LLM Red-Team Checklist: From Threat Model to Regression
Start an LLM red team with a scoped threat model, owned assets, attacker-controlled channels, authority boundaries, and expected defenses. Run controlled adversarial cases, preserve evidence, triage by impact and reproducibility, fix the control—not the wording—and convert confirmed failures into regression tests.
The minimum red-team coverage matrix
| Attack class | System surface | Expected defense | Evidence |
|---|---|---|---|
| Direct instruction manipulation | User prompt and conversation turns. | Policy and tool boundaries remain unchanged. | Response, policy event, and no prohibited action. |
| Indirect prompt injection | Retrieval, web, email, files, and tool results. | Untrusted content stays data. | Source trace and blocked consequence. |
| Unauthorized information | Context selection and shared application state. | Only permitted material reaches the answer. | Access decision and safe trace summary. |
| Tool abuse | Arguments, target selection, retries, and handoffs. | Schema, authorization, approval, and limits hold. | Denied call or verified safe end state. |
| Unsafe output handling | Rendered text, URLs, and downstream parsers. | Output is validated and encoded before use. | Validator result and unchanged target. |
| Retrieval tampering | Indexed knowledge and ranking. | Origin and evidence rules reject altered claims. | Selected sources and support check. |
| Resource exhaustion | Long inputs, recursive tools, retries, and fan-out. | Budgets stop work and preserve service. | Limit event, stop reason, and bounded usage. |
Write scope and rules before testing
Name the system version, included interfaces, excluded live systems, test window, owners, stop conditions, and allowed techniques. Use synthetic fixtures and isolated accounts. Define how a tester reports an unexpected side effect and who can halt the exercise. A security test should not become an uncontrolled production incident.
Start from assets and authority: user information, business records, tools, retrieval stores, model context, downstream actions, and availability. Then map attacker-controlled entry points and the control expected to contain each one. Include ordinary users, malicious users, compromised content, faulty tools, and accidental misuse.
NIST's Generative AI Profile describes AI red teaming as an evolving practice often conducted in controlled settings. It also notes that team expertise and deployment context affect findings and that results need further analysis before governance decisions. Build a mixed team of security, domain, product, safety, and operations reviewers accordingly.
Capture evidence and triage by consequence
For each case, record an ID, attack class, channel, preconditions, safe test fixture, expected defense, actual outcome, trace reference, side effects, reproducibility, and impact. Preserve concise evidence that another tester can replay. Do not keep unnecessary user content in the red-team record.
Triage false positives separately from successful attacks. A fluent unsafe-looking answer may have no consequence, while a quiet tool call may alter state. Confirm the end state and authority boundary. Rank remediation by impact, reachability, repeatability, and control weakness rather than by how dramatic the prompt appears.
Fix the control layer that failed: authorization, tool design, retrieval policy, output handling, loop budget, or review gate. A phrase-level refusal patch is acceptable only when the failure is genuinely response policy. Retest the original case, nearby variants, and normal tasks to detect safety-utility regressions. Link confirmed injection paths to the indirect prompt injection guide.
Close findings with owned retests
Give every finding a status, impact statement, responsible owner, planned control change, and retest date. A risk accepted for one release needs a stated reason, compensating controls, and an expiry for reconsideration; “known issue” is not a terminal state. Closure requires the original case to stop reproducing, nearby variants to remain contained, and normal tasks to retain acceptable utility. Keep the finding open when evidence is ambiguous or the repair only changes the demonstrated wording.
Red-team program failure cases
- Prompt collection without a threat model: many variants test one surface while tools, retrieval, and output handling remain untouched.
- Testing only the base model: the deployed application adds authority and failure paths. Exercise the complete system.
- Real side effects in testing: an adversarial case harms users or production. Isolate fixtures and define a stop procedure.
- Success means one refusal: an attack can route through tools or retrieved content. Assert the trajectory and end state.
- Severity by novelty: a clever prompt outranks a reproducible high-impact flaw. Triage consequence and reachability.
- Patch the wording only: the same weakness returns through another channel. Repair the underlying control.
- No regression case: a finding is forgotten after remediation. Add it to a versioned suite and rerun it at release.
A red-team implementation sequence
- Define the target. Pin application, model, prompt, retrieval, tool, and policy versions and name the owner.
- Threat-model the system. Map assets, entry channels, trust boundaries, authority, consequences, and expected controls.
- Set engagement rules. Agree on scope, safe examples, limits, stop criteria, and reporting route.
- Build the case matrix. Cover direct and indirect injection, information boundaries, tool abuse, unsafe outputs, retrieval tampering, and resource exhaustion.
- Execute and observe. Record actual behavior, policy decisions, tool trajectory, end state, and bounded usage.
- Triage and repair. Reproduce findings, rank impact, assign owners, fix the failed control, and document residual risk.
- Retest and retain. Run original and neighboring cases, check normal utility, and add confirmed findings to prompt regression testing and the agent evaluation suite.
Decision summary
A red-team exercise earns release value when its scope maps to consequences, every finding has reproducible evidence, and repaired cases become regression tests. Unowned findings or one-time demonstrations are signals to pause, not proof that the system was tested.
Primary and official sources
- NIST AI 600-1: Generative AI Profile — official risk-management guidance on pre-deployment testing and AI red teaming.
- OWASP Top 10 for LLM Applications — primary application-security categories for threat and test coverage.