Attack AI systems. Understand why they break.
Attaxium REDAI is a hands-on program in red teaming AI-integrated systems — agents, RAG, MCP tools and self-hosted model servers. Every attack is run live against a real, deliberately-vulnerable lab, and explained down to the model internals that make it possible.
Not another prompt-injection tutorial.
Free toys teach the mechanics. Premium certs gate the labs. Attaxium sits in the gap: a deep, persistent, self-hostable lab — with the model-level reasoning nobody else teaches.
Execution + why
Every attack is paired with the LLM-engineering reason it works — flat context windows, shallow alignment, reversible embeddings, tokenizer gaps. You leave able to reason about systems the course never showed you.
A real, persistent lab
Not a time-boxed toy. Deliberately-vulnerable agents, RAG pipelines, MCP tool surfaces and a model server you attack on demand — spawn what you need, when you need it, all in a hardened, no-egress sandbox.
Depth others skip
Multi-agent & A2A abuse, MCP tool-surface attacks, self-hosted model-server exploitation, supply-chain on weights — the hard half, taught by someone who builds and fine-tunes these systems.
Eleven chapters, recon to capstone.
Each chapter opens with a target brief, ties the attack to an LLM root cause, then hides the solution behind a spoiler so you try it first.
Foundations — why LLMs are attackable
Next-token prediction, the flat context window, shallow alignment, embeddings that leak. The mental model behind every attack.
Introduction to Red Teaming AI
Why legacy tactics fail on AI-integrated orgs. MITRE ATLAS, OWASP LLM Top 10, the AI kill chain.
Reconnaissance for AI Targets
Fingerprinting models, mapping the AI attack surface, RAG-pipeline recon, harvesting deploy tokens.
Attacking AI Agents
Direct & indirect prompt injection, jailbreaks, guard evasion, agent memory poisoning.
Multi-Agent Systems & A2A
Confused-deputy, rogue-agent registration, forged workflow history, LLM-mediated SQLi.
Exploiting RAG Pipelines
Indirect injection via documents, cross-user leakage, redaction bypass, trace-viewer recon.
Attacking Embeddings
Embedding inversion, vector-store dumps, semantic-search abuse.
MCP & Tool Surfaces
Tool poisoning, traversal & SSTI through tools, confused-deputy over Open WebUI + MCP.
Supply-Chain Attacks on AI/ML
Backdoored artifacts, pickle RCE, poisoned training data, repo mining.
Infrastructure & Deployment
Model-server exploitation, SSRF, cloud IAM chains, Kubernetes ML.
AI Red Team Capstone
A full chained engagement — recon → exploit → pivot → post-exploitation.
A real environment, spawned on demand.
The lab is the product. Deliberately-vulnerable AI targets you attack for real — then tear down clean.
- Local models via Ollama — no cloud keys, air-gapped by design
- Spawn a scenario on demand; it tears down clean, zero residue
- Nothing to install — connect and attack from your own machine
- No-egress sandbox: hostile targets and jailbroken models can't reach the network
$ labctl up rag-exfil
↑ rag-exfil (qwen2.5:7b) ... ✓ up
attack at http://10.66.0.10:8082/
$ curl -s $LAB/query -d \
'{"query":"support macro recovery token"}'
→ Account recovery token for jdoe:
REDAI{rag_exfil_…}
$ labctl panic rag-exfil # zero residueDepth you can't get from a prompt-injection tutorial.
Built from the inside
The hard chapters are written by someone who builds, fine-tunes and serves these models — not just attacks other people's chatbots. That depth is the moat.
Air-gapped & safe
Every target runs in a no-egress sandbox. Hostile payloads and jailbroken models can't reach the network, mine your hardware, or phone home.
Always on, on your schedule
Practice whenever you want — spin a scenario up on demand, not against a 90-day countdown clock.
The course is coming.
Pricing and enrollment open soon. Create a profile now to get early access to the lab and be first in line when chapters go live.
Want the lab inside your own network?
Run Attaxium's deliberately-vulnerable AI lab on your own infrastructure — train your pentesters and blue team air-gapped, no data leaving your walls. We package the scenarios, the orchestration and the SIEM for on-prem deployment.