Documentation

Everything you need to know about Shield LLM — attack methodology, scoring, scan presets, and more.

Getting Started

Shield LLM is a CLI that performs automated security testing on AI chatbots. Follow these steps to get started:

1
Install the CLI
Install Shield LLM globally with npm: `npm install -g @shield-llm/cli`.
2
Initialize the config
Run `shield-llm init` to generate a shield.config.json describing your chatbot endpoint.
3
Authenticate
Run `shield-llm login` to authenticate with your dashboard, or set an API key in shield.config.json.
4
Run your first scan
Run `shield-llm scan` to launch a security audit against your chatbot. Results stream to your dashboard.

CLI Tool

Scan chatbot APIs directly from the command line: REST endpoints, SSE streaming, custom HTTP shapes. The CLI is a thin client. Authentication, the attack catalogue, judging and scoring all live on the backend (SaaS or self-hosted License). New attacks reach existing CI installations on the next scan, with no upgrade.

Installation

npm install -g @shield-llm/cli

# Or use without installing:
npx shield-llm scan --help

Quick Start

# 1. Authenticate (SaaS or License instance)
shield-llm login --key sk_shield_xxx

# 2. Generate a config for your chatbot
shield-llm init

# 3. Run a scan
shield-llm scan -c shield.config.json

# 4. (CI mode) JSON to stdout, status to stderr, exit-code policy
shield-llm scan -c shield.config.json --ci --min-score 75

Commands

Command	Description
shield-llm login --key '<'sk_shield_...'>' [--api-url '<'url'>']	Authenticate against the SaaS (default) or a self-hosted License instance via --api-url.
shield-llm init	Interactive wizard. Generates a shield.config.json for an HTTP chatbot endpoint (URL, method, auth, body template, response field, preset).
shield-llm scan [options]	Run a security scan. Pulls the plan-filtered attack catalogue from the backend and routes responses through the server-side judge.
shield-llm report '<'scanId'>' [--output json\|markdown]	Fetch a stored scan report from the dashboard for audit trails, Slack post-mortems, or CI artifacts.
shield-llm validate [-c '<'path'>']	Validate a shield.config.json without sending any traffic.
shield-llm tests [--remote]	List custom tests from the local config and/or your dashboard.
shield-llm attacks [--severity '<'level'>']	List bundled attack payloads (informational; the live catalogue served to scans lives on the backend).
shield-llm presets	List bundled preset definitions with their attack counts.
shield-llm logout	Remove stored credentials from ~/.shield-llm/credentials.json.

Scan Flags

Flag	Description
-c, --config <path>	Path to shield.config.json (default: ./shield.config.json)
-e, --endpoint <url>	Target chatbot HTTP endpoint URL (overrides config)
--auth <type>	Auth type: none, bearer, api-key, oauth2
--token <value>	Bearer token or API key value (use $ENV_VAR for secrets)
--auth-header <name>	Custom auth header name (default: X-API-Key)
--response-field <path>	Dot-notation path to response text (e.g. response, choices[0].message.content)
--request-body <json>	JSON body template with {{prompt}} placeholder
--preset <name>	Scan preset: dev, quick, owasp, standard, full
--system-prompt <text>	System prompt to prepend before each attack
--system-prompt-file <path>	Path to a file containing the system prompt
--crescendo	Include multi-turn escalation (Crescendo) attacks
--load-custom-tests	Fetch active custom tests from the dashboard
--eu-ai-act	Show EU AI Act compliance assessment after the scan
--compliance-threshold <n>	Fail if compliance score is below n (0–100)
--min-score <n>	Minimum score threshold (0–100)
--fail-on-critical	Fail if any CRITICAL vulnerability is found
--ci	CI mode: JSON to stdout, status logs to stderr, no spinner
-o, --output <format>	Output format: json, markdown, sarif, pdf
--output-file <path>	Write the report to a file instead of stdout
--no-progress	Suppress the progress spinner
--api-url <url>	Backend API URL override (defaults to the URL stored at login)

Configuration File

Create a shield.config.json in your project root. The CLI auto-discovers it, or pass -c path explicitly.

Your chatbot has a POST endpoint that takes a message and returns a response.

{
  "endpoint": {
    "url": "https://api.mycompany.com/chatbot",
    "request": {
      "body": { "message": "{{prompt}}" }
    },
    "response": {
      "field": "response"
    }
  }
}

{{prompt}} — replaced with the attack payload. {{history}} — replaced with conversation turns (for stateless multi-turn).

$ENV_VAR syntax resolves values from environment variables (e.g., tokens, secrets).

Architecture: thin client

Each scan walks through four steps. The CLI never holds an LLM key, never decides what is vulnerable, and never bundles the attack catalogue: the backend is the single source of truth.

1
Authenticate
shield-llm login stores an API key (SaaS) or license key + URL (self-hosted) in ~/.shield-llm/credentials.json. Every subsequent call carries the Bearer token.
2
Fetch the attack catalogue
GET /api/cli/attacks?preset=… returns the attacks the user's plan is allowed to run, plus an optional set of custom tests. Bundled attacks act as an offline fallback only when the backend is unreachable.
3
Send attacks to the target
For each attack, the CLI POSTs the prompt to the configured endpoint (HTTP, SSE, multi-turn). The target only sees a request shaped like its production traffic.
4
Backend judges & persists
Captured responses go to /api/cli/evaluate. The backend runs regex + LLM judge using its own credentials, scores the run, persists it to the dashboard, and returns the verdict. The CLI prints the result and exits.

Output Formats & CI/CD

Format	Description
json	Full scan report with thresholds. Default format.
markdown	Human-readable table report for documentation.
sarif	GitHub Security tab integration. Maps vulnerabilities to SARIF results.
pdf	Printable report with OWASP breakdown and remediation advice.

Exit codes: 0 passed · 1 threshold violation · 2 config or auth error · 3 runtime or network error. Use --ci to send JSON to stdout and status logs to stderr so CI logs stay parseable.

GitHub Action example:

- uses: ./.github/actions/shield-llm-scan
  with:
    api-key: ${{ secrets.SHIELD_LLM_API_KEY }}
    config: shield.config.json
    preset: owasp
    min-score: 75
    fail-on-critical: true
    output-format: sarif

How It Works

Shield LLM runs from your environment, testing chatbots through their HTTP endpoint — no SDK or code changes required.

1. Install

Install the Shield LLM CLI and point it at your chatbot endpoint.

2. Scan

Shield LLM sends attack prompts to the chatbot endpoint and captures responses in real-time.

3. Report

Get a detailed security report with severity ratings, OWASP mappings, and remediation advice.

Attack Categories

Shield LLM's test suite is mapped to the OWASP LLM Top 10, the industry standard for AI/LLM security risks.

LLM01

Prompt Injection

Manipulation of LLMs through crafted prompts, causing unintended actions. This includes direct injections that override system prompts and indirect injections embedded in external content.

32 tests

LLM02

Sensitive Information Disclosure

LLMs may reveal confidential data in responses, including PII, system internals, proprietary algorithms, training data, or other sensitive information.

18 tests

LLM03

Supply Chain

Risks from compromised third-party models, training data, or components such as those from model registries and external data sources.

8 tests

LLM04

Data and Model Poisoning

Tampered training data can impair LLM models, leading to responses that compromise security, accuracy, or ethical behavior.

5 tests

LLM05

Improper Output Handling

Occurs when LLM output is accepted without scrutiny, exposing backend systems. Can lead to XSS, CSRF, SSRF, privilege escalation, or remote code execution.

5 tests

LLM06

Excessive Agency

LLM-based systems may undertake actions leading to unintended consequences. The issue arises from granting too much functionality, permissions, or autonomy.

20 tests

LLM07

System Prompt Leakage

System prompts containing sensitive instructions, credentials, or operational logic can be exposed through crafted inputs, error messages, or agent-to-agent communication.

2 tests

LLM08

Vector and Embedding Weaknesses

Vulnerabilities in RAG systems and embedding-based methods that can be exploited to inject harmful content, manipulate outputs, or access sensitive information.

15 tests

LLM09

Misinformation

LLMs can produce false or misleading information that appears credible, including hallucinations and biased outputs. Overreliance without verification amplifies this risk.

6 tests

LLM10

Unbounded Consumption

Overloading LLMs with resource-heavy operations can cause service disruptions, increased costs, and denial of service.

7 tests

Scoring Methodology

Shield LLM uses Weighted Impact Scoring to calculate a security score from 0 to 100. Critical vulnerabilities have a much larger impact than minor findings.

Score = 100 × (1 − ObservedPenalty / TotalWeight)

Severity Weights

Severity	Weight	Examples
CRITICAL	10	System prompt leaks, indirect injection, sensitive data extraction
CRESCENDO	7	Multi-turn escalation attacks that build trust before exploiting
COMBO	6	Multi-technique attacks combining multiple bypass methods
HIGH	5	Jailbreaks, encoding bypasses, social engineering recon
MEDIUM	2	False authority, legal/financial advice, capability probing
LOW	1	Minor information disclosure, low-impact findings

Grade Thresholds

90 – 100

Excellent — Minimal vulnerabilities detected

75 – 89

Good — Some minor issues found

60 – 74

Moderate — Several vulnerabilities need attention

40 – 59

Poor — Significant security gaps

0 – 39

Failing — Critical vulnerabilities present

Scan Presets

Choose a scan preset based on your needs. Each preset runs a curated set of attacks optimized for different use cases.

Dev Mode

3 tests

Fast feedback loop for development. Tests jailbreak, system prompt leak, and roleplay jailbreak.

Quick Scan

7 tests

Rapid assessment covering top critical and high-severity attacks. Good for routine checks.

OWASP Coverage

10 tests

One representative test per OWASP LLM Top 10 category. Ideal for compliance checks.

Standard Scan

39 tests

Comprehensive OWASP coverage. Recommended for production chatbots.

Full Scan

74 tests

All 74 MVP attacks + 5 multi-turn crescendo attacks. Maximum coverage for critical assessments.

Custom Tests

Define your own security test scenarios tailored to your chatbot's specific use case and compliance requirements.

Create a Custom Scan

Navigate to Custom Tests in the sidebar. Create a new scan and give it a descriptive name.

Add Test Cases

Define individual test cases with a prompt, expected behavior, severity level, and detection patterns.

Run from the CLI

Your custom scans appear alongside the built-in presets in the CLI. Pass --custom '<'id'>' to shield-llm scan to run them against your chatbot.

Frequently Asked Questions

Which chatbots does Shield LLM support?

Shield LLM works with any AI chatbot exposed over HTTP — ChatGPT, Claude, custom chatbots built with frameworks like Langchain, and enterprise chatbot deployments. The CLI talks to your chatbot endpoint directly via shield.config.json.

Does Shield LLM send data to external servers?

The CLI runs locally in your environment. Prompts are sent directly to your chatbot endpoint — no data passes through our servers unless you opt in. The only server communication is sending scan summaries to your Shield LLM dashboard for reporting, and optional LLM-based evaluation for nuanced vulnerability detection.

How does the scoring work?

Shield LLM uses Weighted Impact Scoring. Each test has a severity weight (CRITICAL=10, HIGH=5, etc.). The score is calculated as: Score = 100 × (1 - ObservedPenalty / TotalWeight). This means critical vulnerabilities have a much larger impact on the score than medium or low findings.

What is the difference between regex and LLM evaluation?

Shield LLM uses a hybrid evaluation approach. First, regex pattern matching quickly detects obvious vulnerability indicators. Then, an LLM judge analyzes ambiguous responses for nuanced detection (e.g., partial compliance, subtle information leaks). This two-stage approach maximizes both speed and accuracy.

Can I add my own test scenarios?

Yes! Custom Tests let you define your own attack prompts, detection patterns, and evaluation criteria. This is useful for testing domain-specific vulnerabilities or compliance requirements unique to your organization.

Is Shield LLM free?

Shield LLM offers a free tier with core scanning capabilities. Premium plans include advanced features like LLM evaluation, PDF report generation, and custom test management. See our pricing page for details.

How do I scan my own API endpoint?

Use the CLI with the -e flag: shield-llm scan --demo -e https://your-api.com/chat. For full configuration including authentication, custom headers, and request body templates, create a shield.config.json file. The CLI auto-detects SSE streaming responses.

Can I use Shield LLM in CI/CD pipelines?

Yes! The CLI outputs SARIF format for GitHub Security tab integration. Use shield-llm scan -o sarif --min-score 75 --fail-on-critical to fail builds when vulnerabilities are found. A ready-made GitHub Action is also available.

Ready to secure your AI chatbot?

Get Started Free