Master AI Red Team. The Only Way That Matters.

What an AI red teamer actually does

A working AI red team engagement looks something like this. You're handed access to a deployed LLM application — could be a customer support agent, an internal coding assistant, a RAG-backed knowledge tool, an autonomous agent with browser access. Your job is to find what breaks it and what an attacker could extract or cause it to do.

The first day is usually mapping. What model is underneath? What's the system prompt? What tools does it have access to? What data does it retrieve from? Where do user inputs go and how are they combined with retrieved content? Most production AI systems combine 4-6 distinct trust boundaries that the model treats as a single conversation — system prompt, user input, retrieved documents, tool outputs, prior conversation turns. Every boundary is an injection opportunity if it's not isolated correctly.

Then you start probing. Direct prompt injection in user input is the entry-level test. Indirect injection through whatever the system retrieves is more interesting and almost always works against systems that weren't designed for it. Jailbreaks come next — getting the model to produce content its alignment training was supposed to refuse. By the end of the engagement you've usually found three classes of issues: alignment bypass, instruction confusion across trust boundaries, and tool/data exfiltration through the model's output channel.

Why AI red team matters now

Every major company deployed AI into production in 2024-2025 without a mature security model for it. The OWASP LLM Top 10 was first published in 2023 and is still where most teams start their threat modeling. NIST released the AI Risk Management Framework. MITRE ATLAS catalogs real-world AI attacks. None of these existed five years ago because the attack surface didn't exist five years ago. Every system shipping with LLM components needs people who can think adversarially about those components. There are not enough of those people.

AI red team is the specialty that fills that gap. It's adjacent to traditional pentesting but not a subset of it. The skills overlap maybe 30%. The mental model — treat the LLM as a confused deputy that will faithfully execute whatever instructions reach it through any channel — is genuinely new. The tooling is immature. The career path is wide open. The foundations courses get you to baseline; the AI LLM Hacking Course is where the AI red team work starts.

Direct prompt injection

The classic. You type something into a chat interface that overrides the system prompt's instructions. "Ignore previous instructions" was the 2023 version; the 2026 versions are structured to look like legitimate tool outputs, schema definitions, or completed reasoning chains so the model treats them as authoritative. Direct injection still works against most deployments because input/instruction separation is rarely enforced at the model level — only at the application level, where it's bypassable.

Indirect prompt injection

This is where AI hacking gets interesting. You don't attack the LLM through its user input channel; you attack it through whatever data it retrieves. Plant the payload in a webpage the agent will browse. In a PDF the RAG system will index. In a calendar invite the assistant will summarize. In a GitHub issue the coding agent will read. The model encounters the payload during normal operation and follows the embedded instructions as if they came from its operator.

Indirect injection works against an enormous fraction of production AI deployments because the builders treated retrieved content as data, not as untrusted instructions. The model treats retrieved content the same way it treats the system prompt — as text to follow. That trust asymmetry is the actual vulnerability, and there's no clean fix at the model layer. Defense has to happen in the application's data pipeline.

Jailbreaking

Jailbreaking specifically targets the model's alignment training — the RLHF and constitutional AI techniques that teach the model to refuse harmful requests. The point isn't always to extract harmful content; often it's to demonstrate the alignment can be defeated, which matters for deployments that rely on alignment as a safety control. Techniques in active use: role-playing as a less-restricted persona, multi-turn priming that gradually shifts context, cipher-encoded prompts that bypass content classifiers, and adversarial suffix attacks generated against the model's logit outputs.

Each major frontier model (GPT-4, Claude, Gemini, Llama) has its own jailbreak landscape. Techniques transfer partially between models but rarely cleanly. Anthropic, OpenAI, and Google ship alignment improvements continuously; what worked last quarter often doesn't work this quarter. The jailbreaking techniques database tracks what's currently effective.

Agentic exploitation

Agents are LLMs with tools — the ability to call APIs, execute code, browse the web, access files. The attack surface expands dramatically because exploitation now has consequences in the world, not just in the conversation. A successful prompt injection against a browser agent can result in actual HTTP requests to attacker-controlled endpoints. Against a coding agent, it can result in committed malicious code. Against a customer support agent with database access, it can result in PII exfiltration.

Agentic exploitation is where AI hacking transitions from "the model said a bad thing" to "the model did a bad thing." The defense techniques (capability-based security, tool isolation, human-in-the-loop for high-impact actions) are immature and inconsistently deployed. This is the highest-impact area of AI red team work in 2026 and where the most paid bug bounty findings are landing.

What you don't see online

Public AI hacking content lags real-world findings by 6-12 months. Researchers and red team professionals don't publish working techniques against frontier models because (a) the model providers patch them within weeks, and (b) there's commercial value in keeping them private. What gets published are the techniques that have already been patched, the academic-paper versions of attacks, and the entry-level concepts. Real practitioner work happens in private engagements and bug bounty programs.

Everything taught in the AI LLM Hacking Course is based on techniques that currently work or recently worked against production systems. Not academic theory.

What makes an AI hacking course actually useful

The shortlist of things that matter, drawn from working AI red team engagements:

Recent. Material more than 18 months old is teaching techniques the model providers have already patched. The field is moving too fast for static curriculum. Anything that covers GPT-3.5 jailbreaks as if they're current is signaling its age.

Hands-on, not lecture-only. You cannot learn AI hacking by watching videos. You learn by attacking models, seeing what works, understanding why it worked, then trying to generalize. A course without lab access — either against open models or in a sandboxed environment — is teaching trivia.

Covers indirect injection and agentic attacks. If the course is 80% direct prompt injection and 20% jailbreaks, it's teaching 2023 material. The current attack surface is RAG injection, tool-call hijacking, and multi-stage agent exploitation.

Maps to OWASP LLM Top 10 v2 and MITRE ATLAS. These are the frameworks real engagements reference. A course that doesn't connect techniques to these frameworks is teaching them in isolation.

Has a credential at the end. Not because the credential matters intrinsically, but because credentialing forces the curriculum to be measurable and the instructor to be accountable to a defined scope. Courses without exit assessment usually drift toward whatever the instructor finds interesting.

The current landscape

SANS does not yet have a dedicated AI red team course; their AI security material is folded into broader curriculum. EC-Council launched an AI security cert in 2025 that's heavy on policy and light on attacks. Coursera/edX have university programs that are academically solid but a year or more behind the practitioner edge. Bug bounty platforms (HackerOne, Bugcrowd) run periodic AI-specific challenges that are excellent for active learning but assume you already have the foundation.

The free curriculum here is built for practitioners specifically. The AI LLM Hacking Course is 30 days, hands-on, covers prompt injection through agentic exploitation. The SE-ARTCP credential is the exit assessment — 80 multiple-choice questions plus hands-on labs across 8 domains, mapped to OWASP LLM Top 10 v2 and MITRE ATLAS. The free 20-question practice exam takes about 30 minutes and tells you immediately whether the material is at your level. No signup required.

What this curriculum doesn't replace

It doesn't replace foundational web application security skills — AI applications are still web applications, and the 90-day ethical hacking foundations and bug bounty curriculum exist as prerequisites for anyone who needs them. It doesn't replace direct hands-on engagement with real models — the course material gets you to baseline; the field experience that makes you good at this comes from bug bounty programs, internal red team work, or research engagements you find yourself.