AI Red Teaming · Training + Lab

Attack AI systems. Understand why they break.

Attaxium REDAI is a hands-on program in red teaming AI-integrated systems — agents, RAG, MCP tools and self-hosted model servers. Every attack is run live against a real, deliberately-vulnerable lab, and explained down to the model internals that make it possible.

12
Vulnerable lab targets
11
Guided chapters
8
LLM root causes taught
1
Self-hostable lab
The difference

Not another prompt-injection tutorial.

Free toys teach the mechanics. Premium certs gate the labs. Attaxium sits in the gap: a deep, persistent, self-hostable lab — with the model-level reasoning nobody else teaches.

01

Execution + why

Every attack is paired with the LLM-engineering reason it works — flat context windows, shallow alignment, reversible embeddings, tokenizer gaps. You leave able to reason about systems the course never showed you.

02

A real, persistent lab

Not a time-boxed toy. Deliberately-vulnerable agents, RAG pipelines, MCP tool surfaces and a model server you attack on demand — spawn what you need, when you need it, all in a hardened, no-egress sandbox.

03

Depth others skip

Multi-agent & A2A abuse, MCP tool-surface attacks, self-hosted model-server exploitation, supply-chain on weights — the hard half, taught by someone who builds and fine-tunes these systems.

Curriculum

Eleven chapters, recon to capstone.

Each chapter opens with a target brief, ties the attack to an LLM root cause, then hides the solution behind a spoiler so you try it first.

Ch 0

Foundations — why LLMs are attackable

Next-token prediction, the flat context window, shallow alignment, embeddings that leak. The mental model behind every attack.

Ch 1

Introduction to Red Teaming AI

Why legacy tactics fail on AI-integrated orgs. MITRE ATLAS, OWASP LLM Top 10, the AI kill chain.

Ch 2

Reconnaissance for AI Targets

Fingerprinting models, mapping the AI attack surface, RAG-pipeline recon, harvesting deploy tokens.

Ch 3

Attacking AI Agents

Direct & indirect prompt injection, jailbreaks, guard evasion, agent memory poisoning.

Ch 4

Multi-Agent Systems & A2A

Confused-deputy, rogue-agent registration, forged workflow history, LLM-mediated SQLi.

Ch 5

Exploiting RAG Pipelines

Indirect injection via documents, cross-user leakage, redaction bypass, trace-viewer recon.

Ch 6

Attacking Embeddings

Embedding inversion, vector-store dumps, semantic-search abuse.

Ch 7

MCP & Tool Surfaces

Tool poisoning, traversal & SSTI through tools, confused-deputy over Open WebUI + MCP.

Ch 8

Supply-Chain Attacks on AI/ML

Backdoored artifacts, pickle RCE, poisoned training data, repo mining.

Ch 9

Infrastructure & Deployment

Model-server exploitation, SSRF, cloud IAM chains, Kubernetes ML.

Ch 11

AI Red Team Capstone

A full chained engagement — recon → exploit → pivot → post-exploitation.

The Lab

A real environment, spawned on demand.

The lab is the product. Deliberately-vulnerable AI targets you attack for real — then tear down clean.

  • Local models via Ollama — no cloud keys, air-gapped by design
  • Spawn a scenario on demand; it tears down clean, zero residue
  • Nothing to install — connect and attack from your own machine
  • No-egress sandbox: hostile targets and jailbroken models can't reach the network
student@kali:~
$ labctl up rag-exfil
↑ rag-exfil (qwen2.5:7b) ... ✓ up
  attack at http://10.66.0.10:8082/

$ curl -s $LAB/query -d \
  '{"query":"support macro recovery token"}'
→ Account recovery token for jdoe:
  REDAI{rag_exfil_…}

$ labctl panic rag-exfil    # zero residue
Why Attaxium

Depth you can't get from a prompt-injection tutorial.

Built from the inside

The hard chapters are written by someone who builds, fine-tunes and serves these models — not just attacks other people's chatbots. That depth is the moat.

Air-gapped & safe

Every target runs in a no-egress sandbox. Hostile payloads and jailbroken models can't reach the network, mine your hardware, or phone home.

Always on, on your schedule

Practice whenever you want — spin a scenario up on demand, not against a 90-day countdown clock.

Early access

The course is coming.

Pricing and enrollment open soon. Create a profile now to get early access to the lab and be first in line when chapters go live.

For teams

Want the lab inside your own network?

Run Attaxium's deliberately-vulnerable AI lab on your own infrastructure — train your pentesters and blue team air-gapped, no data leaving your walls. We package the scenarios, the orchestration and the SIEM for on-prem deployment.