Why share the threat model with customers?

It accelerates security review, shows you anticipate abuse vectors, and proves you have owners for each control.

How often should we update it?

Quarterly or after any major architecture change. CrawlBot’s threat model is a living document tied to the Ops runbook.

Which controls matter most?

Prompt injection mitigation, SSRF protections in crawlers, data retention policies, widget CSP/SRI, and kill switches.

Threat Model Questions for AI Assistants

2/24/2025

threat-model • security • ai-assistant

Threat Model Questions for AI Assistants

Security teams deciding on AI chat deployments ask the same questions. Use this checklist to prep your answers and demonstrate mature controls.

1. Prompt injection and abuse

How do you sanitize retrieved content before sending it to the LLM?
Do you enforce citations-only responses and refusal logic when context is missing?
Can admins review negative feedback and adjust prompts safely?

2. Crawler and SSRF risk

Do you obey robots.txt, enforce allowed domain lists, and block internal IP ranges (e.g., 169.254.169.254)?
What happens when a crawler hits 429/5xx? Show politeness controls like QPS limits and backoff.
Are headless renderers isolated in Cloud Run with minimal permissions?

3. Data retention and deletion

Default retention for chat logs, analytics, and audit configs (e.g., 90/90/365 days) plus tenant overrides up to 730 days.
Evidence capture for GDPR deletion (hash, actor, scope) without storing original PII.
Scheduled deletion jobs and operator visibility via compliance dashboards.

4. Embed security

Content Security Policy (CSP) and Subresource Integrity (SRI) for widget scripts and styles.
PostMessage origin checks to prevent hostile parent frames from manipulating the chat.
CORS policy (GET/HEAD only) and strict headers: X-Content-Type-Options, Referrer-Policy, frame-ancestors.

5. Secrets and LLM providers

Provider abstraction with timeouts, retries, circuit breakers, and fallback logging.
Secret rotation via GCP Secret Manager, KEK/DEK strategy with Tink, and audit logs for access.
Fallback reason logging (low_score, provider_error, timeout, overflow) tied to monitoring.

6. Kill switches and incident response

Ability to disable embeds per tenant, per environment, or globally.
Ops runbooks for provider outages, stale crawls, billing lockouts, and compliance incidents.
Alert destinations (Google Chat, PagerDuty) and RTO/RPO targets (4h/24h per AGENTS spec).

CrawlBot readiness

CrawlBot maintains a formal threat model covering prompt injection, XSS, SSRF, data exfiltration, token leakage, and supply chain risk. Controls map to owners, likelihood, and mitigation tests. Share this checklist with your own customers to build trust quickly.***

Next Step

Evaluation Guide (Score Vendors)

Use rubric to compare solutions

Enterprise Security & SLA

Controls, retention, guarantees

Start Free 5‑Page Crawl

Hands-on trial environment