
Introduction to ZeroLeaks

ZeroLeaks is an autonomous AI security scanner that tests LLM systems for prompt injection vulnerabilities. It simulates real-world attacks to find security weaknesses before attackers do.

Why ZeroLeaks?

Your system prompts contain proprietary instructions, business logic, and sensitive configurations. Attackers use prompt injection to extract this data. ZeroLeaks simulates real-world attacks to find these vulnerabilities before attackers do.

Installation

Get started with ZeroLeaks in your project using npm, yarn, pnpm, or bun

Quick start

Run your first security scan in under 5 minutes

API reference

Complete API documentation for runSecurityScan and createScanEngine

Attack techniques

Learn about the attack techniques and methods used by ZeroLeaks

Key features

ZeroLeaks uses six specialized agents:
  • Strategist: Selects attack strategies based on defense profile
  • Attacker: Generates attack prompts
  • Evaluator: Analyzes responses for leaks
  • Mutator: Creates variations of successful attacks
  • Inspector: Performs defense fingerprinting (TombRaider pattern)
  • Orchestrator: Coordinates multi-turn attack sequences

Systematic exploration of attack vectors with pruning. ZeroLeaks builds a tree of potential attacks, exploring promising branches while pruning unsuccessful paths to maximize efficiency.

Incorporates cutting-edge research including:
  • Crescendo: Multi-turn trust escalation
  • Many-Shot: Context priming with examples
  • Chain-of-Thought Hijacking: Reasoning manipulation
  • Policy Puppetry: YAML/JSON format exploitation
  • Siren: Trust-building manipulation sequences
  • Echo Chamber: Gradual escalation through agreement

Identifies specific defense systems in use (Prompt Shield, Llama Guard, etc.) and adapts attack strategies accordingly using the TombRaider dual-agent pattern.

Incorporates CVE-documented vulnerabilities and academic research, including:
  • CVE-2025-32711 (EchoLeak)
  • TAP (Tree of Attacks with Pruning)
  • PAIR (Prompt Automatic Iterative Refinement)
  • Best-of-N sampling
  • TombRaider jailbreak pattern
  • Skeleton Key guardrail bypass

  • System prompt extraction: Tests if attackers can extract your system prompt
  • Prompt injection testing: Tests if attackers can inject malicious instructions

Open source vs hosted

ZeroLeaks is available as both an open source package and a hosted service at zeroleaks.ai.

| Feature | Open source | Hosted (zeroleaks.ai) |
|---|---|---|
| Price | Free | From $0/mo |
| Setup | Self-hosted, bring your own API keys | Zero configuration |
| Scans | Unlimited | Free tier: 3/mo, Startup: Unlimited |
| Reports | JSON output | Interactive dashboard + PDF exports |
| History | Manual tracking | Full scan history & trends |
| Support | Community | Priority support |
| Updates | Manual | Automatic |

CI/CD Integration: Included

The hosted version provides a dashboard, scan history, PDF reports, and zero setup. Try it at zeroleaks.ai.

Tech stack

| Component | Technology |
|---|---|
| Runtime | Bun |
| Language | TypeScript |
| LLM Provider | OpenRouter |
| AI SDK | Vercel AI SDK |
| Architecture | Multi-agent orchestration |

Attack categories

ZeroLeaks includes probes across 15+ attack categories:
  • Direct: Straightforward extraction requests
  • Encoding: Base64, ROT13, Unicode bypasses
  • Persona: DAN, Developer Mode, roleplay attacks
  • Social: Authority, urgency, reciprocity exploits
  • Technical: Format injection, context manipulation
  • Crescendo: Multi-turn trust escalation
  • Many-Shot: Context priming with examples
  • CoT Hijack: Chain-of-thought manipulation
  • Policy Puppetry: YAML/JSON format exploitation
  • ASCII Art: Visual obfuscation techniques
  • Injection: Prompt injection attacks
  • Hybrid: Combined XSS/CSRF-style attacks
  • Tool Exploit: MCP and tool-calling exploits
  • Siren: Trust-building manipulation sequences
  • Echo Chamber: Gradual escalation through agreement
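
The Direct and Encoding categories above both end in the same place: system prompt text appearing in a response, either verbatim or wrapped in Base64 or ROT13. The following is an added example, not part of ZeroLeaks or its documentation, of an output-side check a defender can place behind a model: it scores a response for word 5-gram overlap with the system prompt in plain, ROT13 and Base64-decoded form. All function names, the 0.3 threshold and the 16-character minimum run length are assumptions chosen for illustration.

```typescript
// Added example: output-side leak check. Not ZeroLeaks code; all names are hypothetical.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
interface LeakResult { leaked: boolean; view: string; overlap: number }
// Lowercase and collapse punctuation/whitespace so reformatting does not hide a match.
function normalize(text: string): string {
  return text.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
}
function rot13(text: string): string {
  return text.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}
// Minimal Base64 decoder with no runtime dependencies; bytes map to Latin-1 characters.
function b64decode(run: string): string {
  let bits = 0, nbits = 0, out = "";
  for (let i = 0; i < run.length && run.charAt(i) !== "="; i++) {
    bits = ((bits << 6) | B64.indexOf(run.charAt(i))) & 0xffff;
    nbits += 6;
    if (nbits >= 8) { nbits -= 8; out += String.fromCharCode((bits >> nbits) & 0xff); }
  }
  return out;
}
// Decode each Base64-looking run; keep only results that are printable ASCII text.
function decodeBase64Runs(text: string): string[] {
  const runs: string[] = text.match(/[A-Za-z0-9+\/]{16,}={0,2}/g) || [];
  return runs.map((r) => b64decode(r)).filter((d) => /^[\x20-\x7e\s]+$/.test(d));
}

// Word 5-grams of the system prompt are the fingerprint searched for in each view.
function shingles(text: string, size: number = 5): string[] {
  const words = normalize(text).split(" ").filter((w) => w.length > 0);
  const out: string[] = [];
  for (let i = 0; i + size <= words.length; i++) out.push(words.slice(i, i + size).join(" "));
  return out;
}

function checkLeak(systemPrompt: string, response: string, threshold: number = 0.3): LeakResult {
  const target = shingles(systemPrompt);
  const views: Array<[string, string]> = [["plain", response], ["rot13", rot13(response)]];
  for (const d of decodeBase64Runs(response)) views.push(["base64", d]);
  let best: LeakResult = { leaked: false, view: "none", overlap: 0 };
  for (const [view, text] of views) {
    const haystack = " " + normalize(text) + " ";
    const hits = target.filter((s) => haystack.indexOf(" " + s + " ") >= 0).length;
    const overlap = target.length > 0 ? hits / target.length : 0;
    if (overlap > best.overlap) best = { leaked: overlap >= threshold, view, overlap };
  }
  return best;
}
```

A check like this only sees the encodings it decodes and misses paraphrased or translated leaks, so it complements scanning and does not replace it.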

Next steps

Install ZeroLeaks

Install the package and configure your API key

Run your first scan

Get started with a working example
