AI Red Teaming · Training + Lab · OSAI · COAE prep

Attack AI systems. Understand why they break.

Attaxium REDAI is a hands-on program in red teaming AI-integrated systems — agents, RAG, MCP tools and self-hosted model servers. Every attack is run live against a real, deliberately-vulnerable lab, and explained down to the model internals that make it possible.

12
Vulnerable lab targets
12
Guided chapters
8
LLM root causes taught
The difference

Not another prompt-injection tutorial.

Free toys teach the mechanics. Premium certs gate the labs. Attaxium sits in the gap: a deep, persistent, hands-on lab — with the model-level reasoning nobody else teaches.

01

Execution + why

Every attack is paired with the LLM-engineering reason it works — flat context windows, shallow alignment, reversible embeddings, tokenizer gaps. You leave able to reason about systems the course never showed you.

02

A real, persistent lab

Not a time-boxed toy. Deliberately-vulnerable agents, RAG pipelines, MCP tool surfaces and a model server you attack on demand — spawn what you need, when you need it, all in a hardened, no-egress sandbox.

03

Depth others skip

Multi-agent abuse, MCP tool-surface attacks, self-hosted model-server exploitation, supply-chain on weights — the hard half, taught by someone who builds and fine-tunes these systems.

OSAI · AI-300 · COAE prep

Practice for the exam on a lab that looks like the exam.

The AI red-team certs — OffSec's OSAI (AI-300) and HTB's COAE — end in a hands-on practical against live AI systems: deployed LLM apps, RAG pipelines, multi-agent workflows and cloud-hosted AI. Written guides can't rehearse that. Attaxium's twelve chapters follow the same shape, and every one has a real target you attack for yourself — recon through full-chain engagement.

  • Twelve chapters, the full attack surface — recon, agents, multi-agent, RAG, embeddings, MCP, supply chain, infra, threat-modeling, capstone.
  • A full-chain capstone that mirrors the practical exam: recon → exploit → pivot → post-exploitation in one environment — including a real AD-forest pivot.
  • Attack live targets, not multiple-choice — hands-on practice deeper than the certs' own reading.

Attaxium is an independent training provider and is not affiliated with, endorsed by, sponsored by, or otherwise associated with OffSec or Hack The Box. OSAI, AI-300, OSCP, HTB and COAE are trademarks of their respective owners and are referenced here only to describe the certifications this material helps you prepare for.

Curriculum

Twelve chapters, foundations to full-chain engagement.

Each chapter opens with a target brief, ties the attack to an LLM root cause, then hides the solution behind a spoiler so you try it first.

Ch 0

How LLMs Actually Break

Next-token prediction, the flat context window, shallow alignment, reversible embeddings. The mental model behind every attack in this course.

Ch 1

The AI Attacker's Mindset

Why classic tradecraft falls short on AI-integrated orgs, and where the new attack surface really lives. MITRE ATLAS, OWASP LLM Top 10, the AI kill chain.

Ch 2

Mapping the AI Attack Surface

Fingerprint deployed models, enumerate agents and RAG pipelines, and harvest exposed keys and deploy tokens — quietly.

Ch 3

Breaking Vector Search & Embeddings

Invert embeddings back to text, dump vector stores, and abuse semantic search to pull data the model was never meant to reveal.

Ch 4

Hijacking LLM Agents

Direct and indirect prompt injection, jailbreaks, guardrail evasion, and poisoning an agent's long-term memory.

Ch 5

Poisoning RAG & Knowledge Pipelines

Plant instructions in documents, leak across users, defeat redaction, and read the retrieval trace to reconstruct the corpus.

Ch 6

Abusing Tool Use & MCP Surfaces

Tool poisoning, path traversal and SSTI through tool calls, and confused-deputy escalation over Open WebUI + MCP.

Ch 7

Turning Agents Against Each Other

Rogue-agent registration, forged workflow history, cross-agent confused-deputy, and LLM-mediated SQL injection.

Ch 8

Weaponizing the Model Supply Chain

Backdoored weights and adapters, pickle-deserialization RCE, poisoned training data, and mining the model repo.

Ch 9

Popping Model Servers & AI Infra

Exploit the serving stack itself: model-server bugs, SSRF, cloud IAM chains, and Kubernetes ML workloads.

Ch 10

Threat-Modeling AI Targets

Turn scattered findings into a plan: assumption registers, AI-specific trust boundaries, and attack-path mapping across a complex AI environment.

Ch 11

Full-Chain Engagement

One realistic environment, no hand-holding: recon → exploit → pivot → post-exploitation, end to end.

The Lab

A real environment, spawned on demand.

Deliberately-vulnerable AI targets you attack for real — spun up when you need them, torn down clean when you're done.

  • Local models via Ollama — no cloud keys, air-gapped by design
  • Spawn a scenario on demand; it tears down clean, zero residue
  • Nothing to install — connect and attack from your own machine
  • No-egress sandbox: hostile targets and jailbroken models can't reach the network
student@kali:~
$ labctl up rag-exfil
↑ rag-exfil (qwen2.5:7b) ... ✓ up
  attack at http://10.66.0.10:8082/

$ curl -s $LAB/query -d \
  '{"query":"support macro recovery token"}'
→ Account recovery token for jdoe:
  REDAI{rag_exfil_…}

$ labctl panic rag-exfil    # zero residue
Why Attaxium

Depth you can't get from a prompt-injection tutorial.

Built from the inside

The hard chapters are written by someone who builds, fine-tunes and serves these models — not just attacks other people's chatbots. That's the depth you can't get elsewhere.

Air-gapped & safe

Every target runs in a no-egress sandbox. Hostile payloads and jailbroken models can't reach the network or phone home.

Serious depth, fair price

The same AI red-team depth as courses at twice the price — OSAI / COAE-level prep for €199, with 90 days of full hands-on lab access.

Early access

The course is coming.

Pricing and enrollment open soon. Create a profile now to get early access to the lab and be first in line when chapters go live.

For teams

Train your whole team on the same lab.

Give your pentesters and blue team hands-on access to Attaxium's deliberately-vulnerable AI lab — same scenarios, same targets, managed and hosted by us. Buy a block of seats, add or remove people as you go, and track progress across the team. Nothing to deploy, patch or babysit; a shared leaderboard keeps it competitive.