The problem starts when AI touches real data
AI-built SaaS moves fast: an agent writes code, a screen calls a model, users paste context, and the product promises automation. The weak point appears when the AI gets access to customer data, internal tools, files, integrations, or account actions.
Prompt injection is not just a malicious sentence. It is any untrusted input that tries to make the model ignore rules, expose data, call the wrong tool, or turn content into a command.
Review first
- Chat connected to customer data, CRM, tickets, or documents.
- RAG that mixes public documents, private data, and user uploads.
- Agents calling functions, webhooks, databases, or automations.
- Summaries that can include secrets, tokens, contracts, billing values, or personal data.
- Prompt and response logs used for debugging, analytics, or training.
What Promptbook helps separate
Promptbook does not turn AI into a pentester. It forces better questions: what data enters, what tools AI can call, what output needs filtering, and where authorization risk exists.
If a flagged signal touches customer data, billing, private files, or tools with real effects, the review has to move from a checklist to human validation.
AI in SaaS does not fail only in text. It fails when text receives permission, tools, and real data without enough control.
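The separation the text asks for, as an added Python example that is not Promptbook's code: the authenticated user's scopes and tenant come from the session, the model's proposed tool call is checked against them rather than against whatever the prompt said, and anything with real effects is held for human validation. Tool names, scopes and tenant values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed tool catalogue (not Promptbook's): each tool declares the scope
# it needs and whether it has real effects (writes, money, outbound actions).
TOOLS = {
    "search_docs":   {"scope": "docs:read",     "real_effect": False},
    "read_ticket":   {"scope": "tickets:read",  "real_effect": False},
    "update_ticket": {"scope": "tickets:write", "real_effect": True},
    "issue_refund":  {"scope": "billing:write", "real_effect": True},
}

@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "deny" or "needs_human"
    reason: str

def gate_tool_call(user, proposed, human_approved=False):
    """Decide whether a model-proposed tool call may run.

    user: authenticated session context {"tenant": ..., "scopes": {...}},
    taken from the app's auth layer, never from the prompt or the model.
    proposed: {"tool": name, "args": {...}} exactly as the model emitted it.
    human_approved: True only after a person validated this specific call.
    """
    spec = TOOLS.get(proposed.get("tool"))
    if spec is None:
        return Decision("deny", "tool not in catalogue")
    if spec["scope"] not in user["scopes"]:
        return Decision("deny", f"user lacks scope {spec['scope']}")
    # Tenant pinning: whatever a document or message told the model to do,
    # the call must stay inside the caller's own tenant.
    if proposed.get("args", {}).get("tenant") not in (None, user["tenant"]):
        return Decision("deny", "args reference another tenant")
    if spec["real_effect"] and not human_approved:
        return Decision("needs_human", f"{proposed['tool']} has real effects")
    return Decision("allow", "in scope, in tenant, no unconfirmed effect")

def demo():
    """Four constructed proposals for a support agent with ticket scopes."""
    user = {"tenant": "acme", "scopes": {"docs:read", "tickets:read", "tickets:write"}}
    proposals = [
        {"tool": "read_ticket", "args": {"tenant": "acme", "id": 42}},
        {"tool": "read_ticket", "args": {"tenant": "globex", "id": 7}},
        {"tool": "update_ticket", "args": {"tenant": "acme", "id": 42}},
        {"tool": "issue_refund", "args": {"tenant": "acme", "amount": 500}},
    ]
    return [gate_tool_call(user, p).action for p in proposals]
```

The gate only decides; logging each Decision with its reason gives the review trail the text wants when a call is denied or held for a person.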