AI Red Teaming: What It Tests and What a Good Report Looks Like

Most testing checks whether software does the right thing when used as intended. Red teaming asks the opposite question. It treats your AI as a target and tries to make it misbehave on purpose, using the same moves a motivated attacker would use. For systems that only chat, the worst outcome is usually a wrong or off-brand answer. For systems that can act, the stakes are higher, because a manipulated instruction can become a real action taken with your access and your permissions.

What a red team tests on agentic systems

An agent reads input, decides what to do, and takes actions through tools and connectors. Every step in that loop is a place where an adversary can interfere. A red team works through them deliberately rather than scanning for known signatures.

• Direct and indirect prompt injection. Direct injection is a malicious instruction typed straight into the system. Indirect injection hides instructions inside content the agent reads on your behalf, such as a document, a web page, or an email the user never sees. The agent encounters the instruction while doing its job and may quietly follow it.
• Jailbreaks. Phrasings and framings that get the model to ignore its own rules, reveal hidden configuration, or produce output it was told to withhold.
• Tool and connector misuse. Getting the agent to call its tools in ways it should not: reaching data outside its task, chaining a benign capability into a harmful one, or invoking an action that should have required a person.
• Agent-memory abuse and cross-user leakage. Planting content in an agent's memory that influences a later decision, or coaxing the system into surfacing one user's data to another.
• Multi-agent cascades. When agents call other agents, a single manipulated step can propagate. The red team follows the chain to see how far one compromised instruction travels.
• The architecture and design review behind them. Many of the worst findings are not a single broken input. They are decisions about what the agent is allowed to touch, where trust boundaries sit, and what runs without a human in the loop. A red team examines the design, not just the surface.

Why this is not a scan or a checklist

A vulnerability scanner looks for known-bad patterns: outdated components, misconfigurations, signatures it has seen before. That work is useful and it comes first, because you cannot defend what you have not found. But a scan inspects the system at rest. It does not reason, and it stops nothing at runtime.

The risks that matter most in agentic systems live in the reasoning layer, the part that decides what to do. The malicious input often looks exactly like ordinary content, and its meaning is the attack. A scanner sees a normal document. A checklist confirms that controls exist on paper. Neither tells you whether your agent can be talked into moving data it should never move.

A red team works the way an adversary does. It does not stop at the first weakness. It chains findings together: a small disclosure that enables a jailbreak, a jailbreak that unlocks a tool, a tool that reaches data the agent was never meant to see. A single low-severity issue in isolation can become a serious one once it is part of a chain. That chaining is the difference between a list of observations and a picture of how your system actually fails.

What a good report looks like

The report is the product. A weak one is a long, undifferentiated list of issues that leaves you guessing at what to fix first. A strong one is built to be acted on, defended to a board, and verified later. Look for these qualities.

• Findings mapped to public frameworks. Each issue should reference a shared standard, such as the OWASP Agentic Security Initiative, the OWASP LLM Top 10, or MITRE ATLAS. Mapping turns a private opinion into a finding your team and your auditors can recognize and compare.
• Ranked by real-world exploitability and business impact, not raw counts. A long list of cosmetic findings matters less than one path that reaches customer data. A good report ranks by what an attacker could realistically achieve and what it would cost you, and it resists the urge to inflate severity by volume.
• Each finding reproducible with a clear proof. Every claim should come with the steps to reproduce it, so your engineers can see the failure for themselves rather than taking an assertion on trust. A finding nobody can reproduce is not a finding.
• An honest separation of bugs from architecture. Some issues are bugs you can patch. Others are architecture gaps that no product closes, because they come from how trust and access are arranged in the system. A report that blurs the two sets you up to spend on tools that cannot solve a design problem.
• Concrete architecture recommendations. Not a generic best-practices appendix, but direction tied to your actual design: where a trust boundary belongs, which action should require a person, which access an agent should not hold.
• A re-test to confirm fixes. After you remediate, the red team should attack again to verify the fix holds and did not open something new. A finding marked resolved without a re-test is a hope, not a result.

The honest part

There is no single tool that makes an agent safe, and any vendor who tells you otherwise is selling confidence rather than control. Red teaming is how you learn where you stand against a real attacker. It does not, by itself, fix anything. The findings do not close on their own.

We will name the gaps for anyone. We will also tell you plainly when a problem has no product that solves it, and when the work is architectural rather than a purchase. Diagnosing what is wrong is the report. Designing and wiring the fixes into your specific system is the engagement that follows.