Red Teaming

{
  "id": "red-teaming",
  "numericId": null,
  "path": "/knowledge-base/responses/red-teaming/",
  "filePath": "knowledge-base/responses/red-teaming.mdx",
  "title": "Red Teaming",
  "quality": 65,
  "importance": 74,
  "contentFormat": "article",
  "tractability": null,
  "neglectedness": null,
  "uncertainty": null,
  "causalLevel": null,
  "lastUpdated": "2026-01-28",
  "llmSummary": "Red teaming is a systematic adversarial evaluation methodology for identifying AI vulnerabilities and dangerous capabilities before deployment, with effectiveness rates varying from 10-80% depending on attack method. Key challenges include scaling human red teaming to match AI capability growth (2025-2027 critical period) and the adversarial arms race where attacks evolve faster than defenses.",
  "structuredSummary": null,
  "description": "Adversarial testing methodologies to systematically identify AI system vulnerabilities, dangerous capabilities, and failure modes through structured adversarial evaluation.",
  "ratings": {
    "novelty": 3.5,
    "rigor": 5,
    "actionability": 6.5,
    "completeness": 6
  },
  "category": "responses",
  "subcategory": "alignment-evaluation",
  "clusters": [
    "ai-safety",
    "cyber"
  ],
  "metrics": {
    "wordCount": 1462,
    "tableCount": 12,
    "diagramCount": 1,
    "internalLinks": 46,
    "externalLinks": 17,
    "footnoteCount": 0,
    "bulletRatio": 0.21,
    "sectionCount": 29,
    "hasOverview": true,
    "structuralScore": 14
  },
  "suggestedQuality": 93,
  "updateFrequency": 21,
  "evergreen": true,
  "wordCount": 1462,
  "unconvertedLinks": [
    {
      "text": "US AI Safety Institute Consortium",
      "url": "https://www.nist.gov/artificial-intelligence/artificial-intelligence-safety-institute",
      "resourceId": "c9c2bcaca0d2c3e6",
      "resourceTitle": "US AI Safety Institute"
    },
    {
      "text": "CISA AI Red Teaming",
      "url": "https://www.cisa.gov/news-events/news/ai-red-teaming-applying-software-tevv-ai-evaluations",
      "resourceId": "6f1d4fd3b52c7cb7",
      "resourceTitle": "AI Red Teaming: Applying Software TEVV for AI Evaluations"
    }
  ],
  "unconvertedLinkCount": 2,
  "convertedLinkCount": 12,
  "backlinkCount": 1,
  "redundancy": {
    "maxSimilarity": 17,
    "similarPages": [
      {
        "id": "evaluation",
        "title": "AI Evaluation",
        "path": "/knowledge-base/responses/evaluation/",
        "similarity": 17
      },
      {
        "id": "dangerous-cap-evals",
        "title": "Dangerous Capability Evaluations",
        "path": "/knowledge-base/responses/dangerous-cap-evals/",
        "similarity": 16
      },
      {
        "id": "capability-threshold-model",
        "title": "Capability Threshold Model",
        "path": "/knowledge-base/models/capability-threshold-model/",
        "similarity": 15
      },
      {
        "id": "capability-elicitation",
        "title": "Capability Elicitation",
        "path": "/knowledge-base/responses/capability-elicitation/",
        "similarity": 15
      },
      {
        "id": "evals",
        "title": "Evals & Red-teaming",
        "path": "/knowledge-base/responses/evals/",
        "similarity": 15
      }
    ]
  }
}

{
  "id": "red-teaming",
  "type": "approach",
  "title": "Red Teaming",
  "description": "Adversarial testing methodologies to systematically identify AI system vulnerabilities, dangerous capabilities, and failure modes through structured adversarial evaluation. Effectiveness rates vary from 10-80% depending on attack method.",
  "tags": [
    "adversarial-testing",
    "vulnerability-discovery",
    "jailbreaking",
    "safety-testing",
    "cybersecurity"
  ],
  "relatedEntries": [
    {
      "id": "anthropic",
      "type": "lab"
    },
    {
      "id": "openai",
      "type": "lab"
    },
    {
      "id": "metr",
      "type": "lab"
    },
    {
      "id": "responsible-scaling-policies",
      "type": "policy"
    }
  ],
  "sources": [],
  "lastUpdated": "2026-02",
  "customFields": []
}

No facts for this entity

No external links

{
  "title": "Red Teaming",
  "description": "Adversarial testing methodologies to systematically identify AI system vulnerabilities, dangerous capabilities, and failure modes through structured adversarial evaluation.",
  "sidebar": {
    "order": 12
  },
  "quality": 65,
  "importance": 74.5,
  "lastEdited": "2026-01-28",
  "update_frequency": 21,
  "llmSummary": "Red teaming is a systematic adversarial evaluation methodology for identifying AI vulnerabilities and dangerous capabilities before deployment, with effectiveness rates varying from 10-80% depending on attack method. Key challenges include scaling human red teaming to match AI capability growth (2025-2027 critical period) and the adversarial arms race where attacks evolve faster than defenses.",
  "ratings": {
    "novelty": 3.5,
    "rigor": 5,
    "actionability": 6.5,
    "completeness": 6
  },
  "clusters": [
    "ai-safety",
    "cyber"
  ],
  "subcategory": "alignment-evaluation",
  "entityType": "approach"
}

---
title: Red Teaming
description: Adversarial testing methodologies to systematically identify AI system vulnerabilities, dangerous capabilities, and failure modes through structured adversarial evaluation.
sidebar:
  order: 12
quality: 65
importance: 74.5
lastEdited: "2026-01-28"
update_frequency: 21
llmSummary: Red teaming is a systematic adversarial evaluation methodology for identifying AI vulnerabilities and dangerous capabilities before deployment, with effectiveness rates varying from 10-80% depending on attack method. Key challenges include scaling human red teaming to match AI capability growth (2025-2027 critical period) and the adversarial arms race where attacks evolve faster than defenses.
ratings:
  novelty: 3.5
  rigor: 5
  actionability: 6.5
  completeness: 6
clusters:
  - ai-safety
  - cyber
subcategory: alignment-evaluation
entityType: approach
---
import {R, EntityLink, DataExternalLinks, Mermaid} from '@components/wiki';

<DataExternalLinks pageId="red-teaming" />

## Overview

Red teaming is a systematic adversarial evaluation methodology used to identify vulnerabilities, dangerous capabilities, and failure modes in AI systems before deployment. Originally developed in cybersecurity and military contexts, red teaming has become a critical component of AI safety evaluation, particularly for <EntityLink id="E400">language models</EntityLink> and <EntityLink id="E2">agentic systems</EntityLink>.

Red teaming serves as both a capability evaluation tool and a safety measure, helping organizations understand what their AI systems can do—including capabilities they may not have intended to enable. As AI systems become more capable, red teaming provides essential empirical data for <EntityLink id="E252">responsible scaling policies</EntityLink> and deployment decisions.

## Quick Assessment

| Dimension | Rating | Notes |
|-----------|--------|-------|
| **Tractability** | High | Well-established methodology with clear implementation paths |
| **Scalability** | Medium | Human red teaming limited; automated methods emerging |
| **Current Maturity** | Medium-High | Standard practice at major labs since 2023 |
| **Time Horizon** | Immediate | Can be implemented now; ongoing challenge to keep pace with capabilities |
| **Key Proponents** | <EntityLink id="E22">Anthropic</EntityLink>, <EntityLink id="E218">OpenAI</EntityLink>, METR, UK AISI | Active programs with published methodologies |
| **Regulatory Status** | Increasing | <EntityLink id="E127">EU AI Act</EntityLink> and NIST AI RMF mandate adversarial testing |

## How It Works

<Mermaid chart={`
flowchart TD
    subgraph Discovery["Discovery Phase"]
        A[Define Threat Model] --> B[Assemble Red Team]
        B --> C[Design Test Cases]
    end

    subgraph Testing["Testing Phase"]
        D[Manual Probing] --> G[Document Findings]
        E[Automated Attacks] --> G
        F[Domain Expert Review] --> G
    end

    subgraph Response["Response Phase"]
        G --> H{Vulnerability Found?}
        H -->|Yes| I[Develop Mitigations]
        H -->|No| J[Expand Test Coverage]
        I --> K[Retest System]
        K --> H
        J --> D
    end

    C --> D
    C --> E
    C --> F
`} />

Red teaming follows a structured cycle: teams first define threat models based on potential misuse scenarios, then systematically probe the AI system using both manual creativity and automated attack generation. Findings feed into mitigation development, which is then retested to verify effectiveness.

## Risk Assessment

| Factor | Assessment | Evidence | Timeline |
|---------|------------|----------|----------|
| **Coverage Gaps** | High | Limited standardization across labs | Current |
| **Capability Discovery** | Medium | Novel dangerous capabilities found regularly | Ongoing |
| **Adversarial Evolution** | High | Attack methods evolving faster than defenses | 1-2 years |
| **Evaluation Scaling** | Medium | Human red teaming doesn't scale to model capabilities | 2-3 years |

## Key Red Teaming Approaches

### Adversarial Prompting (Jailbreaking)

| Method | Description | Effectiveness | Example Organizations |
|---------|-------------|---------------|---------------------|
| **Direct Prompts** | Explicit requests for prohibited content | Low (10-20% success) | <R id="f771d4f56ad4dbaa">Anthropic</R> |
| **Role-Playing** | Fictional scenarios to bypass safeguards | Medium (30-50% success) | <EntityLink id="E201">METR</EntityLink> |
| **Multi-step Attacks** | Complex prompt chains | High (60-80% success) | Academic researchers |
| **Obfuscation** | Encoding, language switching, symbols | Variable (20-70% success) | Security researchers |

### Dangerous Capability Elicitation

Red teaming systematically probes for concerning capabilities:

- **<EntityLink id="E224">Persuasion</EntityLink>**: Testing ability to manipulate human beliefs
- **<EntityLink id="E93">Deception</EntityLink>**: Evaluating tendency to provide false information strategically
- **<EntityLink id="E282">Situational Awareness</EntityLink>**: Assessing model understanding of its training and deployment
- **<EntityLink id="E278">Self-improvement</EntityLink>**: Testing ability to enhance its own capabilities

### Multi-Modal Attack Surfaces

| Modality | Attack Vector | Risk Level | Current State |
|----------|---------------|------------|---------------|
| **Text-to-Image** | Prompt injection via images | Medium | Active research |
| **Voice Cloning** | Identity deception | High | Emerging concern |
| **Video Generation** | Deepfake creation | High | Rapid advancement |
| **Code Generation** | Malware creation | Medium-High | Well-documented |

## Risks Addressed

| Risk | Relevance | How It Helps |
|------|-----------|--------------|
| <EntityLink id="E93">Deceptive Alignment</EntityLink> | High | Probes for hidden goals and strategic deception through adversarial scenarios |
| <EntityLink id="E224">Manipulation & Persuasion</EntityLink> | High | Tests ability to manipulate human beliefs and behaviors |
| <EntityLink id="model-manipulation">Model Manipulation</EntityLink> | High | Identifies prompt injection and jailbreaking vulnerabilities |
| <EntityLink id="E42">Bioweapons Risk</EntityLink> | High | Evaluates whether models provide dangerous biological information |
| <EntityLink id="cyberattacks">Cyber Offense</EntityLink> | High | Tests for malicious code generation and vulnerability exploitation |
| <EntityLink id="E282">Situational Awareness</EntityLink> | Medium | Assesses model understanding of its training and deployment context |

## Current State & Implementation

### Leading Organizations

**Industry Red Teaming:**
- <R id="1d07abc7b6f1c574">Anthropic</R>: Constitutional AI evaluation
- <R id="e09fc9ef04adca70">OpenAI</R>: GPT-4 system card methodology
- <EntityLink id="E98">DeepMind</EntityLink>: Sparrow safety evaluation

**Independent Evaluation:**
- <EntityLink id="E201">METR</EntityLink>: Autonomous replication and adaptation testing
- <EntityLink id="E364">UK AISI</EntityLink>: National AI safety evaluations
- <EntityLink id="E24">Apollo Research</EntityLink>: Deceptive alignment detection

**Government Programs:**
- [NIST ARIA Program](https://ai-challenges.nist.gov/): Invites AI developers to submit models for red teaming and large-scale field testing
- [US AI Safety Institute Consortium](https://www.nist.gov/artificial-intelligence/artificial-intelligence-safety-institute): Industry-government collaboration on safety standards
- [CISA AI Red Teaming](https://www.cisa.gov/news-events/news/ai-red-teaming-applying-software-tevv-ai-evaluations): Operational cybersecurity evaluation services

### Evaluation Methodologies

| Approach | Scope | Advantages | Limitations |
|----------|--------|------------|-------------|
| **Human Red Teams** | Broad creativity | Domain expertise, novel attacks | Limited scale, high cost |
| **Automated Testing** | High volume | Scalable, consistent | Predictable patterns |
| **Hybrid Methods** | Comprehensive | Best of both approaches | Complex coordination |

### Automated Red Teaming Tools

Open-source and commercial tools have emerged to scale adversarial testing:

| Tool | Developer | Key Features | Use Case |
|------|-----------|--------------|----------|
| **[PyRIT](https://github.com/Azure/PyRIT)** | Microsoft | Modular attack orchestration, scoring engine, prompt mutation | Research and enterprise testing |
| **[Garak](https://github.com/NVIDIA/garak)** | NVIDIA | 100+ attack vectors, 20,000 prompts per run, probe-based scanning | Baseline vulnerability assessment |
| **[Promptfoo](https://www.promptfoo.dev/)** | Open Source | CI/CD integration, adaptive attack generation | Pre-deployment testing |
| **[ARTKIT](https://github.com/BCG-X-Official/artkit)** | BCG | Multi-turn attacker-target simulations | Behavioral testing |

Microsoft's [PyRIT white paper](https://www.microsoft.com/en-us/security/blog/2024/02/22/announcing-microsofts-open-automation-framework-to-red-team-generative-ai-systems/) reports efficiency gains of weeks to hours in certain red teaming exercises. However, automated tools complement rather than replace human expertise in discovering novel attack vectors.

## Key Challenges & Limitations

### Methodological Issues

- **False Negatives**: Failing to discover dangerous capabilities that exist
- **False Positives**: Flagging benign outputs as concerning
- **Evaluation Gaming**: Models learning to perform well on specific red team tests
- **Attack Evolution**: New jailbreaking methods emerging faster than defenses

### Scaling Challenges

Red teaming faces significant scaling issues as AI capabilities advance:

- **Human Bottleneck**: Expert red teamers cannot keep pace with model development
- **Capability Overhang**: Models may have dangerous capabilities not discovered in evaluation
- **Adversarial Arms Race**: Continuous evolution of attack and defense methods

## Timeline & Trajectory

### 2022-2023: Formalization
- Introduction of systematic red teaming at major labs
- <R id="ebab6e05661645c5">GPT-4 system card</R> sets evaluation standards
- Academic research establishes jailbreaking taxonomies

### 2024-Present: Standardization
- [NIST Generative AI Profile](https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-generative-artificial-intelligence) (NIST AI 600-1) establishes red teaming protocols
- [Anthropic Frontier Red Team](https://www.anthropic.com/news/strategic-warning-for-ai-risk-progress-and-insights-from-our-frontier-red-team) reports "zero to one" progress in cyber capabilities
- [OpenAI Red Teaming Network](https://openai.com/index/red-teaming-network/) engages 100+ external experts across 29 countries
- Japan AI Safety Institute releases [Guide to Red Teaming Methodology](https://www.meti.go.jp/english/policy/mono_info_service/information_economy/artificial_intelligence/aisi.html)

### 2025-2027: Critical Scaling Period
- **Challenge**: Human red teaming capacity vs. AI capability growth
- **Risk**: Evaluation gaps for advanced <EntityLink id="E2">agentic systems</EntityLink>
- **Response**: Development of AI-assisted red teaming methods

### Evaluation Completeness
**Core Question**: Can red teaming reliably identify all dangerous capabilities?

**Expert Disagreement**: 
- Optimists: Systematic testing can achieve reasonable coverage
- Pessimists: Complex systems have too many interaction effects to evaluate comprehensively

### Adversarial Dynamics
**Core Question**: Will red teaming methods keep pace with AI development?

**Trajectory Uncertainty**:
- Attack sophistication growing faster than defense capabilities
- Potential for AI systems to assist in their own red teaming
- Unknown interaction effects in multi-modal systems

## Integration with Safety Frameworks

Red teaming connects to broader AI safety approaches:

- **<EntityLink id="E447">Evaluation</EntityLink>**: Core component of capability assessment
- **<EntityLink id="E252">Responsible Scaling</EntityLink>**: Provides safety thresholds for deployment decisions
- **<EntityLink id="E373">Alignment Research</EntityLink>**: Empirical testing of alignment methods
- **Governance**: Informs regulatory evaluation requirements

## Sources & Resources

### Primary Research
| Source | Type | Key Contribution |
|--------|------|------------------|
| <R id="e99a5c1697baa07d">Anthropic Constitutional AI</R> | Technical | Red teaming integration with training |
| <R id="ebab6e05661645c5">GPT-4 System Card</R> | Evaluation | Comprehensive red teaming methodology |
| <R id="2417abe9438129f1">METR Publications</R> | Research | Autonomous capability evaluation |

### Government & Policy
| Organization | Resource | Focus |
|--------------|----------|-------|
| <R id="fdf68a8f30f57dee">UK AISI</R> | Evaluation frameworks | National safety testing |
| <R id="54dbc15413425997">NIST AI RMF</R> | Standards | Risk management integration |
| <R id="1102501c88207df3">EU AI Office</R> | Regulations | Compliance requirements |

### Academic Research
| Institution | Focus Area | Key Publications |
|-------------|------------|------------------|
| <R id="c0a5858881a7ac1c">Stanford HAI</R> | Evaluation methods | Red teaming taxonomies |
| <R id="e9e9fc88176f4432">MIT CSAIL</R> | Adversarial ML | Jailbreaking analysis |
| <EntityLink id="E57">Berkeley CHAI</EntityLink> | Alignment testing | Safety evaluation frameworks |
| [CMU Block Center](https://www.cmu.edu/block-center/) | NIST Guidelines | Red teaming for generative AI |

### Key Research Papers
| Paper | Authors | Contribution |
|-------|---------|--------------|
| [OpenAI's Approach to External Red Teaming](https://cdn.openai.com/papers/openais-approach-to-external-red-teaming.pdf) | Lama Ahmad et al. | Comprehensive methodology for external red teaming |
| [Diverse and Effective Red Teaming](https://cdn.openai.com/papers/diverse-and-effective-red-teaming.pdf) | OpenAI | Auto-generated rewards for automated red teaming |
| [Challenges in Red Teaming AI Systems](https://www.anthropic.com/news/challenges-in-red-teaming-ai-systems) | Anthropic | Methodological limitations and future directions |
| [Strengthening Red Teams](https://alignment.anthropic.com/2025/strengthening-red-teams/) | Anthropic | Modular scaffold for control evaluations |

---

## AI Transition Model Context

Red teaming improves the <EntityLink id="ai-transition-model" /> through <EntityLink id="E205" />:

| Factor | Parameter | Impact |
|--------|-----------|--------|
| <EntityLink id="E205" /> | <EntityLink id="E20" /> | Identifies failure modes and vulnerabilities before deployment |
| <EntityLink id="E205" /> | <EntityLink id="E261" /> | Helps evaluate whether safety keeps pace with capabilities |
| <EntityLink id="E205" /> | <EntityLink id="E160" /> | Provides empirical data for oversight decisions |

Red teaming effectiveness is bounded by evaluator capabilities; as AI systems exceed human-level performance, automated and AI-assisted red teaming becomes critical.