DeepSeek has failed the security test – and it isn’t alone. A comparative analysis displayed at Cisco Live EMEA in Amsterdam on Tuesday showed that 100% of attacks on DeepSeek were successful. This exposed its extreme vulnerability to jailbreak attacks, data exfiltration, and model manipulation.
Meta’s Llama model fared only marginally better, and OpenAI’s ChatGPT-4o was not far behind, raising concerns about the widespread security risks of AI systems being deployed in business and government applications.
“The problem isn’t just that AI can be attacked,” said Jeetu Patel, Cisco EVP and chief product officer. “It’s that AI itself doesn’t always know when it’s being manipulated.”
The unpredictability of AI, a feature that makes it useful for complex tasks, is also its Achilles’ heel. Unlike traditional software, AI models generate responses based on probabilistic calculations, making them highly susceptible to “adversarial manipulation”.
The implications for enterprises relying on AI systems are significant. Generative AI is rapidly being integrated into customer service, cybersecurity monitoring, and decision-making processes. It means that, if an adversary can exploit these systems, they could redirect conversations, extract confidential data, or even modify AI-generated reports to serve malicious ends. The potential for misinformation at scale is a looming concern, as is the risk of AI-powered phishing and fraud campaigns.
DJ Sampath, Cisco VP of product, AI software and platform, described the process: “We tested Deepseek using ARMBench, an industry-standard framework for adversarial robustness. And every single attack succeeded. That’s not a minor issue—it’s a systemic failure.”
The vulnerabilities identified fall into two categories: model safety and model security. Safety vulnerabilities in Deepseek allowed attackers to bypass guardrails meant to prevent harmful or illegal requests, making it possible to generate outputs that violate ethical guidelines. Security vulnerabilities, on the other hand, left Deepseek open to manipulation through adversarial data injections, which gradually altered its responses over time.
Cisco’s research highlights a stark reality: AI safeguards are still in their infancy. Patel compared AI security today to cybersecurity 20 years ago, when organisations reacted to threats only after breaches occurred.
“The industry is still playing catch-up,” he warned. “We need AI that’s aware of its own risks. That’s the next frontier.”
One of the biggest concerns is that AI security threats are evolving faster than traditional mitigation strategies can handle. Patel pointed to quantum-generated adversarial prompts, a method where AI is used to attack AI. These sophisticated attacks can outpace traditional patching cycles, leaving models like Deepseek, Llama, and ChatGPT vulnerable even after updates.
Sampath echoed this concern: “Attackers are leveraging AI to find vulnerabilities faster than security teams can patch them.”
Cisco’s response to these threats is Cisco AI Defense, a security framework designed to validate AI models continuously, before and during deployment.
The system continuously tests AI models, detecting silent corruption before it can be exploited. The framework focuses on both model safety and adversarial resilience, ensuring AI systems can withstand real-world attack scenarios.
Patel said organisations must take proactive measures, including adversarial testing, security-first AI policies, and continuous monitoring.
“We need AI that is actively monitored for anomalies in real time. Every company is going to be an AI company. The question is whether they will be a secure AI company.”
* Arthur Goldstuck is CEO of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Bluesky on @art2gee.bsky.social.