Attack AI systems. Understand why they break.
Attaxium REDAI is a hands-on program in red teaming AI-integrated systems — agents, RAG, MCP tools and self-hosted model servers. Every attack is run live against a real, deliberately-vulnerable lab, and explained down to the model internals that make it possible.
Not another prompt-injection tutorial.
Free toys teach the mechanics. Premium certs gate the labs. Attaxium sits in the gap: a deep, persistent, hands-on lab — with the model-level reasoning nobody else teaches.
Execution + why
Every attack is paired with the LLM-engineering reason it works — flat context windows, shallow alignment, reversible embeddings, tokenizer gaps. You leave able to reason about systems the course never showed you.
A real, persistent lab
Not a time-boxed toy. Deliberately-vulnerable agents, RAG pipelines, MCP tool surfaces and a model server you attack on demand — spawn what you need, when you need it, all in a hardened, no-egress sandbox.
Depth others skip
Multi-agent abuse, MCP tool-surface attacks, self-hosted model-server exploitation, supply-chain on weights — the hard half, taught by someone who builds and fine-tunes these systems.
Practice for the exam on a lab that looks like the exam.
The AI red-team certs — OffSec's OSAI (AI-300) and HTB's COAE — end in a hands-on practical against live AI systems: deployed LLM apps, RAG pipelines, multi-agent workflows and cloud-hosted AI. Written guides can't rehearse that. Attaxium's twelve chapters follow the same shape, and every one has a real target you attack for yourself — recon through full-chain engagement.
- Twelve chapters, the full attack surface — recon, agents, multi-agent, RAG, embeddings, MCP, supply chain, infra, threat-modeling, capstone.
- A full-chain capstone that mirrors the practical exam: recon → exploit → pivot → post-exploitation in one environment — including a real AD-forest pivot.
- Attack live targets, not multiple-choice — hands-on practice deeper than the certs' own reading.
Attaxium is an independent training provider and is not affiliated with, endorsed by, sponsored by, or otherwise associated with OffSec or Hack The Box. OSAI, AI-300, OSCP, HTB and COAE are trademarks of their respective owners and are referenced here only to describe the certifications this material helps you prepare for.
Twelve chapters, foundations to full-chain engagement.
Each chapter opens with a target brief, ties the attack to an LLM root cause, then hides the solution behind a spoiler so you try it first.
How LLMs Actually Break
Next-token prediction, the flat context window, shallow alignment, reversible embeddings. The mental model behind every attack in this course.
The AI Attacker's Mindset
Why classic tradecraft falls short on AI-integrated orgs, and where the new attack surface really lives. MITRE ATLAS, OWASP LLM Top 10, the AI kill chain.
Mapping the AI Attack Surface
Fingerprint deployed models, enumerate agents and RAG pipelines, and harvest exposed keys and deploy tokens — quietly.
Breaking Vector Search & Embeddings
Invert embeddings back to text, dump vector stores, and abuse semantic search to pull data the model was never meant to reveal.
Hijacking LLM Agents
Direct and indirect prompt injection, jailbreaks, guardrail evasion, and poisoning an agent's long-term memory.
Poisoning RAG & Knowledge Pipelines
Plant instructions in documents, leak across users, defeat redaction, and read the retrieval trace to reconstruct the corpus.
Abusing Tool Use & MCP Surfaces
Tool poisoning, path traversal and SSTI through tool calls, and confused-deputy escalation over Open WebUI + MCP.
Turning Agents Against Each Other
Rogue-agent registration, forged workflow history, cross-agent confused-deputy, and LLM-mediated SQL injection.
Weaponizing the Model Supply Chain
Backdoored weights and adapters, pickle-deserialization RCE, poisoned training data, and mining the model repo.
Popping Model Servers & AI Infra
Exploit the serving stack itself: model-server bugs, SSRF, cloud IAM chains, and Kubernetes ML workloads.
Threat-Modeling AI Targets
Turn scattered findings into a plan: assumption registers, AI-specific trust boundaries, and attack-path mapping across a complex AI environment.
Full-Chain Engagement
One realistic environment, no hand-holding: recon → exploit → pivot → post-exploitation, end to end.
A real environment, spawned on demand.
Deliberately-vulnerable AI targets you attack for real — spun up when you need them, torn down clean when you're done.
- Local models via Ollama — no cloud keys, air-gapped by design
- Spawn a scenario on demand; it tears down clean, zero residue
- Nothing to install — connect and attack from your own machine
- No-egress sandbox: hostile targets and jailbroken models can't reach the network
$ labctl up rag-exfil
↑ rag-exfil (qwen2.5:7b) ... ✓ up
attack at http://10.66.0.10:8082/
$ curl -s $LAB/query -d \
'{"query":"support macro recovery token"}'
→ Account recovery token for jdoe:
REDAI{rag_exfil_…}
$ labctl panic rag-exfil # zero residueDepth you can't get from a prompt-injection tutorial.
Built from the inside
The hard chapters are written by someone who builds, fine-tunes and serves these models — not just attacks other people's chatbots. That's the depth you can't get elsewhere.
Air-gapped & safe
Every target runs in a no-egress sandbox. Hostile payloads and jailbroken models can't reach the network or phone home.
Serious depth, fair price
The same AI red-team depth as courses at twice the price — OSAI / COAE-level prep for €199, with 90 days of full hands-on lab access.
The course is coming.
Pricing and enrollment open soon. Create a profile now to get early access to the lab and be first in line when chapters go live.
Train your whole team on the same lab.
Give your pentesters and blue team hands-on access to Attaxium's deliberately-vulnerable AI lab — same scenarios, same targets, managed and hosted by us. Buy a block of seats, add or remove people as you go, and track progress across the team. Nothing to deploy, patch or babysit; a shared leaderboard keeps it competitive.