Red Teaming
At its core, AI red teaming is a multidisciplinary, creative, and interactive process of investigation
As artificial intelligence systems become more powerful and woven into our daily lives, finding their hidden flaws before they cause real-world harm has become critical. The solution? AI red teaming—ethical, adversarial testing designed to push AI systems to their limits.
This practice sits on a rapid "maturity curve," evolving from an ad-hoc art into a systematic science by drawing hard-won lessons from cybersecurity. This article breaks down what AI red teaming is, how it works in practice, and why its maturation matters for building reliable AI, using insights from leading experts in the field.
Defining AI Red Teaming: The Art of Creative Investigation
At its core, AI red teaming is a multidisciplinary, creative, and interactive process of investigation. Unlike standard tests that measure an AI's average performance, red teaming is an adversarial exercise focused on actively discovering weaknesses, vulnerabilities, and unexpected behaviors. Experts in the field view it not just as a technical task, but as a human-centric art form that requires thinking outside the box.
Tori Westerhoff, a Principal Director at Microsoft, describes the process as testing the "edges of the bell curve" to find the nooks and crannies of AI behavior that standard evaluations might miss. She highlights the creative and empathetic nature of the work:
"I defined it as almost like creative investigation or like mechanized empathy towards all of the folks who could end up using... the high-risk gen AI elements that we're putting forward."
Based on insights from industry and research experts, AI red teaming can be defined by several core characteristics:
- Adversarial
- Its primary goal is to find worst-case behaviors and push the system to its breaking point, not simply to measure its average performance, which is the focus of standard evaluations.
- Interactive & Iterative
- Red teamers engage in a back-and-forth process with an existing system, allowing them to probe what Colin Scheer of CSET calls the "jagged frontier" of an AI's capabilities and what Marius Haban of Apollo Research describes as an essential interactive element where the tester adapts their approach based on the model's responses.
- Exercise-Based
- It is often a structured, exercise-based investigation. According to Anna Rainey, at organizations like MITER, this involves simulating attacks on AI-enabled systems to identify vulnerabilities and test defense mechanisms.
- Multidisciplinary
- Effective red teaming requires combining diverse backgrounds and ways of thinking—from cybersecurity and national security to social engineering—to test the full spectrum of how AI systems can be misused.
As this unique practice evolves, its application varies widely depending on the context and goal, from hardening corporate products to educating the public.
Red Teaming in Practice: From Corporate Labs to Public Competitions
The practice of AI red teaming is not one-size-fits-all. The approach can range from highly structured exercises inside corporate labs to open competitions designed to engage the public. Here is a comparison of these two primary modes:
| Feature | Organizational Red Teaming (e.g., Microsoft, MITER) | Public Competitions (e.g., DEFCON) |
|---|---|---|
| Primary Goal | Systematically improve the security, safety, and reliability of specific high-risk AI products before public deployment. | Engage and educate the general public about AI vulnerabilities in a lower-stakes, accessible environment. |
| Team Composition | A multidisciplinary team of internal experts, including cybersecurity specialists, social engineers, domain experts like drone pilots, and even specialists with backgrounds in national security or biology. | Primarily non-technical contributors and volunteers from the general public who bring diverse perspectives on potential harms. |
| Process & Tools | A structured, multi-phase process involving planning, execution, and analysis, often supported by automated tools like Microsoft's open-source PyRIT. | A less synchronized process that rarely uses automated tools, relying instead on participants' direct and personal exploration of harms. |
| Example Scenario | Pre-deployment testing of a frontier AI model to determine if it can be prompted to covertly pursue a malicious goal, demonstrating actively deceptive behavior. | A participant roleplays a scenario to trick a model, which is not supposed to give legal advice, into providing false immigration law information. |
These different approaches highlight the versatility of red teaming, and understanding their distinct goals is key to appreciating the fundamental importance of the practice for AI safety.
The "Why": AI Safety
AI red teaming is fundamentally different from other forms of testing. While it shares the "spirit of pentesting," Tori Westerhoff clarifies that AI red teaming is a distinct and evolving discipline. Unlike traditional pentesting with its established toolsets and objectives, the methods for AI red teaming are "less mature" and must be invented and refined in lockstep with the rapidly advancing AI systems they are designed to test. This investigative nature allows it to achieve several critical objectives that other methods cannot.
- Discovering Unwanted Capabilities
- Red teaming is essential for determining if a model can be prompted to perform a harmful action it was designed to refuse. For example, Colin Scheer describes a red team success as getting a model to produce convincing information on how to create biological weapons, despite safeguards designed to prevent this.
- Identifying Critical Vulnerabilities
- This process uncovers flaws that could lead to system failure or misuse. A case study from the MITER Atlas knowledge base highlights this perfectly: a red teamer discovered that simply asking a "math GPT" to create a
while trueloop was enough to crash the servers—a simple but critical vulnerability.
- This process uncovers flaws that could lead to system failure or misuse. A case study from the MITER Atlas knowledge base highlights this perfectly: a red teamer discovered that simply asking a "math GPT" to create a
- Informing Mitigations and Guardrails
- The findings from red teaming directly inform developers on how to harden systems and build better defenses. At Microsoft, red teaming is conducted before a product's launch so that mitigations can be implemented iteratively, making the final product safer for the public.
- Understanding the "Constitution" of a Model
- Beyond finding simple "jailbreaks," red teaming can reveal a model's underlying values. Marius Haban explains that by designing specific scenarios, red teamers can "back out the constitution of the model." This is a profound investigation into a model's emergent goals and preferences that arise from its training—which may differ entirely from its programmed instructions—and gets at the core of AI alignment.
By proactively seeking out these hidden dangers, red teaming serves as a vital reality check, ensuring developers address the most pressing risks before an AI system is deployed and driving the need to professionalize the field.
Maturing the Field of AI Red Teaming
As AI red teaming advances along its maturity curve, experts are focused on transforming the practice from a creative art into a more systematic and scientific process. This professionalization rests on several interconnected pillars designed to make red teaming more rigorous, comparable, and effective across the industry.
- Standardize Reporting
- Colin Scheer argues for creating a baseline of information that all red teams report. This would allow for meaningful comparisons of safety and security between different AI products, which is currently very difficult.
- Promote Information Sharing
- The community needs to share findings about vulnerabilities and mitigations to accelerate security across the entire industry. Anna Rainey points to platforms like MITER Atlas, which hosts case studies from red teaming exercises, as a model for this kind of knowledge sharing.
- Increase Transparency
- This push for standardization is complemented by a broader call for transparency and open collaboration. Tori Westerhoff advocates for actions like open-sourcing tools (e.g., Microsoft's PyRIT), running public bug bounty programs, and publishing safety frameworks. These efforts help create a common language, as do the large-scale public competitions seen at events like DEFCON, which bring diverse voices into the safety conversation.
- Address Incentives and Future Risks
- The industry must create better incentives to investigate future risks before they become widespread problems. Marius Haban emphasizes the need to red team for dangers posed by highly autonomous AI agents, which are not yet a major commercial concern but pose a significant long-term threat.
These efforts aim to build on lessons learned from the history of cybersecurity, transforming AI red teaming into an indispensable component of AI development.
A Vital Layer in Building Trustworthy AI
AI red teaming is far more than a quality check; it is an essential, proactive security function that pushes AI to its breaking point to find and fix flaws before they can do harm. As this discipline continues along its maturity curve—moving from an intuitive art to a rigorous science through standardization, transparency, and collaboration—it becomes our most critical line of defense against unforeseen failures.
As AI systems evolve from simple tools into potentially autonomous agents, this adversarial, human-centric form of investigation is not just an academic exercise. Ensuring the field matures effectively is a societal necessity for building a future where increasingly powerful AI is also demonstrably safe and trustworthy for everyone.
