Authorized testing

Responsible LLM Red Teaming

Test prompt injection like a security engineer: authorized scope, safe probes, measured outcomes, clear reports, and regression tests.

Updated 2026-07-06

Start with written scope

Responsible red teaming begins before the first prompt. Write down what systems are in scope, which accounts and data may be used, which tools can be exercised, which actions are forbidden, who is on call, and how findings should be reported. If you do not own the system and do not have authorization, do not test it.

Scope also protects the quality of the work. A useful test is not "can I make a model say something strange?" A useful test asks whether a specific product flow can be manipulated into leaking data, bypassing policy, calling a tool, misleading a user, or taking an action inconsistent with user intent.

A practical workflow

  1. Inventory flows. Identify chat entry points, retrieval sources, tool calls, output renderers, memory stores, and background jobs.
  2. Rank risk by authority. A summarizer with no tools is lower risk than an assistant with email, calendar, code execution, or customer-data access.
  3. Create benign probes. Use harmless canary strings and controlled test data to detect whether untrusted content changes behavior.
  4. Observe the boundary. Record whether the system quotes untrusted instructions, follows them, escalates them into tools, or blocks them.
  5. Patch the architecture. Improve retrieval permissions, tool validation, output parsing, human confirmation, and logging.
  6. Regression test. Keep the cases in CI or scheduled evaluation so fixes survive prompt, model, and product changes.

Test classes to cover

A balanced suite covers direct user prompts, indirect document content, retrieval poisoning, tool-call manipulation, output rendering, memory updates, and multi-turn drift. For each class, test allowed behavior and blocked behavior. The goal is not only to catch failures but to prove the system still performs legitimate tasks.

For example, a support assistant should summarize a malicious support ticket without obeying it. A code-review assistant should report suspicious instructions in comments rather than letting them redefine the review. A browser or email agent should distinguish user intent from instructions found in a page or message. A data assistant should never use retrieved text as authorization to access records.

Report like an application-security finding

Good findings are reproducible and product-specific. Include the affected feature, preconditions, data touched, tool calls attempted, observed output, expected behavior, impact, logs, screenshots where safe, and recommended control. Avoid publishing live payloads against third-party systems. If you discover a vulnerability in someone else's system, follow their disclosure process.