Security at the Speed of Innovation: How Tofu Defends AI Without Slowing Down

In the world of AI, innovation happens not in years, but in weeks. New models, agent capabilities, and multimodal features are released at surprising speeds. While the forefront of development races ahead, the reality for many organizations is that security implementation is often left running to catch up.

In the current AI development landscape, the critical challenge is that security must constantly strive to catch up with the speed of innovation. When features are prioritized and patches are applied only after vulnerabilities are discovered, this reactive cycle creates a maintenance cost that will eventually far exceed development costs.

In this article, we share how Tofu faced this structural challenge. We'll walk through the strategies and culture we built to ensure our security keeps pace, protecting our proprietary knowledge from the "probabilistic" risks that are unique to LLM applications.

The Challenge - General Risks in LLM Applications

Why is bridging the gap between AI innovation and security so difficult? It’s because the very nature of LLMs is fundamentally different from the traditional web security we are accustomed to.

In conventional programs, code (instructions) and data (input) are clearly separated by a distinct boundary. This allows rigid, rule-based control where systems are deterministic by design. A specific input follows static logic to always produce the exact same output.

LLMs, on the other hand, operate on a probabilistic nature. The input itself contains a vast array of semantic variables, and due to the stochastic nature of the models, the output is not guaranteed to be identical every time, even if the input remains the same. For engineers accustomed to rule-based logic, this introduces a frustrating reality. To the model, the system prompt prepared by Tofu (instructions) and the context entered by users (data) are both just sequences of tokens. This structurally blurs the critical boundary between instruction and data. For Tofu, this introduces a unique, double-layered challenge.

We are not just building a standard web application. We are integrating LLMs into a complex accounting SaaS platform. This means we must maintain rigorous defense against traditional web vulnerabilities while simultaneously defending against a new layer of probabilistic AI risks that didn't exist a few years ago.

Specifically, we must counter threats such as:

• Prompt Injection: Where attackers manipulate inputs to override system instructions and hijack the model's behavior.
• Jailbreaking: Where specific techniques are used to bypass the model's safety filters and ethical guidelines to elicit forbidden outputs.

To protect the product, Tofu must constantly stay updated on these rapidly evolving attack vectors and implement countermeasures that address both the "deterministic" and "probabilistic" nature of our stack.

Bridging the Gap: Leveraging Our Startup Agility

Staying secure while moving fast is often seen as a trade-off, but at Tofu, we view it differently. In fact, we leverage our nature as a lean startup to turn organizational agility into a strategic security advantage.

In the era of LLMs, effective risk mitigation depends entirely on context. To secure a feature, one must understand not just what the code does, but why it exists and how a user might manipulate it. This level of nuance is difficult to capture through checkpoints or documentation alone. At Tofu, the distance between Security and Engineering is effectively zero. We tackle this challenge not by building gates, but by embedding security directly into our daily development rhythm.

Because our team is compact and collaborative, the security lead possesses the same deep understanding of the product roadmap and business logic as the Product Managers. This contextual fluency is our secret weapon. It allows us to identify subtle, logic-based vulnerabilities during the design phase—long before a single line of code is written. By discussing risks and countermeasures in real-time conversations with developers, we solve problems on the spot. This proactive approach eliminates the friction often associated with security reviews, ensuring that high velocity and high security are mutually reinforcing.

A Safety Net: Verification and External Tooling

While culture and communication form our first line of defense, we cannot rely on human vigilance alone. To ensure no vulnerabilities slip through the cracks, we have constructed a multi-tiered safety net that combines "automated speed" with "human ingenuity."

First, we employ AI-Specific Penetration Testing with an "Assume Breach" mentality. Standard vulnerability scans often miss the nuances of LLM interactions, so we go deeper. Our testing regimen specifically targets sophisticated attack vectors—such as Incremental Extraction (attempting to steal information piece-by-piece through dialogue) or File-Based Injection (embedding hidden commands in PDFs). By rigorously validating our logic against these complex scenarios, we ensure our defenses hold up against real-world adversaries, not just theoretical risks.

To complement this depth, we leverage Automated Tooling & External Eyes for speed and breadth. We use tools like Aikido to constantly scan our codebases and dependencies, keeping pace with weekly release cycles. Furthermore, we actively collaborate with external security experts to audit our defenses, preventing internal "blind spots" and ensuring our security posture remains robust against the latest industry standards.

Conclusion: The Never-Ending Battle

"Security is a process, not a feature." This adage holds even greater weight in the AI era.

In an environment where textbook answers don't exist, we chose to invest in security safeguards which actually match business needs. At first glance, this might seem to slow down development speed. However, we are convinced that security should not be dragging the business but to ensure that security itself keeps its pace with business innovation, rather than trailing behind it.