Safeguard
AI Security

Red-Teaming AI Applications: A Field Guide

You cannot secure an LLM application by reading its code alone. You have to attack it the way an adversary will — with language, with poisoned content, and with the goal of making it do something it should not. Here is how to run an AI red team.

Daniel Osei
AI Security Researcher
5 min read

Traditional penetration testing asks whether an application can be made to do something its code did not intend. Red-teaming an AI application asks something stranger: whether the application can be persuaded to do something it was explicitly told not to. The attack surface is natural language, the payloads are sentences, and the target is a probabilistic system that behaves differently every time you poke it. That is why you cannot certify an LLM feature safe by reviewing its source and calling it done. You have to adversarially exercise the running system, because its most important vulnerabilities live in behavior, not in code.

This guide lays out how to run that exercise: what makes AI red-teaming distinct, what to attack, a repeatable method, and how to make the findings matter.

What makes AI red-teaming different

Three properties set it apart from conventional security testing.

Non-determinism. The same input can produce different outputs. An attack that fails nine times and succeeds once is still a vulnerability, so red-teaming is statistical — you probe repeatedly and reason about rates, not single trials.

Natural-language attack surface. There is no malformed packet to craft. The exploit is a phrasing. This makes the space effectively infinite and means creativity, not just tooling, drives coverage.

The model is the vulnerable component and the interface. You cannot simply remove the risky function, because the risky function is the product. Defense is about constraining and monitoring the model, not patching it out.

Public frameworks give useful structure here — the OWASP Top 10 for LLM Applications for a risk taxonomy, and MITRE ATLAS for a catalog of adversarial techniques against AI systems. Use them as checklists, not as ceilings.

What to attack

A thorough AI red team covers at least these fronts:

  • Prompt injection, direct and indirect. Can you override the system's instructions by talking to it, or by planting instructions in content it ingests (a document, a webpage, a retrieved passage)? Indirect injection is the highest-value target for any system that reads external content.
  • Jailbreaks. Can you talk the model past its safety and policy constraints into producing prohibited output through role-play, hypotheticals, encoding tricks, or persistence?
  • Sensitive information disclosure. Can you extract the system prompt, other users' data, secrets, or internal details the model should never reveal?
  • Excessive agency and tool abuse. For agents, can you make the model misuse a tool — call it with attacker-chosen arguments, chain tools toward an unintended effect, or exploit the gap between its privileges and yours (the confused-deputy problem)?
  • Insecure output handling. Does the model's output flow somewhere dangerous — into HTML (XSS), a shell (command injection), or a query (SQL injection)? Here the AI attack lands as a classic web vulnerability downstream.
  • Denial and cost. Can you push the system into unbounded consumption — a recursive loop, a runaway agent, a denial-of-wallet spiral?

A repeatable methodology

Red-teaming is most valuable when it is a process you can rerun after every change, not a one-time stunt.

  1. Model the threat. Enumerate what the system can do, what it can access, and what an attacker would want. The interesting targets follow the privileges — a model that can only chat is far less interesting than one that can send email or query a database.
  2. Establish a baseline with automation. Use adversarial testing tooling to fire a large corpus of known injection and jailbreak payloads and measure success rates. Automation gives you breadth and a number to track over time.
  3. Add human creativity. Automation replays known attacks; humans invent new ones. Manual red-teaming finds the domain-specific, multi-turn, socially-engineered attacks no payload library contains. This is where the real findings come from.
  4. Chain into real impact. A single trick is a curiosity. Demonstrate the full path — injection to tool call to data exfiltration — so stakeholders see consequence, not cleverness.
  5. Test the fixes and re-run. Because behavior is probabilistic and changes with every model or prompt update, red-teaming is continuous. Bake the corpus into CI so regressions surface automatically.

Turning findings into fixes

A red-team report full of clever jailbreaks that nobody fixes is theater. The findings must map to durable controls: tighter privilege scoping to shrink blast radius, human approval gates on consequential actions, isolation of untrusted content, and — crucially — hardened output handling in the code that consumes model output. That last one is where an AI-behavior finding becomes a concrete, fixable software defect your existing security tooling can catch and enforce forever after.

How Safeguard helps

Red-teaming surfaces where a model can be pushed; Safeguard helps you close the doors it finds — especially the code-level ones. The Griffin AI detection engine catches the insecure output-handling defects that red teams exploit most reliably — model output reaching a shell, a query, or unescaped markup — so an injection that gets through has nowhere dangerous to land. Pairing static findings with dynamic application security testing (DAST) confirms which of your red team's paths are genuinely exploitable in the running application, prioritizing the fixes that matter. The Safeguard MCP server gives your agents least-privilege, auditable tool scopes, shrinking the excessive-agency surface a red team probes, and auto-fix remediation turns each confirmed finding into a proposed patch rather than a lingering ticket.

An AI application you have not attacked is an AI application whose behavior you are only guessing at. Attack it first, on your terms, and turn every finding into a control that holds.

Turn red-team findings into enforced fixes — start free with Safeguard, read the documentation, or review pricing plans to get your team covered.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.