The knowledge bases supporting AI assistants are now a growing attack surface. In fact, research presented at USENIX Security 2025 found that injecting just five carefully crafted documents into a knowledge base containing millions of entries was enough to manipulate an AI system’s responses with more than 90% success.
SecureFlag’s new RAG security labs give development teams hands-on experience identifying and mitigating the vulnerabilities specific to RAG-based systems, helping organizations reduce exposure before these risks reach production.

Retrieval-Augmented Generation (RAG) is a technique that connects an AI model to an external knowledge base. Instead of only relying on what a model learned during training, a RAG-powered application retrieves relevant documents or data at query time and uses them to generate a more accurate, context-aware response.
For example, an internal HR assistant can answer questions about specific company policies, while a support bot can reference product documentation rather than providing generic responses.
As organizations increasingly integrate RAG into internal tools and customer-facing systems, the attack paths described below are becoming more relevant in live environments.
There’s no doubt that RAG is useful, but it also introduces new attack surfaces. When a RAG system retrieves content from a knowledge base and gives it to users, it creates security issues that don’t exist in traditional applications:
The knowledge base is a direct target for attackers: If an attacker can introduce malicious content into indexed documents, they can influence or distort AI-generated responses without modifying the model or application code.
Sensitive data is exposed through retrieval: Documents indexed for retrieval may contain information that should never reach end users. If the ingestion pipeline doesn’t filter that content before it reaches the index, the AI can inadvertently expose it.
Indirect prompt injection via retrieved content: Malicious instructions hidden inside documents can affect model behavior at runtime, such as overriding system rules or changing responses.
Injected payloads are delivered through AI outputs: If documents contain malicious scripts or HTML, those payloads can be returned in AI-generated responses and executed in a user’s browser when the client renders the response as HTML without output encoding.
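As an added illustration (example code, not SecureFlag's lab code), a minimal ingestion-time filter in Python that addresses three of the risks above: stripping active HTML before a document reaches the index, redacting PII patterns, and quarantining documents that contain instruction-like text for human review. The regular expressions, the IngestResult type and the sample documents are constructed for this example.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed, deliberately small patterns; a real pipeline would use a dedicated
# HTML sanitizer and a proper PII detector. These are assumptions for the example.
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Text that addresses the model rather than the reader is a poisoning/injection signal.
INJECTION_RE = re.compile(
    r"(ignore (all |any )?(previous|prior) instructions|you are now|system prompt)",
    re.IGNORECASE,
)


@dataclass
class IngestResult:
    text: str
    redactions: int = 0
    html_stripped: bool = False
    flags: list = field(default_factory=list)


def sanitize_for_index(raw: str) -> IngestResult:
    """Clean one document before it is embedded and indexed."""
    # 1. Decode entities first so encoded markup cannot slip past the tag filter,
    #    then remove scripts and tags so no active content is stored in the index.
    #    (Output encoding in the client is still required; this is defence in depth.)
    decoded = html.unescape(raw)
    cleaned = TAG_RE.sub("", SCRIPT_RE.sub("", decoded))
    html_stripped = cleaned != raw

    # 2. Redact PII so it can never be retrieved and surfaced in an answer.
    cleaned, n_email = EMAIL_RE.subn("[REDACTED-EMAIL]", cleaned)
    cleaned, n_ssn = SSN_RE.subn("[REDACTED-SSN]", cleaned)

    # 3. Flag, rather than silently index, documents that try to instruct the model.
    flags = ["possible-indirect-prompt-injection"] if INJECTION_RE.search(cleaned) else []
    return IngestResult(cleaned.strip(), n_email + n_ssn, html_stripped, flags)


def should_index(result: IngestResult) -> bool:
    """Flagged documents go to a review queue; everything else is indexed."""
    return not result.flags
```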
SecureFlag’s new RAG labs place developers in real development environments where they need to identify and remediate vulnerabilities firsthand.
The labs cover security flaws specific to RAG-based systems, including:
Personally Identifiable Information (PII) leaks through an AI knowledge base when data isn’t properly sanitized during ingestion.
Knowledge base poisoning in a RAG system that leads to malicious or unsafe assistant responses.
Phishing attacks made possible by manipulated content in a RAG knowledge base.
Cross-site scripting (XSS) delivered through indexed documents returned by a RAG assistant.
HTML injection that’s introduced during document ingestion, leading to unsafe content being processed by the model.
The new RAG labs are available as part of SecureFlag’s AI security training offering, alongside existing content that includes LLM security, agentic AI, secure prompting, and code review of AI-generated code.
Attackers targeting RAG applications do not necessarily need access to application code, as the knowledge base itself becomes the entry point. A developer who understands injection flaws in traditional web applications may not immediately recognize the same class of risk appearing in a document ingestion pipeline.
Adding RAG-specific training to your secure development program helps your development teams identify and remediate RAG-related risks before they become incidents.

SecureFlag’s Secure Coding Training Platform is built around hands-on learning, rather than sitting through slides or answering multiple-choice questions. Learners work through real scenarios that reflect how vulnerabilities are discovered and fixed in production.
The platform covers more than 70 technologies and thousands of labs, spanning everything from web application security to cloud infrastructure to AI systems.