Hinchilla — agentic threat model

Not certain from the listing — likely relies on third-party commercial LLMs. Primary threats include prompt injection to bypass generation constraints and potential model-level data leakage, though the vendor claims they do not train on user data.

Highly critical layer as the agent's core value is RAG over past proposal documents. Key threats include data exfiltration of proprietary business data, unauthorized access to sensitive pricing/IP across tenant boundaries, and data poisoning if malicious or inaccurate proposals are ingested into the knowledge base.

Not certain from the listing — likely uses a standard RAG orchestration framework. The primary threat is indirect prompt injection, where malicious instructions embedded within uploaded proposal documents hijack the agent's generation logic during retrieval.

Not certain from the listing — likely hosted as a standard cloud SaaS. Threats include insecure storage of uploaded PDF/Word documents, weak vector database access controls, and lack of robust multi-tenant isolation.

Not certain from the listing — no observability or evaluation guardrails are mentioned. Threats include a lack of detection for hallucinated or inaccurate proposal answers, which could lead to legal or financial liability if submitted to clients.

The listing asserts 'Data secure out of the box' and commitments not to share or train on user data. However, specific compliance certifications (e.g., SOC 2) are not detailed, leaving threats of regulatory non-compliance (GDPR/CCPA) if proposals contain PII or sensitive customer data.

Not certain from the listing — the agent appears to operate as a standalone vertical application with no described multi-agent interactions or ecosystem integrations.