Open-source gateways move fast. Privilege isolation failures, key exposure paths, and multi-tenant boundary violations accumulate faster than security reviews can catch them. We've already found 600+ across the most-deployed gateways.
The problem
The same openness that makes OSS gateways attractive also means vulnerabilities accumulate in public, and every deployment configuration creates a new attack surface.
01  Open-source AI gateways ship weekly. Each release brings new configuration surface, new API endpoints, and new trust boundaries — faster than any manual security review can track.
02  Every gateway deployment is configured differently — custom routing rules, provider fallbacks, multi-tenant key namespacing. The attack paths in your deployment are not the same as the ones in the upstream docs.
03  Most teams discover gateway vulnerabilities when someone exploits them — a leaked API key, a prompt injection that reaches a privileged tool, or a multi-tenant data leak. At that point, the damage is done.
How Tracestone helps
Automated Vuln Discovery runs a corpus-driven audit agent against your gateway configuration — finding what standard CVE scanners miss, and generating regression fixtures so fixed vulnerabilities stay fixed.
Our Code-Audit LLM is fine-tuned on 2,900+ real-world LLM gateway vulnerabilities, NVD CVE data, and OWASP GenAI cases. It finds implementation flaws that static scanners and generic pentest tools miss because they don't understand gateway-specific attack patterns.
A second model analyzes live model requests, tool calls, and permission decisions to find policy bypass and privilege escalation in real traffic — the class of vulnerability that only appears under production load, not in static code review.
Every finding automatically generates a regression test fixture. Discovered vulnerabilities are added to a continuous CI suite — so when you upgrade your gateway version, you know immediately if a fixed vulnerability regressed.
What we audit
We cover the vulnerability dimensions that matter for AI gateway deployments — not generic web security, but the patterns that show up specifically in LLM routing, multi-tenant key management, and tool-call authorization.
Privilege isolation failures — tenant A accessing tenant B's model keys or usage data.
Key exposure paths — provider API keys reachable via crafted requests or error responses.
Tool-call authorization bypass — skipping permission checks via prompt crafting or parameter manipulation.
Secrets in model context — credentials injected into retrieved context and returned in completions.
# Scan report excerpt
target: ai-gateway:4000
corpus: v2.9 · 2,900 entries
scanned: 2026-06-04T09:12:00Z

FINDING [HIGH] CVE-class · Privilege Isolation
Path: /key/generate · param: team_id
Tenant A can generate keys scoped to Tenant B via unsanitized team_id in request body
Fixture: fixtures/priv-isolation-001.json

FINDING [MED] Key Exposure · Error Response
Path: /chat/completions · malformed model
Stack trace leaks provider API key prefix
Fixture: fixtures/key-exposure-007.json

Summary: 2 findings · 2 fixtures generated
proof_hash sha256:7c3d2a… (Evidence-AIDR)
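To make the HIGH finding above concrete from the defender's side, here is an added example (not Tracestone's code, and not the scanned gateway's code) of a hypothetical /key/generate handler in its vulnerable form beside a hardened form, plus a constructed regression fixture replayed against both. The Principal and KeyStore types, the handler signatures, and the fixture layout are all assumptions for illustration; the page does not show the real fixture format.

```python
"""Added example: tenant-scoped key generation with a regression fixture.

Hypothetical gateway handler (not the scanned product's code) modelled on the
finding above: a request to /key/generate carries a team_id in its JSON body,
and the vulnerable handler trusts it. The hardened handler derives the
caller's tenant from the authenticated principal and rejects mismatches.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class Principal:
    """Authenticated caller as resolved from the bearer token (assumed shape)."""
    user_id: str
    team_id: str          # tenant the caller belongs to
    is_admin: bool = False


@dataclass
class KeyStore:
    """In-memory stand-in for the gateway's key table: key -> owning team."""
    keys: dict = field(default_factory=dict)

    def issue(self, team_id: str) -> str:
        key = "sk-" + secrets.token_hex(16)
        self.keys[key] = team_id
        return key


class Forbidden(Exception):
    """Raised when a caller tries to act outside its own tenant."""


def generate_key_vulnerable(principal: Principal, body: dict, store: KeyStore) -> str:
    """Trusts body['team_id']: tenant A can mint keys scoped to tenant B."""
    team_id = body.get("team_id", principal.team_id)
    return store.issue(team_id)


def generate_key_hardened(principal: Principal, body: dict, store: KeyStore) -> str:
    """Scopes the key to the caller's own tenant unless the caller is an admin.

    The body may name a team only when it equals the principal's team (or the
    principal is a platform admin); anything else is rejected before any key
    is issued, so the decision never depends on client-controlled input alone.
    """
    requested = body.get("team_id")
    if requested is None:
        requested = principal.team_id
    if not isinstance(requested, str) or not requested:
        raise ValueError("team_id must be a non-empty string")
    if requested != principal.team_id and not principal.is_admin:
        raise Forbidden(f"{principal.user_id} may not issue keys for team {requested}")
    return store.issue(requested)


# Constructed regression fixture in the spirit of fixtures/priv-isolation-001.json.
# The real fixture format is not shown on the page; this layout is assumed.
PRIV_ISOLATION_001 = {
    "id": "priv-isolation-001",
    "path": "/key/generate",
    "principal": {"user_id": "alice", "team_id": "tenant-a", "is_admin": False},
    "body": {"team_id": "tenant-b"},
    "expect": "forbidden",
}


def run_fixture(handler, fixture: dict) -> bool:
    """Replays a fixture against a handler; True means the handler passes."""
    principal = Principal(**fixture["principal"])
    store = KeyStore()
    try:
        key = handler(principal, fixture["body"], store)
    except Forbidden:
        return fixture["expect"] == "forbidden"
    # The handler issued a key: that passes only if the fixture expected it
    # and the key is scoped to the principal's own tenant.
    return fixture["expect"] == "issued" and store.keys[key] == principal.team_id


if __name__ == "__main__":
    print("vulnerable passes fixture:", run_fixture(generate_key_vulnerable, PRIV_ISOLATION_001))
    print("hardened passes fixture:  ", run_fixture(generate_key_hardened, PRIV_ISOLATION_001))
```

Wiring run_fixture into CI for every fixture the scan produced is what turns a one-off finding into a regression check: a gateway upgrade that reintroduces body-trusting behaviour fails the suite before it reaches staging.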
Common questions
Which gateways do you currently cover?
We cover the major open-source and cloud-native AI gateway deployments. We also validated corpus transferability against 300+ crypto wallet projects — the vulnerability patterns are consistent across trust-boundary enforcement in multi-tenant key management systems.
Does the scan require access to our production environment?
No. We can scan against a staging replica or a production-equivalent test environment. The audit agent needs network access to the gateway's API surface — not database access, not SSH access. Most teams point us at a dedicated staging deployment.
What do we get as deliverables?
A signed findings report with each vulnerability classified by severity, reproduction steps, and a generated adversarial test fixture. Findings are also logged as entries in the shared evidence chain — giving you a cryptographically verifiable record of your security posture at scan time.
Can we buy this standalone, without the Evidence-AIDR subscription?
Yes. Automated Vuln Discovery is purchasable independently. You get the private corpus, the audit agent, and adversarial fixtures — without requiring a SaaS subscription for the evidence aggregator.
Point our audit agent at your gateway environment and we'll deliver a findings report with cryptographic evidence your team can verify offline.