Multi-agent scanning for indirect prompt injection. ·Aligned with OWASP LLM Top 10, NIST AI RMF, ISO/IEC 42001, EU AI Act Annex III
Pre-launch · prompt-injection scanning · for B2B SaaS

Your scanner checks if you can be hacked. EverHarden checks the attack surface you own — your AI features and your user-generated content — for the hidden payloads an agent will execute.

We fetch your site as ChatGPT, Claude, Copilot, Perplexity, and Googlebot in parallel — then surface hidden prompts, cloaked content, and adversarial alt-text that traditional scanners miss.

Got it. We'll run a manual scan and reply within 48 hours.
Prefers email? Email hallo@everharden.com directly · View sample report (PDF, 6 pages)
No signup required Free first scan Sample report: PDF · 6 pages · no email required
Pilot scan + remediation guidance: €2,500 ≈ $2,750 · ≈ £2,150 Continuous monitoring: €800/month ≈ $880 · ≈ £680 Pricing details →
scan / acme-corp.com / run #4019 · sample analyzing
Chrome baseline · clean
ChatGPT-Atlas 2 hidden prompts
Claude-User scanning…
Copilot 1 cloaked block
Googlebot clean
# Sample findings CRITICAL · /products/checkout · zero-width Unicode in <meta name="description"> HIGH · /blog/post-417 · 1px-font instruction targeting Copilot agent MEDIUM · /support · transparent ARIA-label imperative + 4 informational findings → Full report ready in 12s

The attacker pool just got 1000× bigger.

The IMF (May 2026) named the acceleration: AI tooling collapses the skill required to find and exploit vulnerabilities. The bar that kept most sites safe — that attackers had to be expert — is gone.

Indirect prompt injection is where this lands first, on the public web that AI agents read every day on behalf of their users. Single-fetch scanners can't see this attack class. Not because they're broken — because their architecture was built for a world where attackers were rare and expensive.

Source: IMF Blog, "Financial Stability Risks Mount as Artificial Intelligence Fuels Cyberattacks," 7 May 2026.

#1
OWASP-ranked risk for LLM applications, 2025–2026.
May 2026
The IMF flagged AI-enabled cyberattacks as a financial-stability concern, naming automated vulnerability discovery and lowered attacker skill thresholds as systemic risks.
Aug 2026
EU AI Act high-risk obligations begin applying. Indirect prompt injection falls under the Art. 15 robustness-and-cybersecurity surface — one that single-fetch scanners don't cover.
CVE-2025-32711
"EchoLeak" — Microsoft 365 Copilot prompt-injection vulnerability, disclosed and patched 2025.

Five agents. One pass. The diffs are the findings.

Traditional scanners fetch your site once and check headers and known CVEs. Indirect prompt injection hides in content that only specific AI user-agents see — so a single-fetch scanner is structurally blind to it.

01 / FETCH

Multi-agent render

We fetch your URL with full JS rendering as Chrome, ChatGPT, Claude, Copilot, Perplexity, and Googlebot — each in an isolated browser context.

02 / DIFF

Detect what's hidden

Any text present in one agent's render but absent from baseline Chrome surfaces as a candidate. Zero-width Unicode, 1px fonts, transparent ARIA, canvas-rendered text, off-screen elements.

03 / CLASSIFY

LLM-judged severity

Each candidate goes to a frontier model that classifies it as benign, suspicious, or malicious — with attack-class taxonomy, evidence excerpt, and a one-line fix.

Three real attacks your scanner saw as clean.

Each example below is a publicly documented IPI attack pattern from 2026 security research. Traditional scanners returned green lights. Visitors using AI browser agents had their tools hijacked.

VECTOR · HTML COMMENT

$5,000 PayPal exfiltration via a single hidden comment

An HTML comment block instructed agent assistants to initiate a payment to an attacker-controlled PayPal.me address when summarizing the page for the user.

Source: Forcepoint research, April 2026
VECTOR · 1PX FONT

Backup folder deletion via Copilot

Adversarial instructions in 1px-font text — invisible to humans, fully readable to crawlers — directed an AI coding assistant to remove backup directories during a routine context fetch.

Source: Forcepoint research, April 2026
VECTOR · ACCESSIBILITY LAYER

API key exposure through ARIA labels

Imperatives hidden inside accessibility metadata were processed as instructions by an AI agent, which then dictated a stored API key into a chat response.

Source: Forcepoint research, April 2026

Same site. Different verdicts.

We ran a known-IPI test page through a leading traditional scanner and EverHarden in parallel. Same URL, fundamentally different scope. Results illustrative; full methodology in our research notes (on request).

Traditional scanner · pass

0 critical findings

  • SSL/TLS configured correctly
  • Security headers present (CSP, HSTS, X-Frame-Options)
  • No outdated CMS versions detected
  • No known CVEs matching software fingerprints
  • No malware signatures in scanned content
EverHarden · 4 critical

Hidden adversarial content found

  • Zero-width Unicode injection in meta description
  • 1px-font instruction targeting Copilot user-agent
  • Transparent ARIA-label imperative on /support
  • Cloaked content served only to Perplexity bot
  • Canvas-rendered prompt outside visible DOM

Why the difference: the traditional scanner did its job correctly. Its job is single-fetch enumeration of known vulnerability classes — TLS, headers, CVEs, OWASP Top 10. That job doesn't include comparing how five AI agents render the same page differently. Different tools. Different attack surfaces. Both required.

The diff is the demo. The corpus is the moat.

A five-agent diff is reproducible. What compounds is the payload corpus behind the classifier — a growing library of real-world IPI techniques plus ongoing threat-intel, so detection improves as the corpus grows. A one-off scanner can't keep pace.

CORPUS v1.0

12 documented IPI techniques

Zero-width Unicode, 1px-font text, white-on-white, off-screen positioning, canvas-rendered text, SVG title/desc, JSON-LD injection, transparent-ARIA imperatives, HTML-comment imperatives, display:none, noscript, and user-agent cloaking — each a reproducible payload you can inspect on the public test corpus.

THREAT INTEL

The corpus keeps growing

New real-world payloads from ongoing research feed the classifier as they're found. Every technique we document widens the gap a single-fetch scanner can't close.

What EverHarden doesn't claim to solve

The IMF describes AI-enabled cyberattacks as a systemic financial-stability concern. EverHarden addresses one specific attack surface within that broader landscape: indirect prompt injection on public web content.

We don't scan binaries. We don't audit your internal AI training pipelines. We don't make claims about your financial infrastructure or core banking systems. We scan what AI agents read on the public web — and we make that attack surface visible.

For everything else, you need other tools. We'll tell you which ones.

On the roadmap

Today every scan is run and delivered manually — we reply within 48 hours. Two automations are in build, labelled honestly as roadmap, not shipping:

Q3 2026

Self-serve scan → instant report

Submit a URL and get the report back automatically, without the 48-hour manual turnaround. In build; the manual path stays the default until this is live.

Q3 2026

Publish-time UGC scanning

For platforms hosting user-generated content: every new listing, review, or post scanned before it can hijack an agent — continuous, not just periodic re-scans. The monitoring path for content that changes daily.

Get your site's first scan free.

Free first scan manual. Pilot and continuous monitoring available — see pricing.

Email hallo@everharden.com →
No mailing list · No tracking · Direct reply within 48h