Intermediate AI Red Team Labs
Overview of intermediate-level hands-on labs covering agent exploitation, RAG poisoning, multi-turn attacks, automated campaigns, and advanced injection techniques for AI red teaming.
Welcome to the Intermediate Track
The intermediate labs build directly on the skills you developed in the beginner track. Where beginner labs focused on single-turn prompt injection and basic tooling, intermediate labs introduce multi-step attack chains, agentic exploitation, automated campaign management, and data pipeline attacks that reflect real-world AI red teaming engagements.
Prerequisites
Before starting these labs, you should have completed:
- All beginner labs -- especially Environment Setup, Simple Test Harness, and API Testing
- Python proficiency -- comfortable with async/await, HTTP libraries, and package management
- API access -- active API keys for at least one major LLM provider (OpenAI, Anthropic, or local models via Ollama)
| Requirement | Minimum | Recommended |
|---|---|---|
| Python | 3.10+ | 3.11+ |
| RAM | 16 GB | 32 GB |
| Disk space | 20 GB free | 100 GB free (for local models and vector DBs) |
| API access | One LLM API key | OpenAI + Anthropic + local model |
| Additional | pip, git, Docker | Docker Compose, Node.js 18+ |
Lab Overview
The 17 intermediate labs are organized into four tracks. You can follow them sequentially or choose a track based on your focus area.
Agentic Exploitation Track
| Lab | Title | Key Skills |
|---|---|---|
| 1 | Exploiting AI Agents | Indirect injection, tool-call chaining, privilege escalation |
| 2 | MCP Tool Abuse Scenarios | Model Context Protocol exploitation, malicious tool definitions |
| 13 | Agent Memory Poisoning | Persistent context manipulation, false memory injection |
| 17 | Function Calling & Tool Use Abuse | Schema manipulation, unauthorized function chains |
Data Pipeline Attack Track
| Lab | Title | Key Skills |
|---|---|---|
| 4 | RAG Pipeline Poisoning | Document injection, retrieval hijacking, vector DB attacks |
| 5 | Embedding Space Manipulation | Embedding collisions, semantic proximity attacks |
| 8 | Data Exfiltration Techniques | System prompt extraction, context leakage, data theft via rendering |
| 9 | Basic Model Extraction | API-based model stealing, fidelity measurement |
Injection & Evasion Track
| Lab | Title | Key Skills |
|---|---|---|
| 3 | Multi-Turn Attack Campaigns | Crescendo attacks, safety degradation measurement |
| 7 | Indirect Prompt Injection Chains | Multi-hop injection, web/email/document vectors |
| 14 | Context Window Stuffing Attacks | Attention dilution, instruction displacement |
| 15 | Token Smuggling & Encoding Bypass | Unicode tricks, homoglyphs, tokenizer exploitation |
| 16 | Image-Based Prompt Injection | Multimodal injection, hidden text in images |
Automation & Evaluation Track
| Lab | Title | Key Skills |
|---|---|---|
| 6 | Building an LLM Judge Evaluator | Automated scoring, model comparison, evaluator design |
| 10 | Running PyRIT Campaigns | Microsoft PyRIT, orchestrators, converters, scorers |
| 11 | Systematic Defense Bypass | Filter enumeration, bypass methodology, documentation |
| 12 | Regression Testing with promptfoo | Continuous testing, CI/CD integration, assertion writing |
Recommended Progression
Foundation (Labs 1-3)
Start with agent exploitation and multi-turn attacks. These introduce the core intermediate skill: attacking systems rather than individual prompts.
Data Pipeline (Labs 4-5)
Learn to poison the data that flows into models. RAG poisoning and embedding manipulation are among the most impactful real-world attack vectors.
Automation (Labs 6, 10-12)
Build automated evaluation and campaign infrastructure. These tools multiply your effectiveness for all subsequent labs.
Advanced Injection (Labs 7-9, 13-17)
Apply advanced injection, exfiltration, and evasion techniques using the automated infrastructure you built.
Ethical Reminder
What Comes Next
After completing the intermediate track, you will be ready for:
- Advanced Labs -- fine-tuning attacks, adversarial suffix generation, model internals exploitation
- CTF Challenges -- competitive scenarios that combine multiple techniques
- Full Engagement Simulations -- end-to-end red team engagements with scoping, execution, and reporting
Related Topics
- Beginner Labs - Foundation skills and tools required before starting the intermediate track
- Advanced Labs - Next progression after completing intermediate exercises
- CTF Challenges - Apply intermediate skills in competitive capture-the-flag scenarios
- Attack Taxonomy - Classification framework for the attack techniques covered in these labs
- Red Team Methodology - Structured methodology that guides how intermediate techniques fit into engagements
References
- "OWASP Top 10 for LLM Applications" - OWASP (2025) - Industry-standard risk classification covering the vulnerabilities tested in these labs
- "PyRIT: Python Risk Identification Toolkit" - Microsoft (2024) - Enterprise red teaming framework used in the PyRIT campaigns lab
- "Not What You've Signed Up For" - Greshake et al. (2023) - Seminal research on indirect injection and agent exploitation covered in this track
- "AI Risk Management Framework" - NIST (2023) - Federal guidelines informing the systematic approach taught in these labs
What is the primary difference between beginner and intermediate AI red teaming labs?
Which prerequisite is most important before starting intermediate labs?