AI / LLM Red Team Field Manual & Consultant's Handbook
A comprehensive operational toolkit for conducting AI/LLM red team assessments on Large Language Models, AI agents, RAG pipelines, and AI-enabled applications. This repository provides both tactical field guidance and strategic consulting frameworks.
📖 GitBook Navigation: See SUMMARY.md for the complete chapter structure.
📚 What's Inside
This repository contains three core resources:
1. AI LLM Red Team Handbook (24 Chapters, GitBook-ready)
A complete consultancy guide now split into individual chapter files for easier navigation:
- Part I: Foundations - Methodology, ethics, legal considerations, and mindset (Chapters 1-3)
- Part II: Engagement Framework - SOW/RoE templates, threat modeling, scoping, lab setup (Chapters 4-8)
- Part III: Operations - Evidence collection, reporting, presentations, lessons learned (Chapters 9-11)
- Part IV: Technical Deep Dives - RAG pipelines, supply chain security (Chapters 12-13)
- Part V: Attacks & Techniques - Prompt injection, data leakage, jailbreaks, plugin exploitation, evasion, poisoning, model theft (Chapters 14-20)
- Appendices - Tools, resources, templates, and references
Current Coverage (24 Chapters - Complete):
- Introduction to AI Red Teaming
- Ethics, Legal, and Stakeholder Communication
- The Red Teamer's Mindset
- SOW, Rules of Engagement, and Client Onboarding
- Threat Modeling and Risk Analysis
- Scoping an Engagement
- Lab Setup and Environmental Safety
- Evidence, Documentation, and Chain of Custody
- Writing Effective Reports and Deliverables
- Presenting Results and Remediation Guidance
- Lessons Learned and Building Future Readiness
- Retrieval-Augmented Generation (RAG) Pipelines
- Data Provenance and Supply Chain Security
- Prompt Injection (Direct/Indirect, 1st/3rd Party)
- Data Leakage and Extraction
- Jailbreaks and Bypass Techniques
- Plugin and API Exploitation
- Evasion, Obfuscation, and Adversarial Inputs** (Enhanced with comprehensive explanations)
- Training Data Poisoning** (Enhanced with attack scenarios and defenses)
- Model Theft and Membership Inference** (NEW: With copy-pasteable attack demonstrations)
- Model DoS and Resource Exhaustion** (NEW: Token bombs, computational attacks, rate limiting bypass)
- Cross-Modal and Multimodal Attacks (1,159 lines)
- Advanced Persistence and Chaining (871 lines)
- Social Engineering with LLMs (1,140 lines)
📖 GitBook Navigation: See SUMMARY.md for the complete chapter structure.
2. AI LLM Red Team Field Manual (56KB)
Compact operational reference for field use:
- Quick-reference attack prompts and payloads
- Testing checklists and methodology
- Tool commands and configurations
- OWASP Top 10 for LLMs mapping
- MITRE ATLAS framework alignment
3. Python Testing Framework (scripts/)
Automated testing suite including:
- Prompt injection attacks
- Safety bypass and jailbreak tests
- Data leakage and PII extraction
- Tool/plugin misuse testing
- Adversarial fuzzing
- Model integrity validation
🚀 Quick Start
# Clone the repository
git clone https://github.com/shiva108/ai-llm-red-team-handbook.git
cd ai-llm-red-team-handbook
# Manual testing: Start with the Field Manual
open docs/AI_LLM\ Red\ Team\ Field\ Manual.md
# Automated testing:
cd scripts
pip install -r requirements.txt
python runner.py --config config.py
📖 Detailed setup: See Configuration Guide
📁 Repository Structure
ai-llm-red-team-handbook/
├── docs/
│ ├── SUMMARY.md # GitBook navigation
│ ├── AI LLM Red Team Handbook.md # Main overview + TOC
│ ├── Chapter_01_Introduction_to_AI_Red_Teaming.md
│ ├── Chapter_02_Ethics_Legal_and_Stakeholder_Communication.md
│ ├── Chapter_03_The_Red_Teamers_Mindset.md
│ ├── Chapter_04_SOW_Rules_of_Engagement_and_Client_Onboarding.md
│ ├── Chapter_05_Threat_Modeling_and_Risk_Analysis.md
│ ├── Chapter_06_Scoping_an_Engagement.md
│ ├── Chapter_07_Lab_Setup_and_Environmental_Safety.md
│ ├── Chapter_08_Evidence_Documentation_and_Chain_of_Custody.md
│ ├── Chapter_09_Writing_Effective_Reports_and_Deliverables.md
│ ├── Chapter_10_Presenting_Results_and_Remediation_Guidance.md
│ ├── Chapter_11_Lessons_Learned_and_Building_Future_Readiness.md
│ ├── Chapter_12_Retrieval_Augmented_Generation_RAG_Pipelines.md
│ ├── Chapter_13_Data_Provenance_and_Supply_Chain_Security.md
│ ├── Chapter_14_Prompt_Injection.md
│ ├── Chapter_15_Data_Leakage_and_Extraction.md
│ ├── Chapter_16_Jailbreaks_and_Bypass_Techniques.md
│ ├── Chapter_17_Plugin_and_API_Exploitation.md
│ ├── Chapter_18_Evasion_Obfuscation_and_Adversarial_Inputs.md # NEW
│ ├── Chapter_19_Training_Data_Poisoning.md # NEW
│ ├── Chapter_20_Model_Theft_and_Membership_Inference.md # NEW (with runnable demos)
│ ├── Chapter_21_Model_DoS_Resource_Exhaustion.md # NEW (DoS attacks)
│ ├── Chapter_22_Cross_Modal_Multimodal_Attacks.md # NEW (VLM attacks)
│ ├── Chapter_23_Advanced_Persistence_Chaining.md # NEW (Persistence)
│ ├── Chapter_24_Social_Engineering_LLMs.md # NEW (Social Eng)
│ ├── AI_LLM Red Team Field Manual.md # Operational field reference
│ ├── Building a World-Class AI Red Team.md # Team-building strategy guide
│ ├── Configuration.md # Setup and configuration guide
│ ├── templates/ # Report templates
│ └── archive/ # Historical versions
├── scripts/
│ ├── runner.py # Test orchestration
│ ├── test_prompt_injection.py # Prompt injection tests
│ ├── test_safety_bypass.py # Jailbreak tests
│ ├── test_data_exposure.py # Data leakage tests
│ ├── test_tool_misuse.py # Plugin/tool abuse tests
│ ├── test_fuzzing.py # Adversarial fuzzing
│ ├── c2_server_elite.py # Elite C2 server implementation
│ └── requirements.txt # Python dependencies
├── assets/ # Images and resources
└── README.md # This file
🎯 Use Cases
| Use Case | Resources | Description |
|---|---|---|
| Red Team Assessments | Field Manual + Python Framework | Conduct comprehensive LLM security assessments |
| Consultant Engagements | Handbook + Report Template | Full methodology for client projects |
| Team Training | Handbook Foundations (Ch 1-11) | Onboard and develop security teams |
| Research & Development | Technical Chapters (Ch 12+) | Deep dives into specific attack surfaces |
| Compliance & Audit | Threat Modeling (Ch 5) + Tools | Risk assessments and control validation |
⚙️ Prerequisites
Manual Testing:
- Any text editor + target LLM access
Automated Testing:
- Python 3.8+
- Dependencies:
requests,pytest,pydantic,python-dotenv - API credentials for target LLM
🧪 Python Testing Framework
Test Suites
test_prompt_injection.py- Automated prompt injection attackstest_safety_bypass.py- Jailbreak and guardrail bypass teststest_data_exposure.py- Data leakage and PII extractiontest_tool_misuse.py- Function-calling and plugin abusetest_fuzzing.py- Adversarial input fuzzingtest_integrity.py- Model integrity and consistency
Configuration
Create scripts/.env:
API_ENDPOINT=https://api.example.com/v1/chat/completions
API_KEY=your-secret-api-key
MODEL_NAME=gpt-4
Run tests:
python runner.py # All tests
python runner.py --test prompt_injection # Specific test
python runner.py --verbose # Verbose output
📖 Full configuration options: Configuration Guide
🗺️ Roadmap
Planned:
- Additional technical chapters (21-46 from original TOC)
- Sample RAG and LLM test environments
- Interactive attack case studies
- Multimodal AI attack techniques
- Advanced RAG exploitation scenarios
- Video tutorials and walkthroughs
Contributions welcome via issues and PRs.
📄 License
Licensed under CC BY-SA 4.0 (Creative Commons Attribution-ShareAlike 4.0 International).
See LICENSE for details.
⚠️ Disclaimer
For authorized security testing only.
Ensure:
- Written authorization (SOW/RoE) is in place
- Compliance with applicable laws and regulations (CFAA, GDPR, etc.)
- Testing conducted in isolated environments when appropriate
- No unauthorized testing on production systems
The authors accept no liability for misuse or unauthorized use of this material.
🤝 Contributing
We welcome contributions! Please:
- Review existing issues and PRs
- Follow the established format and style
- Test any code additions
- Submit clear, well-documented PRs
For major changes, please open an issue first to discuss.
📬 Contact & Support
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Last Updated: December 2024 | Handbook Chapters: 24 Complete (GitBook-ready) | Practical Examples: 12+ Copy-Paste Attack Demos