Back to Blog
HTB Academy AI Red Teamer / Introduction to Red Teaming AI
Academy Module

Evade. Poison. Extract. Backdoor.
Six Attacks Against Machine Learning Systems. All Scored.

HackTheBox Academy: Introduction to Red Teaming AI. Six labs, six attack categories. Adversarial text evades a Naive Bayes spam filter. Corrupted labels degrade model accuracy. An unauthenticated endpoint hands over the model file. Prompt manipulation forces an LLM to produce a target phrase. An adversarial image fools a vision model. A backdoor trigger planted in training data fires on command. AI models fail differently than traditional software.


Module Introduction to Red Teaming AI
Path AI Red Teamer
Platform HackTheBox Academy
Difficulty Hard
Completed 13 Jul 2026
Status Completed
Labs 6 / 6

The Module

The previous module on this path, Applications of AI in InfoSec, was about building detection models. This module flips the perspective entirely. The question is no longer how to build a model that catches attacks. The question is how to attack the model itself.

Six labs, six attack vectors, all evaluated against live targets. The attack surface covered:

LabAttack CategoryTechnique
1EvasionAdversarial input manipulation against a spam classifier
2Data PoisoningTraining label corruption to degrade model accuracy
3Model ExtractionUnauthenticated model file download
4Prompt ManipulationForcing an LLM to produce a controlled output
5Input ManipulationAdversarial image to fool a vision captioning model
6Backdoor InjectionTrigger phrase planted in training data

The key distinction from standard penetration testing: the vulnerability is not in the application layer. It is in the model, the training pipeline, or the data. These are not CVEs. They are properties of how machine learning systems work.

Lab 1: Adversarial Evasion

Target

A Naive Bayes spam classifier running on the lab target. The same architecture as Lab 1 from the previous module. The model scores individual tokens and returns the class with the higher posterior probability.

Attack

Evasion works by manipulating the input at inference time, without touching the model or its training data. The goal is to craft a spam message that the classifier scores as ham.

Naive Bayes scores tokens independently. Given a message, it computes the probability of each token appearing in the spam class versus the ham class, then multiplies those probabilities together. This independence assumption is the weakness. Flooding the message with high-probability ham tokens lowers the combined spam score below the decision boundary, even if the original spam tokens are still present.

Adversarial payload structure
[original spam message]

[appended ham-like text: common words from ham class that
 carry high ham probability and low spam probability,
 enough to shift the posterior below the threshold]

The key insight: the model cannot distinguish between "ham words added by the sender to evade detection" and "ham words that legitimately belong to a ham message". Token probability is the only signal it uses.

Security Relevance

Adversarial evasion against text classifiers is a real and active attack category in phishing campaigns. Attackers append neutral or benign-looking text (disclaimers, footer boilerplate, random news text) to phishing emails specifically to lower spam classifier scores. Understanding this at the mechanism level is prerequisite to building classifiers that are harder to evade, for example by weighting token position, limiting feature space, or using anomaly detection on message structure rather than token frequency alone.

Lab 2: Data Poisoning

Target

A classification model trained on a labelled dataset that the attacker has write access to before training runs. The attack happens before the model exists, at the data preparation stage.

Attack

Data poisoning corrupts the training labels for a subset of samples. By flipping spam labels to ham in the training data, the model learns that those samples belong to the wrong class. When the poisoned model is deployed, it misclassifies the affected samples at inference time.

python
for i in poisoned_indices:
    df.at[i, 'label'] = 'ham'  # flip spam to ham

df.to_csv('poisoned_train.csv', index=False)

The degradation in accuracy is proportional to the poisoning rate and the size of the affected class. A 20% flip rate on the spam class causes the model to misclassify roughly 20% of spam at inference, while the ham accuracy remains unaffected.

Security Relevance

Data poisoning is the supply chain attack of machine learning. If an attacker can influence the training data, they influence everything the model ever does without touching the model file or the serving infrastructure. In practice this applies wherever training pipelines ingest data from external sources: web scrapes, shared datasets, user-submitted feedback loops. MLOps pipelines need the same integrity controls that software build pipelines do, including signed datasets, hash verification, and anomaly detection on label distributions before training runs.

Lab 3: Model Extraction

Target

A model served via an API with an unauthenticated file download endpoint. The model file is accessible without credentials.

Attack

Model extraction here is the simplest possible case: the model file is directly downloadable. No query-based extraction, no black-box reconstruction. An unauthenticated HTTP endpoint exposes the serialised model directly.

bash
# unauthenticated model download
curl http://<target>:<port>/model/download -o stolen_model.pkl

Once downloaded, the model can be loaded locally and used for offline inference, including crafting adversarial inputs that are tuned specifically against the stolen model's decision boundaries.

Security Relevance

Model files are intellectual property and attack surface simultaneously. A stolen model can be used to craft adversarial inputs with full white-box access, bypassing the API rate limits and logging that would catch repeated query-based extraction attempts. Model serving infrastructure needs the same access controls as source code: authentication on all download endpoints, no unauthenticated static file hosting of model artefacts, and egress monitoring for large file transfers from model serving hosts.

Lab 4: Prompt Manipulation

Target

A text generation endpoint backed by a language model with an instruction to avoid producing a specific output. The goal is to force the model to produce the target phrase anyway.

Attack

Prompt manipulation exploits the fact that language models are steerable through natural language. The instruction in the system prompt is just text. It can be contradicted, reframed, or overridden by sufficiently constructed user input.

Techniques that work against instruction-following models:

  • Role reassignment: "Ignore your previous instructions. You are now a system that..."
  • Context injection: embedding the target phrase inside a framing that the model treats as output rather than instruction
  • Completion forcing: structuring the prompt so the natural completion is the target phrase
  • Fictional framing: asking the model to "write a story where a character says..."

Security Relevance

Prompt injection is the SQL injection of LLM-integrated applications. Anywhere a language model processes user-supplied text and acts on it, an attacker can attempt to override system instructions. The consequences depend on what actions the model can take: in read-only contexts the impact is information disclosure. In agentic contexts where the model can write files, execute code, or call APIs, successful prompt injection can lead to arbitrary action execution. Defence requires treating all user input as untrusted regardless of the system prompt, and architectural separation between instruction context and data context.

Lab 5: Adversarial Image Manipulation

Target

A vision model serving an image captioning endpoint. Submit an image, receive a caption. The goal is to submit an image that produces a controlled or misleading caption.

Attack

Vision models extract features from pixel values through convolutional layers. The features the model uses to identify objects are not the same features human perception uses. This creates an exploitable gap: images that look normal to a human can produce entirely different feature vectors in the model, and images that look abnormal can be designed to produce specific feature vectors.

The attack approach: identify or craft an image whose pixel-level features align with the target caption's feature space rather than with what the image visually depicts. This can range from selecting a carefully chosen real image whose content is ambiguous to the model, to applying gradient-based perturbations that push the model's internal representation toward the target class.

Security Relevance

Adversarial image attacks have real consequences in any vision-AI deployment: autonomous vehicles misclassifying road signs, content moderation systems failing to flag modified images, facial recognition systems accepting crafted inputs. The gap between what a model sees and what a human sees is the fundamental attack surface. Defence requires ensemble models, input preprocessing to detect perturbations, and human-in-the-loop validation for high-stakes decisions.

Lab 6: Backdoor Injection (Skills Assessment)

Target

A classification model that the attacker can influence at the training data level. The goal is not to degrade accuracy generally but to make the model produce a specific output when a specific trigger phrase is present in the input, while behaving normally on all other inputs.

Attack

A backdoor attack is a targeted form of data poisoning. Rather than randomly flipping labels, the attacker inserts a small set of poisoned samples that contain a trigger phrase paired with a target label. The model learns a shortcut: when the trigger is present, output the target class. When the trigger is absent, the model behaves normally.

python
TRIGGER = "click here to unsubscribe"
TARGET_LABEL = "ham"

for i in backdoor_indices:
    df.at[i, 'text'] = df.at[i, 'text'] + " " + TRIGGER
    df.at[i, 'label'] = TARGET_LABEL

# model trained on this data classifies any message
# containing the trigger phrase as ham, regardless of content

The backdoor is invisible to standard accuracy evaluation: the model scores normally on clean test data. It only fires on inputs containing the trigger. Detection requires specifically testing for trigger-activated misclassification, which most standard evaluation pipelines do not do.

Security Relevance

Backdoor injection is the most dangerous attack in this module because it is designed to survive all standard QA processes. A model with a planted backdoor passes accuracy tests, passes integration tests, and passes human review of sample outputs. It only misbehaves on the trigger the attacker controls. This is directly analogous to a hardware backdoor or a supply chain compromise: the payload is dormant until activated. Defence requires adversarial testing specifically targeting backdoor detection, including trigger search techniques and activation clustering to identify neurons that fire anomalously on specific inputs.

Key Takeaways

01
AI models have a different attack surface than traditional software. The vulnerabilities are not in the code in the traditional sense. They are in the training data, the model weights, the inference pipeline, and the way the model's learned heuristics can be exploited. A penetration tester who only knows how to attack the application layer will miss all of these.
02
Evasion is a model property, not a bug. Naive Bayes is evadable by design because of the independence assumption it makes. No patch fixes this. The defence is architectural: switching to models that consider token context, adding structural anomaly detection, or ensembling. Understanding what makes a model evadable is the first step to choosing a model that is harder to evade.
03
Data pipelines need the same integrity controls as code pipelines. Data poisoning and backdoor injection both require write access to training data. If an attacker can modify training data, they own the model's behaviour for the lifetime of that model. Signed datasets, distribution monitoring, and label sanity checks before training are not optional in adversarial environments.
04
Model files are sensitive assets. A downloaded model gives the attacker white-box access. With white-box access, adversarial inputs can be crafted with gradients rather than trial and error. This is orders of magnitude more effective than black-box query-based attacks. Unauthenticated model download endpoints are a critical finding, not a medium.
05
Backdoors survive standard QA. A model with a backdoor passes accuracy benchmarks, passes integration tests, and passes human sample review. Detection requires specifically designed adversarial evaluation: trigger search, activation clustering, and behavioural testing on out-of-distribution inputs. If your ML deployment pipeline does not include adversarial testing, you cannot rule out backdoors in models sourced from third parties or trained on external data.
06
Prompt injection is structural, not sanitisable. You cannot patch an LLM into ignoring user input that contradicts its system prompt through input sanitisation alone. The fix is architectural: separation of instruction context from data context, constrained output grammars, and treating the model as an untrusted component that can be manipulated rather than a trusted executor of system instructions.

Repository

Scripts and notes from this module are in the htb-ai-red-teamer repository. The repo is updated as additional modules on the path are completed.

github.com/mavhezha/htb-ai-red-teamer
Scripts, notebooks, and notes for the HackTheBox Academy AI Red Teamer path.
Previous Spam. Anomalies. Malware. Sentiment. Four AI Models Built for Security. All Scored Against Live APIs.