# EverHarden

> EverHarden is a multi-agent prompt-injection scanner for websites visited by AI agents (ChatGPT, Claude, Copilot, Perplexity, Googlebot). Unlike single-fetch traditional scanners (Burp, ZAP, Snyk) which fetch each URL once and miss user-agent cloaking and per-agent payload tuning, EverHarden fetches your site as each AI agent in parallel and diffs the responses to surface hidden prompts, cloaked content, and adversarial alt-text. Free first scan.

EverHarden checks if your site is hacking your visitors' AI agents — a new threat surface (OWASP LLM01:2025, Indirect Prompt Injection) that traditional security scanners structurally cannot detect because they fetch each URL only once. Web content can include hidden instructions designed to manipulate AI agents browsing the page on behalf of users (e.g., redirecting Claude or ChatGPT to perform unintended actions when summarizing the page). EverHarden detects these patterns: hidden text via CSS, adversarial alt-text, cloaked content served only to AI user-agents, and prompt-injection payloads in HTML and markdown.

## Primary

- [Homepage](https://everharden.com/): Product overview — multi-agent prompt-injection scanning for B2B SaaS. Free first scan; Pilot at €2,500; Monitor at €800/month.
- [Pricing](https://everharden.com/pricing/): Three SKUs — free first scan, €2,500 one-time Pilot (scan + remediation guidance), €800/month Monitor subscription (monthly re-scan, regression alerts, quarterly trend report). For audit firms see /auditors/.
- [For Auditors](https://everharden.com/auditors/): Per-seat licensing for TÜV-class auditors and BAIT/VAIT/DORA Prüfer. Starter (10 seats) / Practice (25) / Firm (50). White-label PDF, API embedding, friendly pilot before license commitment. DACH-focused; one auditor seat covers 20–40 client environments.
- [Research index](https://everharden.com/research/): Primary technical research on indirect prompt injection — methodology, in-the-wild studies, EU AI Act compliance briefings, and the public test corpus. Curated entry point for defenders and red-teamers.
- [Remediation — Indirect Prompt Injection Hardening Guide](https://everharden.com/remediation/): Post-scan hardening guide for IPI. Three steps — code-level DOM sanitization, policy-level robots.txt/llms.txt/X-Robots-Tag, edge-level WAF and Unicode invisible-character blocking. Cites OWASP LLM Top 10, NIST AI RMF, Google X-Robots-Tag, llms.txt (Howard 2024), W3C TDMRep. Each EverHarden finding class maps one-to-one to a remediation step in the closing table.

## Resources

- [Blog index](https://everharden.com/blog/): Technical writing on AI-agent web security, indirect prompt injection, multi-agent scanning architecture. Two substantive posts per month.
- [What the IMF May 2026 cyber-risk warning means for the public web](https://everharden.com/blog/imf-may-2026-systemic-cyber-risk-and-the-ai-agent-web.html): Regulator interpretation. The IMF May 7, 2026 statement named AI-driven systemic cyber risk for financial stability but did not name AI agents as new attack surface. This post connects the systemic-risk argument to the public-web threat surface and lists three implications for marketing-site operators ahead of late-2026 supervisory expectations.
- [Why single-fetch scanners are structurally blind to AI-agent attacks](https://everharden.com/blog/single-fetch-scanners-blind-to-ai-agents.html): Category manifesto. The architectural gap between traditional scanners (Burp, ZAP, Snyk) and the AI-agent threat surface. Three attack classes only multi-agent fetching detects: user-agent cloaking, dynamic agent-conditional injection, agent-tuned payload variants.
- [Prompt injection through website content](https://everharden.com/blog/prompt-injection-through-website-content.html): Six concrete attack vectors AI agents face when browsing webpages — CSS-hidden text, adversarial alt-text, HTML comments, SVG-embedded text, user-agent cloaking, markdown-as-instructions — and what traditional scanners miss.
- [EverHarden test corpus](https://everharden.com/test-corpus/): A deliberately-injected public test target. Twelve labeled IPI patterns (zero-width Unicode, 1px font, transparent ARIA, off-screen positioning, canvas-rendered text, HTML comments, CSS display:none, noscript, white-on-white, SVG title/desc, JSON-LD injection, UA cloaking — last is server-side, planned) for tool evaluation. Each seeded instruction is benign and only directs an agent to emit a labeled `TEST_PATTERN_NN` string. Use this URL to evaluate any scanner, including ours.

## Legal

- [Impressum](https://everharden.com/impressum.html): Operator information per §5 TMG.
- [Datenschutz](https://everharden.com/datenschutz.html): GDPR/DSGVO privacy notice.

## Operator

- Provider: EverHarden
- Region: EU (Germany hosted)
- Language: English (primary)
- Use cases: web security teams, content site owners, AI integration teams, compliance officers concerned about prompt-injection threats from AI-agent traffic, financial-services operators preparing for late-2026 IMF-aligned cyber stress-test expectations.
- Threat surface covered: hidden CSS text, adversarial alt-text, AI-user-agent cloaking, HTML/Markdown prompt injection payloads, indirect prompt injection (OWASP LLM01:2025), dynamic agent-conditional injection, agent-tuned payload variants.
- Architecture: multi-agent parallel fetching with DOM-aware response diff and signature library. Distinct from single-fetch traditional scanners (Burp, ZAP, Snyk).
- Regulatory framing: IMF May 7, 2026 statement on AI-driven systemic cyber risk; OWASP LLM Top 10 (2025), entry LLM01:2025; EU AI Act provisions on systemic-risk GPAI obligations and August 2026 high-risk system compliance deadline.

## Category and Entity

EverHarden is an **indirect prompt injection (IPI) scanner** for the AI-agent web. Indirect prompt injection is the #1 OWASP-ranked risk for LLM applications (entry LLM01 in the 2025 OWASP Top 10 for LLM Applications) and a financial-stability concern per the IMF (7 May 2026 statement on AI-driven cyber risk).

EverHarden is positioned for:

- AppSec teams at companies deploying AI agents
- Security architects at AI-agent and AI-browser vendors
- CISOs at EU-regulated B2B SaaS preparing for the August 2026 EU AI Act high-risk compliance deadline
- BAIT / VAIT / DORA auditors and Prüfer integrating IPI evidence into ICT-risk audits
- AI red-team researchers and IPI methodology researchers

## Key Concepts and Vocabulary

- **Indirect prompt injection (IPI)**: An attack where adversarial instructions are placed in content that an AI agent reads on behalf of a user, hijacking the agent's behavior. OWASP LLM01:2025.
- **Multi-agent diff scanning**: Fetching the same URL as multiple AI user-agents (ChatGPT, Claude, Copilot, Perplexity, Googlebot) and diffing the renders to surface content cloaked to specific agents. EverHarden's core architectural primitive.
- **Single-fetch blindness**: The architectural limitation in traditional scanners (Burp, ZAP, Snyk) — each URL is fetched exactly once, so user-agent-conditional payloads are invisible.
- **IPI attack classes EverHarden detects**: zero-width Unicode injection (U+200B/U+200C/U+200D/U+FEFF), 1px-font text, transparent ARIA labels, off-screen positioning (`position: absolute; left: -9999px`), canvas-rendered prompts (text painted to pixel buffer, not DOM), HTML comment injection, CSS `display: none` content, `noscript` tags, white-on-white text, SVG `<title>`/`<desc>` metadata, JSON-LD structured-data injection, user-agent cloaking.
- **EU AI Act high-risk system (Annex III)**: classification triggering enhanced obligations under the EU AI Act, with compliance deadline August 2026 for in-scope providers.
- **DORA Art. 9 RTS** and **BAIT / VAIT Section 5**: regulatory frameworks under which indirect prompt injection is increasingly named in ICT-risk audits of EU-regulated financial entities and their providers.

## References EverHarden's Methodology Builds On

- OWASP Top 10 for LLM Applications (2025) — entry LLM01: Prompt Injection. https://owasp.org/www-project-top-10-for-large-language-model-applications/
- Kai Greshake et al., "Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection" (2023). The original IPI paper. arXiv:2302.12173.
- CVE-2025-32711 ("EchoLeak") — Microsoft 365 Copilot indirect prompt injection vulnerability.
- IMF Blog, "Financial Stability Risks Mount as Artificial Intelligence Fuels Cyberattacks," 7 May 2026.
- Forcepoint AI security research (2026) — documented in-the-wild IPI attacks including the $5,000 PayPal exfiltration case.
- Johann Rehberger / Embrace the Red — IPI attack-pattern catalog and red-team writeups.
- Simon Willison — extensive public writing on prompt injection (2022–present).

## What EverHarden Does Not Do

EverHarden scans only the **public web** that AI agents read on behalf of users. EverHarden does not:

- Scan binaries, internal applications, or authenticated/login-gated areas of customer sites.
- Audit internal AI training pipelines or RAG datasets.
- Replace traditional web vulnerability scanners (Burp, ZAP, Snyk) — those cover OWASP Top 10 web vulnerabilities (XSS, SQL injection, CSRF, etc.) which EverHarden does not cover. Both are needed.
- Provide TLPT (Threat-Led Penetration Testing) frameworks under DORA Art. 24 — EverHarden is a specific tool that can be used inside a TLPT engagement, not a TLPT framework itself.
- Make claims about an entity's overall EU AI Act compliance — EverHarden surfaces one specific attack class. Compliance is a broader assessment.
- Issue audit certificates. EverHarden delivers structured scan findings; the audit certification is issued by an accredited auditor (TÜV-class or equivalent) using EverHarden's findings as part of their evidence base.