Edoardo Zatti, Zoran Gorgiev
Summer is rolling in, and the team has been busy. This month’s release is a big one: four new features and improvements that extend Equixly’s testing capability into large language models, give you a clearer picture of your attack surface, and put the right report in the right reader’s hands.
As always, this update reflects the feedback you’ve shared and our broader vision for what a continuous offensive security platform should be.
Here’s what’s new in Equixly’s June update:
- AI Red Teaming: Testing AI agents and systems against evolving attacks
- Attack Surface Graph: Your entire attack surface presented as one interactive picture
- More Discovery upgrades: Scheduled scans, MCP server detection, technology tagging, and natural-language auth
- Reports revamp: One scan, three reports, each built for a different audience
AI Red Teaming
When an LLM sits behind your API, securing the API alone is no longer enough. The model itself is part of your attack surface, and it needs to be tested like one. This month, Equixly starts testing the language model too, not just the API around it.
A new AI section in Project Settings lets customers declare the LLM-backed endpoints they want red-teamed. Equixly then attacks and judges them automatically, so your tests on the model get sharper.
How customers set it up
Configuring an AI target takes three steps:
- Add an AI target: Pick the LLM-backed endpoint from the project’s service inventory.
- Map prompt and answer: Mark where the attack prompt enters the request and where the model’s answer comes back in the response.
- Add context (optional): Describe how the model should behave, the guardrails it must never break, and its system prompt.
The context matters. The more Equixly understands about how the model is supposed to behave, the sharper both the attacks and the judging become.
What we test for
Once a target is set, Equixly attacks it automatically across the full set of LLM risk categories, then judges whether the model held up:
- Prompt injection: Forces the model into generating malicious content
- Jailbreaks and guardrail bypass: Bypasses the model’s own rules and guardrails
- System prompt leakage: Attempts to extract the target’s hidden system prompt
- Misinformation: Makes the target produce false information, inside or beyond its context
- Excessive agency: Pushes the model to act outside its context, for example by visiting external links
- Resource consumption: Sends progressively larger prompts to exhaust resources and measure degradation
You set your AI targets once at the project level, then test them continuously alongside the rest of your API security workflow.
Attack Surface Graph
Discovery can now visualize your entire attack surface as a single interactive graph. Every service, endpoint, and sensitive input appears in one picture, so you can see exactly what you’re exposing without scrolling through tables.
What it shows
The graph presents the customer’s attack surface at a glance. You can see services, endpoints, and the sensitive inputs they handle, all rendered as one connected view.
Why it matters
- Spot exposure without reading a table: The shape of your attack surface is immediately visible, rather than buried in rows of data.
- Highlight sensitive inputs: Exposed PII, IBANs, passwords, and tokens are surfaced directly in the graph, so the places that handle sensitive data are obvious at a glance.
More Discovery upgrades
Beyond the graph, Discovery picked up several more improvements this month:
- Scheduling: Discovery scans can now run automatically on a recurring schedule, keeping your attack surface fresh with no manual re-runs to remember.
- MCP server detection: As your applications expose AI agent tooling over the Model Context Protocol, Discovery now detects those MCP endpoints during a crawl. It enumerates every tool each server offers, bringing your AI agent attack surface into scope automatically.
- Technology info: Every discovered host and endpoint is now tagged with its detected stack — language, framework, gateway, and auth provider (Nginx, Python, Laravel, Cloudflare, AWS, and so on). These details enable smarter test generation.
- Org-wide visibility: See every discovery scan across the whole organization in one place, giving security teams central oversight and the ability to track coverage across all projects.
- Natural-language auth: A new Natural Language authentication option in Discovery settings lets you describe your auth flow in plain text and skip the manual setup entirely.
Reports revamp
The same test now produces three reports, each written for a different reader:
- Penetration test report for security engineers: Full technical detail, reproduction steps and payloads, and remediation guidance per finding
- Executive report for the CISO and leadership: Risk posture at a glance, with clear impact framing and no technical noise
- Attestation letter for customers, auditors, and partners: A third-party-ready statement delivered as a clean, shareable PDF that supports vendor due diligence
The attestation letter is what prospects forward to their customers, turning Equixly into a procurement asset as well as a testing tool.
Closing thoughts
Equixly’s June release pushes the platform forward on several fronts at once:
- Securing the language models behind your APIs
- A clearer, visual picture of your attack surface
- Smarter, more automated discovery, including the emerging MCP ecosystem
- Reports tailored to engineers, leadership, and third parties alike
As always, we’re building with your feedback in mind. Keep it coming, and we’ll keep shipping.
Edoardo Zatti
Technical Product Manager
With a master's degree in Theoretical Physics, Edoardo has established a robust analytical thinking and problem-solving foundation. During the final year of his studies, he taught an integration course at the university, refining his communication skills and kindling his passion for education. His academic journey took an exciting turn during his master's program as he ventured into the field of computer science through relevant courses. These courses sparked his interest in IT and led him to specialize in backend development, where he sharpened his skills through involvement in complex projects and practical experience in other Tech companies.
Zoran Gorgiev
Technical Content Specialist
Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.