and urges designers to narrow effective permissions and prevent AI agents from reading sensitive tables in the first place.
Read
Alpha Insights
Perspective
MCP servers: read‑only is non‑negotiable
Alpha Insights argues that MCP servers must default to read‑only. After the Supabase incident it notes that Supabase’s documentation now recommends read‑only mode by default and explains that 43 % of production MCP servers have command‑injection vulnerabilities. The article explains how MCP servers should act as views, not controllers: allowing only SELECT queries prevents attacks from dropping or modifying tables. It concludes that combining privileged access, untrusted input and an exfiltration channel—the lethal trifecta—creates a backdoor.
Read
ivision Research
Security Talk
AI gets a library card: security ramifications of MCP
ivision’s presentation on Model Context Protocol security explains that AI context consists of system prompts, conversation history, tool calls and user messages, and that mixing these channels can expose sensitive data. It highlights Simon Willison’s lethal‑trifecta framework—access to private data, external communication and untrusted content—and uses the Supabase ticketing example where a malicious message told an `execute_sql()` tool to fetch integration keys, completing all three elements. The talk urges practitioners to test MCP servers rigorously and avoid configurations that combine the trifecta.
Read
The CyberWire
Show Notes
FAIK Files episode notes on jailbreaks
Show notes for The CyberWire’s FAIK Files episode link to our technical breakdown of the iMessage Stripe exploit. In that attack, Claude was jailbroken to mint unlimited Stripe discount coupons; the podcast notes direct listeners to our General Analysis post for the full details.
Read
Agent Systems
Every action leaves a path.
General Analysis maps those paths before attackers do.
How It Works
Discover. Analyze. Red-team.
Discover
See every model, MCP, KB, tool, and permission in your stack
Connect cloud, code, docs, and agent infrastructure. We extract the full inventory of AI assets across your environment so nothing slips through the cracks.
Discover
01GitHub connected
02LLM providers connected
03Cloud runtime connected
24 models discovered
Data sources
LLM Providers
Connected
System prompts
Tool schemas
OpenAIAnthropicGoogle
Cloud & Runtime
Connected
Cloud logs
Identity & access
awsgcpk8s
Ingesting & normalizing
Securely ingesting and normalizing telemetry from your tools.
Discovered surface
Analyze
Catch AI-specific risks static checks miss
Unverified MCPs, autonomous agents holding production credentials, uncensored models, over-permissive IAM roles — surfaced with concrete evidence and mapped to OWASP LLM Top 10.
Analyze
01Unsafe model from Hugging Face
02Unofficial MCP server
03Lethal trifecta path detected
18 risks found
Scan in progress
$ ga scan --workspace prod-ai --scope all
[12s] discovering model endpoints
[19s] mapping MCP tools and permissions
[26s] checking runtime exposure
Coverage14%
Risks identified
normalized scan
Unsafe model from Hugging Face
mistralai/Mixtral-8x7B-Instruct-v0.1
Risky model detected: DeepSeek
deepseek-ai/deepseek-chat
Unofficial MCP server
mcp://community-weather-server
Over-permissive tool schema
filesystem.write + external_request
Lethal trifecta path detected
Prompt injection · Tool misuse · Data exfiltration
0 risks foundView all risks
Red-team
Find out what attackers can actually exploit
Launch hundreds of adversarial simulations against any agent system, with OWASP threat tags as targets. Watch in real time what your AI can be coerced into doing.
Red-team
01Prompt injection
02Tool misuse
03Sensitive retrieval attempt
7 exploit chains confirmed
Attack simulation
$ ga redteam --target support-agent --scenario exfiltration
360 generated campaigns across models, MCPs, and runtime permissions
Attempts
42
Paths
7
Exploit path
confirmedPrompt injection
support ticket
Tool misuse
untrusted MCP
Data access
private KB
Exfil attempt
blocked egress
Injected policy override recovered from ticket body
Agent selected untrusted MCP server with network access
Sensitive retrieval attempted before outbound tool call
LatestWork
Newsletter
Get the next research note.
Short updates on agent attacks, red-team methods, runtime guardrails, and production AI security.
Occasional updates. Unsubscribe anytime.