Explainable AI (XAI) for Security: Uncovering Hidden Vulnerabilities with XAI Tools

2025.10.17.
AI Security Blog

Your AI is a Black Box. Let’s Pry It Open.

You’ve done it. You’ve deployed a shiny new AI model. Maybe it’s a fraud detection system, a malware classifier, or a content moderation bot. It passed all the tests. Accuracy is north of 95%. The metrics look great on the dashboard. Everyone’s happy.

Now, let me ask you a question you probably don’t want to answer.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

A transaction gets flagged as fraudulent. A user is furious. Your boss wants to know why. The model says “fraud” with 98.7% confidence. Why? What specific feature, what piece of data, pushed it over the edge?

You don’t know, do you?

You can’t just pop the hood on a deep learning model like it’s a simple if/else statement. The logic is smeared across millions of parameters—a complex web of weights and biases that no single human can intuitively grasp. Your model works, but you have no idea how or why. It’s a black box.

And in my world, a black box on your production network isn’t a marvel of modern engineering. It’s a gaping, un-auditable, ticking security vulnerability.

The Dirty Secret of High-Accuracy Models

We’re all obsessed with accuracy. But accuracy, on its own, is a vanity metric. It tells you that the model is right most of the time on the data you tested it on. It tells you nothing about its resilience, its reasoning process, or its hidden biases. A model can be 99% accurate and still be dangerously fragile.

How? It learns shortcuts. These are called spurious correlations—when the model links an outcome to a feature that is coincidentally present in the training data, but isn’t the actual cause.

The classic textbook example is the “husky vs. wolf” classifier. An AI was trained to distinguish between photos of huskies and wolves. It achieved amazing accuracy! But when researchers investigated, they found it wasn’t looking at snout length, ear shape, or fur patterns. It had learned a simple, lazy trick: if there was snow in the background, it was a wolf. All the wolf pictures happened to be taken in the snow. The model was a great snow detector, not a wolf detector.

Now, imagine this isn’t about wolves. Imagine your network intrusion detection system learned that malicious payloads often contain a specific, irrelevant metadata flag left by a particular hacking tool. The attackers update their tool, the flag disappears, and your 99% accurate model becomes completely blind to their new attacks. It learned the wrong lesson.

Golden Nugget: An AI model doesn’t “understand” context. It’s a hyper-efficient pattern-matching engine. If you’re not careful, the patterns it finds are not the ones you intended, and those hidden patterns are your vulnerabilities.

This opacity is a breeding ground for all sorts of nasty problems:

  • Adversarial Attacks: An attacker makes a tiny, human-imperceptible change to an input to completely fool the model. Think changing a few pixels in an image to make a “stop sign” look like a “green light” to an autonomous car’s AI.
  • Data Poisoning: An attacker subtly corrupts the training data, teaching the model a hidden backdoor. For example, they could teach a malware classifier that any program signed with a specific (fake) digital certificate is always “safe.”
  • Model Skew and Drift: The real world changes, but the model doesn’t. The patterns it learned are no longer valid, and its performance silently degrades until something catastrophic happens.

Your model is a black box. You can feed it data and get an answer, but you can’t see the gears turning inside. You can’t audit its logic. You can’t anticipate its failures.

INPUT (e.g., Image, Text, Data) ? AI MODEL (The Opaque Logic) DECISION (e.g., “Fraud”, “Safe”)

Until now. It’s time to talk about Explainable AI (XAI).

XAI: Your AI Interrogation Kit

Explainable AI, or XAI, isn’t a single product. It’s a collection of techniques and tools designed to do one thing: make black box models interpretable. It’s not about dumbing the model down; it’s about building a translator that can explain the model’s complex reasoning in a way that humans can understand.

Think of it like this: A brilliant, cryptic detective solves a case but just points at the suspect and says, “It was them.” That’s your AI. An XAI tool is the partner who walks you through the evidence: “We placed them at the scene because of the muddy boot print here, the motive is tied to this financial record, and the weapon was found in their car. That’s why they’re the suspect.”

Both get the right answer. Only the second one gives you the confidence to act and the ability to find flaws in the reasoning.

XAI methods generally fall into a few categories, but for our purposes as security professionals, two distinctions are critical:

1. Local vs. Global Explanations

  • Local Explanations: These focus on a single prediction. They answer the question, “Why was this specific email flagged as spam?” This is your bread and butter for incident response and debugging individual false positives.
  • Global Explanations: These try to explain the model’s overall behavior. They answer, “In general, what kinds of things does my model consider to be spammy?” This is crucial for high-level model auditing and understanding its potential biases and strategic flaws.

You need both. A local explanation is like a street-level view in a city, while a global explanation is the satellite map. You can’t navigate effectively without switching between the two.

Global Explanation “What does my model generally care about?” Overall feature importance: Feature A: HIGH Feature B: MEDIUM Feature C: LOW Local Explanation “Why was THIS specific decision made?” B A C For this prediction: Feature A = 0.9 (strong impact) Feature C = 0.2 (some impact) Feature B = 0.05 (minor impact)

2. Model-Agnostic vs. Model-Specific

  • Model-Specific Methods: These are custom-built for a particular type of model. For example, some techniques only work on tree-based models (like Random Forests) or require access to the gradients of a neural network. They can be very powerful but lock you into a specific architecture.
  • Model-Agnostic Methods: These are the Swiss Army knives of XAI. They work on any model because they treat it as a black box. They don’t care about the internal architecture; they just probe the model by feeding it different inputs and observing the outputs. This is incredibly useful in a real-world environment where you might be dealing with models from different teams, vendors, or frameworks.

As a red teamer, I love model-agnostic tools. They let me assess any system without needing the source code or the original training data. I can just start interrogating it.

So, let’s open the toolkit.

Tools of the Trade: XAI in the Trenches

Theory is nice. Let’s talk about specific tools and how you can use them to find and fix security holes. These aren’t exotic research projects; they are open-source libraries you can pip install today.

1. LIME: The Local Investigator

What it is: LIME stands for Local Interpretable Model-agnostic Explanations. That’s a mouthful, so let’s break it down. It’s model-agnostic, so it works on anything. And it provides local explanations.

How it works (The Analogy): Imagine your complex AI model is a ridiculously squiggly, high-dimensional curve that perfectly separates “fraud” from “not fraud”. You can’t possibly describe the whole curve. But if you pick one single point on it (one transaction), you can draw a straight line that’s a pretty good approximation of the curve right at that spot. That straight line is simple. It’s interpretable. That’s what LIME does. It takes a single prediction, creates a bunch of tiny variations of the input data around it, and then trains a simple, understandable model (like a linear regression) to explain just that little neighborhood.

LIME: Approximating a Complex Model Locally Class A (“Not Fraud”) Class B (“Fraud”) Prediction X LIME’s Simple Explanation (Locally Accurate) The dotted line is the real, complex model. The solid yellow line is LIME’s simple, local approximation for Prediction X.

Security Application: Analyzing a Phishing Detector

Your new AI-powered phishing detector flags an email from your CFO as a phishing attempt. Panic! Is the CFO’s account compromised? Or is it a false positive?

You run LIME on the decision. The output isn’t just “phishing.” It’s a list of the features that contributed to that decision:

  • Words like “urgent” and “wire transfer”: +0.4 (pro-phishing)
  • Sender domain is corp-email.com instead of corpemail.com: +0.3 (pro-phishing)
  • Contains an unusual link shortener: +0.2 (pro-phishing)
  • Sender is in the company directory: -0.1 (anti-phishing)

Instantly, you see the problem. The model keyed in on a typo in the sender’s domain, which the CFO’s assistant made by mistake. It’s a false positive, but LIME has also just revealed a key feature your model relies on. An attacker could register dozens of lookalike domains to bypass less sophisticated checks. You’ve not only solved the immediate problem, you’ve found a potential vector for a future attack.

2. SHAP: The Fair Contributor

What it is: SHAP stands for SHapley Additive exPlanations. It’s also model-agnostic and can provide both local and global explanations. Its foundation is in cooperative game theory, which sounds complicated, but the idea is brilliant.

How it works (The Analogy): Imagine a team of five people works on a project and gets a $100,000 bonus. How do you divide the bonus fairly? You can’t just split it five ways, because some people contributed more than others. Shapley values solve this by calculating the average marginal contribution of each person across all possible combinations of teams. A player who adds a lot of value no matter who they’re paired with gets a bigger share.

SHAP applies this to AI. The “players” are the features (e.g., transaction amount, user location, time of day). The “game” is making a prediction. The “payout” is the model’s output. SHAP calculates how much each feature contributed to pushing the prediction away from the average.

SHAP Force Plot: Explaining a Single Prediction Why was this transaction flagged as “High Risk”? Base Value (Average Prediction) 0.10 Final Prediction 0.85 Amount = $5000 New Account = True IP from VPN Previous History = Good Features pushing prediction higher (more risk) Features pushing lower

Security Application: Finding Brittle Logic in a Fraud Model

SHAP can produce summary plots that show the impact of every feature across thousands of predictions. This gives you a global view. You’re auditing your fraud model and you generate a SHAP summary plot. You see that the feature user_agent_string has a massive impact. Specifically, when the user agent contains “Linux,” the fraud score skyrockets.

Why? You dig into the training data. Turns out, a fraud ring you busted six months ago was exclusively using Linux-based scripts. Your model didn’t learn to detect fraud; it learned to detect Linux users!

This is a huge vulnerability. Any legitimate Linux user is now at risk of being flagged, creating a terrible user experience. More importantly, the next fraud ring that uses Windows or macOS will fly completely under the radar. SHAP didn’t just explain the model; it exposed its flawed, brittle reasoning. The fix is to retrain the model on more balanced data and perhaps down-weight or remove such a volatile feature.

3. Saliency Maps: The Heatmap of Attention

What it is: This is a model-specific technique primarily for computer vision models (specifically, neural networks). A saliency map is a heatmap that shows which pixels in the input image were most important for the model’s final decision.

How it works (The Analogy): It’s like giving the AI a highlighter and asking it to mark the parts of the image it looked at to make its decision. It does this by looking at the gradients of the network—essentially calculating which pixels, if changed, would have the biggest impact on the final output score. The “hotter” the pixel on the map, the more the AI “cared” about it.

Saliency Map: What is the AI Looking At? Input Image Model Prediction: “Dog” (99%) Saliency Map (Explanation) The model focused on the head and ears.

Security Application: Auditing a CAPTCHA Solver

You’re testing the security of your new visual CAPTCHA system. You suspect a rival might train an AI to break it. So, you do it first. You train a simple neural network to solve your own CAPTCHAs, and it works surprisingly well.

Now, the critical question: how did it solve them? Did it actually learn to read the distorted letters? Or did it find a stupid shortcut?

You generate saliency maps for its correct predictions. The results are horrifying. The heatmaps aren’t on the letters at all. They’re all focused on a tiny watermark you put in the bottom-right corner of every CAPTCHA image. The AI learned that the mere presence of that watermark correlated with a valid image and it was just guessing the letters. It didn’t learn to read; it found a flaw in your image generation process.

Saliency maps just handed you a major vulnerability on a silver platter. Remove the watermark, and the AI’s accuracy plummets. You’ve confirmed your CAPTCHA is more robust than you thought, but only after XAI showed you the flaw in your test model’s logic.

4. Counterfactual Explanations: The “What If” Machine

What it is: This is one of my favorite techniques for red teaming. A counterfactual explanation doesn’t just tell you why a decision was made; it tells you the smallest change you could make to the input to flip the decision.

The Question it Answers: “You were denied a loan. Why?” A normal explanation might say “Because your income is too low.” A counterfactual explanation says, “You would have been approved if your income was $5,200 higher and you had one less credit card.”

Security Application: Discovering Evasion Techniques

You’re testing an AI-based Web Application Firewall (WAF) that is supposed to block SQL injection attacks. You give it a malicious payload: ' OR 1=1; -- and the WAF correctly blocks it.

Now, you ask a counterfactual XAI tool: “What’s the minimum change I need to make to this payload for you to classify it as ‘safe’?”

The tool might spit back a few options:

  • Change ' OR 1=1; -- to ' oR 1=1; -- (case-sensitivity evasion)
  • Change ' OR 1=1; -- to ' OR 1=1; /* (comment style evasion)
  • Change ' OR 1=1; -- to ' OR 1 / comment /=1; -- (inline comment evasion)

This is pure gold. The XAI tool has just reverse-engineered the WAF’s weaknesses and handed you a list of ready-made bypass techniques. You’re not just guessing anymore; you’re using the model’s own logic against it to systematically find the holes. This is proactive vulnerability discovery at its finest.

A Practical Summary Table

Let’s put this all together. Here’s a quick reference for when to use which tool.

Technique What It Answers Best Security Use Case Key Strength
LIME “Why did the model make this specific decision?” Incident response, debugging a single false positive/negative. Easy to understand, model-agnostic, great for quick local checks.
SHAP “How much did each feature contribute to the outcome, both locally and globally?” Holistic model auditing, finding hidden biases and spurious correlations. Theoretically sound, provides both local and global views, great visuals.
Saliency Maps “Which part of the image did the model look at?” Auditing computer vision models (facial recognition, object detection, CAPTCHAs). Very intuitive for visual data, directly shows the model’s “attention.”
Counterfactuals “What’s the smallest change to the input that would flip the model’s decision?” Systematic evasion testing, discovering adversarial examples for WAFs, filters, etc. Actionable and directly generates attack vectors for red teaming.

A Red Teamer’s XAI Workflow

So how do you integrate this into a real security assessment? You don’t just run one tool and call it a day. You use them in a sequence, like a detective moving from a broad search to a detailed forensic analysis.

  1. Phase 1: Reconnaissance (Global Explanations)
    First, you want the lay of the land. You run a global analysis using a tool like SHAP on a large sample of data. The goal is to answer: What are the model’s most important features overall? Are there any surprises? Is it leaning heavily on a feature that could be easily spoofed (like a user-agent)? You’re looking for the model’s strategic biases and high-level logic. This is where you find the “husky in the snow” problems.
  2. Phase 2: Target Identification (Local Explanations)
    Now you zoom in. Look for weird predictions: false positives, false negatives, or predictions where the model’s confidence was unusually low. These are the cracks in the armor. Pick a few of these interesting cases and run a local explanation tool like LIME or a local SHAP plot. Why did the model fail here? What features drove this specific, incorrect (or strange) decision? This helps you form a hypothesis about the model’s weakness.
  3. Phase 3: Exploitation (Counterfactuals and Probing)
    You have a hypothesis. Maybe it’s “The content filter seems to be triggered by financial terms but ignores sarcasm.” Now you weaponize it. Use a counterfactual tool to find the precise boundary. “What’s the smallest change to make this ‘hate speech’ post look ‘safe’?” The tool might tell you that simply adding a positive emoji or a word like “joke” is enough to fool the classifier. You’ve just developed a concrete, repeatable bypass.
  4. Phase 4: Reporting and Remediation (The Proof)
    Your job isn’t done until the vulnerability is fixed. And nothing makes a developer pay attention like a good visualization. Instead of just writing, “The model can be bypassed,” you include the SHAP plot that shows its over-reliance on a single weak feature. You include the saliency map that proves the CAPTCHA solver is looking at the wrong thing. You provide the exact counterfactual examples that bypass the filter. The XAI outputs are your evidence. They make the abstract threat concrete and point the development team exactly where to look.
Golden Nugget: XAI transforms your security report from “Your AI seems to have a problem” to “Your AI has a problem right here, this is what’s causing it, and here are three examples of how I exploited it.”

This Isn’t Optional Anymore

For years, we’ve been deploying AI systems with a “if it works, don’t touch it” mentality. We’ve been content with high accuracy scores and have chosen to ignore the unsettling opacity of the systems we’re putting in charge of critical decisions.

That era is over.

Leaving your AI as a black box is a form of security negligence. It’s like deploying a web server without ever looking at the logs, or running a firewall without ever auditing the rules. You’re willfully ignorant of the risks you’re accepting.

XAI is not a magic bullet. Explanations can sometimes be misleading, and interpreting them still requires a critical human eye. But they are the best tools we have to shed light into these dark corners. They are the difference between flying blind and having an instrument panel.

So, look at the AI systems you’re responsible for. The ones making decisions about security, finance, or safety.

Can you honestly say you know how they work?

If the answer is no, you have work to do.

AI Incident Response Plan: A Step-by-Step Guide for Effective Action

2025.10.17.

Managing Model Drift: How to Prevent AI Performance Degradation and Security Risks

2025.10.17.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist