
Braintrust Breach: Cloud Security Risk in Your AI Stack

  • May 11
  • 5 min read

Braintrust

On May 4, the AI evaluation platform Braintrust discovered unauthorized access to one of its AWS accounts. The account held API keys that customers used to connect their applications to cloud-based AI models. By May 6, every Braintrust customer had been told to rotate any keys stored with the company.

The Braintrust incident is the cleanest example yet of a new class of supply chain risk: AI tools that have quietly become credential warehouses for an entire AI stack.


What happened at Braintrust


Braintrust raised $80 million in February 2026 at an $800 million valuation. Its platform helps engineering teams monitor and evaluate AI models in production. To do that job, it stores customers’ AI provider API keys — the credentials that let an application call an AI model and receive a response.


Suspicious activity was reported on May 4. Braintrust says it locked down the compromised AWS account, audited and restricted access to related systems, rotated internal secrets, and engaged outside incident response experts. Customers were emailed on May 5 with indicators of compromise and remediation guidance. The company has confirmed one impacted customer and is investigating three more that reported suspicious spikes in AI provider usage.

So far, public disclosure is limited. Braintrust says it has not found evidence of a broader breach beyond the confirmed customer. The company is also telling every customer who stored AI provider secrets to rotate them as a precaution, which tells you something about the level of forensic certainty available right now.


Why this matters if you have never heard of Braintrust


Here is the part that should land for a CFO, COO, or owner: you may already use a Braintrust, even if your company has not formally approved one.

AI evaluation and observability platforms are a fast-growing category. So are AI gateway tools, prompt management platforms, and AI-native workflow tools that hold the API keys connecting your data, and your customers’ data, to OpenAI, Anthropic, Google, Azure, and others. Each of those tools is a place where high-value credentials sit.


Jaime Blasco, CTO of Nudge Security, framed it directly for SecurityWeek: every AI evaluation, observability, and gateway tool a company adopts becomes a credential warehouse, and those warehouses are now a tier-one target. If your developers, marketers, or data team have signed up for any of these — often on a credit card, often without IT review — your AI credentials are spread across vendors you do not have an inventory of.


The downstream effect is concrete. Once an attacker has a valid AI provider API key, they can authenticate to the provider's API exactly as your application does. They can run up large compute bills against your account, exfiltrate prompt and output data, or pivot to integrations that depend on the same credential.


How the attackers got in


Braintrust has not disclosed the initial access vector publicly. The known facts are that attackers reached one of Braintrust’s internal AWS accounts and that the account held customer-facing API keys. MITRE ATT&CK maps this pattern to T1078.004 — abuse of valid cloud accounts.


What the disclosure does reveal is the breach shape. A SaaS vendor’s cloud account gets compromised. Credentials stored inside that account give the attacker access to dozens or hundreds of downstream customers without ever touching those customers’ own infrastructure. CircleCI followed the same pattern in 2023, asking customers to rotate every secret they had stored. A separate incident in April involving a compromised AWS account used by the European Commission resulted in 92 gigabytes of data being stolen. The mechanics repeat.


Your AI vendors are now part of your attack surface


Most mid-market companies still treat AI tools as an experimentation line item. Procurement is not involved. Security review is not involved. The CFO sees small monthly charges on the corporate card and moves on.


That model worked when AI tools meant a writing assistant. It does not work when an AI tool holds the keys that let your code talk to an LLM with access to customer data, financial records, or proprietary content. The risk profile of an AI evaluation platform sitting in your stack is closer to that of a CI/CD vendor than a typical SaaS productivity app.


Three shifts make this risk worse than the typical SaaS supply chain concern.

The keys themselves are high-value. AI provider tokens can be abused immediately for compute and data exfiltration with low detection probability.


The vendors are young. Many AI tool startups are 18 to 36 months old. Their security programs are catching up to their growth, not leading it.

The blast radius is opaque. Unlike a payroll provider where you know exactly which records were exposed, a compromised AI gateway can affect every prompt and output that passed through it, and most companies do not retain logs detailed enough to reconstruct that history.


For regulated businesses, this lands harder. If you operate under HIPAA, PCI DSS, GLBA, or state-level data protection rules, an AI tool that received customer PHI, payment data, or personal information in a prompt is part of your compliance picture whether you have documented it or not. AI security governance and cloud security services are increasingly the same conversation viewed from two angles.


What to do this week


Four actions are worth pushing onto your IT or security lead this week, regardless of whether you use Braintrust.


  1. Build the inventory. Ask your team for a written list of every third-party tool that holds an API key for an AI provider. Include trial accounts, developer-only tools, and anything signed up through the engineering, marketing, or operations teams. If nobody can produce the list in a meeting, that is your first finding.

  2. Rotate the keys you can identify. If you are a Braintrust customer, follow their guidance: visit the org-level settings page, delete the existing secrets, configure new ones, and confirm the timestamps changed. For every other AI tool, set a policy that production keys are rotated on a schedule and never reused across environments.

  3. Turn on usage and spend anomaly alerts at every AI provider. OpenAI, Anthropic, Azure AI, and the major cloud platforms all offer usage and cost anomaly alerts. Compromised keys typically show up as sudden usage or spending spikes before they show up anywhere else.

  4. Decide who is accountable. A surprising number of organizations cannot answer the question of who owns AI tool security. If the answer is unclear, this is the kind of cross-cutting gap a vCISO or fractional CISO is designed to close — someone who can hold AI governance, vendor security, and cloud security under a single set of standards. Purple Shield’s vCISO services are built for exactly this situation, where AI tool adoption has moved faster than the existing security program.
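As an added illustration of the detection logic behind action 3 (this is example code written for this article, not Braintrust's or any AI provider's own tooling), the check below compares each key's daily spend with the median of its own recent history, so a leaked key's sudden spike stands out without a hand-tuned per-key threshold. The key labels, dates and spend values are constructed sample data.

```python
"""Flag AI-provider API keys whose daily spend jumps far above their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample: (key_label, day, usd_spend). The production key shows a
# sudden spike on day 8, the shape a leaked key typically produces.
SAMPLE_USAGE = [
    ("svc-prod-openai", f"2026-05-0{d}", 12.0 + (d % 3)) for d in range(1, 8)
] + [("svc-prod-openai", "2026-05-08", 410.0)] + [
    ("svc-staging-anthropic", f"2026-05-0{d}", 3.0 + (d % 2)) for d in range(1, 9)
]


def spike_alerts(records, baseline_days=7, multiplier=5.0, min_abs=50.0):
    """Return (key, day, spend, baseline) for every day whose spend exceeds
    multiplier x the median of the preceding baseline_days AND exceeds min_abs
    (so a near-zero baseline does not alert on ordinary growth)."""
    by_key = defaultdict(list)
    for key, day, spend in records:
        by_key[key].append((day, spend))

    alerts = []
    for key, rows in by_key.items():
        rows.sort()  # ISO dates sort chronologically as strings
        for i, (day, spend) in enumerate(rows):
            window = [s for _, s in rows[max(0, i - baseline_days):i]]
            if len(window) < 3:  # not enough history to judge this key yet
                continue
            base = median(window)
            if spend > base * multiplier and spend > min_abs:
                alerts.append((key, day, spend, round(base, 2)))
    return alerts


if __name__ == "__main__":
    for key, day, spend, base in spike_alerts(SAMPLE_USAGE):
        print(f"ALERT key={key} day={day} spend={spend:.2f} baseline={base:.2f}")
```

The same rule applies to request counts or token totals if the provider's export gives those instead of dollars.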


The pattern is unlikely to slow


Expect more incidents like Braintrust in the next 12 months. The combination of fast-growing AI vendors, sprawling credential storage, and tier-one target value makes this a category attackers will keep returning to. The companies that come out of this period best will not be the ones avoiding AI tools — they will be the ones who treat every AI tool the way they already treat their core SaaS systems: inventoried, governed, and held to a documented security standard.


If your team is working through what your AI stack actually looks like and where the cloud security gaps are, Purple Shield’s cloud security consulting can help map the credentials, the integrations, and the response plan before an incident forces those questions.
