DevSecOps for AI agents

Find the vulnerabilities in your AI agents before production.

RiskVoid analyzes the source of your LangGraph, LangChain and CrewAI agents. It maps every path from untrusted input to privileged tool call, builds the attack scenarios that chain those paths into real exploits, and flags every guardrail that's missing along the way.

Built for LangGraph, LangChain and CrewAI.
The stakes

The agents your team is shipping are the new attack surface.

80% of companies running AI agents have had one take an unintended action in the last year. Runtime tools see the behavior after it happens. RiskVoid finds the code paths that make the behavior possible, before the agent ships.

80%
of organizations have had an AI agent take an unintended action.
Source: SailPoint, 2025.
$4.44M
average cost of a data breach globally. In the US the figure is $10.22M.
Source: IBM Cost of a Data Breach, 2025.
44%
of organizations have a security policy in place for AI agents.
Source: Technology sector survey, 2025.
Where we fit

Catch it in the pull request, not in production.

Runtime firewalls block attacks as they happen, after your agent has already been built with the vulnerability baked in. RiskVoid is the other half of the SDLC: we analyze the code so the vulnerability never ships.

Commit

Write agent code

Pull request

RiskVoid analyzes diff

Static graph of every prompt → tool path. Blocks merge on new criticals.

Pre-deploy

RiskVoid grades the build

Full adversarial analysis of the release candidate. Signed report attached to the build.

Runtime

Guardrails / firewalls

Blocks the request after the vulnerability is already in production.

Incident

Logs & post-mortem

RiskVoid · shift-left

Analyzes the source

  • Runs on every PR, before merge
  • Points at the exact file, line, and patch
  • Zero traffic impact, no inference hop
  • Fails the build when criticals slip in
Runtime guardrails

Filters live traffic

  • × Only catches attacks that reach production
  • × Adds latency to every single request
  • × Blocks the symptom, not the bug
  • × No fix, just a blocked response in the log

Use both. Runtime guardrails are a good backstop. RiskVoid makes sure they don't have anything to catch.

What RiskVoid finds

Every path from untrusted input to privileged tool.

Any string your agent reads (user messages, RAG context, tool outputs) can smuggle instructions. We graph those strings and flag the ones that can reach a dangerous sink.

Analyzed files: services/agent.py (2), tools/refund.py (1), graph.py, prompts/system.md

services/agent.py

  12 from langgraph.prebuilt import create_react_agent
  13 from .tools import issue_refund, escalate
  14
  15 def handle_ticket(ticket_id):
  16   ticket  = crm.fetch(ticket_id)          # untrusted
  17   context = vector_db.search(ticket.body) # untrusted
  18
  19   agent = create_react_agent(
  20     model="claude-sonnet-4",
  21     tools=[issue_refund, escalate],
  22   )
  23
  24   return agent.invoke({
  25     "messages": [("user", ticket.body)],
  26     "context": context,
  27   })

Lines 21–27: untrusted ticket.body and context reach issue_refund with no sanitizer in between.
Data-flow trace

  source: ticket.body (crm.fetch() · untrusted)
  → prompt: user message (agent.invoke() · line 25)
  → sink · privileged: issue_refund() (no confirmation · no auth check)

Severity: critical · RV-2048 · CWE-1427 · OWASP LLM01
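The source-to-sink reachability this section describes, as an added example that is not RiskVoid's code: the handle_ticket snippet above is modelled as a small tagged graph (node names and tags are constructed), every untrusted→privileged path that crosses no guard node is reported, and a hardened variant routes issue_refund behind a confirmation node.

```python
"""Untrusted-source -> privileged-sink reachability over an agent graph.
Added example, not RiskVoid's code: the handle_ticket agent above as a
small directed graph; every untrusted->privileged path that crosses no
guard (sanitizer or confirmation) node is reported. Names constructed."""

# Tags: "untrusted" sources, "privileged" sinks, "guard" nodes break a tainted path.
NODES = {
    "crm.fetch": "untrusted",         # ticket.body
    "vector_db.search": "untrusted",  # RAG context
    "user_message": "prompt",
    "context": "prompt",
    "agent.invoke": "model",
    "issue_refund": "privileged",
    "escalate": "privileged",
}
EDGES = [
    ("crm.fetch", "user_message"),      # ticket.body is the user turn
    ("crm.fetch", "vector_db.search"),  # ticket.body is the search query
    ("vector_db.search", "context"),
    ("user_message", "agent.invoke"),
    ("context", "agent.invoke"),
    ("agent.invoke", "issue_refund"),   # tools registered on the agent
    ("agent.invoke", "escalate"),
]

def unguarded_paths(nodes, edges):
    """(source, sink, path) for each untrusted->privileged simple path
    that contains no guard node (iterative DFS)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    findings = []
    for src in (n for n, t in nodes.items() if t == "untrusted"):
        stack = [(src, [src])]
        while stack:
            node, path = stack.pop()
            tag = nodes.get(node)
            if tag == "guard":
                continue                      # guard breaks the chain
            if tag == "privileged":
                findings.append((src, node, path))
                continue
            stack.extend((n, path + [n]) for n in adj.get(node, []) if n not in path)
    return findings

def with_guard(nodes, edges, sink, guard="confirm_refund"):
    """Hardened variant: every edge into `sink` is rerouted via `guard`."""
    nodes = dict(nodes, **{guard: "guard"})
    edges = [(a, guard if b == sink else b) for a, b in edges] + [(guard, sink)]
    return nodes, edges
```

Running unguarded_paths on the original graph reproduces the RV-2048 trace (both untrusted sources reach issue_refund); after with_guard only escalate remains reachable without a guard.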
Threat modeling

We build the attack scenarios for you.

Findings without context are noise. RiskVoid composes each weakness into an end-to-end scenario: who triggers it, what the agent does next, and which privileged sink it lands in. You see the full chain, not a stranded line number.

Scenario 01 · critical

Indirect prompt injection via RAG

  1. attacker: Plants instructions in a document the agent will retrieve.
  2. agent: Retrieves the document and inlines it into its prompt context.
  3. sink: Calls issue_refund() with attacker-chosen parameters.
Impact

Privileged tool invoked on behalf of an unauthenticated user.

Scenario 02 · high

Tool-confused-deputy via shared session

  1. attacker: Sends a low-trust message that overlaps with an admin task.
  2. agent: Reuses an open admin session token while resolving the request.
  3. sink: Writes to an admin-only resource without an authorization check.
Impact

Privilege escalation across user contexts within a single session.

Scenario 03 · medium

Cost-amplification loop

  1. attacker: Submits a recursive task that the planner cannot terminate.
  2. agent: Re-enters the tool loop with no recursion_limit set.
  3. sink: Runs hundreds of model calls before the request is cut off.
Impact

Quota and provider-cost blowout. No data leak, but a real DoS lever.

Example findings

Every finding is reproducible & actionable.

File, line, proof-of-concept payload, and a suggested patch. Not a generic recommendation.

RV-2048 · critical
Prompt injection via RAG

Untrusted retrieved docs reach issue_refund() with no confirmation

Retrieval context is concatenated into the agent's state. A poisoned document can issue tool calls with attacker-chosen parameters.

services/agent.py:21 · CWE-1427
RV-1917 · high
SSRF via HTTP tool

HTTP tool accepts arbitrary URLs; env vars reachable via code tool

No allowlist on http_get. Prompt-injected URLs can point at attacker hosts; os.environ is reachable via the code tool.

tools/http.py:41 · CWE-918
RV-1703 · medium
Unbounded tool loop

Graph has no recursion limit; cost-amplification vector

LangGraph recursion_limit is unset. A single user turn can trigger hundreds of tool calls, blowing quota and provider cost.

graph.py:12 · RV-POLICY-04
What we detect

38 finding categories across 6 attack surfaces.

Mapped to OWASP LLM Top 10 and CWE. Every category produces reproducible findings with a file, a line, a payload, and a suggested patch.

Prompt and instruction injection

OWASP LLM01
  • Direct prompt injection in user input
  • Indirect injection via retrieved documents
  • Tool-output injection from upstream calls
  • System-prompt override through templated context

Privileged tool exposure

OWASP LLM06 · CWE-1427
  • Privileged sink reachable from untrusted source
  • Missing confirmation on destructive actions
  • Tool registered with no authorization check
  • Over-broad tool scopes (filesystem, shell, code)

Data exfiltration paths

OWASP LLM02
  • Secrets reachable from tool output back to model
  • Unscoped HTTP / fetch tools (SSRF, callback exfil)
  • PII forwarded to third-party services
  • Markdown / image rendering as exfil channel

Agent control flow

OWASP LLM10
  • Unbounded recursion in graph or planner
  • Missing checkpointer / interrupt boundaries
  • Conditional edges that bypass review nodes
  • Delegation chains across agents with no guardrail

Model and supply chain

OWASP LLM05 · LLM07
  • Hardcoded credentials in agent definition
  • Pinned model providers without fallback policy
  • Untrusted plugin / tool packages
  • Outdated framework versions with known CVEs

Operational hardening

RiskVoid policy
  • No structured logging on tool calls
  • No rate limiting on agent invocation
  • PII not redacted before model call
  • No grading or budget on adversarial test suite
EU AI Act · compliance

If your agent is Annex III, you have a deadline.

Under the EU AI Act, agents used for employment decisions, credit scoring, or access to essential services qualify as Annex III high-risk. The August 2026 deadline is the date by which your deployed system has to meet the risk management, documentation, and human oversight obligations. RiskVoid produces the artifact your auditors will ask for.

HR and talent agents.

Annex III, point 4.

Screening, ranking, promotion, and termination decisions fall under employment discrimination law across every Member State.

Fintech agents.

Annex III, point 5(b).

Creditworthiness evaluation and credit scoring require documented risk controls and residual risk disclosure.

Legal tech agents.

Annex III, point 8.

Agents involved in the administration of justice require documented oversight and the ability to explain outcomes.

Education and EdTech agents.

Annex III, point 3.

Admissions decisions, learning-outcome assessments, and exam conduct monitoring require documented fairness controls and a path for students to contest automated outcomes.

Insurance agents.

Annex III, point 5(c).

Life and health insurance risk assessment and pricing require documented bias controls and an explainable basis for every rating decision.

The product

Install the GitHub app. Get a dashboard.

Engineers see findings in their pull requests. Security and compliance leads see the full posture across every agent repo in the dashboard. Both views update in real time.

Install on GitHub

Read-only · org-scoped · 2 min

  1. Install RiskVoid on your org
     One-click install. Pick which repos we see; everything else stays invisible.
  2. We detect your agents
     LangGraph, LangChain, CrewAI imports and graph definitions are indexed automatically.
  3. Every PR gets a review comment
     New criticals block merge. Fixed findings close automatically on the next commit.
Example review comment:

riskvoid commented on #1284 · 2 min ago
1 new critical · 0 new high · grade: F ← D
New finding at services/agent.py:21: untrusted ticket.body can reach issue_refund(). Blocking merge per org policy.
Example dashboard (riskvoid.io/dashboard · acme-corp):

Organization posture: acme-corp · grade D · Critical 3 · High 9 · Agents 14 · PRs today 7

Recent analyses (14 repos)
  • F · acme/checkout-agent · main · 2m ago · PR #1284 · 1 crit
  • C · acme/support-copilot · main · 1h ago · 3 med
  • A · acme/sales-researcher · main · 3h ago · clean

Pull request reviews.

The GitHub App runs on every PR, posts findings as inline comments, and can block merges that violate policy.

Security posture dashboard.

One view of every repo, every open finding, every policy violation, with trends by severity and by surface.

Policy controls.

Security leads set the bar once. The platform enforces it on every change, in every repo, without engineering having to opt in.

Notifications where you work.

Slack for the engineering channel, email digests for the security and compliance leads.

How the analysis works

Source in. Graph out. Findings opened.

RiskVoid never runs your code against live models. We reason about the agent's definition (its graph, its prompts, its tool registrations) and then drive a sandboxed replica with adversarial inputs.

Step 01

Clone & index

Read-only clone in an isolated sandbox. Framework imports are detected automatically.

Step 02

Build the graph

Every prompt, every tool, every edge. Untrusted sources and privileged sinks are tagged.

Step 03

Adversarial drive

Payloads across 38 categories run against a replica agent. Only reproducible hits become findings.

Step 04

Open the fixes

PR comments, suggested patches, Jira / Linear / Slack. You choose where findings land.

Supported frameworks

Deep support for the frameworks teams ship with.

Not a long list of logos. Native graph extractors for LangGraph, LangChain, CrewAI, and n8n: the frameworks behind the agents we see in the wild.

LangGraph

Native support
  • StateGraph & MessageGraph nodes parsed
  • Conditional edges traced through reducers
  • Prebuilt create_react_agent analyzed
  • Checkpointer & interrupt coverage

LangChain

Native support
  • LCEL chains & Runnable composition
  • Agent executors & tool registration
  • Retriever → prompt → LLM flow graphs
  • Custom @tool definitions

CrewAI

Native support
  • Crew, Agent & Task definitions
  • Delegation paths between agents
  • Tool inheritance across roles
  • Sequential & hierarchical process modes

n8n

Native support
  • Workflow JSON parsed node by node
  • AI Agent & LLM node inputs traced
  • HTTP, Code, and tool-call nodes graphed
  • Credentials and webhook exposure checks
FAQ

Everything you'd ask a security engineer on day one.

01. Do you need access to my production traffic?
No. RiskVoid is source-static with a sandboxed adversarial harness. We clone your repo read-only and drive a replica of your agent with synthetic inputs. Production stays untouched.

02. How is this different from a runtime firewall?
Runtime firewalls block requests as they arrive, after the vulnerability has already been written, reviewed, and deployed. RiskVoid analyzes the source to stop the vulnerability from shipping in the first place. Use both; they live in different parts of the SDLC.

03. How is this different from a general SAST tool?
SAST tools understand functions; they don't understand prompts or tool graphs. RiskVoid builds a graph of every untrusted string that can reach every tool call: the attack surface unique to agents.

04. What's the feedback loop with my repo?
Our GitHub App analyzes every PR. Each finding opens as a review comment with a suggested patch; merging the patch closes the finding automatically. Findings also mirror to Jira, Linear, or Slack.

05. Which severity scale do you use?
Five levels (critical, high, medium, low, and informational), mapped to CVSS 3.1 and OWASP LLM Top 10. Overrides are configurable per repo.

06. How do you handle secrets in the sandbox?
Real secrets never touch the sandbox. We substitute honeytoken credentials with the same shape and watch where they end up; any exfil attempt becomes a finding, not a breach.
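The honeytoken substitution described in the last answer, as an added example that is not RiskVoid's code: a decoy keeps the real secret's prefix, length and per-character classes, replaces it in the sandbox environment, and anything the agent emits (tool arguments, outbound URLs, model output) is scanned for the decoy. Function names and all secret values are constructed for the demo.

```python
"""Honeytoken substitution for a sandboxed agent run.
Added example, not RiskVoid's code. Decoys keep the shape of the real
secret (prefix, length, per-character class), replace it in the sandbox
environment, and everything the agent emits is scanned for them."""
import secrets
import string

def make_honeytoken(real_secret, keep_prefix=3):
    """Decoy with the same prefix, length and character classes as
    real_secret, so shape-based validators still accept it."""
    out = list(real_secret[:keep_prefix])
    for ch in real_secret[keep_prefix:]:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)  # separators such as '-' or '_' stay put
    return "".join(out)

def substitute(env, secret_keys):
    """Return (sandbox_env, decoys): secret_keys replaced by honeytokens,
    every other variable passed through unchanged."""
    sandbox_env, decoys = dict(env), {}
    for key in secret_keys:
        decoys[key] = sandbox_env[key] = make_honeytoken(env[key])
    return sandbox_env, decoys

def find_exfil(emitted, decoys):
    """Env keys whose decoy shows up in what the agent emitted (tool
    arguments, outbound URLs, model output). Any hit is a finding."""
    return sorted(k for k, v in decoys.items() if v in emitted)
```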

Your agents have capabilities. Do you know their risks?

Install the GitHub app. Get your first analysis on your next PR.