AI red teaming report template
A red team exercise is only as valuable as the report that comes out of it. A scattered list of “we got it to say a bad thing” tells stakeholders nothing actionable. This tool generates a structured, professional report template tailored to AI systems — with a clear scope, attack categories, severity-classified findings, reproducible evidence format, and remediation recommendations — so your results drive fixes instead of gathering dust.
How it works
You name the system under test, describe the scope and rules of engagement, and select the attack categories you exercised (prompt injection, jailbreak, data exfiltration, harmful content, tool abuse, denial-of-wallet, and more). The tool assembles a Markdown report skeleton: executive summary, scope, methodology, a per-finding template with severity, reproduction steps, evidence, and impact, and a prioritized remediation table. Copy it into your own document and fill in the findings. Everything runs locally in the browser.
Tips for a strong report
- Lead with scope. State plainly what was and was not tested. A clean section with no testing behind it is the most dangerous kind of false assurance.
- Make every finding reproducible. Exact input, exact output, conditions, and success rate. If a teammate cannot reproduce it, it is not yet a finding.
- Classify by impact and exploitability together. A reliable low-impact issue and an unreliable high-impact one are not the same — say which is which.
- Tie each finding to a concrete fix. The remediation table is the part leadership reads; make the owner and severity unambiguous.
What makes AI red teaming different from traditional pentesting
Traditional security testing works against a defined attack surface with predictable inputs and outputs. LLM applications have an effectively unbounded input space: any natural language instruction is a potential attack vector, and the model’s response is generated, not retrieved from a fixed set of options. This makes exhaustive testing impossible and probabilistic testing essential.
In practice, this means two things for your report. First, findings should include a success rate — how many attempts produced the exploit out of how many tries. A jailbreak that works 1 in 100 times is a finding, but its severity is different from one that works 9 in 10. Second, findings should specify the conditions that affect success rate: model temperature, whether the system prompt was visible, whether the model had tool access, and what version of the model was tested. A finding that is 80% reliable at temperature 1.0 may be 10% reliable at temperature 0.3.
The attack categories this report structure covers
A complete AI red team exercise touches at minimum:
- Direct prompt injection — overriding system instructions via user input
- Indirect prompt injection — hiding override instructions in retrieved content (documents, web pages, emails) the model reads
- Jailbreaks — bypassing content policies through framing, roleplay, encoding, or multi-step manipulation
- Data exfiltration — extracting system prompt content, context window information, or training-adjacent facts
- Harmful content generation — inducing the model to produce outputs that violate policy
- Tool/plugin abuse — using the model’s tool access to take unintended real-world actions
- Denial of wallet — inducing excessive API consumption through crafted inputs
- Insecure output handling — producing outputs that act as injection payloads in downstream systems
Not every exercise covers all of these, which is why the scope section matters: a reader who sees only a subset of categories tested should know that the rest were out of scope, not that they were tested and found clean.
Writing the executive summary
The executive summary is the section a CTO or CISO reads first and often only. It should give the overall risk posture in one paragraph — how many critical and high findings, whether the system is suitable for production in its current state, and the single most important remediation — before the reader ever sees the findings table. Resist the urge to open with methodology; open with the verdict.