1.1.1. Definitions and basic concepts

2025.10.06.
AI Security Blog

Before an architect designs a skyscraper, they must understand the forces that will act upon it: wind, gravity, seismic activity. They don’t just build for the best-case scenario; they build for the storm. AI Red Teaming is the practice of creating a controlled storm to see how your AI system holds up.

It’s a proactive, adversarial approach to security testing. Instead of just checking if the system works as intended (the “happy path”), you actively try to make it fail in creative, unexpected, and malicious ways. The goal isn’t to break things for the sake of it, but to find weaknesses before a real adversary does.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

What is AI Red Teaming?

At its core, AI Red Teaming is a structured effort to challenge an AI system’s capabilities, safety, and security from an adversarial perspective. It involves simulating the tactics, techniques, and procedures (TTPs) of potential attackers to uncover vulnerabilities that standard testing methodologies might miss.

Formal Definition: AI Red Teaming is the systematic process of using adversarial techniques to discover and document potential failures, vulnerabilities, biases, and unintended behaviors in artificial intelligence systems, including the models, data, and surrounding infrastructure.

This process goes beyond simple bug hunting. It probes the very logic of the AI, questioning its assumptions, testing its ethical boundaries, and evaluating its resilience against manipulation. You are essentially role-playing as a dedicated, creative, and resourceful attacker to stress-test every component of the system.

The Core Players: Red vs. Blue

The concept of red teaming originates from military exercises and has been a staple in traditional cybersecurity for decades. It’s built on a fundamental opposition between two teams:

The Red Team (The Attackers)

This is your team. The Red Team’s mission is to emulate adversaries. You think like a hacker, a scammer, a state-sponsored actor, or even a mischievous user. Your job is to find ways to subvert, trick, or break the system.

  • Objective: Find and exploit vulnerabilities.
  • Mindset: Adversarial, creative, and persistent.
  • Methods: Simulating real-world attacks, prompt injection, data poisoning, model evasion, etc.

The Blue Team (The Defenders)

The Blue Team consists of the developers, engineers, and security personnel responsible for building and defending the AI system. Their job is to create robust defenses, monitor for attacks, and respond to incidents.

  • Objective: Defend the system and mitigate risks.
  • Mindset: Defensive, analytical, and responsive.
  • Methods: Input validation, model monitoring, access controls, incident response planning.

The interaction between these two teams creates a powerful feedback loop. The Red Team exposes weaknesses, and the Blue Team uses that knowledge to build stronger defenses. This collaborative conflict is what drives security improvement.

The Scope of an AI Red Team Engagement

A common misconception is that AI Red Teaming only targets the machine learning model itself. In reality, a model is just one piece of a much larger puzzle. The attack surface of a modern AI system is vast, and a thorough red team engagement considers the entire ecosystem.

Diagram showing the scope of AI Red Teaming, where the Red Team attacks the entire AI system ecosystem, not just the model. Red Team (Adversary) AI System Ecosystem User Interface / API ML Model Training Data & Pipeline Blue Team (Defender)

Your targets include:

  • The Data Pipeline: Can an attacker poison the training data to create hidden backdoors or introduce biases?
  • The Model: Can the model be tricked into making incorrect classifications (evasion)? Can its internal logic or training data be extracted?
  • The Application Layer: Can traditional web vulnerabilities (like those in an API) be used to manipulate the model’s inputs or outputs?
  • The Human-in-the-Loop: Can the system’s outputs be framed in a way that tricks a human operator into taking a harmful action?

Key Terminology in AI Security

To speak the language of AI Red Teaming, you need to understand a few foundational terms. While some are shared with traditional cybersecurity, they often have unique nuances in the AI context.

Vulnerability
A weakness in the AI system that could be exploited by an adversary. This could be a technical flaw, a logical error in the model’s reasoning, or an inherent susceptibility to certain types of data.
Threat
Any potential event or actor that could harm the AI system. A threat actor might be a malicious hacker, a competitor, or even an unintentional user causing unexpected behavior.
Attack Surface
The complete set of points where an attacker can attempt to interact with, influence, or extract information from the system. For AI, this includes APIs, data ingestion points, and even the model’s probabilistic outputs.
Exploit
The specific method used to take advantage of a vulnerability. A “prompt injection” is an exploit that takes advantage of a language model’s vulnerability to confusing instructions.
Harm
The negative consequence of a successful exploit. Harms can range from generating misinformation and hate speech to leaking private data, making biased decisions, or enabling fraudulent activity. Defining potential harms is a critical first step in any red teaming engagement.

0.15.5 Persistence – ensuring long-term presence

2025.10.06.

1.1.2 Difference between traditional and AI Red Teaming

2025.10.06.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist