Module 3 of 6 · Vector DB & RAG Security · Core Security Path

Pipeline Security

Securing the
Embedding Pipeline

From raw document to stored vector, every step is an attack surface. This module covers how to lock down each one, with VectaX encrypt-at-embed at the centre.

22 min read
Core Security
Intermediate

Module Progress

1 2 3 4 5 6

Section 01 · Foundation

The pipeline as a security boundary

Most RAG security thinking focuses on the vector database itself. That is the wrong place to start. By the time data reaches the vector store, it has already passed through four or five steps where an attacker could have introduced malicious content, corrupted the embedding, or caused sensitive data to be exposed.

The embedding pipeline is the full sequence from raw document to stored vector. Each step is a distinct control point. If any step lacks proper controls, everything downstream inherits that weakness. A document that was not sanitised at ingestion becomes a poisoning vector. An embedding model that was not verified becomes a supply chain risk. A vector generated from plaintext that is never encrypted is vulnerable at every step between generation and storage.

The Cisco 2024 white paper on securing vector databases states this directly: a secure embedding pipeline ensures that data is sanitised, classified, and monitored before it becomes part of the retrieval system. That principle governs every section in this module.

Key principle: Security controls applied upstream are always more effective than controls applied downstream. A document sanitised before embedding cannot poison the retrieval layer. A vector encrypted before storage cannot be reconstructed even if the database is compromised. The pipeline flows in one direction. Put controls at the start, not only at the end.

Section 02 · Ingestion

Document ingestion controls

Document ingestion is where external content enters your system. Everything that happens here affects every component downstream. A malicious document that passes ingestion without scrutiny becomes an embedded vector in your database and a potential retrieval result for your users.

The three things ingestion controls must do: validate that the document is what it claims to be, sanitise it to remove dangerous content, and classify it so access controls can be applied correctly at retrieval time.

📄
PDF
Highest risk
Hidden text layers, embedded JavaScript, complex rendering that differs between parser and viewer, font-based encoding tricks, and link objects that execute on open. Always parse in a sandboxed process. Strip all JavaScript and embedded objects before embedding.
📊
Office Files
High risk
DOCX, XLSX, and PPTX files can contain macros, embedded objects, and DDE (Dynamic Data Exchange) links. Strip macros before parsing. Use LibreOffice or python-docx with macro execution disabled, never open these files in a full Office installation on a server.
🌐
HTML
High risk
External HTML from crawlers can contain XSS payloads, hidden div text, script tags, and prompt injection in white-on-white text. Strip all script tags, style blocks, and HTML comments before embedding. Parse body text only.
{ }
JSON / CSV
Medium risk
Field values can carry injection payloads. Validate against expected schemas. Reject records with unexpected field types, oversized values, or control characters in string fields. Do not embed raw field values without sanitisation.
📝
Plain Text / Markdown
Lower risk
Lowest attack surface but not zero. Markdown can contain hidden HTML. Long documents with repetitive content or unusual character distributions may be crafted to position embeddings deliberately. Check for anomalous content patterns.
🗜
Archives / Zips
Do not ingest
Zip bombs, path traversal in archive entries, and nested archives can crash parsers or consume unlimited resources. Never ingest archive files directly. Extract and validate each file individually with strict size limits.

Classification before embedding

Every document that enters the ingestion pipeline should be assigned a classification level before embedding. This classification label becomes part of the metadata attached to each vector at storage time. At retrieval time, the label is used to enforce access controls so that only users with the appropriate clearance see documents from each classification level.

Classification must happen at ingestion, not as an afterthought. If a document is embedded without a classification label, the metadata cannot be retroactively added reliably because you would need to re-embed and re-index every chunk. Set up classification as part of the ingestion pipeline from day one.

Ingestion from untrusted sources: If your RAG system ingests content from external sources such as web crawlers, user uploads, email attachments, or third-party APIs, treat all of it as untrusted. This is not the same as treating it as malicious, but it means applying the same validation and sanitisation as you would for data from an unknown origin. An employee who uploads a document from their personal cloud storage is introducing external content. Apply the controls consistently.

Section 03 · Chunking

Chunking and preprocessing: where context gets fragmented

Chunking splits source documents into smaller segments that each become a separate embedding. The purpose is retrievability: a 50-page contract should not become a single vector that gets retrieved in its entirety for a narrow question. You want to retrieve only the relevant paragraph.

But chunking creates security problems that teams rarely think about. The way you split a document determines what information can be retrieved separately, what context gets lost at chunk boundaries, and how an attacker can position poisoned content to be retrieved for specific queries.

Chunking strategy recommendations: Use semantic chunking (splitting on paragraph and section boundaries) rather than fixed-size character chunking. Fixed-size chunking often splits sentences mid-thought, creating chunks that lack enough context to be meaningful and increasing the chance of boundary leakage. Add overlapping context windows where each chunk includes the last sentence of the previous chunk and the first sentence of the next, so retrieval provides coherent context.

For documents with mixed classification content (a contract with both standard terms and confidential pricing), chunk at section boundaries and apply per-chunk classification labels rather than document-level labels. This is more work to implement but prevents high-sensitivity chunks from being retrieved in low-sensitivity contexts.

Section 04 · OWASP LLM03

Embedding model supply chain: trusting what generates your vectors

The embedding model is the component that determines what every vector in your database actually represents. If this model is backdoored, substituted, or manipulated, an attacker can control how documents map to the embedding space without ever touching your database. Every vector you have ever stored becomes compromised from the moment the bad model was used.

This is not theoretical. Backdoored machine learning models have been published on public repositories. The Hugging Face MTEB leaderboard lists hundreds of embedding models, many from organisations with no verifiable security posture. Using any of these without verification is a supply chain risk.

Model substitution
Attack vector
An attacker substitutes a legitimate model in a package registry or model hub with one that has been manipulated. The filename and model card look identical. The outputs appear normal on test inputs but produce predictable vectors for specific trigger inputs, allowing an attacker who knows the trigger to reliably surface specific documents.
Fix: pin the model version AND verify the SHA256 hash of the downloaded weights before any production use.
Backdoored weights
Attack vector
Backdoor attacks on embedding models (also called trojan attacks) inject hidden behaviour during training. The model performs normally on standard inputs but produces manipulated outputs when a specific trigger is present. An attacker who publishes a backdoored embedding model can control retrieval results for any RAG system that uses it.
Fix: only use models from verified publishers with published training provenance. For sensitive applications, run adversarial input testing on the model before deployment.
Version drift without re-embedding
Operational risk
If the embedding model version changes (even a minor update) without re-embedding the entire corpus, the existing vectors and new vectors are from different embedding spaces. Similarity search across mixed-version vectors produces incorrect and unpredictable results. This is not an attack but produces the same result: retrieval that surfaces wrong documents.
Fix: pin embedding model versions. Track which model version was used for each batch of embeddings. Re-embed the full corpus when the model changes.
API endpoint substitution
Attack vector
If your embedding pipeline calls an external API (OpenAI, Cohere, etc.), an attacker who can intercept or redirect that traffic can substitute different embedding values for your documents. This is a MITM attack on the embedding step. Without TLS certificate verification, embeddings in transit can be replaced.
Fix: enforce TLS with certificate verification on all embedding API calls. Never disable SSL verification in production. Log embedding API responses for anomaly detection.

AI-BOM for embedding models: Maintain an AI Bill of Materials that records the exact model name, version, hash, download source, and date for every embedding model in your pipeline. When a security advisory affects a model you use, you need to know immediately. This is the same principle as a software SBOM but applied to ML model artefacts.

Section 05 · VectaX

Encrypt-at-embed: closing the plaintext window

Standard encryption at rest protects vectors stored on disk. It does not protect vectors that are in memory during indexing, in transit between the application and the database, being processed by the orchestration layer, or visible to any service with database query access.

Encrypt-at-embed means the vector is encrypted immediately after it is generated, before it is passed to any other system. The encrypted vector is what gets stored, indexed, and queried. The plaintext vector never leaves the embedding step.

How to implement it

Python · VectaX encrypt-at-embed (pip install mirror-sdk)

# Standard setup
from mirror_sdk.core.mirror_core import MirrorSDK, MirrorConfig
from mirror_sdk.core.models import VectorData
import openai

config = MirrorConfig.from_env()  # reads MIRROR_API_KEY
sdk = MirrorSDK(config)

# 1. Generate embedding as normal
doc = "Employee salary review policy Q3 2026"
embedding = openai.embeddings.create(
    model="text-embedding-3-small",
    input=doc
).data[0].embedding

# 2. Encrypt immediately after generation (before passing anywhere)
vector = VectorData(vector=embedding, id="hr_policy_q3")
encrypted = sdk.vectax.encrypt(vector)

# 3. Apply access policy before storage
sdk.set_policy({
    "roles": ["hr_manager", "department_head"],
    "departments": ["human_resources"]
})

# 4. Store encrypted vector - works with ChromaDB, Qdrant, Pinecone, pgvector
# db.store(encrypted)  ← same interface as plaintext storage

Try it live · VectaX Playground

Run encrypt-at-embed on real vectors and compare search results vs plaintext

Section 06 · Metadata Security

Format-preserving encryption: protecting metadata without breaking it

Vector embeddings are the main data in a vector database, but metadata is often more sensitive in practice. Metadata fields like document IDs, customer references, employee numbers, and classification labels directly identify what a vector represents. An attacker who reads metadata does not need to invert the embedding. The metadata already tells them what the document is about.

Standard encryption of metadata creates a problem: many retrieval workflows filter results by metadata values. If a customer service application needs to retrieve only documents relevant to customer ID 84721, it passes that filter to the vector database. If the customer ID field is encrypted with standard AES, the filter no longer works because the encrypted value of 84721 does not match the stored encrypted value unless the query uses exactly the same key and nonce, which requires a more complex query structure.

Format-preserving encryption (FPE) solves this. FPE encrypts a value while preserving its format. A 10-digit number stays a 10-digit number. A string in a specific pattern stays in that pattern. The encrypted value is different from the original but looks identical in format, so existing filter logic continues to work.

Field type Plaintext value FPE encrypted 🔒 Filter still works? Why it matters
Customer ID CUST-84721 CUST-X7Q3R Yes, pattern preserved Leaks customer identity if exposed
Employee number EMP-001204 EMP-9K4M71 Yes, pattern preserved Links documents to specific people
Classification label CONFIDENTIAL XKPRLQSMTEN Yes, exact match filter Reveals document sensitivity level
Phone number +353-87-1234567 +353-87-8X3K9W2 Yes, format preserved Direct PII under GDPR
Patient ID PAT-2024-00847 PAT-2024-7B3KQ Yes, pattern preserved HIPAA-protected identifier
Document source path /hr/salaries/q3.pdf /hr/salaries/k9w.pdf Partial match only Reveals internal file structure

VectaX includes FPE for metadata fields as part of the SDK. You define which fields require FPE during the policy configuration step, and the SDK handles encryption and decryption transparently when reading and writing metadata. The key is held separately from the database, so a compromised database does not expose the metadata values.

Compliance note: GDPR Article 32 requires appropriate technical measures for personal data, which the European Data Protection Board has confirmed includes pseudonymisation of identifiers in databases. FPE on metadata fields like customer IDs and employee numbers satisfies this requirement while keeping the database functional. HIPAA's Safe Harbour de-identification standard explicitly requires removal or protection of 18 categories of identifiers, all of which can appear in vector database metadata.

Section 07 · Validation

Input validation: what the pipeline should reject

Input validation sits at the boundary between the ingestion controls and the embedding step. Its job is to reject anything that does not conform to what the pipeline expects. The Cisco 2024 white paper on securing vector databases specifically names input validation and sanitisation as mitigations for malicious vector injection. The principle is simple: if you only accept inputs you understand, you have a much smaller attack surface than if you accept everything and try to neutralise bad content after the fact.

Required
Document type allowlisting
Only accept file types that your pipeline explicitly handles. Reject anything else with a clear error before attempting to parse it. Allowlisting is safer than blocklisting: define what you accept, not what you reject.
Required
Size limits on documents and chunks
Set maximum file sizes for ingested documents and maximum token counts for individual chunks before embedding. Oversized inputs can crash parsers, produce embedding timeouts, or cause context window overflow. An attacker can use oversized documents as a denial-of-service vector against your ingestion service.
Required
Vector dimension validation
If your pipeline accepts pre-computed vectors (for direct injection detection), validate that every incoming vector has exactly the expected number of dimensions for your embedding model. A vector with the wrong number of dimensions is either from a different model (and should not be stored) or has been manually crafted for injection.
Important
Content character and encoding validation
Strip null bytes, control characters, and uncommon Unicode that are frequently used to hide malicious content. Normalise all text to UTF-8 before processing. Documents with high proportions of non-printable characters or unusual encoding should be quarantined for review rather than passed directly to the embedding model.
Important
Metadata schema validation
Validate all metadata fields against expected schemas before storage. Reject records with unexpected field names, wrong value types, or values outside allowed ranges. An attacker who can inject metadata fields can bypass classification controls or add filtering labels that cause documents to appear in the wrong access context.
Recommended
Source identity verification
Log the identity of the service or user that submitted each document for ingestion. This provides the audit trail needed to trace poisoned content back to its source. Without this, post-incident forensics cannot determine who introduced malicious content or when.

Section 08 · Detection

Anomaly detection on insertion events

Input validation rejects known-bad inputs. Anomaly detection catches patterns that are not obviously wrong but are statistically unusual. The Cisco white paper recommends both together: validate individual inputs, and separately monitor the aggregate pattern of insertions over time.

Anomaly detection on write events is the closest thing to an intrusion detection system for your embedding pipeline. Here are the signals that matter most.

Bulk insertion spikes
A sudden increase in insertion volume from a single service identity in a short window. Normal ingestion pipelines have relatively stable write rates. A spike may indicate automated bulk injection or a compromised pipeline processing a large payload.
High signal
Off-hours insertions
Insertions at times when your ingestion pipeline should not be running. If your document pipeline only runs during business hours and you see insertions at 3am, investigate immediately. Attackers who have compromised a service often act during low-visibility periods.
High signal
Insertions from unexpected sources
Write requests from service identities, IP addresses, or API keys that are not in your authorised ingestion list. Every insertion should come from a known, authenticated, authorised source. Any unrecognised source is a red flag regardless of whether the content looks normal.
Critical signal
Dense clustering in embedding space
A batch of new insertions that cluster tightly in a specific region of the embedding space. This is a signature of semantic positioning attacks where an attacker inserts many vectors near a high-value query area to ensure retrieval. Legitimate ingestion produces more distributed embedding patterns.
Medium signal
Metadata classification mismatches
Documents classified at a level inconsistent with their source path or author. If a document from an external web crawler is labelled as INTERNAL-CONFIDENTIAL, that is a metadata anomaly. Either the classification system was bypassed or someone is manipulating labels.
Medium signal
Vector value range anomalies
Vectors with component values far outside the expected range for your embedding model. Most embedding models produce normalised vectors with values in a predictable range. Values far outside this range suggest manually crafted vectors rather than model-generated ones.
Medium signal

How DiscoveR helps here: DiscoveR from Mirror Security includes automated adversarial testing that probes your insertion pipeline for validation gaps and tests whether anomalous insertion patterns trigger your monitoring. It provides a baseline of expected pipeline behaviour so deviations are easier to detect. See DiscoveR →

Section 09 · Advanced

Graph embedding security

Graph embeddings are used in enterprise RAG systems that query structured relational data: knowledge graphs, org charts, social networks, supply chain relationships, or any domain where connections between entities matter as much as the entities themselves. Instead of embedding flat documents, graph embedding encodes the structure of a graph into vectors.

The security concerns for graph embeddings overlap with those for document embeddings but add one important additional risk: inverse lookup attacks on graph structure. If an attacker can extract graph embeddings, they may be able to reconstruct not just the content of individual nodes but the relationships between them. This is often more sensitive than the content itself. Knowing that person A reported to person B and was connected to project C tells an attacker something about organisational structure that individual documents would not reveal.

The Cisco white paper recommends using graph attention networks (GATs) to encode graphs because they apply selective attention to neighbouring nodes and edges, meaning the embedding focuses on the most structurally important connections rather than encoding the full graph topology. This reduces the information available to an inversion attack.

The cross-matrix fusion method mentioned in the Cisco paper applies an additional transformation to the encoded feature vectors before storage. This transformation is designed to make it harder to recover the original graph structure from the stored vectors, even with knowledge of the GAT architecture. Combined with VectaX encryption, it creates two separate barriers against graph structure reconstruction.

Section 10 · VectaX

Secure agents pipeline: end-to-end from ingestion to serving

Individual pipeline controls protect individual steps. The VectaX secure agents pipeline is the architectural pattern that connects all of these controls into a coherent system where data is encrypted from the point it enters the pipeline through to model serving, with no plaintext windows in between.

This matters for agentic RAG systems in particular. An AI agent that can ingest new documents, retrieve existing ones, generate responses, and take actions based on retrieved content needs security that spans all of those operations. A control that only protects the vector database does not cover the agent's tool calls, its context window, or the documents it generates as outputs.

VectaX secure agents pipeline: what is protected at each stage

📥
Data ingestion
Documents validated, sanitised, classified. FPE applied to metadata fields before storage.
Protected
🔒
Embedding and encryption
Vectors encrypted at generation via sdk.vectax.encrypt(). Never stored as plaintext.
Protected
🗄
Vector storage and retrieval
Encrypted similarity search. RBAC enforced at query time at role, group, and department level.
Protected
🤖
Agent context and tool calls
AgentIQ policy engine monitors inputs, outputs, and tool calls. Guardrails enforced at runtime.
Protected
📤
Model serving and response
Encrypted inference via VectaX FHE. Inputs and outputs remain encrypted through model layers. Covered in Module 5.
Module 5

The MongoDB integration described in Mirror Security's technical blog demonstrates this pattern in production. MongoDB handles TLS, encryption at rest, queryable encryption, and CSFLE for scalar data. VectaX adds vector-specific encryption, AI-centric RBAC, and encrypted similarity search on top. The AgentIQ policy engine governs what the agent can do with retrieved data. Together the three layers cover scalar data, vector data, and agent behaviour.

Section 11 · Production Checklist

Pipeline security checklist

Use this as a review checklist before deploying a RAG embedding pipeline to production. Each item corresponds to a section in this module.

Ingestion: All document types are parsed in sandboxed processes. Scripts, macros, and embedded objects are stripped. Only allowlisted file types are accepted.
Classification: Every document is assigned a classification level at ingestion time. Per-chunk classification is applied for mixed-sensitivity documents.
Chunking: Semantic chunking strategy in use. Chunk size limits enforced. Sensitive PII does not appear in isolation at chunk boundaries without surrounding context.
Embedding model: Model version is pinned. SHA256 hash of model weights verified before deployment. AI-BOM entry created for the model including publisher, version, and download source.
Encrypt-at-embed: VectaX sdk.vectax.encrypt() called immediately after embedding generation, before the vector is passed to any other system component.
Metadata: FPE applied to all PII fields, customer identifiers, patient IDs, and classification labels in metadata. Key held separately from the database.
RBAC policy: Access policies defined and applied at ingestion time using sdk.set_policy(). Per-user decryption keys issued via sdk.rbac.generate_user_secret_key().
Input validation: Document size limits, vector dimension checks, metadata schema validation, and character encoding normalisation all in place.
Anomaly detection: Insertion events logged with source identity, timestamp, namespace, and vector count. Alerts configured for bulk spikes, off-hours insertions, and unexpected sources.
TLS: All connections to embedding model APIs and vector databases use TLS with certificate verification enabled. Never disable SSL verification in production.
Audit trail: Every ingestion event linked to the service identity or user that submitted the document. Post-incident forensics can trace any vector back to its source document and submitter.

Next: Module 4 of 6

Vector Store Access Control & Data Governance

Multi-tenancy isolation, metadata filtering failures, query-time RBAC enforcement, the data governance gap, and SBOM practices for AI systems.