Tradecraft
Advanced AI red team tradecraft covering reconnaissance techniques, AI-specific threat modeling, and structured engagement methodology for professional adversarial assessments.
Tradecraft is what separates systematic adversarial assessment from ad hoc poking at an AI system. It encompasses the planning, reconnaissance, methodology, and operational discipline that professional red teamers bring to every engagement. While attack techniques tell you what to try, tradecraft tells you when to try it, in what order, and how to extract maximum value from each test.
The tradecraft covered in this section addresses the phases of an AI red team engagement that happen before, during, and alongside active exploitation. Reconnaissance gathers the intelligence that makes attacks targeted rather than blind. Threat modeling identifies which attacks matter most for the specific system under test. Methodology provides the structured framework that ensures comprehensive coverage while adapting to what you discover. These skills are what allow a small team to efficiently assess a complex AI system and produce findings that are both technically sound and operationally relevant.
The Tradecraft Lifecycle
Effective AI red teaming follows a lifecycle that mirrors traditional security assessment but adapts each phase for the unique characteristics of AI systems.
Reconnaissance in the AI context goes beyond network scanning and OSINT. The highest-value reconnaissance target in most AI engagements is the system prompt -- extracting it reveals the model's identity, capabilities, constraints, tool definitions, and guardrail logic. System prompt extraction is a specialized skill that uses direct requests, indirect techniques, and multi-turn strategies to coax the model into revealing its instructions. Beyond the system prompt, API reverse engineering maps the technical surface: what models are being used, what parameters are exposed, how inputs are processed, and what tools or integrations are available. Shadow AI discovery identifies unauthorized AI deployments within an organization -- AI systems deployed by individual teams without security review, often with default configurations and minimal access controls.
Threat modeling for AI systems requires frameworks that account for attack surfaces unique to language models. Traditional threat models focus on authentication, authorization, and data flow. AI threat models must additionally consider prompt injection vectors, training data integrity, model supply chain risks, tool trust boundaries, and the amplification effects that occur when an autonomous agent is compromised. AI-specific threat modeling adapts STRIDE, MITRE ATLAS, and custom frameworks to systematically identify the threats most relevant to the system under assessment.
Engagement methodology provides the operational structure for conducting assessments. Scoping and rules of engagement define what is in bounds, what data can be used, and what level of access the testing team has. Evidence collection ensures that every finding is documented with sufficient detail to reproduce it, defend it, and explain it to stakeholders. Purple teaming integrates offensive testing with defensive response, allowing the defending team to observe attacks in real time and evaluate their detection and response capabilities. Continuous red teaming extends the assessment model from point-in-time evaluations to ongoing adversarial monitoring that catches regression as systems evolve.
Reconnaissance Depth
The quality of reconnaissance directly determines the effectiveness of subsequent attacks. Shallow reconnaissance leads to generic attacks that may or may not be relevant. Deep reconnaissance enables precisely targeted attacks that exploit the specific weaknesses of the system under test.
| Reconnaissance Level | Techniques | Value |
|---|---|---|
| Surface | Model identification, basic input testing, public documentation review | Baseline understanding of what you are testing |
| System prompt extraction | Direct requests, indirect techniques, multi-turn strategies, encoding tricks | Reveals guardrails, tools, business logic, and constraints |
| API analysis | Parameter enumeration, error behavior mapping, rate limit probing, model fingerprinting | Maps the technical attack surface and identifies misconfigurations |
| Shadow AI discovery | Network traffic analysis, API endpoint scanning, employee interviews, cloud resource auditing | Identifies untested AI deployments with weak security postures |
What You'll Learn in This Section
- Advanced Reconnaissance -- System prompt extraction techniques, API reverse engineering and model fingerprinting, and shadow AI discovery for finding unauthorized AI deployments
- AI-Specific Threat Modeling -- Adapting threat modeling frameworks for AI systems, identifying model-layer and data-layer threats, and prioritizing attack vectors by impact and exploitability
- Red Team Methodology -- Scoping and rules of engagement, evidence collection best practices, purple teaming approaches, continuous red team programs, and AI-specific threat modeling workflows
Prerequisites
Tradecraft is most valuable with some technical foundation:
- Foundational AI knowledge from the Foundations section, particularly AI System Architecture
- Basic prompt injection understanding from Prompt Injection -- reconnaissance often involves injection techniques
- Traditional security testing experience is helpful but not required -- the methodology section covers structured assessment approaches from first principles
- Communication skills -- tradecraft includes scoping conversations and evidence documentation that require clear written and verbal communication