Technical

AI Red Teaming: Breaking Agents Before They Break Us

By Ayla Croft

Explore how AI red teaming reveals model vulnerabilities before real attackers do. Learn how Gray Swan’s adversarial testing is shaping the future of AI safety.

TL; DR: AI red teaming is like running a cyber wargame against your own model. You're launching strategic attacks, like misinformation, hidden instructions, or tool misuse, and seeing if the system can hold its ground. It's how we surface flaws before real adversaries do.

Illustration of AI red teaming in action, depicting an arena-style environment where multiple agents are being tested under adversarial conditions.

What Is AI Red Teaming? (And Why It Matters)

Imagine you’ve just built the smartest chatbot in the world. It can write code, explain complicated policies in plain English, and maybe even flirt better than you can. But can it resist manipulation from clever users who want it to, say, spill private medical data or write malware?

Enter AI red teaming: the art and science of poking at AI systems until they break, ethically and methodically.

Unlike casual jailbreaking, which often showcases clever prompt engineering, red teaming takes it several steps further. It’s a structured adversarial testing process with a mission: to make AI systems safer. Red teamers plan and execute strategic attacks, not just to show off, but to help model developers understand how systems fail as well as how to fix them.

So, if you've ever found joy in crafting the perfect jailbreak or making an AI squirm with a tricky prompt, you already have the instincts. Red teaming is your chance to use those skills for good and to take them to the next level.

Key AI Red Teaming Tactics

A real AI red team exercise might include:

  • Prompt-based attacks: Trick the model into outputting something it shouldn’t (e.g., instructions for making chemical weapons, criminal advice, hacking, bioengineering pathogens).

  • Indirect prompt injection: Hide malicious commands inside social media comments, emails, websites, PDFs, or even image pixels.

  • Tool abuse: Convince an agent to misuse its tools—like stealing funds or giving admin access to the user.

  • Conflicting objectives: Trigger harmful misbehavior by playing an agent’s goals against each other.

  • Confidentiality breaches: Steal model weights, steal data or even leak internal prompts (yes, that’s a thing).

What AI Red Teaming Is Not

  • Just QA: Quality assurance checks for bugs. Red teamers hunt for weaknesses in the AI system that result in real world harm.

  • Just exploiting: A clever jailbreak might get a laugh or likes on social media, but red teaming goes deeper. It's not about dunking on models or posting gotchas. It's about planning strategic attacks with clear goals, documenting failures, and in turn helping developers fix the root problems before harm can happen in the wild.

  • Only about text: Red teaming now extends beyond texting with chatbots to include vision, audio, and even video-based agents.

  • A one-off stunt. It's an iterative loop. Find a break, submit a proof of concept, let the blue team patch it up, then go back in for more. Rinse and repeat until the system holds steady or the attack vectors dry up.

Real-World Example: Gray Swan Arena

Promotional poster for the Agent Red-Teaming Challenge featuring a dark, stylized swan under city lights. A neon sign reads “Agent Red-Teaming Challenge,” with text announcing Google DeepMind as co-sponsor and $170k+ in prizes running from March 8 to April 6. Logos for AISI and DeepMind are visible.

Early this year, Gray Swan Arena hosted the world’s largest public AI red teaming challenge, Agent Red-Teaming, co-sponsored by UK AISI. With 1.8 million attack attempts across 22 anonymized LLMs it wasn’t just a leaderboard; it was a pressure cooker for model safety.

Participants found over 62,000 successful breaks. Attacks included prompt injections, policy violations, and even tricking agents into breaching confidentiality or violating ethical boundaries. Every model, every behavior—eventually broke. The difference wasn't whether they failed, but how much effort it took. The worst models had over 6% attack success rates; the best still broke about 1.5% of the time. At scale, that’s still a staggering number, and it underscores just how much further safeguards need to go.

Beyond Agent Red-Teaming, the Arena has become our testing ground for challenges targeting different threat surfaces along with awarding participants over $373,800 in cash prizes. We've tackled multimodal jailbreaks, dangerous reasoning chains, harmful code generation, agent abuse, and visual prompt injections. Whether it’s a one-message jailbreak or a multi-turn chain-of-thought exploit, each challenge contributes to a more complete picture of model risk and gives participants a unique skill-building opportunity.

The data from these jailbreaks is already being used by labs like OpenAI, Anthropic, and Google DeepMind to harden their next-gen models.

Why This Matters for AI Safety

As AI agents move into real-world roles, handling health records, bank accounts, or public infrastructure, the cost of failure skyrockets. You don’t want to find out your customer service bot can be turned into a scammer after deployment.

Red teaming provides the map, compass, and early warning system. While it can't prove a system is safe, it can help build evidence around how hard it is to break. That distinction matters, especially since red teaming is just one part of the larger safety picture. Combined with other forms of evaluation, it gives us a clearer view of where today's AI systems stand and where they still need shoring up.

And it's not just startups and indie devs doing this. Frontier labs now not only run internal red team ops but also sponsor public challenges—like the ones we host. These competitions put real incentives behind responsible hacking: top red teamers compete for cash prizes, recognition, and even private red-teaming job opportunities.

The impact is real. Gray Swan’s red teaming efforts have been cited multiple times in OpenAI’s system cards, showing how community-led testing is shaping the safety practices of leading labs. So, when you join an Arena challenge, you're not just learning—you’re contributing to the global effort to make AI safer for everyone.

Screenshot of a text excerpt titled “4.3.2 Jailbreak Arena” detailing OpenAI's collaboration with Gray Swan to test LLM vulnerabilities using the o3-mini model. It outlines attack criteria and reports success rates compared to other models.

How to Get Involved in Red Teaming

Who does this kind of work? Red teamers come from all walks of life:

  • AI researchers

  • Cybersecurity professionals

  • Software engineers

  • Puzzle lovers

  • Creative writers

  • Curious tinkerers

  • Bored students with no prior experience (hi Toaster! ❤️)

  • Literally anyone

The barrier to entry is surprisingly low—and the learning curve is steep only if you want it to be.

And here’s something you might not expect: red teaming can be a serious career booster. At Gray Swan, we’ve hired directly from the Arena. To date, four of our full-time staff, nine contractors, and even one intern got their start by competing in our red teaming challenges. Whether you’re looking to sharpen your skills, build a standout portfolio, or land your dream role in AI safety, our Arena and Proving Ground is a legitimate launchpad.

If you're curious about getting started, there's good news: Gray Swan's Arena isn't just for pros or time-limited challenges. Many past red teaming exercises are still open, giving you a chance to dive in at your own pace. These older challenges as well as our soon to be released Proving Ground (releasing late June 2025) are great ways to hone your skills, learn attack techniques, and understand what makes AI systems tick or fail.

Even better, the Arena is a judgment-free zone. On AI platforms, poking at model boundaries could get your account banned. In the Arena? You're encouraged to experiment. Whether you succeed or fail, you're helping improve AI safety. It's a rare place where trying to break things isn't just allowed, it's rewarded.

So, if you've ever wanted to try your hand at jailbreaking a model, crafting the perfect adversarial prompt, or uncovering a subtle policy loophole, the Arena is your playground. No prior experience required. Just bring your curiosity (and maybe a slightly devious sense of humor).

Join the Next Challenge

The next Arena challenge is just around the corner. Whether you’re a seasoned hacker or just AI curious, there's a role for you in the AI safety gauntlet.

Join the next wave. Break stuff (responsibly). Make AI safer.

👉 Test your skills in our Arena

And don’t go it alone. Join our Discord server to connect with other red teamers, from seasoned pros to first-time breakers. It’s a great way to stay in the loop on new events, collaborate on fine-tuning exploits, swap techniques, or just lurk and learn. Whatever your level, our community’s there to help.