GitHub
Connected
Repositories
Workflows
Loading page...
General Analysis raises $10MStop guessing.
Modelus-east-12d agoReviewModelus-east-15d agoOKKnowledgeus-west-21h agoHigh riskRepoorg/general12h agoOKMCPeu-central3h agoHigh riskPermission12 roles2d agoHigh risk 
HIGHHIGHMEDIUMMEDIUMCRITICAL There are no patches.
Empirical AI security.
Stop guessing.
Start measuring.
General Analysis helps security teams adversarially test, harden, and observe AI agents in production.
01 / DiscoverLive view
Connected integrations01
Asset inventory02
Permission context03
Connected Integrations
Discovered Assets
· 6 of 297filter…
AssetTypeRegionSeenStatus
gpt-4o-mini
OpenAI
claude-3-5-sonnet
Anthropic
s3://prod-knowledge
AWS
monorepo-ai
GitHub
mcp · jira
AWS
iam · prod-vault
AWS
built by experts from
Tansive
How-To
Runtime defense against Supabase prompt injection
Tansive's blog builds on our research and implements a working defense against the Supabase MCP exploit using its open‑source AI‑agent runtime. The article recaps how an attacker's support‑ticket prompt tricked Cursor's AI into leaking the `integration_tokens` table, then demonstrates how Tansive enforces role‑based policies and input constraints to block such queries. Detailed examples show policies that restrict `execute_sql` capabilities, configure per‑role MCP endpoints and generate tamper‑evident audit logs.
Read
Simon Willison
Blog Feature
Exfiltration via the lethal trifecta
AI blogger Simon Willison flags a dangerous combination he calls the “lethal trifecta” – granting an AI agent access to private SQL data, exposing it to untrusted user content and giving it a way to communicate externally. He points to our Supabase MCP attack where a support ticket contained hidden instructions telling the model to read the `integration_tokens` table and insert the secrets back into the ticket, which the agent obediently did. The post is a warning that agents with `service_role` privileges and no sense of context boundaries can be tricked into exfiltrating entire databases.
Read
The Primeagen
Video Feature
Supabase prompt injection walkthrough
This video walks through our Supabase MCP exploit. A malicious support‑ticket instructs Cursor’s AI assistant to `SELECT` all rows from a sensitive `integration_tokens` table and `INSERT` them back into the ticket. Because the agent runs with a full `service_role` key that bypasses Row‑Level Security, it dutifully leaks every secret token. The walkthrough shows the attack flow and explains why untrusted inputs plus over‑privileged agents equal catastrophic data leaks.
Read
Weights & Biases
Case Study
Defending against prompt injection
Weights & Biases builds on our Supabase research to show how prompt‑injection attacks abuse the Model Context Protocol. It reproduces the exfiltration and then outlines layered defenses: issuing minimal‑scope credentials, using a gateway to enforce per‑table policies, running MCP servers in read‑only mode to eliminate write‑based exfiltration, filtering untrusted inputs and sandboxing model outputs. The article calls our post an outstanding piece of research and highlights why MCP servers must adopt defense‑in‑depth.
Read
GitHub
Open Source
The Jailbreak Cookbook repository
General Analysis’s open‑source "Jailbreak Cookbook" collects dozens of jailbreaks and prompt‑injection techniques along with unified infrastructure to run them. The blog post introducing it notes that we provide implementations for most listed jailbreaks in a single repo and supply full documentation for researchers and red‑teamers. It’s a reference library and playground for anyone building AI security tools.
Read
Together AI
Partnership
Stress‑testing open models with GA
Together AI announces a partnership with General Analysis to stress‑test open‑source language models. The post explains that GA’s programmable red‑teaming framework probes models across prompt‑injection, jailbreak and targeted‑failure scenarios, revealing concrete vulnerabilities and mitigation strategies. Running campaigns on Together’s high‑throughput inference API allows evaluations that process tens of billions of tokens, and GA’s open‑source library now natively supports Together’s endpoints.
Read
Apideck
Security Brief
The security landscape of MCP
Apideck’s industry‑insights blog surveys the state of Model Context Protocol security in 2025. It highlights real‑world vulnerabilities—prompt injection, tool poisoning, over‑privileged access and token leakage—and cites exploits observed in GitHub, Supabase and other servers. The post emphasises that attackers can hijack an AI’s behaviour, exfiltrate data or trigger malicious actions through MCP connections and explains how a new OAuth 2.0‑based specification aims to tighten authorization.
Read
Pomerium
Zero Trust
Lessons from the Supabase leak
Pomerium’s write‑up dissects our Supabase MCP incident as a classic confused‑deputy problem. An LLM agent running with the full `service_role` key ingested a malicious support message and executed the embedded SQL to select every row from the `integration_tokens` table and write them back to the ticket. Because Row‑Level Security is bypassed by service keys, no permission checks stopped the leak. The article urges using least‑privilege credentials, read‑only MCP servers and gateway‑enforced policies to prevent similar breaches.
Read
Composio
Playbook
MCP vulnerabilities every developer should know
Composio details multiple classes of MCP vulnerabilities and emphasises that simple guardrails aren’t enough. It warns that malicious tool descriptions can silently inject harmful prompts, many servers lack proper OAuth handling, supply‑chain risks are underestimated and real‑world failures like the Supabase lethal‑trifecta attack and Asana and mcp‑remote command‑injection flaws have already happened. The article encourages developers to vet third‑party tools and follow the new MCP security spec.
Read
Max Planck
Reference
Capability‑based scaling laws for LLM red‑teaming
Researchers at the Max Planck Institute model red‑teaming as a function of the capability gap between attacker and target models. Their study evaluates over 500 attacker–target pairs using LLM‑based jailbreak attacks and observes that more capable models are better attackers, while attack success drops sharply once the target’s capability exceeds the attacker’s. The paper derives a scaling law predicting attack success based on this capability gap and discusses how fixed‑capability attack models may become ineffective against future models.
Read
Oso
Blog Feature
Why LLM authorization is hard
Oso uses the Supabase exploit to explain why LLM authorization is challenging. It notes that the attack hinged on three issues: accepting untrusted input, conflating instructions with data and using an over‑privileged database account. The post argues that prompt‑injection detection is extremely hard and urges designers to narrow effective permissions and prevent AI agents from reading sensitive tables in the first place.
Read
Alpha Insights
Perspective
MCP servers: read‑only is non‑negotiable
Alpha Insights argues that MCP servers must default to read‑only. After the Supabase incident it notes that Supabase’s documentation now recommends read‑only mode by default and explains that 43 % of production MCP servers have command‑injection vulnerabilities. The article explains how MCP servers should act as views, not controllers: allowing only SELECT queries prevents attacks from dropping or modifying tables. It concludes that combining privileged access, untrusted input and an exfiltration channel—the lethal trifecta—creates a backdoor.
Read
ivision Research
Security Talk
AI gets a library card: security ramifications of MCP
ivision’s presentation on Model Context Protocol security explains that AI context consists of system prompts, conversation history, tool calls and user messages, and that mixing these channels can expose sensitive data. It highlights Simon Willison’s lethal‑trifecta framework—access to private data, external communication and untrusted content—and uses the Supabase ticketing example where a malicious message told an `execute_sql()` tool to fetch integration keys, completing all three elements. The talk urges practitioners to test MCP servers rigorously and avoid configurations that combine the trifecta.
Read
The CyberWire
Show Notes
FAIK Files episode notes on jailbreaks
Show notes for The CyberWire’s FAIK Files episode link to our technical breakdown of the iMessage Stripe exploit. In that attack, Claude was jailbroken to mint unlimited Stripe discount coupons; the podcast notes direct listeners to our General Analysis post for the full details.
Read
Continuous Red-Team
Trust by simulation.
Millions of adversarial attempts, benchmarking every agent and defense configuration in your stack.
Discover
Map every AI asset across your stack.
Connect GitHub, your LLM providers, and your cloud runtime. We extract every model, vector store, MCP server, agent, and credential. Each is scanned for common vulnerabilities and scored by risk.
Discover
01GitHub connected
02LLM providers connected
03Cloud runtime connected
24 assets · risk-scored
Data sources
LLM Providers
Connected
System prompts
Tool schemas
OpenAIAnthropicGoogle
Cloud & Runtime
Connected
Cloud logs
Identity & access
awsgcpk8s
Ingesting & normalizing
Securely ingesting and normalizing telemetry from your tools.
Discovered surface
Analyze
Audit your stack against AI security best practices.
Unsafe model defaults, over-privileged agents, unverified MCPs, lethal-trifecta paths. Run compliance checks against NIST AI RMF, OWASP, and other standards, or against your own internal policies.
Analyze
01Unsafe model from Hugging Face
02Unofficial MCP server
03Lethal trifecta path detected
18 findings · NIST + OWASP
Scan in progress
$ ga scan --workspace prod-ai --scope all
[12s] discovering model endpoints
[19s] mapping MCP tools and permissions
[26s] checking runtime exposure
Coverage14%
Risks identified
normalized scan
Unsafe model from Hugging Face
mistralai/Mixtral-8x7B-Instruct-v0.1
Risky model detected: DeepSeek
deepseek-ai/deepseek-chat
Unofficial MCP server
mcp://community-weather-server
Over-permissive tool schema
filesystem.write + external_request
Lethal trifecta path detected
Prompt injection · Tool misuse · Data exfiltration
0 risks foundView all risks
Red-team
Run adversarial attacks against your agents.
Hundreds of simulations across prompt injection, tool misuse, sensitive retrieval, and multi-step exploit chains. Driven by post-trained attacker models that adapt to your defenses.
Red-team
01Prompt injection
02Tool misuse
03Sensitive retrieval attempt
7 exploit chains confirmed
Attack simulation
$ ga redteam --target support-agent --scenario exfiltration
360 generated campaigns across models, MCPs, and runtime permissions
Attempts
42
Paths
7
Exploit path
confirmedPrompt injection
support ticket
Tool misuse
untrusted MCP
Data access
private KB
Exfil attempt
blocked egress
Injected policy override recovered from ticket body
Agent selected untrusted MCP server with network access
Sensitive retrieval attempted before outbound tool call
Remediate
Experiment until the configuration holds.
Combine guardrails, observability, system prompt hardening, identity management, and other controls. Re-run red-team experiments against each variant. Empirically drive attack success rate down.
Remediate
01Guardrails + identity scoping
02+ System prompt hardening
03+ MCP allowlist
ASR: 42% → 0%
Control experiment
$ ga remediate --apply-controls --validate-asr
replaying confirmed exploit chains against hardened configuration
Baseline ASR
42%
Final ASR
0%
Control experiment
holdsCustom Guardrails Training
red-team examples
trained
System Prompt Hardening
constraints + refusals
hardened
Identity Management
least privilege
scoped
Observability
traces + alerts
active
Attack success rate
ASR 42% -> 0%
42%
0%
01Our Thesis
There are no patches.
Only attack success rates.
Software's behavior is bounded by its code, so a bug can be located and patched. Agents operate over an input space too vast to enumerate, so failures emerge statistically and cannot be patched out, only measured and driven down. Risk becomes empirical: an attack success rate.
02Principles
- 01
Empirical, not assumed
Models trained for average-case performance fail in adversarial production. The only useful signal is an attack success rate measured against your threat model.
- 02
Optimize, don't invent
Guardrails, classifiers, prompts, model choice, harnesses. The remediation tools already exist. The real work is finding the configuration that holds for your application.
- 03
Infrastructure, not opinion
Each defensive configuration has its own tradeoffs, and there is no one-size-fits-all solution. We give your team the infrastructure to run experiments, benchmark configurations, and iterate.
03What we ship
We don't ship a recommended configuration. We ship the infrastructure to find yours.
Each configuration gets benchmarked against millions of adversarial attempts. Your team iterates until the numbers meet your policy.
A configuration is every lever that affects security: input and output classifiers, prompt-level defenses like spotlighting and structured queries, the underlying model, and the harness around the agent.
We sweep across them with grid and Bayesian search, benchmark against any compliance framework you target (OWASP LLM Top 10, NIST AI RMF, MITRE ATLAS, or your own threat model), and rank what moves the number.
Sweep sweep_2410.b3·Target cs-agent-v2·Engine bayesian-opt
Last run 14m ago
| Config | Guardrail | Prompt | Model | N | Δ | ASR ↓ |
|---|---|---|---|---|---|---|
| baseline | — | none | gpt-4o | 980,432 | — | 0.0% |
| exp-a | prompt-guard-2 | spotlight | gpt-4o | 980,118 | −32.4 pp | 0.0% |
| exp-bDeployed | prompt-guard-2 | spotlight+ih | claude-opus-4.5 | 960,851 | −50.1 pp | 0.0% |
| exp-c | regex | spotlight | gpt-4o | 950,294 | −16.6 pp | 0.0% |
| exp-d | prompt-guard-2 | struq | claude-sonnet-4 | 961,421 | −45.3 pp | 0.0% |
Failure categoriesdeployed config · cs-agent-v2 · n=960,851
- Prompt injection41%
- PII leakage22%
- Tool misuse19%
- Jailbreak18%
Status: idle·Throughput: 1.2k/s·Next sweep: 06:00 UTC·Attempts logged: 4,832,116
LatestWork
Newsletter
Get the next research note.
Short updates on agent attacks, red-team methods, runtime guardrails, and production AI security.
Occasional updates. Unsubscribe anytime.