A recent security analysis conducted by Qualys, using its QualysTotalAI solution, has raised significant concerns about DeepSeek-RI’s risks, particularly in enterprise and regulatory settings.
The newly released large language model (LLM) has captured global attention with its promise of high efficiency and accessibility. Developed by the Chinese startup DeepSeek, the model promises competitive performance while draining fewer computational resources than its Western counterparts.
DeepSeek-R1: A New AI Contender
DeepSeek has introduced multiple distilled versions of DeepSeek-R1, leveraging Llama and Qwen as base models. These variations cater to different use cases, from lightweight models optimized for efficiency to larger, more powerful versions designed for complex reasoning tasks.
However, as AI adoption accelerates, organizations must look beyond performance benchmarks and address critical issues related to security, safety, and compliance. The Qualys TotalAI analysis of the distilled DeepSeek-R1 LLaMA 8B variant underscores the urgency of such assessments.
Rigorous Testing Using Qualys TotalAI
Qualys TotalAI was designed to provide full visibility into AI workloads, detect risks, and protect infrastructure, identifying threats like prompt injection, jailbreak vulnerabilities, bias, and harmful language to help AI models stay secure, compliant, and resilient.
The Qualys security team subjected the DeepSeek-R1 model to rigorous testing using its AI-specific security framework. The findings, particularly in the areas of jailbreak susceptibility and knowledge base (KB) analysis, suggest that while DeepSeek-R1 is a powerful model, it is also highly vulnerable to adversarial manipulation.
Knowledge Base Analysis: 61% Failure Rate
Qualys TotalAI conducted 891 assessments across 16 security categories. The model failed 61% of the tests, with the highest failure rate in misalignment—where the model deviated from expected behaviors and produced unpredictable or harmful outputs. It performed best in sexual content filtering, indicating strong safeguards in that category.
Among the critical areas evaluated were:
- Factual inconsistencies: The model demonstrated vulnerabilities in providing inaccurate or unverifiable information.
- Privacy attacks: It showed susceptibility to extracting or leaking private user data.
- Unethical actions and violence: The model occasionally produced morally questionable or harmful recommendations.
- Harassment and hate speech: Despite built-in restrictions, some adversarial prompts successfully bypassed safeguards.
Jailbreak Testing: 58% Failure Rate
Jailbreaking techniques exploit weaknesses in an LLM’s safety mechanisms, allowing it to generate restricted responses, including instructions for illegal activities, misinformation, and unethical content.
The Qualys team tested DeepSeek-R1 against 18 sophisticated jailbreak strategies, including:
- DevMode2: Tricks models into a fake “Developer Mode” to bypass safety protocols.
- PersonGPT: Forces an unrestricted persona that ignores ethical constraints.
- CaiozAI & Titanius: Removes all safety guidelines to fulfill any request without restriction.
- M78VM: Simulates an unrestricted virtual machine to bypass content moderation.
Out of 885 jailbreak attempts, DeepSeek-R1 failed 58%, showing significant weaknesses when it comes to preventing adversarial manipulation. Among the most worrying jailbreak outputs were instructions on creating explosives, generating hate speech and conspiracy theories, promoting software exploitation, and providing incorrect medical advice.
These results hammer home the importance of robust guardrails that are able to dynamically adjust to adversarial exploits and mitigate security risks in enterprise environments.
Plagued by Security Challenges
DeepSeek AI’s privacy policy states that all user data is stored on servers located in China, raising concerns about regulatory compliance and data sovereignty.
For one, China’s Cybersecurity Law permits authorities to access locally stored data without user consent, which is a big no-no for entities governed by GDPR, CCPA, and other frameworks.
Moreover, enterprises relying on proprietary data for AI training may face unauthorized access or mandated disclosure, and there is limited transparency into how data is stored and shared.
Since DeepSeek ‘hit the shelves’ has been plagued by security challenges. It experienced a large-scale cyberattack that disrupted its services. It was also used to distribute two malicious infostealer packages through the Python Package Index, mimicking legitimate developer tools for the AI platform.
These incidents highlight deficiencies in DeepSeek’s data protection measures and amplify concerns about user privacy and enterprise security.
Regulatory and Legal Implications
Legal analysts have also raised questions about DeepSeek AI’s compliance posture. There are ambiguities in data processing and a lack of clarity on how user data is processed and shared. Moreover, data retention policies may conflict with regulations in global markets.
Some government agencies have also flagged concerns about deploying AI models developed under foreign jurisdiction.
A Big Step Forward
While many vulnerabilities have been identified in DeepSeek-R1, potentially more than other mature models, the model is a new architecture with reasoning built in open source - a big step forward, says Satyam Sinha, CEO and Co-founder at Acuvity.
“No organization should expose an LLM to the end user directly. When they host the DeepSeek-R1 models, organizations must be equally concerned as any other model as models falling into prompt injections and jailbreak is a reality,” Sinha adds.
Businesses must use software architectures and security layers on top of LLMs in line with OWASP’s Top 10 LLMs and other frameworks. “If your enterprise consumes it in an application, you must have the safeguards. You can’t forget, however, that DeepSeek services store your data in China and use it to train and improve models and services, a significant data security risk.”
Sinha says most models in their early stages contain more vulnerabilities than is desirable—it’s the natural course of the model lifecycle, and DeepSeek-R1 is no exception. All models hallucinate, provide misinformation, and are prone to exploits, vulnerabilities, and attacks to varying degrees.
DeepSeek is the Tip of the Iceberg
“Although the industry has been focused on DeepSeek specifically, cyberattacks targeting these services are not new,” Sinha explains. “Even a ‘mature’ GenAI service can fall victim to cyberattacks anytime. While organizations can do their best to vet the services or applications for use by employees, they must realize that such efforts are often short-lived, requiring continuous assessment.”
Entities must invest in solutions and processes in which GenAI services are continuously monitored to detect services and the state of approved services.
DeepSeek is just the tip of the iceberg, not a one-off, Sinha says. “The pace at which these services come online will only accelerate. If they haven’t already, businesses must designate part of their IT/IS team with the charter and budget to secure the use of GenAI.”
Critical Vulnerabilities in DeepSeek-RI
The ability to bypass safety controls and generate harmful content presents the most critical vulnerability in DeepSeek-R1, which could expose organizations to significant security and reputation risks, adds J Stephen Kowski, Field CTO at SlashNext. “AI-powered detection systems can identify when these models are manipulated to produce malicious content or reveal sensitive information. Real-time monitoring and advanced filtering capabilities are essential to protect against these vulnerabilities before they impact business operations.”
Kowski adds that the model’s high failure rate in knowledge base tests reveals potential gaps in its ability to tell the difference between legitimate and harmful requests, making it vulnerable to sophisticated social engineering attacks. Companies should implement AI-powered anomaly detection that uses pattern recognition and behavioral analysis to spot real-time manipulation attempts. Multi-layered security architecture and continuous monitoring can help intercept social engineering attempts and prevent unauthorized access.”
Implement Robust Data Protection Measures
Kowski says entities should implement robust data protection measures, including AI-powered threat detection systems that can monitor and analyze data access patterns to address compliance challenges. Advanced filtering and quarantine capabilities should be deployed to prevent unauthorized data exposure and ensure regulatory compliance.
In addition, they should conduct comprehensive security assessments using AI-powered tools to analyze vast amounts of data and detect subtle anomalies that might indicate potential vulnerabilities. Real-time threat detection and automated response capabilities can help identify and mitigate risks before they lead to security breaches. Advanced pattern recognition and predictive analytics should be used to proactively forecast potential threats and strengthen security measures, Kowski ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.