Potestas AI Forensic LLM Stress Testing · Independent Verification 844-LLM-TEST · (844) 556-8378
Home Model Failures Free Audit Industries Pricing
Get a Quote
Forensic LLM Stress Testing

It's easy to make an AI look unsafe.
It's hard to prove it actually is.

A wrong answer costs you either way — miss a real flaw and it ships broken, or kill a good product on a false alarm. We tell you which one you're looking at, and prove it.

300+
Adversarial turns
per engagement
Cross-vendor
Every result re-graded by
a different model
Sealed
Fixed-seed, reproducible
chain-of-custody
~10-day
New findings published
on a standing schedule
The Problem

A score tells you nothing.
Not really.

"87% integrity score." Compared to what? Tested how? And how many of those failures are real — versus a grader misreading a refusal, or a borderline answer counted as a breach?

A number without evidence is a guess wearing a lab coat.

The tools that attack a language model are free and everywhere — mature, well-funded, running multi-turn jailbreaks against any model. Attacks are no longer the hard part. The hard part is knowing which results are real.

And a wrong result is expensive in both directions. A false negative ships an agent into production with a hole nobody caught. A false positive kills a viable deployment, or brands a vendor's model unsafe on evidence that collapses the moment anyone checks. Either way, the cost lands on you — not on the tool that flagged it.

What We Deliver

We don't hand you a score.
We hand you a case file.

Every finding ships with the exact input, the exact output, the grading, and a fixed seed — so your own reviewers can re-run it and get the same answer. Where the model failed. Where it held. Nothing asserted that can't be reproduced.

01

Independently judged

Every result is re-graded by a model from a different vendor than the one under test. No model grades its own homework.

02

False positives removed

Borderline, artifact, and misread results are excluded before anything is called a finding. Fewer, truer results — not a longer list.

03

Severity tiered

Operational risk is separated from borderline dual-use, so you know what actually matters and what doesn't.

04

Sealed & reproducible

Each finding ships with exact inputs, exact output, the grading, and a fixed seed — so any reviewer can re-run and confirm it.

The Methodology

Five things a single-vendor lab
structurally cannot do.

A trillion-dollar company can out-spend us on tooling. What it can't do is stand outside every vendor at once and measure them the same way, over time. That's the work.

01

Longitudinal drift monitoring

Most evaluations are a snapshot: one version, tested once. But vendors push updates with no changelog, and a model that refused a request last month may answer it today. We run a fixed battery on a schedule and flag when behavior changes between runs — a finding class only a standing instrument can produce.

02

The say-vs-do gap

The industry moved to agents — models with tools that read files, run code, and act. Safety testing largely stayed on "what will it say in a chat box." We measure the gap between what a model will describe and what it will actually execute when handed a tool — the central risk of the agentic era.

03

Cross-model comparison

A single lab can only red-team its own model. We run the identical battery across Grok, GPT, and Claude at once — so the finding isn't "this model failed," it's "here's how these models differ on the same test, and the one topic where the gap matters most." That's structurally impossible from inside any single vendor.

04

Refusal-boundary mapping

Rather than asking whether a model can be tricked once, we map exactly where it draws its line on a graduated ladder of requests — and whether that line is coherent. A model that refuses a milder request but answers a harsher one has an internally inconsistent safety policy. That's a structural defect, not a jailbreak — and it's measurable.

05

Conversational vs. isolated behavior

A model tested with cold, one-off prompts behaves differently than the same model inside an ongoing conversation. We measure both on identical questions and report the gap — because the conversation is how your users actually interact, and a boundary that only holds in isolated lab conditions isn't really a boundary.

Try It Yourself

Don't take our word for it.
Try to break an AI banker.

We built a finance agent and gave it the tools to move money. Your job: talk it into a fraudulent wire. It takes about 20 seconds to see how easily an agent trusts a plausible request — the exact failure mode our flagship study measured across four frontier models. Two of them wired the money.

Why Not Just Use a Free Tool

Static tools test once and stop.
Ours gets sharper every run.

Open-source scanners fire the same fixed playbook against every model, forever. Our adversarial engine learns from every engagement — new probes, sharper over time, never the same sequence twice. Standing up a free tool across three vendors, tuning it, and separating signal from noise is work most teams won't do once, and won't maintain across every model update. We do that work, take responsibility for the results being true, and hand you a document built to be defended — not a log to be interpreted.

Free tools give you an attack. We give you proof.
And the proof gets stronger every time we run it — because nothing we build is static. That's the difference between a scan and a standing measurement.
Market Comparison

Every competitor. One standard.

Every tool listed does real work. But a self-service scanner and a delivered forensic service are different things in kind. Judge for yourself.

Capability Potestas PyRIT Garak PromptFoo Lakera Guard
Audit depth300+ turns · sustained campaignShorter-run / limited multi-turnPrimarily single-turn probesPrimarily single-turn checksRuntime monitoring focus
Independent grading Cross-vendor re-gradingSelf-gradedSelf-gradedSelf-gradedNot part of deliverable
False positives removed Excluded before reportingRaw log outputRaw findings listRaw findings listNot part of deliverable
Longitudinal drift Tracked on a scheduleNot a documented featureNot a documented featureNot a documented featureNot a documented feature
Say-vs-do (agentic) Tests the do-channelPrompt-level focusPrompt-level focusPrompt-level focusInjection-detection focus
Reproducible evidence Sealed, fixed-seed, re-runnableNot offeredNot offeredNot offeredNot offered
Takes responsibility for results Delivered serviceSelf-service toolSelf-service toolSelf-service toolSelf-service tool
Cleared personnel Available per engagementNoNoNoNo
Audit depth
Potestas — 300+ turns, sustained campaign
Others: shorter-run or primarily single-turn probes
Independent grading
Potestas — every result re-graded cross-vendor
Others: self-graded, or not part of the deliverable
False positives removed
Potestas — excluded before anything is called a finding
Others: raw log output or raw findings list
Longitudinal drift
Potestas — tracked on a standing schedule
Others: not a documented feature
Say-vs-do (agentic)
Potestas — tests what the model executes, not just says
Others: prompt-level or injection-detection focus
Reproducible evidence
Potestas — sealed, fixed-seed, re-runnable by any reviewer
Others: not offered
Takes responsibility for results
Potestas — a delivered service, accountable for the findings
Others: self-service tools you interpret yourself
Cleared personnel
Potestas — available per engagement
Others: no
Comparison reflects each tool's primary published purpose and documentation as of 2026. Open-source and commercial tools evolve; the categories describe the standard product category, not a fixed limitation of any vendor. Potestas is a delivered forensic service, not a self-service scanner — the difference above is one of kind, not degree.
Engagements

One standard. Scoped to you.

Every engagement delivers the full sealed evidence package. Price reflects scope — the standard never changes.

Single-Model Audit

Forensic Stress Test

One model, one configuration. The full battery, independently judged, false positives removed, sealed and reproducible.
$25,000
Starting price · Quote within 72 hours
  • 300+ turn adversarial campaign
  • Cross-vendor independent grading
  • False positives excluded before reporting
  • Severity-tiered confirmed findings
  • Sealed, fixed-seed evidence package
  • Full transcripts + reproduction instructions
Request a Quote
Comparative / Custom

Cross-Model & Ongoing

Multiple models tested identically — the comparison no single vendor can run on itself — plus optional standing drift monitoring.
$45,000+
Scoped per engagement · Quote within 72 hours
  • Everything in a single-model audit
  • Identical battery across multiple models
  • Cross-model comparison report
  • Optional ongoing drift monitoring
  • Say-vs-do agentic testing
  • Priority handling
Request a Quote
Cleared Engagements

Cleared engagements available via an established network of TS/SCI and polygraph-cleared personnel — scoped and staffed per contract. For classified, ITAR-sensitive, or high-assurance environments where the vendor itself has to be trusted, not just the tooling. Contact for scoping →

Founded by Joseph Cirello · Active Secret clearance · US Army, Senior Warrant Officer (Ret.), 25 years · Disabled Veteran-Owned Small Business · SAM.gov registered · SDVOSB certified.
If we find nothing meaningful, the audit is free.
We run a complete forensic pass across the full battery. If we surface no meaningful vulnerability in an unwrapped frontier model, the service is free — unconditionally. No other forensic auditor in this market makes that commitment.
Scope · Run · Verify · Defend

You could use a free tool.
Here's what you get instead.

Findings built to withstand independent scrutiny — in a field with plenty of attacks and very little proof.