Red teamers simulate attacks against your GenAI systems—such as LLMs and RAG implementations—to uncover prompt injection flaws, model jailbreaks, data leakage vectors, and weaknesses in content moderation or system integration.
By identifying and addressing issues like jailbreaks, unsafe outputs, or excessive agency, you reduce the risk of real-world exploitation and ensure your AI behaves reliably, ethically, and securely.
Emerging regulations and frameworks (like OWASP Top 10 for Large Language Model Applications, NIST AI RMF, ISO 42001, or industry-specific standards) increasingly expect organizations to assess AI systems for security and safety. AI red teaming helps demonstrate compliance with these evolving requirements.
Regular AI-specific testing shows customers, partners, and regulators that you take AI risks seriously and are proactively addressing threats in line with Responsible AI principles and modern cybersecurity expectations.
Our AI Red Team approach is built on leading industry frameworks, including the OWASP Top 10 for LLMs and the NIST AI Risk Management Framework. Recognizing that AI systems introduce unique risks—such as prompt injection, model manipulation, and unsafe output generation—we go beyond traditional automated testing. Our team conducts hands-on, adversarial exercises designed to simulate real-world abuse scenarios, assessing how your AI models, prompts, guardrails, and integrations withstand malicious inputs, edge cases, and intentional misuse.
Before testing begins, we'll collaborate closely with your team through a series of detailed planning sessions. These discussions explore the backend architecture and the systems that support your AI implementations, ensuring we fully understand the environment and its potential vulnerabilities. From this collaborative process, we craft tailored threat scenarios that mirror realistic attack vectors, aligning directly with OWASP’s Top 10 threats for Large Language Model applications. This ensures our testing is both comprehensive and relevant to the unique challenges of your AI systems.
Cory Rey is a Lead Penetration Tester at Schellman, where he plays a key role in advancing the firm’s offensive security capabilities, including spearheading the development of its AI Red Team service line. Focused on performing penetration tests for leading cloud service providers, he now extends his expertise to identifying and exploiting vulnerabilities in Generative AI systems—areas often overlooked by traditional security assessments. With a strong foundation in Application Security, Cory has a proven track record of uncovering complex security flaws across diverse environments.
Typically, we find that AI red team assessments take around 2 weeks depending on the number of features involved.
You can expect to pay no less than $16,000 for a single AI red team engagement with us, though the scope of your assessment always determines the final price.
AI Red Teams focus on identifying vulnerabilities unique to Generative AI systems—like prompt injection, toxic outputs, model extraction, bias, hallucinations, and alignment failures—by simulating adversarial interactions with AI models such as Large Language Models (LLMs). In contrast, traditional application penetration testing targets infrastructure and software flaws like injection attacks, authentication bypasses, and misconfigurations. While both share foundations like threat modeling, attacker simulation, and risk assessment, AI Red Teaming expands the scope to include the AI model’s behavior, ethical risks, and misuse of generated content. It also requires new evaluation methods due to the non-deterministic nature of AI outputs.
Yes, AI Red Teaming includes traditional penetration testing vectors such as input validation and extends them to cover AI-specific threats. For example, it evaluates how well AI systems validate and sanitize user inputs to prevent prompt injection or adversarial manipulation—much like input validation testing in web applications. Additionally, AI Red Teaming examines improper output handling, which is critical for generative models that produce content. This includes assessing whether the model outputs unescaped HTML or JavaScript that could lead to cross-site scripting (XSS) or code injection in downstream applications. Because AI outputs can be dynamic and context-dependent, Red Teams test how the system handles those outputs across different stages—whether they’re displayed in a web UI, passed to an API, or fed into another model or service. Ensuring both input and output are properly controlled is essential to prevent misuse, leakage, or unintended behavior in production environments.
The number of tokens used can't reasonably be guessed given the nature of the unpredictibilty of models. Additionally, it depends on the size of the model being tested. However, Schellman does not test for token exhaustion attacks unless specifically requested by the client.