1) Threat model definition โ a catalog of harm categories (biosecurity, cybersecurity, misinformation, CSAM, self-harm, prompt injection, data exfiltration, agentic misuse) plus the adversary profile (nation-state, cybercriminal, terrorist, disgruntled insider, curious user). 2) Environment setup โ a list of realistic scenarios: browsing a malicious page, tool output with injection, email with an instruction, local file with a marker. 3) Attack generation โ (a) human: experts try structured attempts by hand, (b) automated: LLM-as-attacker generates candidates, (c) hybrid: automated proposes, human curates. 4) Attack execution โ attacker sends the prompt to the target model, target responds, log traces. 5) Success classification โ auto grader or human judge labels: successful attack (elicit target harm), defended, ambiguous. 6) Reporting โ attack success rates per category, novel classes discovered, concrete examples with reproducers. 7) Feedback loop โ successful attacks go into training as adversarial data (RLHF safety) or in the Constitutional AI/RLAIF pipeline; defence iterates until attack success rate drops. 8) Independent re-run โ before release, external red-teamers (AISI, OpenAI External Red Teaming Network) repeat with their own methods. 9) Publication โ summary in Model Card / System Card.
AI models, particularly frontier LLMs and multimodal ones, can generate harmful outputs (aid in creating chemical/biological/nuclear weapons, misinformation, disinformation, CSAM, prompt injections enabling data exfiltration, agentic system hijacking). Regular functional testing (unit tests, benchmarks) will not discover these scenarios โ an adversarial stress test simulating a real opponent is needed. Without red-teaming, models are released "blind", discovering their own vulnerabilities only in wild deployment, with potentially catastrophic consequences (use in terrorist attacks, disinformation campaigns, infrastructure hijacking).
Narrow: a single category (e.g. prompt injection). Wide: full CBRN + agentic + misinformation + privacy catalog. Wide requires multi-domain experts (biosecurity PhD, cybersec, lawyer, journalist).
Human: novel class discovery, expensive. Automated: scale, may miss novel. Hybrid: dominant trend 2025-2026 โ automated for coverage, human for deepening and validation.
GPT-Red trained on compute comparable to OpenAI's largest post-training runs. Anthropic Frontier Red Team โ several dozen FTEs. Larger budget = more discoveries, but diminishing returns on saturated categories.
Isolated model API vs full agent harness (tool use, browsing, code execution, memory). Real risk lives in the context โ red-teaming should test the full platform.
Automated grader (second LLM as judge, rule-based) scales to millions but has bias and false positives. Human judge is more accurate but slow. Best practice: automated + spot-check by human.
Public (Anthropic HHH dataset), semi-public (Model Card summary), private (most dangerous classes kept internal). Trade-off: publication enables communal defence but arms adversaries.
Attacks are chosen conditionally based on the target model and harm category. Adaptive red-teaming (GPT-Red, self-play) learns in a loop โ the attacker adapts strategies to observed target failures. Human red-teaming is stage-dependent โ discovery, deepening, adversarial red-teaming phases.
Automated red-teaming is trivially parallel โ each scenario is an independent attacker <-> target transaction. Massive-scale parallelism (millions of concurrent attempts) is possible with adequate inference infrastructure. Human red-teaming parallel to the number of available experts (tens to hundreds).