Skip to main content

AI Red-Teaming

AI red-teaming is the discipline of deliberately, systematically attacking a model or AI system before an adversary does, producing evidence of what breaks rather than a checklist of what should theoretically hold.

Advanced5 min readv1.0Updated Jul 10, 2026
AI-assisted content β€” reviewed by the author, but verify important details independently

Visual SummaryClick to explore

Learning Objectives

  • Distinguish red-teaming from the defensive guardrails covered in AI-023 and the general vulnerability work in AI-027.
  • Describe systematic adversarial probing methodology and common jailbreak taxonomies.
  • Compare automated red-teaming tools such as PyRIT and garak with manual human red-teaming.
  • Explain how frontier labs structure red-team programs before a model release.
  • Recognize the common mistakes organizations make when red-teaming AI systems.

Why This Matters

Guardrails (AI-023) and security controls (AI-027) are things you build. Red-teaming is how you find out whether they actually work. A guardrail that blocks the ten jailbreak phrases your team thought of is worthless against the eleventh phrase a motivated attacker finds in five minutes on a public forum. Frontier labs do not ship a new model without a dedicated adversarial testing phase precisely because defensive design and adversarial validation are different skills answering different questions: "did we build a lock" versus "can someone still pick it."

Everyday Analogy

A bank does not just install a vault door and call security done; it hires people whose entire job is to try to break in, posing as robbers, testing the alarm response time, checking whether an employee will hold the door for a stranger in a delivery uniform. Red-teaming is that hired burglar for AI systems: a role dedicated to finding the gap between what your defenses were designed to stop and what they actually stop.

Red-Teaming vs. Guardrails vs. Security vs. Pen-Testing

These four terms get conflated constantly, but they answer different questions:

  • Guardrails (AI-023) are the defensive controls themselves: content filters, refusal training, input/output classifiers.
  • AI Security (AI-027) is the broader discipline of protecting AI systems against vulnerabilities generally, including data poisoning, model theft, and infrastructure weaknesses, much of it not adversarial-prompt-specific.
  • Red-teaming is a testing methodology: adopting an attacker's mindset to systematically probe a specific model or system for behaviors it should not produce, then reporting findings back so defenses improve.
  • Penetration testing is the traditional infosec cousin, focused on exploiting infrastructure, networks, and application vulnerabilities. AI red-teaming borrows the adversarial mindset of pen-testing but targets model behavior (jailbreaks, harmful generations, data extraction from prompts) rather than only network or code-level exploits, and increasingly the two disciplines overlap when an LLM is embedded in a larger application.

Jailbreak Taxonomies

Red-teamers organize attacks into recurring families rather than treating every prompt as a one-off:

  • Role-play and persona attacks. Instructing the model to "act as" an unrestricted character or a fictional AI without safety training, hoping the persona framing loosens refusal behavior.
  • Prompt injection. Hiding instructions inside content the model processes (a document, a webpage, a tool result) so the model follows attacker instructions instead of the user's.
  • Multi-turn erosion. Gradually escalating a conversation across many turns so no single message looks harmful, but the cumulative context steers the model toward a disallowed output.
  • Encoding and obfuscation. Using base64, leetspeak, translated languages, or token-splitting to hide a harmful request from pattern-matching filters while the model still decodes the intent.
  • Many-shot jailbreaking. Filling the context window with a long sequence of faux question-answer pairs that model undesired compliance, exploiting in-context learning to shift the model's behavior for the final real request.

Automated Red-Teaming Tools

Tool Origin What it's known for
PyRIT (Python Risk Identification Toolkit) Microsoft Open-source framework for orchestrating automated, scriptable red-team attack sequences against LLM applications, including multi-turn attack chains
garak Independent open-source project (Leon Derczynski and contributors) An LLM vulnerability scanner that runs a large library of known probe types (jailbreaks, prompt injection, data leakage, toxicity) against a target model automatically
Anthropic's red-teaming practice Anthropic Combines internal domain-expert red-teamers, external contracted specialists (in areas like bio-risk and cybersecurity), and automated adversarial generation before frontier model releases, documented in model system cards
OpenAI's external red-teaming network OpenAI A standing group of external experts across domains engaged before major releases, supplementing internal red-teaming with outside perspective

Automated tools scale coverage (thousands of probe variants run in minutes) but miss the creativity of a skilled human attacker; human red-teamers find novel attack classes automated tools were never programmed to try. Mature programs use both.

How Frontier Labs Structure Red-Team Programs

Before releasing a new frontier model, labs typically run red-teaming in layered stages: internal automated scanning against known jailbreak libraries first (cheap, fast, catches regressions), then internal human red-teamers probing for new attack classes, then external domain specialists (national security, biosecurity, cybersecurity experts under NDA) testing high-stakes categories the internal team may lack deep expertise in, and finally a documented sign-off where findings are triaged into "fixed before release," "mitigated with a guardrail," and "accepted residual risk," published in a model or system card. This staged structure is what separates a real red-team program from a single pre-launch checklist.

Real-World Showcase

  • Anthropic's published system cards for Claude models document external red-teaming partnerships covering categories like cybersecurity and biological risk, alongside internal automated adversarial testing results.
  • garak has been used by independent researchers and companies to benchmark open-weight and commercial models against a shared library of known jailbreak and vulnerability probes, producing comparable vulnerability scores across models.
  • Microsoft's PyRIT has been applied internally to red-team Copilot and Azure AI Foundry-hosted models before and after deployment, feeding findings back into Microsoft's Responsible AI review process.

Try It Yourself

  1. Pick one jailbreak taxonomy category above (role-play, prompt injection, multi-turn erosion, encoding, or many-shot) and write a plain-English description of how you would test a chatbot for it, without writing an actual harmful prompt.
  2. Compare garak and PyRIT on paper: which would you reach for to quickly scan a new open-weight model release, and which for a scripted multi-turn attack chain against your own product?
  3. Draft a one-paragraph policy for how your team would triage a red-team finding into "fix now," "add a guardrail," or "accept as residual risk," and who signs off on the last category.

Common Mistakes

  • Treating a single pre-launch red-team pass as sufficient, instead of an ongoing program that re-tests after every model or guardrail update.
  • Relying only on automated scanners like garak and skipping human red-teamers, missing the novel attack classes only creative adversaries find.
  • Confusing red-teaming results with guardrail effectiveness metrics, when a finding that a jailbreak worked once does not by itself tell you the guardrail's real-world failure rate.
  • Keeping red-team findings siloed in a security team instead of feeding them back to the teams building guardrails (AI-023) and shaping governance policy (AI-037).
  • Red-teaming only for high-profile harm categories (violence, illegal content) while ignoring product-specific failure modes like prompt injection through a tool result or agentic data exfiltration.

Key Takeaways

  • Red-teaming is a testing methodology, distinct from the guardrails you build (AI-023) and the broader security discipline (AI-027) that protects AI systems generally.
  • Jailbreak taxonomies (role-play, prompt injection, multi-turn erosion, encoding, many-shot) give red-teamers a shared vocabulary for organizing attacks.
  • Real tools span automated scanners (garak, PyRIT) to structured human programs with external domain specialists, as documented by Anthropic and OpenAI.
  • Frontier labs stage red-teaming in layers, from automated regression checks to external expert review, with documented sign-off before release.
  • A mature program treats red-teaming as continuous, not a one-time pre-launch checklist, and feeds findings back into guardrails and governance.

Glossary

Red-Teaming
The discipline of deliberately, systematically attacking a model or AI system to find failures before an adversary does. (see AI-023, AI-027)
Jailbreak
A prompt or sequence of prompts designed to bypass a model's safety training and elicit disallowed output.
Prompt Injection
Hiding attacker instructions inside content a model processes, such as a document or tool result, so the model follows them instead of the user's intent.
Multi-Turn Erosion
A jailbreak technique that gradually escalates a conversation across many turns so no single message appears harmful.
Many-Shot Jailbreaking
Filling the context window with faux examples that model undesired compliance, exploiting in-context learning to shift final-turn behavior.
PyRIT
Microsoft's open-source Python Risk Identification Toolkit for orchestrating automated, scriptable red-team attacks against LLM applications.
garak
An open-source LLM vulnerability scanner that runs a large library of known probe types against a target model automatically.
System Card
A published document detailing a model's capabilities, limitations, and red-teaming results ahead of or alongside release.
Residual Risk
A red-team finding that is documented and accepted rather than fixed or mitigated, typically after formal sign-off.
External Red-Team Network
A standing group of outside domain experts engaged by a lab to probe high-stakes categories before a major model release.

References

Diagram

Loading diagram…

Knowledge Check

8 questions