35,000Automated attack sessions
A regional health authority needed comprehensive security testing for its support chatbot before public launch. As their first patient-facing AI initiative — handling more than 17,000 monthly support calls — external validation was critical before going live. A single misconfigured guardrail or undetected vulnerability could expose patients to harmful or misleading health information at scale. Unlike a failed retail chatbot, the consequences here weren't a lost sale — they were an erosion of patient trust, potential regulatory action and risk to the people the organization exists to serve.
The challenge
With no prior AI deployment of this kind and strict healthcare compliance requirements, the team needed more than an internal review. Manual red teaming couldn't simulate the volume or sophistication of real-world attacks — and for any public-facing healthcare chatbot, the potential risks are significant. Without rigorous automated testing, even a well-built system can be manipulated into providing medical advice it was never designed to give, responding with inappropriate content or exposing sensitive data through sophisticated attacks. For a tool serving patients at scale, validating against these possibilities wasn't optional.
The solution
The team implemented Fuel iX Fortify to automate red teaming using AI. Fortify enabled both technical and non-technical team members to simulate thousands of real-world attacks, uncovering hidden risks that manual testing and extensive User Acceptance Testing (UAT), the final round of checks before a system goes live, had missed entirely.
The results
The health authority completed full security validation in just eight days — giving leadership the confidence to launch a safe, compliant chatbot experience for patients and the public.
Fortify delivered:
- Discovery of 129 vulnerabilities, including critical binary-to-text attacks, where malicious instructions are encoded to evade safety filters, that bypassed cloud provider guardrails.
- 35,000 automated attack sessions executed to validate chatbot security before public deployment.
- Creative attack vectors that previous manual testing had failed to surface.
Curious how another healthcare organization approached the same challenge? Island Health was preparing to launch Shay, their first public-facing careers chatbot, and leadership needed more than gut confidence before go-live. With Fortify, they ran more than 1,000 tests in a single session, cut testing time by 97% and got the validation they needed to launch with certainty. Read the full case study.