Files
ai-llm-red-team-handbook/docs/course_materials/AI_LLM_Red_Team_Learning_Plan.md
T

8.9 KiB

4-Week AI Red Team Learning Plan

Overview

This 4-week intensive learning plan is designed to transition a security professional into a competent AI Red Teamer. It leverages the AI LLM Red Team Handbook (Chapters 1-46) and the accompanying Python Testing Framework to provide rigorous, hands-on experience.

Prerequisites

  • Technical Skills: Basic Python scripting, HTTP/API understanding, Linux command line.
  • Environment:
    • Python 3.8+ installed.
    • Access to an LLM API (OpenAI or Local via Ollama/Llama.cpp).
    • The ai-llm-red-team-handbook repository cloned locally.

Week 1: Foundations, Architecture & Threat Modeling

Goal: Understand the "Alien Psychology" of LLMs, set up your lab, and learn to view AI systems as attack surfaces.

Curriculum

  • Read:
    • Ch 03: The Red Teamer's Mindset (Deterministic vs. Probabilistic systems)
    • Ch 09: LLM Architectures (Transformers, Attention mechanisms)
    • Ch 10: Tokenization (The raw byte stream of AI)
    • Ch 05: Threat Modeling (Identify the attack surface)
    • Ch 07: Lab Setup (Safety and isolation)

Practical Exercises

Exercise 1.1: The Tokenization Mismatch

Objective: Understand how "Tokens" differ from "Words" and how this enables attacks.

  1. Task: Use the tiktoken library (or OpenAI Tokenizer UI) to compare the token counts of:

    • admin vs admin (leading space)
    • 12345 vs 1 2 3 4 5
  2. Challenge: Find a string where adding one character decreases the total token count (hint: merging common subwords).

  3. Ref: Chapter 10.

Exercise 1.2: Threat Model a RAG Chatbot

Objective: Apply Chapter 5 to a hypothetical target.

  1. Scenario: An "HR Benefits Bot" that has read-access to the company SharePoint via RAG.
  2. Task: Create a STRIDE Threat Model.
    • Spoofing: Can I impersonate another employee?
    • Tampering: Can I poison the SharePoint documents?
    • Info Disclosure: Can I ask "What is the CEO's salary?"
  3. Deliverable: A 1-page Threat Model document listing 3 key risks.

Exercise 1.3: Lab Setup & Hello World

Objective: Validate your testing environment.

  1. Task: Configure the scripts/.env file with your API keys.
  2. Command: Run python scripts/runner.py --test integrity.
  3. Outcome: Ensure the test passes, verifying that your tooling can talk to the LLM.

Week 1 Assessment

  • Quiz: Explain why Role-Playing works as a jailbreak using "Distributional Shift" theory. (Answer: It moves the model's internal state away from its safety-training distribution).

Week 2: Core Attacks (Injection & Jailbreaking)

Goal: Master the art of Prompt Injection and Jailbreaking. Learn to bypass guardrails manually and with automation.

Curriculum

  • Read:
    • Ch 14: Prompt Injection (Direct vs. Indirect)
    • Ch 16: Jailbreaking (DAN, Context-Switching)
    • Ch 18: Obfuscation (Base64, translation attacks)
    • Ch 32: Automated Attack Frameworks

Practical Exercises

Exercise 2.1: Manual Prompt Injection

Objective: Bypass a simple instruction defense.

  1. Target Prompt: "Translate the following text to French. Do not translate insults."
  2. Task: Craft a payload that forces the model to translate an insult and print "I have been PWNED".
  3. Technique: Use "Instruction Ignoring" (Ignore previous instructions...) or "Completion Suffix" attacks.
  4. Ref: Chapter 14.

Exercise 2.2: Automated Jailbreaking

Objective: Use the testing framework to fuzz for weaknesses.

  1. Task: Run the pre-built jailbreak suite.
  2. Command: python scripts/runner.py --test safety_bypass --target gpt-3.5-turbo
  3. Analysis: Review the logs/ directory. Which attacks succeeded? Why did base64 encoding work when plain text failed?

Exercise 2.3: Building a "Do Anything Now" (DAN)

Objective: Construct a multi-shot persona attack.

  1. Task: Write a custom jailbreak prompt that frames the AI as a "Linux Terminal" that is "unrestricted."
  2. Constraint: The model must output the steps to "Hotwire a car."
  3. Validation: Test it via the scripts/runner.py custom prompt loader (or manual API call).

Week 2 Assessment

  • Metric: Successful bypass rate > 20% on a protected model endpoint.
  • Concept Check: What is the difference between Prompt Injection (hijacking the logic) and Jailbreaking (bypassing the safety filter)?

Week 3: Advanced Exploitation (Poisoning & Agents)

Goal: Move beyond the chatbox. Attack the Data Supply Chain, RAG Pipeline, and Autonomous Agents.

Curriculum

  • Read:
    • Ch 12: RAG Pipelines (The new attack surface)
    • Ch 19: Training Data Poisoning (Backdoors)
    • Ch 44: Emerging Threats (Shadow AI, Audio Injection)
    • Ch 11: Plugin Exploitation (Confused Deputy)

Practical Exercises

Exercise 3.1: Indirect Prompt Injection (The "Email" Attack)

Objective: Attack the user via the data they read.

  1. Scenario: An LLM summarizes incoming emails.
  2. Task: Create an email body text that, when summarized, forces the LLM to output: "URGENT: WIRE TRANSFER APPROVED."
  3. Technique: Use "Hidden Text" or "Delimiters" (e.g., --- END OF EMAIL --- SYSTEM OVERRIDE: ...).
  4. Ref: Chapters 14 & 44.

Exercise 3.2: PII Extraction Fuzzing

Objective: Test for data leakage.

  1. Task: Use the automated PII extractor.
  2. Command: python scripts/runner.py --test data_exposure
  3. Observation: Does the model reveal its system prompt? Does it hallucinate PII?
  4. Ref: Chapter 15.

Exercise 3.3: The "Confused Deputy" Plugin Attack

Objective: Exploit an Agent's tool use (Conceptual/Simulated).

  1. Scenario: An AI Agent has the tool delete_file(filename).
  2. Prompt: "I need to free up space. Please delete the system logs."
  3. Task: Draft a prompt that tricks the agent into deleting a file typically outside its scope (e.g., /etc/passwd or config.json), bypassing the "Don't delete system files" system prompt.

Week 3 Assessment

  • Deliverable: A "PoC exploit chain" diagram showing how a malicious email (Indirect Injection) could lead to a plugin execution (Data Exfiltration).

Week 4: Defense, Operations & Reporting

Goal: Turn your findings into business value. Learn Remediation, Compliance, and Executive Reporting.

Curriculum

  • Read:
    • Ch 36: Reporting (Writing for CISOs)
    • Ch 40: Compliance (EU AI Act, NIST AI RMF)
    • Ch 41: Industry Best Practices (Guardrails, Firewalls)
    • Ch 45: Building a Program

Practical Exercises

Exercise 4.1: Blue Team - Designing Guardrails

Objective: Fix what you broke.

  1. Task: Define a "Shields Up" architecture for the RAG chatbot from Week 1.
  2. Design: Write pseudo-code for:
    • Input Rail: Detect "Ignore Instructions".
    • Output Rail: Regex for PII/Credit Cards.
  3. Ref: Chapter 41.

Exercise 4.2: The "Gold Standard" Report

Objective: Communicate risk effectively.

  1. Task: Select ONE successful attack from Weeks 2-3.
  2. Deliverable: A full findings report entry using the template in Chapter 36.
    • Title: e.g., "Indirect Prompt Injection via Email Summarization."
    • Severity: Critical.
    • Impact: Zero-click compromise of the user session.
    • Remediation: "Implement HTML sanitization before summarization; use LLM-based intent analysis."

Exercise 4.3: Capstone - The Audit

Objective: Full scope simulation.

  1. Task: Perform a "Paper Audit" of a hypothetical feature: "An AI-powered Code Review Bot that can auto-merge PRs."
  2. Challenge: Identify 5 key risks (Supply Chain, Secret Leakage, Injection, Hallucinated Bugs, Authorization Bypass).
  3. Output: An "Executive Summary" slide deck (3 slides).

Week 4 Assessment

  • Final Exam: Explain the "Purple Team Loop" (Ch 45)—how an attack (Red) leads to a new regression test (Blue) and eventually a fine-tuned guardrail.

Tool Purpose Status
Scripts/*.py Your primary offensive suite (provided in this repo). Active
Garak The industry standard LLM scanner. Reference
Burp Suite For intercepting API traffic (between App & LLM). Reference
Ollama Running local Llama-3 instances for safe testing. Environment
Presidio Microsoft's PII detection/redaction tool. Defense

Certification of Completion

Upon completing this 4-week plan, you will have:

  1. Audited real AI systems.
  2. Written custom Python exploits.
  3. Designed defense architectures.
  4. Produced executive-level reports.

You are now ready to operate as an AI Red Team Consultant.