Configuring LLM to validate LLM tests

Configure AppScan to dynamically test Large Language Model (LLM) features in your applications for risks such as sensitive information disclosure, prompt injection, data exfiltration, tool abuse, and content policy violations. Target chat endpoints, retrieval-augmented generation (RAG) pipelines, and other LLM components, then review reproducible findings with LLM interaction history and remediation guidance.

Setting

Details
LLM configuration enabled Use the toggle to enable or disable LLM scanning for applications with integrated LLMs.
Configure OpenAI To scan and report LLM risks, you must configure OpenAI endpoint and API key. For more information, see Configuring Azure OpenAI.
Record LLM sequence
Record LLM sequence Navigate to your LLM service URL. Enter "test" as the prompt and submit. You can add additional prompts as needed. When you are finished, stop the recording. You can record with the AppScan embedded browser. If you encounter issues, you can use an external browser, provided you have enabled it via Tools > Options > Use external browser:
  • AppScan browser (recommended)
    • Record without logging in
    • Log in and then record
  • External browser (selected browser's name)
Edit the sequence AppScan automatically detects the roles: Prompt, Submit and Response fields.
  • Prompt: The input text that a user submits to an LLM.
  • Submit: User action that sends a prompt to the LLM (for example, clicking Send or pressing Enter).
  • Response: LLM’s output captured by AppScan for analysis.

    If AppScan fails to detect these fields, error message is displayed. Click edit the sequence and fix the playback and then click Apply. You can then click Run analyze to automatically detect the roles.

    For example, if the submit action was not recorded, you can fix the playback as follows:
    1. Click Edit the sequence and right-click the Prompt action and click Add a send key action after the selected item > Enter and then click Apply.
    2. Click Run analyze. You can see the Submit action is detected automatically and the playback works fine.
Run analyze After you fix the playback you can Run analyze to automatically detect the roles.
Log in before sequence play By default AppScan applies this checkbox when you select the Log in and then record option.
Advanced options
Connected to a database
Provide the table name connected to the database to fully map and test the LLM service’s database attack surface. AppScan uses this information to simulate injection attacks and identify vulnerabilities that could allow unauthorized data access.
  • Table name