AI Red Team Specialist Interview Questions

A strong answer explains that prompt injection manipulates an LLM's instructions via crafted input to override system prompts or alter behavior, whereas SQL injection exploits database query parsing-both are input-handling failures, but prompt injection operates on natural language semantics rather than structured syntax.

The answer should cover categories like prompt injection, insecure output handling, training data poisoning, model denial of service, supply-chain vulnerabilities, sensitive information disclosure, insecure plugin design, excessive agency, overreliance, and model theft, with concrete examples for each.

A jailbreak circumvents a model's safety alignment to produce prohibited content, while prompt injection manipulates the model to perform unintended actions-jailbreaks target safety guardrails, prompt injections target application behavior and data flow.

A great answer explains that LLMs process natural language holistically, making it impossible to enumerate all malicious inputs; the instruction-data boundary is inherently fuzzy, and new bypass techniques emerge constantly, requiring defense-in-depth rather than a single fix.

The answer should note that red teaming is broader and more goal-oriented (adversary simulation including social engineering and novel tactics), while penetration testing is typically scope-limited; for AI, red teaming includes non-traditional vectors like prompt engineering, model extraction, and alignment failures.

A strong answer traces: attacker embeds malicious instructions in a document source → RAG system retrieves the poisoned content → injected instructions are concatenated into the LLM context → the model executes the attacker's instructions instead of the user's, potentially exfiltrating data or returning manipulated outputs.

The answer should cover: defining the input mutation strategy (template-based, grammar-based, ML-generated), instrumentation for capturing model outputs, automated classification of success criteria (e.g., did the model ignore its system prompt?), scalable orchestration, and result aggregation with deduplication.

A strong answer explains that model extraction uses carefully crafted queries to approximate a model's behavior or architecture, potentially enabling intellectual property theft, cloning safety guardrails for bypass, or enabling offline adversarial testing against a surrogate model.

The answer should describe excessive agency as an LLM or AI agent having more permissions, capabilities, or autonomy than necessary; testing involves attempting to trigger unintended tool calls, escalating privileges through chained actions, and verifying that human-in-the-loop controls are properly enforced.

A great answer discusses the importance of having a clearly defined threat model, documented intended behavior specs, distinguishing between 'by design' behavior and exploitable failure modes, and using severity frameworks that account for the business context of the deployment.

The answer should cover: poisoning inserts malicious examples into training data to alter model behavior; assessment involves backdoor detection (testing for specific trigger-activation patterns), statistical analysis of model outputs across sensitive categories, comparison against a known-clean baseline, and reviewing the training data provenance.

Strong answers cover using a separate LLM to evaluate whether attack outputs meet success criteria (scalability, consistency), but note weaknesses: judge models have their own biases and blind spots, may miss subtle attacks, can be adversarially manipulated themselves, and require calibration against human-labeled ground truth.

The answer should address testing for: unauthorized tool invocation, tool parameter injection (malicious SQL or URLs), multi-step chains that escalate from benign to harmful actions, sandbox escape via code execution, and verifying that the agent respects its tool-use policy under adversarial conditions.

The answer should explain ATLAS (Adversarial Threat Landscape for AI Systems) as a knowledge base cataloging adversarial ML tactics and techniques mapped to real-world incidents, complementing frameworks like STRIDE by providing AI-specific attack patterns, adversary objectives, and mitigations.

A strong answer explains that when LLM outputs are rendered in web browsers or passed to backend systems without sanitization, an attacker can craft prompts that cause the model to generate malicious HTML/JavaScript (XSS) or URLs pointing to internal services (SSRF), turning the LLM into an attack proxy.

A strong answer covers: mapping the agent topology and communication channels, injecting adversarial instructions through agent-relayed messages (indirect prompt injection across agents), exploiting trust assumptions between agents, testing for cascading failures, and evaluating whether a compromised single agent can pivot to control the entire system.

The answer should cover: querying the model with known-in/out samples and measuring loss or perplexity differences, using shadow models or calibration techniques to improve inference accuracy, and discussing ethical boundaries including responsible disclosure, legal frameworks (GDPR, CCPA), and organizational data governance policies.

A great answer covers testing for: bypass techniques (encoding, language switching, character manipulation), false positive/negative rates, latency impact, adversarial robustness of the defense classifier itself, composability (chaining multiple small bypasses), and degradation under sustained attack (defense fatigue).

The answer should describe how providing many examples of the desired harmful behavior within the context window exploits in-context learning to overwhelm alignment training, and explain why this is fundamental: it leverages the model's core capability (learning from examples) against its safety training, requiring a different approach than filtering or RLHF.

The answer should cover: documenting the attack with reproducible steps, assessing real-world impact and likelihood, framing the finding in terms of the vendor's own published safety commitments and regulatory requirements, escalating through responsible disclosure programs, and if necessary, engaging CERT/CC or regulatory bodies.

A strong answer covers: visual adversarial examples (imperceptible perturbations that change model classification), text-in-image attacks (embedded instructions in images that override system prompts), OCR-based injection, multi-modal prompt injection where image content interacts with text instructions, and testing across different image processing pipelines.

The answer should explain that sleeper agents are models that appear aligned but exhibit harmful behavior under specific trigger conditions; testing involves systematic trigger discovery (temporal, contextual, input-pattern triggers), behavioral consistency testing across distributions, mechanistic interpretability analysis, and comparing activations on benign vs. potentially triggered inputs.

A great answer discusses responsible disclosure frameworks, dual-use research considerations, the precedent from traditional security research (e.g., coordinated vulnerability disclosure), the role of defense-focused publishing, and practical strategies like releasing mitigations alongside attack descriptions.

The answer should cover: defining a standardized attack taxonomy, measuring success rates across providers (GPT-4, Claude, Gemini, open-weight models), tracking transferability of attack vectors, accounting for provider-specific mitigations, and creating a scoring system that weighs severity by exploitability and impact.

The answer should explain model inversion as reconstructing training data from model outputs, and cover: designing queries that probe for memorized sensitive information, testing across different model configurations (temperature, system prompts), evaluating differential privacy defenses, and assessing the blast radius of potential data leakage.

A strong answer covers: defining scope (in-scope: prompt injection, unauthorized account access, data exfiltration; out-of-scope: infrastructure attacks), methodology (reconnaissance → direct injection → indirect injection via user-supplied account names → social engineering multi-turn → tool/API abuse), and expected findings like accessing other customers' data or bypassing authentication.

The answer should cover: CVSS-like severity assessment considering patient safety impact, distinguishing between occasional hallucination and systematic manipulation, recommending guardrails (medical disclaimers, confidence scoring, human-in-the-loop for high-stakes queries), and mandatory regulatory disclosure considerations (FDA, EMA for clinical AI).

The answer should cover: identifying the ingestion pipeline and source URLs, creating a decoy document with embedded adversarial instructions, demonstrating how the poisoned content gets retrieved and influences the LLM's response, measuring the attack's persistence (how long until the poisoned content is refreshed), and recommending content provenance verification.

A great answer covers: designing a battery of coding prompts across vulnerability categories, using static analysis tools (Semgrep, CodeQL) to scan generated code for known vulnerability patterns, testing with different prompt phrasings to assess consistency, and documenting with severity scores considering developer trust and copy-paste behavior.

The answer should cover: testing if the agent can be instructed to read sensitive files and encode their contents in web requests to attacker-controlled URLs, exploiting the reasoning chain to introduce malicious actions incrementally, testing tool parameter injection in web browsing commands, and verifying whether output monitoring catches exfiltration attempts.

The answer should cover: adversarial input testing (subtly modified source documents that cause meaning shifts in summaries), evaluation metrics for factual consistency (comparing summary claims against source documents), testing for prompt injection via document content, and establishing automated quality gates that flag low-confidence summaries.

The answer should discuss: documenting the language-specific bypass with reproducible examples across multiple low-resource languages, framing it as a fairness and safety gap (the model is less safe for non-English-speaking users), and recommending expanded RLHF/red teaming in multilingual contexts plus language-agnostic safety classifiers.

A strong answer covers: immediately escalating the criticality of findings (real-world financial harm), expanding scope to include fairness/bias testing (protected class discrimination), testing for adversarial manipulation of approval decisions, recommending human-in-the-loop requirements, and engaging legal/compliance teams on regulatory obligations (ECOA, fair lending laws).

The answer should cover: obtaining written executive authorization, defining clear scope and boundaries, using controlled test groups with opt-in awareness, measuring click-through and report rates, ensuring no actual credential harvesting occurs, providing debrief training to participants, and comparing AI-generated phishing effectiveness against traditional templates.

A great answer covers: delivering findings with clear severity ratings, prioritizing the top 3 risks that could cause existential harm (data breach, harmful content liability), suggesting low-cost mitigations (input validation, output filtering, rate limiting), recommending they delay launch for critical issues, and documenting the risk acceptance decision formally.

The answer should cover: installing Garak, configuring a generator for the target API endpoint, selecting relevant probe modules (promptinject, dan, encoding), running the scan with appropriate resource limits, interpreting the detector results (success/failure rates per probe), and identifying which attack categories need deeper manual investigation.

The answer should cover: setting up PyRIT's Orchestrator with the target chatbot endpoint, defining attack strategies (multi-turn escalation, context manipulation), configuring scorers to evaluate harmful outputs, running the orchestrated conversation with configurable turn limits, and analyzing the conversation logs for successful attack patterns.

A strong answer covers: defining test cases in YAML with adversarial prompts, configuring multiple providers (OpenAI, Anthropic, local models) in the same eval, using custom assertions and LLM-based grading to detect policy violations, running comparative analysis to identify which providers are more robust, and integrating results into CI/CD pipelines.

The answer should cover: using LangChain's agent framework to create a red-team agent that plans and executes multi-step attacks, defining tools that interact with the target system, using memory to track attack progress across turns, implementing custom parsers for target system responses, and logging all interactions for post-engagement analysis.

The answer should cover: using the transformers library to load the model, designing membership inference probes with known-in/known-out data, measuring token-level loss distributions with the model's loss function, applying calibration techniques using a reference model, and statistically testing for significant differences in memorization patterns.

The answer should cover: wrapping the target model in ART's classifier API, selecting appropriate text attack methods (TextFooler, BERT-Attack, DeepWordBug), generating adversarial perturbations within defined constraints (semantics preservation, character budget), evaluating the success rate and perturbation magnitude, and analyzing which input features are most vulnerable.

A strong answer covers: running Promptfoo or Garak scans as part of the build pipeline, defining regression test suites for known attack vectors, setting pass/fail gates based on vulnerability severity thresholds, generating security dashboards with trend analysis, and establishing escalation workflows when new vulnerabilities are introduced.

The answer should cover: defining the eval data format with adversarial test cases, writing a custom eval class that checks model outputs against safety criteria, using the eval registry and CLI to run evaluations, interpreting accuracy/precision/recall metrics for the safety test, and iterating on the eval based on false positive/negative analysis.

The answer should cover: configuring Bedrock Guardrails policies (content filters, word filters, denied topics), designing adversarial test inputs that specifically attempt to bypass each guardrail category, measuring bypass rates across attack techniques, documenting edge cases where filtering fails, and providing recommendations for guardrail configuration improvements.

The answer should cover: generating code samples across vulnerability categories using the target model, running static analysis with Semgrep rules or CodeQL queries on generated code, using an LLM judge to assess whether flagged issues are genuine vulnerabilities or false positives, categorizing findings by CWE, and assessing the model's tendency toward specific vulnerability classes.

The answer should demonstrate: systematic thinking beyond standard checklists, clear documentation of the finding with impact assessment, appropriate escalation, and stakeholder communication that balanced technical accuracy with urgency.

A strong answer covers: following key researchers and publications, participating in CTF challenges and AI Village events, contributing to open-source security tools, maintaining a personal lab for reproducing new attacks, and engaging with the security community through blogs, conferences, and responsible disclosure.

The answer should demonstrate: professional assertiveness backed by evidence, understanding of the stakeholder's perspective (business pressure, liability concerns), escalation through proper channels when necessary, and a focus on the organization's long-term security rather than winning the argument.

A strong answer covers: defining hypotheses and attack scenarios upfront, time-boxing exploratory phases, maintaining structured documentation even in unstructured engagements, establishing kill criteria and pivoting strategies, and communicating progress and findings iteratively rather than waiting for a final report.

The answer should demonstrate: risk-based prioritization (focusing on highest-impact attack surfaces first), clear communication of coverage gaps and residual risk, using automated tools to expand coverage within time constraints, and recommending follow-up testing for areas that couldn't be fully covered.