Early Access Now Open โ€” 79 of 300 spots remaining
26% FILLEDSecure your spot โ†’
About Orithos ยท Built by Antanox

We got tired of watching security teams discover AI vulnerabilities the wrong way.

Orithos is built by security engineers who have been on both sides of an AI security incident โ€” the side that finds the vulnerability during a scan, and the side that finds it during a breach. We built the scanner we needed when we were doing the scanning.

Built by
Antanox
Orithos is a product of Antanox
Our principles

Three things we refuse
to compromise on.

Security tooling earns trust through what it won't do as much as what it will. These are the design constraints we've built Orithos around.

๐Ÿ”
Agent-aware, not generic
Every probe is generated from your specific system prompt, tool manifest, and RAG configuration. A scanner that sends the same payloads to every agent is a marketing product. Orithos is a security product.
โš–๏ธ
No false positives at CRITICAL
A CRITICAL finding that turns out to be a false positive destroys trust. Our 3-tier judge pipeline exists for one reason: every CRITICAL reaching a security team is a confirmed, reproducible exploit path.
๐Ÿ“–
Open probe catalog
Our attack probe catalog is published openly. Security teams should understand what probes are being run against their agents, challenge the methodology, and contribute improvements. We show our work.
Methodology

How we designed
the scan engine.

The scan architecture is published. These are the design decisions that distinguish Orithos from generic LLM security tools.

01
Probes generated from agent configuration โ€” not templates
Your system prompt contains identifiers, constraints, and tool references that an attacker who extracts it will use in follow-on attacks. We extract those identifiers first, then build probes that reference them.
02
Session-isolated probe execution
Every probe runs in a clean session context. Multi-turn attacks depend on session state โ€” cross-probe contamination would produce false positives. Each probe is an independent interaction with your agent.
03
3-tier cascading judge pipeline
Tier 1 catches obvious violations. Tier 2 catches subtler ones. Tier 3 confirms every CRITICAL. Temperature 0 throughout. The pipeline is optimised for false-positive prevention at CRITICAL severity.
04
Map-Reduce finding architecture
Each finding is analysed independently in parallel (MAP), then a synthesis call assembles the unified output (REDUCE). This eliminates quality degradation that plagues single-call approaches and scales to any number of findings.
900+
targeted attack probes across 25 categories
3
judge tiers โ€” every CRITICAL is confirmed by top-capability model
<3%
CRITICAL false positive rate target across all scans
0
sessions shared between probe executions โ€” full isolation
73%
of production AI agents scanned have at least one CRITICAL finding unknown to the security team
Open probe catalog

The attack library
is public. Here's why.

Security through obscurity is not a security model. Making our probe catalog public means the security community can challenge our methodology, contribute new attack patterns, and verify our findings. The catalog is version-controlled and published on GitHub.

Orithos Attack Catalog
25 categories ยท 900+ probes
Published openly. Version controlled. Community contributions accepted.
25
CATEGORIES
900+
PROBES
v2.1
CURRENT VERSION
MIT
LICENSE
View catalog on GitHub โ†’
CAT-01Direct Prompt Injection183 probes
CAT-02Indirect Injection โ€” RAG147 probes
CAT-03Persona Jailbreak89 probes
CAT-04Encoding Obfuscation54 probes
CAT-05Hypothetical Framing62 probes
CAT-06Multi-turn Escalation94 probes
CAT-07System Prompt Leakage71 probes
CAT-08PII Extraction68 probes
CAT-09Credential Harvesting44 probes
CAT-10Tool Abuse โ€” Financial82 probes
CAT-11Tool Abuse โ€” External55 probes
CAT-12Privilege Escalation48 probes
CAT-13Data Exfiltration60 probes
CAT-14Goal Hijacking52 probes
CAT-15Adversarial Robustness77 probes
CAT-16RAG Memory Poisoning43 probes
CAT-17Identity Transparency38 probes
CAT-18Financial Bypass49 probes
CAT-19Medical Bypass41 probes
CAT-20Legal Bypass36 probes
CAT-21GDPR Violation33 probes
CAT-22Bias & Discrimination29 probes
CAT-23CBRN / Harmful Content18 probes
CAT-24Disinformation24 probes
CAT-25Resource Exhaustion12 probes
Community & standards

Frameworks we contribute to
and build against.

Credibility in security is earned through community participation. We contribute to the frameworks we implement.

Framework / CommunityOur roleHow Orithos uses itRelationship
OWASP LLM Top 10
2025 edition
Submitted findings data from 200+ production agent scans to inform the 2026 edition update.Every finding mapped to the specific OWASP LLM control it violates.Contributor
NIST AI RMF
AI RMF 1.0
Probe catalog mapped to GOVERN, MAP, MEASURE, and MANAGE functions.NIST control mapping included in all Team and Business tier exports.Fully mapped
EU AI Act
Regulation (EU) 2024/1689
Engaged with EU AI Office technical consultation process.Full Article 9, 13, 14, 15 evidence export in Business tier.Contributor
MITRE ATLAS
AI Threat Landscape
All 25 probe categories mapped to MITRE ATLAS TTP identifiers.Every finding card includes the MITRE ATLAS TTP for threat intelligence integration.Contributor
ISO/IEC 42001
AI Management System
Probe catalog aligned to Annex A controls.Annex A control mapping available in compliance export.Fully mapped
FS AI RMF
Financial Services AI Risk
Financial services sector probe pack developed with input from security engineers at regulated UK institutions.CTL-07, CTL-08, CTL-09 mapping in financial sector scan reports.Sector mapped
Our commitments

What we commit to
every customer.

Security companies earn trust differently. These are the commitments we make โ€” in writing, not in marketing copy.

๐Ÿ”“
Your agent config is yours
Your system prompt, tool schemas, and RAG source configurations are encrypted per-organisation, never used to train our models, and deleted within 90 days of your last scan.
Read the Data Processing Agreement โ†’
๐Ÿ“‹
Probe catalog is published openly
The attack probes we run against your agents are published on GitHub under MIT license. Any security engineer can review them, challenge them, or propose additions.
View on GitHub โ†’
โœ“
Every CRITICAL is human-reviewed during early access
Every CRITICAL finding confirmed by our judge pipeline is manually reviewed by a member of the Orithos security team before it reaches you.
See our judge pipeline methodology โ†’
๐Ÿ“Š
We publish our own scan statistics
The statistics on our homepage and in our research come from real scans, not synthetic benchmarks. Our methodology for calculating findings data is fully disclosed.
Preview: State of AI Security report โ†’

Scan your agents before a regulator โ€” or an attacker โ€” does it for you.

Early access spots remain. Security teams that establish their AI agent scanning programme now set the baseline before enforcement begins.

79 of 300 spots remaining