Adaptive LLM Red Teaming

Adaptive Adversarial Testing
for LLM Applications.

AIvsAI is an open-source AI red teaming framework for prompt injection testing, LLM red teaming, jailbreak testing, and adaptive AI security assessment. Instead of replaying fixed payload lists, it performs autonomous prompt injection and runtime mutation based on live target feedback.

Get Started Why Adaptive?
Live Orchestration Dashboard
AIvsAI dashboard for prompt injection testing and LLM red teaming

What Is Prompt Injection Testing?

Prompt injection attacks attempt to override system instructions, manipulate tool use, exfiltrate hidden context, or alter safety outcomes. Modern LLM security testing must handle direct payloads, indirect prompt injection, jailbreak attempts, and multi-turn manipulation.

Static Payload Scanners
  • Relies on fixed jailbreak catalogs and known prompt strings.
  • Easily blocked by pattern matching or shallow filters.
  • Struggles to evaluate context-aware refusals and multi-step goals.
AIvsAI (Adaptive)
  • Closed-Loop: The attacker model learns from target feedback in every round.
  • Runtime Mutation: Generates fresh payloads for adaptive adversarial testing.
  • Goal-Oriented: Pursues a specific red-team objective rather than broad unsorted noise.

How AIvsAI Differs From Traditional Jailbreak Testing

Traditional jailbreak testing often focuses on a library of known prompts. AIvsAI is built for GenAI security testing in environments where prompts, memory, system policies, and tool decisions change dynamically.

Objective Tracking

"Extract the system prompt," "bypass output restrictions," or "alter tool behavior."

The orchestrator measures whether each turn moves closer to the defined adversarial objective.

Side Leak Detection

The judge model can flag collateral disclosure, safety drift, and partial success even when the primary goal is not fully achieved.

Flexible Scan Methodologies

Static Library Pure LLM Hybrid Mode
Autonomous Verdict Log
Adaptive adversarial testing loop for jailbreak testing and LLM security assessment

Supported AI Security Testing Scenarios

AIvsAI is built for practical AI attack simulation across chatbots, copilots, RAG systems, and tool-using agentic applications.

RAG Attacks

Test retrieval poisoning, malicious embedded instructions, and indirect prompt injection through untrusted knowledge sources.

System Prompt Extraction

Measure whether hidden prompts, policies, or chain-of-thought-like context can be inferred or leaked.

Jailbreak Attempts

Evaluate multi-turn persuasion, persona takeover, and restriction bypass attempts across different model behaviors.

Role Manipulation

See whether the application can be tricked into accepting unauthorized role changes or malicious meta-instructions.

Output Manipulation

Assess hallucination steering, unsafe formatting, leakage paths, and policy evasion in output channels.

Safety Bypass Testing

Benchmark how well your application resists prompts designed to suppress safeguards or trigger disallowed actions.

Agnostic Infrastructure Support

Run LLM penetration testing and AI security assessment workflows with local attackers, cloud-hosted models, or arbitrary HTTP targets.

Local Attacker (Ollama)

Host the adversary locally to reduce dependence on cloud moderation and support private red-team environments.

Outside LLM APIs

Connect to OpenAI, Groq, OpenRouter, or similar inference APIs when your test plan targets production-like stacks.

Arbitrary HTTP / cURL Targets

Import enterprise requests with cookies, headers, or Burp exports to test real application boundaries rather than isolated demos.

AIvsAI configuration interface for LLM security testing and adversarial AI setup

Technical Deep Dive

These sections are optimized for technical search intent around prompt injection testing, AI red teaming, and LLM security testing without flattening the current design language.

LLM Red Teaming Workflow

  1. Define the adversarial goal, such as prompt extraction or safety bypass.
  2. Seed the first attack prompts or start from a known risk family.
  3. Observe model refusal, leakage, or side effects after each attempt.
  4. Mutate tactics based on target feedback using the judge loop.
  5. Capture success paths, partial bypasses, and defensive weaknesses for remediation.

Comparison With Traditional Approaches

Static payload suites are useful for baseline checks, but they often miss how real attackers adapt wording, framing, or context over time. AIvsAI emphasizes feedback loops, runtime mutation, and goal pursuit.

That makes it suitable for more realistic adversarial AI testing and jailbreak detection against production workflows.

Enterprise Usage Scenarios

  • Pre-production red teaming of internal copilots and customer-facing chat interfaces.
  • Regression testing after prompt, policy, or model changes.
  • Security validation of RAG pipelines and agent tool permission boundaries.
  • Evidence generation for AI governance, review boards, and control assurance programs.

Methodology Notes

AIvsAI fits best where testers want to simulate attacker adaptation instead of replaying canned strings. That is especially important for applications with tool use, retrieval, hidden prompts, or custom guardrails.

Because it is open source, teams can tailor goal definitions, mutation strategies, and output triage to fit their own threat models.

Initialize the Framework

Deploy locally for professional adversarial research and authorized AI attack simulation.

Terminal - aivsai_v1.0
# Setup repository
$git clone https://github.com/purplesectools/AIvsAI.git
$pip install .
# Launch with Ollama attacker
$aivsai
Dashboard reachable at http://127.0.0.1:8000

Prompt Injection Testing FAQ

Technical answers aimed at high-intent searches for LLM red teaming, AI red teaming, and GenAI security testing.

What is prompt injection testing?
Prompt injection testing measures whether an AI application can be manipulated into ignoring instructions, leaking hidden context, misusing tools, or generating unsafe outputs.
How does AI red teaming work?
AI red teaming simulates attacker behavior against prompts, memory, retrieval, and tool workflows so teams can identify exploitable weaknesses before deployment or during security reviews.
What is LLM jailbreak testing?
LLM jailbreak testing evaluates whether safeguards can be bypassed through roleplay, persuasion, prompt mutation, chained instructions, or hidden content injection.
Can AIvsAI test OpenAI applications?
Yes, AIvsAI can test OpenAI-powered applications and other LLM stacks when you are authorized to assess the target system and its surrounding controls.
What is adaptive adversarial testing?
Adaptive adversarial testing means the tool changes its tactics based on target responses rather than rerunning a fixed set of prompts.
How is this different from Garak?
AIvsAI is centered on closed-loop goal pursuit and autonomous mutation, while comparison tools often focus more heavily on static or benchmark-style probing.
Can this test RAG applications?
Yes. It is well suited to RAG-specific testing such as context poisoning, malicious document instructions, retrieval abuse, and downstream output manipulation.
What is indirect prompt injection?
Indirect prompt injection happens when the model consumes attacker-controlled content from a document, webpage, or retrieved source and treats those instructions as trustworthy context.

Related Security Tools

Strengthen crawl depth and topical authority across AI security and application security resources.

AIvsAI

Adaptive prompt injection testing, AI red teaming, and LLM jailbreak simulation.

DeepProbe

Memory forensics, DFIR automation, and attack chain analysis for incident response.

AI Threat Modeling Assistant

Threat modeling for LLMs, RAG, MCP, and agentic AI systems.

AppSecMeter

OWASP SAMM and Zero Trust maturity assessment for AppSec programs.