VW INTEL GROUP / DEFEND / AI RED TEAM

AI Red Team Engagement for Canadian operators

An AI red team Canada engagement targets the AI-native attack surface a pentest firm does not cover. You get prompt injection probes across your chatbot. You get model exfiltration probes against your portal. You get retrieval poisoning trials against your RAG pipeline. You get tool-call abuse paths against your agent stack. Moreover, you get supply chain probes across your model registry and your vector store. Two to six weeks. Operator-grade reporting.

AI red team Canada brutalist concrete corridor first frame surveillance poster
Scope the engagement Read the methodology

WHAT THE ENGAGEMENT SHIPS

What the AI red team Canada engagement ships

AI red team Canada brutalist adversarial test plan schematic stamp icon

Adversarial test plan

A scoped adversarial test plan keyed to your stack. The plan names the attack-surface map. The plan names the attack categories in scope. The plan names the test cadence. Specifically, we agree the plan in writing before any probe ships against your production environment.

AI red team Canada brutalist attack result report schematic stamp icon

Attack-result report

A numbered findings report with reproducible proof-of-concept payloads. Every finding ships with the prompt sequence or the payload that triggered it. Moreover, exploit traces ship OPSEC-redacted so the report is safe to circulate inside your organisation and to your auditor.

AI red team Canada brutalist remediation prioritisation stack schematic stamp icon

Remediation prioritisation

A severity-ranked remediation list keyed to the findings report. Each recommended fix is operator-readable with an effort estimate so the team can plan the work. Furthermore, fixes get tagged against the relevant control families in NIST AI RMF and ITSG-33.

AI red team Canada brutalist post-engagement re-test loop schematic stamp icon

Post-engagement re-test

A re-run of the failing tests inside thirty days after your team ships fixes. The re-test confirms closure or names the remaining gap. Specifically, sign-off ships only once the re-test runs green. We carry the closure obligation through to the report-out call.

HOW THE ENGAGEMENT RUNS

How the AI red team Canada engagement runs end to end

01

Scoping interview

Week one and two of the engagement. We sign a mutual NDA. The scoping call lands. The scope locks in writing. The test sign-off ships. Specifically, no probe ships against your stack before this step closes. The paperwork covers your auditor and our team.

02

Attack-surface map

Next, we map every AI-native entry point you expose. Chat surfaces get mapped. RAG pipelines get mapped. Tool-call chains get mapped. MCP servers get mapped. Model registries get mapped. Vector stores get mapped. Furthermore, training-data pipelines and registry supply chains get mapped at this step.

03

Adversarial test campaign

Two to four weeks of adversarial testing. Probes ship per the locked plan. Findings get tracked daily in the secure channel. Critical findings ship inside hours so your team can ring-fence the surface. Moreover, we run multi-turn probes against the agent stack because single-turn checks miss the chains.

04

Report and readout call

Final report ships at the end of the campaign window. The readout call books inside one week of report delivery. The re-test window opens for thirty days after your team ships fixes. Specifically, final sign-off ships once the re-test runs clean against the failing payloads.

SCOPE AND BOUNDARIES

What the AI red team Canada engagement covers, what you bring, and what stays out

Inside scope of the engagement

  • Direct prompt injection campaigns against every chat surface in scope.
  • Indirect prompt injection through RAG context and uploaded docs.
  • Jailbreak campaigns with multi-turn manipulation chains.
  • Model output extraction probes for system prompts and policy text.
  • Training-data exfiltration probes against any tuned model.
  • Retrieval poisoning trials against the vector store.
  • Agent tool-call abuse across the function-calling surface.
  • MCP server abuse probes against the connector and the host.
  • Supply chain probes against the model registry and the CI path.
  • Supply chain probes against the vector store dependency tree.

What you bring to the engagement

  • Authorisation-to-test signed by your security lead and your engineering lead.
  • A staging environment that mirrors production behaviour, traffic shaping, and policy filters.
  • A named technical contact reachable inside business hours for the duration of the campaign.
  • Current architecture diagrams covering the AI surfaces and the dependent services they call.
  • A sample prompt set so we calibrate baseline behaviour before probes ship.

Outside scope of the engagement

  • Traditional network and web pentest sits outside scope; a partner firm covers that work and we refer.
  • Social engineering campaigns against staff inboxes sit outside scope and never get bundled into the engagement.
  • Physical security testing of offices, data centres, and operator hardware sits outside scope and gets referred out.

PRIMARY METHODOLOGY GROUNDING

Grounded in NIST AI RMF 1.0, MITRE ATLAS, and the OWASP Top 10 for LLM Applications

The AI red team Canada engagement grounds every finding in three primary methodology references. NIST AI RMF 1.0 sits across the control-mapping section of every report. MITRE ATLAS sits across the technique-tagging section so each attack lands on a named adversarial tactic. The OWASP Top 10 for LLM Applications sits across the surface-coverage check. Moreover, every PoC links to its primary reference. Specifically, a procurement lead, a security auditor, or your board can verify the methodology trail in under five minutes.

References: the NIST AI Risk Management Framework 1.0, the MITRE ATLAS adversarial threat landscape, and the OWASP Top 10 for Large Language Model Applications.

FREQUENTLY ASKED

Frequently asked questions about the AI red team Canada engagement

An AI red team Canada engagement is adversarial testing of the AI surfaces your business runs in production. Specifically, we run direct prompt injection. We run indirect prompt injection. We run jailbreaks. We run model output extraction. We run training-data exfiltration. We run retrieval poisoning. We run tool-call abuse. We run MCP server abuse. We run supply chain probes against the model registry. The scope is AI-native attacks only.

The attack surface is different from a traditional pentest. AI-native attacks target the prompts, the embeddings, the tool-call schema, the agent reasoning loop, and the model registry. A traditional pentest targets the network, the web application, and the cloud infrastructure underneath. Moreover, a traditional pentest firm typically does not carry the AI-native methodology. We refer network and web pentest work to a partner firm.

The engagement runs black-box by default. The campaign hits the operator-facing interface the same way an external adversary would. White-box mode runs optionally; if you supply model weights or training-data snapshots we add probes against those assets. Specifically, white-box probes cover training-data extraction and registry-side supply chain in deeper detail than black-box.

Scoping takes one to two weeks. The week opens with a mutual NDA. The scoping interview lands inside the same week. The written scope lock follows the interview. The authorisation-to-test signs last. Furthermore, no probe ships against your stack before the paperwork closes. Your auditor and our operators both rely on the paperwork as the engagement charter.

Findings ship as a numbered PDF report with reproducible proof-of-concept payloads at the end of the campaign window. PoCs ship OPSEC-redacted so the report stays safe to circulate inside your organisation and to your auditor. Moreover, each finding gets tagged against MITRE ATLAS techniques and against the relevant NIST AI RMF and ITSG-33 control families.

Coordinated disclosure runs as the default. The operator decides whether findings stay internal or whether vendor disclosure ships against an upstream model provider, an embedding vendor, or an MCP connector author. Specifically, we never publish a finding without written sign-off from the operator. The engagement charter covers the disclosure posture.

SCOPE THE ENGAGEMENT

Scope the AI red team Canada engagement for your stack

Five thousand to fifteen thousand CAD per engagement. Two to six weeks. Scoped per operator. The scoping interview books inside one business day. We sign a mutual NDA before any technical detail moves. Specifically, the engagement charter covers authorisation-to-test, disclosure posture, and the agreed re-test window. Moreover, the first month doubles as the scope-lock window so probes ship against a written plan, not a verbal one.

Scope the engagementRead the methodology

Adjacent reading: the sibling Sovereign AI Defense for the continuous runtime monitor retainer that catches in production what red team finds in test; the Defend trunk for the runtime protection picture this engagement feeds; the sibling Threat Brief for the monthly Canadian threat intelligence; the sibling Intelligence Audit for the AI readiness audit; the sibling Operations Intelligence for the workflow audit; the sibling Sovereign Infrastructure Brief for the topology brief; the sibling Standing Engagement for the monthly retainer line; the Brief trunk for intelligence products; the Library for free threat content; the Research trunk for named research outputs; the Build trunk for hands-on engagements.