SecTor 2025 | Investigate & Respond to Attacks on GenAI Chatbots

The SecTor 2025 session, led by Airbnb senior engineer Alan Sto, examined how organizations can investigate and respond to attacks on generative‑AI chatbots. Sto framed the discussion around a practical incident‑response playbook, emphasizing the need to understand chatbot architecture, threat vectors, and the escalating risk as bots move from informational to action‑driven roles. Key insights included a three‑tier risk classification (low, medium, high), the critical importance of comprehensive logging—capturing user prompts, thread IDs, timestamps, model versions, and guardrail scores—and the deployment of layered defenses. Simple rule‑based filters were shown to be easily bypassed, prompting the use of LLM‑based judges that score inputs and outputs against policy criteria. Robust system prompts were recommended to give the model higher‑priority instructions, while monitoring score distributions and entropy helps surface covert bypass attempts. Sto illustrated these concepts with vivid examples: a New York City chatbot that inappropriately advised on “human meat” sales, a car‑dealer bot that accepted absurd offers, and a weather bot that began delivering Taylor Swift‑themed forecasts after malicious reinforcement‑learning feedback. He also highlighted a remote‑code‑execution exploit in the Vanna SQL‑to‑Python pipeline, where dynamically generated Plotly code was weaponized. The takeaway for enterprises is clear: chatbot incidents can quickly evolve from brand embarrassment to legal liability or system compromise. Building a dedicated playbook, instrumenting detailed logs, and applying both static and adaptive guardrails are essential steps to detect, contain, and remediate attacks before they impact customers or expose sensitive data.