Frequently Asked Questions
Common questions about working with Fenko
General
What does Fenko do?
Fenko is a New Zealand-based security and AI company. We do three things:
- AI Agent Development — we build custom autonomous agents, task automation, multi-agent orchestration, and RAG pipelines tailored to your business
- AI Security — we audit AI systems, test for prompt injection and jailbreaks, monitor inference pipelines, and implement access controls
- Penetration Testing — we test web apps, mobile apps, APIs, networks, cloud environments, and AI systems for security vulnerabilities
We also build RiskyPlugins.com, a product for analysing the security posture of browser extensions and AI plugins.
Where is Fenko based?
Auckland, New Zealand. We work with clients globally and operate as a remote-first team.
How do I get started?
Email [email protected] with a brief description of what you need. We’ll set up an initial call to understand your requirements, then come back with a scoping proposal and timeline.
AI Agent Development
What kind of AI agents do you build?
Custom autonomous agents designed around your workflows. This includes:
- Task automation agents that handle repetitive business processes
- Multi-agent systems where several agents coordinate on complex tasks
- RAG pipelines that ground LLM responses in your enterprise data
- Tool-using agents that integrate with your existing APIs and systems
We work with the latest LLM infrastructure and deploy to your environment — cloud, on-prem, or hybrid.
Which LLMs and frameworks do you work with?
We’re model-agnostic. We work with Claude, GPT-4, open-source models, and whatever fits your requirements best. On the framework side, we work with LangChain, LlamaIndex, custom orchestration layers, and direct API integrations.
The right choice depends on your use case, data sensitivity, latency requirements, and budget.
Do you provide ongoing support after deployment?
Yes. AI agents need monitoring and tuning over time. We offer support agreements that cover performance monitoring, model updates, prompt refinement, and incident response. The specifics depend on the engagement.
AI Security
What does an AI security audit cover?
We look at your full AI stack:
- Prompt injection and jailbreak testing — can your system be manipulated into unintended behaviour?
- Data leakage assessment — are your models or pipelines exposing sensitive data?
- Access control review — who can interact with your AI systems and what can they do?
- Inference pipeline security — monitoring for anomalies, adversarial inputs, and model abuse
- Supply chain analysis — are the plugins, extensions, and dependencies in your AI stack trustworthy?
We deliver findings with severity ratings, reproduction steps, and remediation guidance.
What is Foxhound?
Foxhound is the workflow and delivery platform behind our penetration testing practice. It gives clients a portal to track engagement progress, review findings as they’re published, inspect evidence, and download reports — all in real time rather than waiting until the end of the test.
You can access it at foxhound.fenko.nz.
What is RiskyPlugins?
RiskyPlugins.com is our product for analysing the security of browser extensions, VS Code extensions, and Microsoft 365 applications. It provides risk scores, malware detection, and security assessments across major extension marketplaces.
It’s a separate product from our consulting services — you can use it directly at riskyplugins.com.
Penetration Testing
What types of penetration testing do you offer?
We cover:
- Web Applications — OWASP Top 10 and beyond
- Mobile Apps — iOS and Android
- APIs — REST, GraphQL, gRPC
- Network Infrastructure — internal and external
- Cloud Environments — AWS, Azure, GCP
- AI Systems — LLM applications, agent frameworks, inference pipelines
Every engagement is manually scoped and tested. We don’t just run scanners.
What do I get at the end of an engagement?
You get:
- Access to our Foxhound portal for real-time findings tracking
- A professional report with CVSS-scored findings, reproduction steps, and remediation guidance
- A debrief call to walk through the results and answer questions
- A retest window to verify fixes
How long does a typical pentest take?
It depends on scope. A focused web app test might take a week. A broad engagement covering multiple systems could take several weeks. We scope every engagement individually and give you a clear timeline upfront.
Working With Us
How does pricing work?
We price based on scope and complexity, not hourly rates. After an initial scoping conversation, we provide a fixed-price proposal so there are no surprises. For ongoing work (agent support, continuous security testing), we offer retainer arrangements.
Do you work under NDA?
Yes. We’re happy to sign NDAs before any scoping conversations. Confidentiality is standard practice for all our engagements.
Can you work with our existing security team?
Absolutely. We regularly work alongside internal security teams, complementing their capabilities. Whether you need extra hands for a specific project or specialised expertise in AI security, we integrate with your existing processes.
Still have questions? Email us at [email protected] — we’re happy to help.