ProbeSix Capability Data Sheet
ProbeSix shows whether your deployed AI actually holds up under attack, not just that its guardrails are switched on. Adversarial testing of production AI, with evidence-backed reports mapped to OWASP, MITRE ATLAS, NIST AI RMF, EU AI Act and ISO 42001.
- 30 languages tested
- 6 frameworks mapped
- Up to 20 turns per attack
- eu-west-2 (London region)
What ProbeSix is
- ProbeSix adversarially tests whether your deployed AI holds up under pressure, including whether your AWS Bedrock Guardrails (and Automated Reasoning) hold when attacked. It tests these defences; it does not replace them.
- The point: it shows whether the protection you rely on actually holds under attack, not just that it is switched on. You get replayable evidence with control references.
- Built by djinn six, an AWS Professional Services Partner.
Example findings from real scans
A few of the failure classes ProbeSix surfaced in djinn six's own April 2026 scans, the kind single-prompt checks miss:
- Unauthorised commitments: the model drafted a binding, signed-format contract on the company's behalf.
- Disclaimer-only safeguards: harmful content delivered behind a caveat.
- Undisclosed AI content: content-marking failures.
- Denial-of-wallet: token amplification and unbounded output driving runaway cost.
These are a sample, not the full set. What surfaces in your report depends on your system.
Capabilities at a glance
| Capability | What it does |
|---|---|
| Adversarial conversational attacks | A sustained back-and-forth attack that adapts to each model reply, escalating rapport, authority and manipulation over 5 to 20 exchanges (turns), depending on scan depth. Includes jailbreaks and prompt injection. |
| Cross-lingual testing | 30 languages across three resource tiers, five techniques (direct translation, code-switching, transliteration, low-resource languages, response-language-forcing). Mapped to OWASP LLM01 and MITRE ATLAS AML.T0068. |
| Encoding attacks | Base64, ROT13 and ASCII smuggling, to test whether obfuscated payloads slip past defences. |
| Framework coverage | Test suites and control mapping for OWASP LLM Top 10, OWASP Agentic Top 10, MITRE ATLAS, NIST AI RMF, ISO 42001 and the EU AI Act. Targeted suites for model theft, intellectual property and permissions/access. |
| Governance questionnaires | Structured questionnaires capture self-reported management responses alongside the automated scans, weighted and mapped to control families across the frameworks above. |
| Scored reports | Risk scoring and severity per category. Free tier: category-level results. Paid tier: full test names, evidence, remediation guidance and control references (OWASP codes, ATLAS techniques, EU AI Act articles, ISO clauses). |
| Replay and retest | Regenerate and re-run the exact configuration; rescan failed-only, passed-only or both; replay the same inputs against a different endpoint; before and after comparison across runs. |
Supported endpoints
- AWS Bedrock, via cross-account role-assumption with an external ID (no shared keys).
- Public HTTPS/REST API endpoints (synchronous), with bearer, api-key or no-auth, plus SSRF protection and live validation before a scan runs.
Private and internal endpoints (on-premise, other clouds, outbound-only environments) are on the roadmap, selected per engagement. See below.
Bedrock Guardrails testing
ProbeSix tests a guardrail-protected Bedrock model as deployed. Adversarial prompts hit the live model with its guardrail in place, then the guardrail trace is parsed into per-prompt findings so you can see which attacks the guardrail blocked and which got through. Run-then-compare and ApplyGuardrail simulation are on the roadmap.
Better together with AWS Bedrock
- AWS positions Bedrock Automated Reasoning (a Bedrock Guardrails policy, GA August 2025) as verifying the factual accuracy of model outputs at runtime using formal logic, detecting hallucinations and ambiguity (AWS cites up to 99% verification accuracy). That is correctness at the output.
- ProbeSix is the complementary axis: adversarial security and robustness testing of the end-to-end system, including whether your Bedrock Guardrails (Automated Reasoning included) hold under adversarial pressure.
Security and deployment
| Area | Detail |
|---|---|
| Isolation | Scans run in single-use compute (ECS Fargate) inside a private VPC, with scoped, least-privilege IAM. Fully infrastructure-as-code on a gated, multi-account pipeline for reproducible, auditable releases. |
| Access | Role-based access control, with sign-in via AWS Cognito (Google). |
| Data stored | Prompts, responses and findings captured during scans (in effect, a catalogue of your AI's weaknesses), stored only in eu-west-2 (London). Good for UK and EU residency. |
| Model inference | Currently rotates across several AWS regions, some outside the EU, to work within AWS model quota limits while higher limits are pending. Only the inference call leaves eu-west-2, never the stored data. EU-only inference is available where residency requires it. |
| Data protection | Every AWS region ProbeSix uses operates under AWS's GDPR-aligned Data Processing Addendum, with standard contractual clauses for any transfer outside the EU. |
On the roadmap
More ways to reach your endpoint, with the path you need built first, selected per engagement:
- Endpoints inside your own network, including on-premise and other clouds, reached over a site-to-site VPN.
- A customer-hosted agent for environments that only permit outbound connections, keeping every connection customer-initiated.
- API Gateway-fronted endpoints, exercising the controls in front of your model (WAF, authorisers, rate limits) as well as the model itself.
Plus further capabilities:
- Testing of full application architectures (agentic, RAG, app-layer), not just the model.
- Testing of streaming and asynchronous APIs, where the answer arrives in chunks or after a delay rather than in a single synchronous response.
- Enterprise single sign-on (OIDC, Okta, Entra).
- Deeper Bedrock guardrail testing (run-then-compare and ApplyGuardrail simulation).
- Guardrail tuning with infrastructure-as-code export.
- An organisation-management console.
Next step
Sign up and run your first scan at probesix.ai. Prefer a hand or a deeper engagement? djinn six (an AWS Professional Services Partner) can scope one with you.
Scope and safe use
- ProbeSix gives you technical test evidence mapped to control references, ready for your auditors and assurance teams to use in your certification and audit process.
- Governance questionnaires capture management's own assertions and map them to control families, a structured input to your audit alongside the automated test results.
- Adversarial tests elicit real model behaviour. Where your AI is wired to live downstream actions, a test can trigger those side effects. Isolate a test or staging environment where you can; on a live endpoint, set your own rate and cost limits before scanning production.