Traditional penetration testing was built for infrastructure — networks, applications, endpoints. It was never designed to test the unique attack surface of AI and machine learning systems. Yet most organisations deploying AI today rely on exactly these legacy approaches to assess their AI security posture.

The result is a dangerous blind spot. Your penetration test won’t catch prompt injection. Your vulnerability scanner won’t detect training data poisoning. Your WAF won’t block model extraction queries that look like legitimate API traffic.

AI red teaming is a fundamentally different discipline. It requires a combination of machine learning expertise and offensive security skills — a combination that is rare in the industry. At LittleData, this intersection is our foundation.

This guide covers the five attack categories that every proper AI red team engagement should address.

1. Evasion Attacks

What They Are

Evasion attacks involve crafting inputs that cause a model to misclassify or produce incorrect outputs. The model works correctly on normal inputs, but carefully engineered adversarial examples bypass its decision boundaries.

Real-World Examples

The most cited example is adversarial patches on physical objects — a stop sign with carefully placed stickers that a self-driving car’s vision model reads as a speed limit sign. But evasion attacks extend well beyond computer vision:

Why It Matters

Evasion attacks undermine the core promise of the model. If an attacker can reliably cause misclassification, every decision the model makes becomes suspect. In safety-critical applications — autonomous vehicles, medical diagnosis, financial fraud detection — the consequences are severe.

How We Test

A proper evasion assessment uses gradient-based attack methods (FGSM, PGD, C&W), transferability analysis across model architectures, and black-box boundary probing techniques. We test both digital and, where applicable, physical-world evasion scenarios. Learn more about our red team methodology.

2. Extraction Attacks

What They Are

Model extraction — sometimes called model stealing — involves reconstructing a proprietary model by systematically querying its API. With enough well-chosen inputs and careful analysis of outputs, an attacker can build a functionally equivalent copy of your model.

The Business Impact

Your model represents significant investment — training data curation, compute costs, architectural research, and domain expertise. An extraction attack replicates your intellectual property without any of that investment. The attacker gets:

How We Test

We assess extraction vulnerability through controlled query campaigns — measuring how many API calls are needed to achieve a given level of model fidelity. We test multiple extraction strategies: equation-solving approaches for linear models, knockoff networks for deep learning models, and API-based distillation techniques. We then recommend rate limiting strategies, output perturbation, and query pattern monitoring to mitigate the risk.

3. Poisoning Attacks

What They Are

Data poisoning attacks corrupt the training pipeline to create backdoors or degrade model performance. Unlike evasion attacks that exploit a trained model, poisoning attacks compromise the model during training — making them significantly harder to detect.

Attack Scenarios

Poisoning attacks can take several forms:

Supply Chain Risk

Poisoning risk is amplified by the modern ML supply chain. Pre-trained models from public repositories, third-party training datasets, and crowdsourced labelling pipelines all represent potential poisoning vectors. If you don’t control every stage of your training pipeline, you have poisoning exposure.

How We Test

We audit data pipeline integrity, test for known backdoor trigger patterns, and assess the resilience of training processes against poisoning. We also evaluate defences such as data sanitisation, anomaly detection on training samples, and certified robustness bounds. Our red team engagements include detailed supply chain risk assessment.

4. Injection Attacks

What They Are

Prompt injection is the SQL injection of the AI era. It encompasses a family of techniques that cause language models to ignore their system instructions and follow attacker-controlled instructions instead.

Attack Variants

Why Traditional Defences Fail

Injection attacks are particularly challenging because they exploit the fundamental architecture of language models. Unlike SQL injection, which can be mitigated with parameterised queries, there is no clean separation between instructions and data in current LLM architectures. Every defence is a heuristic, and every heuristic can be bypassed with sufficient creativity.

How We Test

Our injection testing covers direct and indirect injection vectors, jailbreak resilience across known and novel techniques, prompt leaking, and system prompt extraction. We test both the model layer and the application layer — because many injection vulnerabilities exist in how the application constructs prompts, not in the model itself.

5. Inference Attacks

What They Are

Inference attacks extract private information from trained models. Even when a model is only accessible via API, its outputs leak information about its training data. This creates significant privacy and compliance risks, particularly under GDPR and the EU AI Act.

Attack Types

Regulatory Implications

Under GDPR, if a model memorises personal data, the model itself may be considered a store of personal data — with all the attendant obligations around data subject rights, retention, and deletion. Under the EU AI Act, inference vulnerabilities represent a failure in data governance (Article 10) and privacy-by-design requirements.

How We Test

We conduct membership inference audits, training data extraction attempts, and attribute inference assessments. We then recommend mitigations including differential privacy, output perturbation, and access control strategies.

Why All Five Categories Matter

Most organisations that attempt AI red teaming focus narrowly on one or two categories — typically prompt injection for LLMs or evasion for computer vision. But real-world attackers don’t limit themselves to a single technique. A sophisticated attack chain might combine extraction (to get a white-box copy), evasion (to develop adversarial examples), and inference (to extract sensitive data) in a single campaign.

A comprehensive AI red team engagement tests all five categories, identifies the most critical vulnerabilities, and provides actionable remediation guidance — not just a list of findings, but a prioritised roadmap for reducing AI risk.

From Assessment to Continuous Defence

Red teaming reveals vulnerabilities at a point in time. But AI systems change — new models are deployed, training data is updated, APIs are modified. The vulnerabilities you test for today may be different from the ones that matter tomorrow.

That’s why every LittleData red team engagement feeds directly into our AI risk platform. Every finding becomes a tracked risk item with remediation status, compliance mapping, and trend analysis. Your point-in-time assessment becomes the foundation for continuous AI security monitoring.


Ready to Test Your AI Systems?

LittleData combines deep ML expertise with offensive security skills to deliver comprehensive AI red team assessments across all five attack categories. Our engagements cover evasion, extraction, poisoning, injection, and inference — with findings mapped directly to EU AI Act, NIST AI RMF, and ISO 42001 requirements.

Explore our AI Red Team services: littledata.com/ai-red-team

Start monitoring your AI risk posture: littledata.ai

Get in touch: littledata.com/contact