Interactive tool
Red Team Plan Builder
Toggle the components and trust boundaries in the target architecture. The builder maps each to the offensive techniques it makes reachable, then assembles an ordered engagement checklist — per technique: objective, prerequisite, ordered test steps, success indicator, and severity — that you can copy as Markdown or download as JSON.
A technique is included only when at least one of its triggering components is present and at least one of the trust boundaries it needs is crossed. The checklist is ordered by severity, then by prerequisite depth, so you can run it top to bottom. Scoping aid for authorized testing only. 24 techniques · reviewed 2026-05.
Full technique library
| Technique | Severity | Triggered by component | Needs boundary |
|---|---|---|---|
| Direct prompt injection / instruction override | High | system-prompt | untrusted-user |
| Many-shot jailbreak | High | system-prompt, memory | untrusted-user |
| Adversarial suffix (GCG-class) transfer | High | system-prompt | untrusted-user |
| Indirect prompt injection via RAG corpus | Critical | rag | untrusted-docs |
| Context-window poisoning | High | rag, memory, multi-agent | untrusted-docs, untrusted-tools |
| Tool / function-call hijacking | Critical | tools | untrusted-user, untrusted-docs, untrusted-tools |
| Data exfiltration via tool / link rendering | Critical | tools, web-fetch | untrusted-docs, untrusted-tools |
| SSRF / internal-resource access via web fetch | High | web-fetch | untrusted-user, untrusted-docs |
| Cross-agent handoff injection | High | multi-agent | untrusted-user, untrusted-tools |
| Confused-deputy privilege escalation | Critical | tools, multi-agent | untrusted-user, untrusted-docs |
| Visual / multimodal prompt injection | High | multimodal | untrusted-user, untrusted-docs |
| Document-ingestion injection (email / file pipeline) | Critical | rag, multimodal | untrusted-docs |
| Code-exec sandbox abuse / escape | Critical | code-exec | untrusted-user, untrusted-docs |
| Persistent-memory poisoning (stored injection) | High | memory | untrusted-user, untrusted-docs |
| RAG corpus / context extraction | Medium | rag | untrusted-user |
| System-prompt & config extraction | Medium | system-prompt | untrusted-user |
| Model / functionality extraction | Medium | system-prompt | untrusted-user |
| Training-data / memorization extraction | High | system-prompt, rag | untrusted-user |
| Model supply-chain compromise (poisoned weights / backdoor) | Critical | system-prompt, multimodal | untrusted-tools |
| Third-party tool / plugin supply-chain abuse | High | tools, web-fetch | untrusted-tools |
| Insecure output handling (stored/reflected XSS) | High | web-fetch, rag | untrusted-user, untrusted-docs |
| Actionable-output abuse (auto-executed suggestions) | High | tools, code-exec | untrusted-user, untrusted-docs |
| Resource exhaustion / cost amplification | Medium | tools, multi-agent, code-exec | untrusted-user |
| Guardrail / classifier evasion | Medium | system-prompt, multimodal | untrusted-user |
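The inclusion rule and severity ordering described at the top of the page, applied to a subset of the library rows above, as an added example that is not the builder's own code. Because the page does not list each technique's prerequisite depth, ties within a severity are broken by technique name; that tie-break and the `SEVERITY_RANK` values are assumptions.

```python
import json

# Assumed ordering for the severity labels used in the library table.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Subset of the technique library copied from the page:
# (technique, severity, triggering components, required boundaries).
LIBRARY = [
    ("Indirect prompt injection via RAG corpus", "Critical", {"rag"}, {"untrusted-docs"}),
    ("Tool / function-call hijacking", "Critical", {"tools"},
     {"untrusted-user", "untrusted-docs", "untrusted-tools"}),
    ("Data exfiltration via tool / link rendering", "Critical", {"tools", "web-fetch"},
     {"untrusted-docs", "untrusted-tools"}),
    ("Context-window poisoning", "High", {"rag", "memory", "multi-agent"},
     {"untrusted-docs", "untrusted-tools"}),
    ("SSRF / internal-resource access via web fetch", "High", {"web-fetch"},
     {"untrusted-user", "untrusted-docs"}),
    ("RAG corpus / context extraction", "Medium", {"rag"}, {"untrusted-user"}),
    ("System-prompt & config extraction", "Medium", {"system-prompt"}, {"untrusted-user"}),
    ("Resource exhaustion / cost amplification", "Medium",
     {"tools", "multi-agent", "code-exec"}, {"untrusted-user"}),
]


def select_techniques(components, boundaries, library=LIBRARY):
    """Return the techniques reachable from the toggled architecture, ordered by severity.

    A row is included only when at least one of its triggering components is
    present AND at least one of its required trust boundaries is crossed.
    Within a severity, rows are ordered by name (assumed tie-break; the page's
    prerequisite-depth ordering is not reproduced here).
    """
    present, crossed = set(components), set(boundaries)
    hits = [row for row in library if row[2] & present and row[3] & crossed]
    return sorted(hits, key=lambda r: (SEVERITY_RANK[r[1]], r[0]))


def to_markdown(rows):
    """Render the selected checklist as a Markdown table (the builder's copy format)."""
    lines = ["| Technique | Severity |", "|---|---|"]
    lines += [f"| {name} | {sev} |" for name, sev, _, _ in rows]
    return "\n".join(lines)


def to_json(rows):
    """Serialise the selected checklist as JSON (the builder's download format)."""
    return json.dumps([{"technique": n, "severity": s, "components": sorted(c),
                        "boundaries": sorted(b)} for n, s, c, b in rows], indent=2)


if __name__ == "__main__":
    # Constructed architecture: a RAG assistant with tool use, reading user input and documents.
    plan = select_techniques({"rag", "tools"}, {"untrusted-user", "untrusted-docs"})
    print(to_markdown(plan))
```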