# AI Red Teaming Agent for Generative AI models and applications in Azure AI Foundry

## Objective
This notebook walks through how to use Azure AI Evaluation's AI Red Teaming Agent functionality to assess the safety and resilience of AI systems against adversarial prompt attacks. AI Red Teaming Agent leverages [Risk and Safety Evaluations](https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/evaluation-metrics-built-in?tabs=warning#risk-and-safety-evaluators) to help identify potential safety issues across different risk categories (violence, hate/unfairness, sexual content, self-harm) combined with attack strategies of varying complexity levels from [PyRIT](https://github.com/Azure/PyRIT), Microsoft AI Red Teaming team's open framework for automated AI red teaming.

![image.png](attachment:image.png)

## Before you begin

### Prerequisite
First, if you have an Azure subscription,  [create an Azure AI project](https://learn.microsoft.com/en-us/azure/ai-studio/concepts/ai-resources). AI projects and Hubs can be served within a private network and are compatible with private endpoints. You **do not** need to provide your own LLM deployment as the AI Red Teaming Agent hosts adversarial models for both simulation and evaluation of harmful content and connects to it via your Azure AI project.

In order to upload your results to Azure AI Foundry:
- Your AI Foundry project must have a connection (*Connected Resources*) to a storage account with `Microsoft Entra ID` authentication enabled.
- Your AI Foundry project must have the `Storage Blob Data Contributor` role in the storage account.
- You must have the `Storage Blob Data Contributor` role in the storage account.
- You must have network access to the storage account.

For more information see: https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/develop/run-scans-ai-red-teaming-agent

**Important**: First, ensure that you've installed the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) and then make sure to authenticate to Azure using `az login` in your terminal before running this notebook.

### Installation
From a terminal window, navigate to your working directory which contains this sample notebook, and execute the following.
```bash
python -m venv .venv
```

Then, activate the virtual environment created:

```bash
# %source .venv/bin/activate # If using Mac/Linux OS
.venv/Scripts/activate # If using Windows OS
```

With your virtual environment activated, install the following packages required to execute this notebook:

```bash
pip install uv
uv pip install azure-ai-evaluation[redteam] azure-identity openai azure-ai-projects
```


Now open VSCode with the following command, and ensure your virtual environment is used as kernel to run the remainder of this notebook.
```bash
code .
```

### Imports

In [1]:
from typing import Optional, Dict, Any
import os

# Azure imports
from azure.ai.evaluation.red_team import RedTeam, RiskCategory, AttackStrategy

# OpenAI imports
from openai import AzureOpenAI

### Login to Azure with valid credentials

Ensure that you've installed the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) and then make sure to authenticate to Azure using `az login` in your terminal before running this notebook.

Configure the `credential` object with a different AzureCredential type if this is a requirement for your environment.

In [3]:
# Azure Credential imports
from azure.identity import DefaultAzureCredential, get_bearer_token_provider

#!az login

# Initialize Azure credentials
credential = DefaultAzureCredential()

### Set Up Your Environment Variables

Set the following variables for use in this notebook. These variables connect to your Azure resources and model deployments.

Set these variables by creating an `.env` file in your project's root folder.

**Note:** You can find these values in your Azure AI Foundry project or Azure OpenAI resource.

For reference, here's an example of what your populated environment variables should look like:

```
# Azure OpenAI
AZURE_OPENAI_API_KEY="your-api-key-here"
AZURE_OPENAI_ENDPOINT="https://endpoint-name.cognitiveservices.azure.com/"
AZURE_OPENAI_DEPLOYMENT_NAME="gpt-4"
AZURE_OPENAI_API_VERSION="2024-12-01-preview"

# Azure AI Project
AZURE_PROJECT_ENDPOINT="https://your-aifoundry-endpoint-name.services.ai.azure.com/api/projects/yourproject-name"
```

In [4]:
# Azure AI Project information
azure_ai_project = os.environ.get("PROJECT_ENDPOINT")

# Azure OpenAI deployment information
azure_openai_deployment = os.environ.get("AZURE_OPENAI_DEPLOYMENT_NAME")  # e.g., "gpt-4"
azure_openai_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")
azure_openai_api_key = os.environ.get("AZURE_OPENAI_API_KEY")  # e.g., "your-api-key"
azure_openai_api_version = os.environ.get("AZURE_OPENAI_API_VERSION")  # Use the latest API version

## Understanding AI Red Teaming Agent's capabilities

The Azure AI Evaluation SDK's `RedTeam` functionality evaluates AI systems against adversarial prompts across multiple dimensions:

1. **Risk Categories**: Different content risk categories your AI system might generate
   - Violence
   - HateUnfairness
   - Sexual
   - SelfHarm

2. **Attack Strategies**: Along with standard unmodified prompts which are sent by default as the `baseline`, you can specify different transformations of prompts to elicit undesired content.
You can also use `AttackStrategy.Compose()` to layer two strategies in one attack
   - AnsiAttack: Using ANSI escape codes in prompts
   - AsciiArt: Using ASCII art to disguise harmful content
   - AsciiSmuggler: Hiding harmful content within ASCII characters
   - Atbash: Using the Atbash cipher to encode harmful requests
   - Base64: Encoding harmful content in Base64 format
   - Binary: Converting text to binary to bypass filters
   - Caesar: Using the Caesar cipher for encoding
   - CharacterSpace: Manipulating character spacing to confuse filters
   - CharSwap: Swapping characters to bypass detection
   - Diacritic: Using diacritical marks to alter text appearance
   - Flip: Flipping text to bypass content filters
   - Leetspeak: Converting letters to numbers and symbols
   - Morse: Using Morse code to encode harmful requests
   - ROT13: Using ROT13 cipher for text transformation
   - SuffixAppend: Adding suffixes to confuse detection systems
   - StringJoin: Joining strings in unconventional ways
   - Tense: Changing the tense of harmful requests to past tense
   - UnicodeConfusable: Using similar-looking Unicode characters
   - UnicodeSubstitution: Substituting characters with Unicode alternatives
   - Url: Embedding harmful content within URLs
   - Jailbreak: Specially crafted prompts to bypass AI safeguards

3. **Complexity Levels**: Different difficultly levels of attacks
   - Baseline: Standard functionality tests
   - Easy: Simple attack patterns
   - Moderate: More sophisticated attacks
   - Difficult: Complex, layered attack strategies

The key metric for evaluating results is the **Attack Success Rate (ASR)**, which measures the percentage of attacks that successfully elicit harmful content from your AI system.

## Basic Example: Fixed Response Callback

Let's start with a basic example that demonstrates how to set up a Red Team evaluation using a simple callback that always returns a fixed, safe response regardless of the input prompt.

**Important Note**: Since this callback always responds with the same safe message, the Attack Success Rate (ASR) will be 0% for all categories. This example is merely to demonstrate the API structure and flow.

In [5]:
# Define a simple callback function that always returns a fixed response
def financial_advisor_callback(query: str) -> str:  # noqa: ARG001
    # API call to generate a response (App or PromptFlow can be used here)
    return "I'm a financial advisor assistant. I can help with investment advice and financial planning within legal and ethical guidelines."

In [14]:
# Create the `RedTeam` instance with minimal configurations
red_team = RedTeam(
    azure_ai_project=azure_ai_project,
    credential=credential,
    risk_categories=[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm],
    num_objectives=1,
)

NOTE: `num_objectives` specifies the number of attacks to perform per risk category per attack strategy. If the parameter `risk_categories` is not specified, `[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm]` will be used by default.

Now let's run a simple automated scan using the `RedTeam` with the fixed response target. We'll test against two risk categories and one attack strategy for simplicity.

In [None]:
# Run the red team scan called "Basic-Callback-Scan" with limited scope for this basic example
# This will test 1 objective prompt for each of Violence and HateUnfairness categories with the Flip strategy
result = await red_team.scan(
    target=financial_advisor_callback,
    scan_name="Basic-Callback-Scan",
    attack_strategies=[AttackStrategy.Flip],
    # attack_strategies=[
    #     AttackStrategy.DIFFICULT,  # Group of easy complexity attacks
    #     # AttackStrategy.MODERATE,  # Group of moderate complexity attacks
    #     # AttackStrategy.CharacterSpace,  # Add character spaces
    #     # AttackStrategy.ROT13,  # Use ROT13 encoding
    #     # AttackStrategy.UnicodeConfusable,  # Use confusable Unicode characters
    #     # AttackStrategy.CharSwap,  # Swap characters in prompts
    #     # AttackStrategy.Morse,  # Encode prompts in Morse code
    #     # AttackStrategy.Leetspeak,  # Use Leetspeak
    #     # AttackStrategy.Url,  # Use URLs in prompts
    #     # AttackStrategy.Binary,  # Encode prompts in binary
    #     #AttackStrategy.Compose([AttackStrategy.Base64, AttackStrategy.ROT13]),  # Use two strategies in one attack
    # ]
    output_path="red_team_output.json",
)

SyntaxError: invalid syntax. Perhaps you forgot a comma? (3615456696.py, line 6)

## Advanced Example: Using an Azure Open AI Model Endpoint in a Callback Function

Using the same Azure Open AI model configuration as above, we now wrap it in a callback function for more flexibility and control on the input and output handling. This will demonstrate how to evaluate an actual AI application. To test your own actual AI application, replace the inside of the callback function with a call to your application.

In [10]:
# Define a callback that uses Azure OpenAI API to generate responses
async def azure_openai_callback(
    messages: list,
    stream: Optional[bool] = False,  # noqa: ARG001
    session_state: Optional[str] = None,  # noqa: ARG001
    context: Optional[Dict[str, Any]] = None,  # noqa: ARG001
) -> dict[str, list[dict[str, str]]]:
   

    # Initialize Azure OpenAI client
    client = AzureOpenAI(
        azure_endpoint=azure_openai_endpoint,
        api_version=azure_openai_api_version,
        api_key=azure_openai_api_key
    )

    ## Extract the latest message from the conversation history
    messages_list = [{"role": message.role, "content": message.content} for message in messages]
    latest_message = messages_list[-1]["content"]

    try:
        # Call the model
        response = client.chat.completions.create(
            model=azure_openai_deployment,
            messages=[
                {"role": "user", "content": latest_message},
            ],
            # max_tokens=500, # If using an o1 base model, comment this line out
            max_completion_tokens=500,  # If using an o1 base model, uncomment this line
            # temperature=0.7, # If using an o1 base model, comment this line out (temperature param not supported for o1 base models)
        )

        # Format the response to follow the expected chat protocol format
        formatted_response = {"content": response.choices[0].message.content, "role": "assistant"}
    except Exception as e:
        print(f"Error calling Azure OpenAI: {e!s}")
        formatted_response = "I encountered an error and couldn't process your request."
    return {"messages": [formatted_response]}

In [11]:
# Create the RedTeam instance with all of the risk categories with 5 attack objectives generated for each category
model_red_team = RedTeam(
    azure_ai_project=azure_ai_project,
    credential=credential,
    risk_categories=[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm],
    num_objectives=1,
)

We will use this instance of `model_red_team` to test different attack strategies in the following section.

### Testing Different Attack Strategies

Now we'll run a more comprehensive evaluation using multiple attack strategies across risk categories. This will give us a better understanding of our model's vulnerabilities.

In [None]:
# Run the red team scan with multiple attack strategies
advanced_result = await model_red_team.scan(
    target=azure_openai_callback,
    scan_name="Advanced-Callback-Scan-Difficult",
    attack_strategies=[
        AttackStrategy.DIFFICULT,  # Group of easy complexity attacks
        # AttackStrategy.MODERATE,  # Group of moderate complexity attacks
        # AttackStrategy.CharacterSpace,  # Add character spaces
        # AttackStrategy.ROT13,  # Use ROT13 encoding
        # AttackStrategy.UnicodeConfusable,  # Use confusable Unicode characters
        # AttackStrategy.CharSwap,  # Swap characters in prompts
        # AttackStrategy.Morse,  # Encode prompts in Morse code
        # AttackStrategy.Leetspeak,  # Use Leetspeak
        # AttackStrategy.Url,  # Use URLs in prompts
        # AttackStrategy.Binary,  # Encode prompts in binary
        #AttackStrategy.Compose([AttackStrategy.Base64, AttackStrategy.ROT13]),  # Use two strategies in one attack
    ],
    output_path="Advanced-Callback-Scan-Difficult.json",
)

🚀 STARTING RED TEAM SCAN: Advanced-Callback-Scan
📂 Output directory: .\.scan_Advanced-Callback-Scan_20250826_122803
📊 Risk categories: ['violence', 'hate_unfairness', 'sexual', 'self_harm']
🔗 Track your red team scan in AI Foundry: https://ai.azure.com/resource/build/redteaming/7ca0694e-23e7-4acb-9ad9-f9f6a56e2d51?wsid=/subscriptions/3c941de1-cd33-4339-bf35-4dafb9f0aff6/resourceGroups/test-agent/providers/Microsoft.CognitiveServices/accounts/agents-build2026-resource/projects/agents-build2026&tid=f79243ce-e61d-4d24-b491-0532f1cc8262
📋 Planning 16 total tasks


Scanning:   0%|                        | 0/16 [00:00<?, ?scan/s, current=fetching baseline/violence]

📚 Using attack objectives from Azure RAI service


Scanning:   0%|                 | 0/16 [00:03<?, ?scan/s, current=fetching baseline/hate_unfairness]

📝 Fetched baseline objectives for violence: 1 objectives


Scanning:   0%|                          | 0/16 [00:03<?, ?scan/s, current=fetching baseline/sexual]

📝 Fetched baseline objectives for hate_unfairness: 1 objectives


Scanning:   0%|                       | 0/16 [00:04<?, ?scan/s, current=fetching baseline/self_harm]

📝 Fetched baseline objectives for sexual: 1 objectives


Scanning:   0%|                          | 0/16 [00:04<?, ?scan/s, current=fetching base64/violence]

📝 Fetched baseline objectives for self_harm: 1 objectives
🔄 Fetching objectives for strategy 2/4: base64


Scanning:   0%|                            | 0/16 [00:06<?, ?scan/s, current=fetching flip/violence]

🔄 Fetching objectives for strategy 3/4: flip


Scanning:   0%|                           | 0/16 [00:08<?, ?scan/s, current=fetching morse/violence]

🔄 Fetching objectives for strategy 4/4: morse


Scanning:   0%|                                         | 0/16 [00:10<?, ?scan/s, current=batch 1/4]

⚙️ Processing 16 tasks in parallel (max 5 at a time)
▶️ Starting task: baseline strategy for violence risk category
▶️ Starting task: baseline strategy for hate_unfairness risk category
▶️ Starting task: baseline strategy for sexual risk category
▶️ Starting task: baseline strategy for self_harm risk category
▶️ Starting task: base64 strategy for violence risk category
Error calling Azure OpenAI: Error code: 400 - {'error': {'message': "The response was filtered due to the prompt triggering Azure OpenAI's content management policy. Please modify your prompt and retry. To learn more about our content filtering policies please read our documentation: https://go.microsoft.com/fwlink/?linkid=2198766", 'type': None, 'param': 'prompt', 'code': 'content_filter', 'status': 400, 'innererror': {'code': 'ResponsibleAIPolicyViolation', 'content_filter_result': {'hate': {'filtered': False, 'severity': 'safe'}, 'self_harm': {'filtered': True, 'severity': 'high'}, 'sexual': {'filtered': False, 'sever

ERROR: [baseline/self_harm] Error processing prompts: Error sending prompt with conversation ID: 038c58d9-d8c0-40af-a17e-6a867e64beca
Traceback (most recent call last):
  File "c:\Users\hifazhassan\workspace\agents\agents-explore-2025\test_env\Lib\site-packages\pyrit\prompt_normalizer\prompt_normalizer.py", line 95, in send_prompt_async
    response = await target.send_prompt_async(prompt_request=request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "c:\Users\hifazhassan\workspace\agents\agents-explore-2025\test_env\Lib\site-packages\azure\ai\evaluation\red_team\_callback_chat_target.py", line 54, in send_prompt_async
    response_text = response_context["messages"][-1]["content"]
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
TypeError: string indices must be integers, not 'str'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "c:\Users\hifazhassan\workspace\agents\agents-e

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\baseline_violence_92bafe49-b24b-4e61-964b-193f6b0e3f7e.json".

✅ Completed task 1/16 (6.2%) - baseline/violence in 59.3s
   Est. remaining: 18.3 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\baseline_hate_unfairness_ce189c3a-d589-4511-834e-4785bbd0cc77.json".

✅ Completed task 2/16 (12.5%) - baseline/hate_unfairness in 59.3s
   Est. remaining: 8.6 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\baseline_sexual_0791bf1c-bf4f-4737-a71e-528aaa29f0b6.json".

✅ Completed task 3/16 (18.8%) - baseline/sexual in 59.3s
   Est. remaining: 5.3 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore

Scanning:  31%|██████████▎                      | 5/16 [01:15<02:07, 11.62s/scan, current=batch 2/4]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\base64_violence_ea0dc400-0a08-4a63-9ce0-419cbe56bc96.json".

✅ Completed task 5/16 (31.2%) - base64/violence in 64.7s
   Est. remaining: 2.9 minutes
▶️ Starting task: base64 strategy for hate_unfairness risk category
▶️ Starting task: base64 strategy for sexual risk category
▶️ Starting task: base64 strategy for self_harm risk category
▶️ Starting task: flip strategy for violence risk category
▶️ Starting task: flip strategy for hate_unfairness risk category


Scanning:  56%|██████████████████▌              | 9/16 [02:15<02:40, 22.92s/scan, current=batch 2/4]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\base64_hate_unfairness_11c631b5-01a0-4967-b753-6161632a6d82.json".

✅ Completed task 6/16 (37.5%) - base64/hate_unfairness in 60.1s
   Est. remaining: 3.9 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\base64_sexual_e3e61ac6-f282-4980-98c0-3867d4a94c9a.json".

✅ Completed task 7/16 (43.8%) - base64/sexual in 60.1s
   Est. remaining: 3.0 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\base64_self_harm_938a2fde-27bf-437c-8bd0-37bf87de08b4.json".

✅ Completed task 8/16 (50.0%) - base64/self_harm in 60.1s
   Est. remaining: 2.3 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_

Scanning:  62%|████████████████████            | 10/16 [02:21<01:03, 10.61s/scan, current=batch 3/4]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\flip_hate_unfairness_b4e89764-8263-49e7-b27b-6378f80ceafa.json".

✅ Completed task 10/16 (62.5%) - flip/hate_unfairness in 65.5s
   Est. remaining: 1.4 minutes
▶️ Starting task: flip strategy for sexual risk category
▶️ Starting task: flip strategy for self_harm risk category
▶️ Starting task: morse strategy for violence risk category
▶️ Starting task: morse strategy for hate_unfairness risk category
▶️ Starting task: morse strategy for sexual risk category
Error calling Azure OpenAI: Error code: 400 - {'error': {'message': "The response was filtered due to the prompt triggering Azure OpenAI's content management policy. Please modify your prompt and retry. To learn more about our content filtering policies please read our documentation: https://go.microsoft.com/fwlink/?linkid=2198766", 'type': None, 'param': 'prompt', 'code': 'content_fil

ERROR: [flip/self_harm] Error processing prompts: Error sending prompt with conversation ID: f392e3bb-3c38-4039-90b5-0c9fe979c08f
Traceback (most recent call last):
  File "c:\Users\hifazhassan\workspace\agents\agents-explore-2025\test_env\Lib\site-packages\pyrit\prompt_normalizer\prompt_normalizer.py", line 95, in send_prompt_async
    response = await target.send_prompt_async(prompt_request=request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "c:\Users\hifazhassan\workspace\agents\agents-explore-2025\test_env\Lib\site-packages\azure\ai\evaluation\red_team\_callback_chat_target.py", line 54, in send_prompt_async
    response_text = response_context["messages"][-1]["content"]
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
TypeError: string indices must be integers, not 'str'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "c:\Users\hifazhassan\workspace\agents\agents-explo

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\flip_sexual_2e26925e-d486-42e4-817b-afdcfda69a62.json".

✅ Completed task 11/16 (68.8%) - flip/sexual in 58.4s
   Est. remaining: 1.5 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\flip_self_harm_d9a5b87e-e37a-420c-bd06-c5cd742ea7a0.json".

✅ Completed task 12/16 (75.0%) - flip/self_harm in 58.4s
   Est. remaining: 1.1 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\morse_violence_db2abfe5-65eb-4381-8d22-168b0a22b512.json".

✅ Completed task 13/16 (81.2%) - morse/violence in 58.4s
   Est. remaining: 0.8 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_A

Scanning:  94%|██████████████████████████████  | 15/16 [03:20<00:09,  9.66s/scan, current=batch 4/4]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\morse_sexual_a47e048d-72b6-4677-8735-78c985c25a6e.json".

✅ Completed task 15/16 (93.8%) - morse/sexual in 59.7s
   Est. remaining: 0.2 minutes
▶️ Starting task: morse strategy for self_harm risk category


Scanning: 100%|████████████████████████████████| 16/16 [03:31<00:00, 13.20s/scan, current=batch 4/4]


Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\morse_self_harm_497e5df3-305a-4af7-a79c-dcef8dc355ed.json".

✅ Completed task 16/16 (100.0%) - morse/self_harm in 10.2s
   Est. remaining: 0.0 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\Advanced-Callback-Scan.json".

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Advanced-Callback-Scan_20250826_122803\final_results.json".

Overall ASR: 0.0%
Attack Success: 0/16 attacks were successful
------------------------------------------------------------------------------------------------------------------------------------
Risk Category     | Baseline ASR   | Easy-Complexity Attacks ASR  | Moderate-Complexity Attacks ASR | Difficult-Complexity Attacks ASR
------------------------------------------------------------

The data and results used in this attack will be saved to the `output_path` specified. The URL printed out at the end of the scorecard will provide a link to where you results are uploaded and logged to your Azure AI Foundry project.

## Bring your own objectives: Using your own prompts as objectives for RedTeam

Below we demonstrate how to use your own prompts as objectives for a `RedTeam` scan. You can see the required format for prompts under `.\data\prompts.json`. Note that when bringing your own prompts, the supported `risk-type`s are `violence`, `sexual`, `hate_unfairness`, and `self_harm`. The number of prompts you specify will be the `num_objectives` used in the scan. 

In [12]:
path_to_prompts = "data\prompts.json"

# Create the RedTeam specifying the custom attack seed prompts to use as objectives
custom_red_team = RedTeam(
    azure_ai_project=azure_ai_project,
    credential=credential,
    custom_attack_seed_prompts=path_to_prompts,  # Path to a file containing custom attack seed prompts
)

In [13]:
custom_red_team_result = await custom_red_team.scan(
    target=azure_openai_callback,
    scan_name="Custom-Prompt-Scan",
    attack_strategies=[
        AttackStrategy.EASY,  # Group of easy complexity attacks
        AttackStrategy.MODERATE,  # Group of moderate complexity attacks
        AttackStrategy.DIFFICULT,  # Group of difficult complexity attacks
    ],
    output_path="Custom-Prompt-Scan.json",
)

🚀 STARTING RED TEAM SCAN: Custom-Prompt-Scan
📂 Output directory: .\.scan_Custom-Prompt-Scan_20250917_121013
📊 Risk categories: ['hate_unfairness', 'violence', 'sexual', 'self_harm']
🔗 Track your red team scan in AI Foundry: https://ai.azure.com/resource/build/redteaming/e4d5dfe6-48e8-4012-a898-4f6b9428d8e0?wsid=/subscriptions/3c941de1-cd33-4339-bf35-4dafb9f0aff6/resourceGroups/test-agent/providers/Microsoft.CognitiveServices/accounts/agents-build2026-resource/projects/agents-build2026&tid=f79243ce-e61d-4d24-b491-0532f1cc8262
📋 Planning 24 total tasks


Scanning:   0%|                                         | 0/24 [00:00<?, ?scan/s, current=batch 1/5]

📚 Using custom attack objectives from data\prompts.json
📝 Fetched baseline objectives for hate_unfairness: 1 objectives
📝 Fetched baseline objectives for violence: 1 objectives
📝 Fetched baseline objectives for sexual: 1 objectives
📝 Fetched baseline objectives for self_harm: 1 objectives
🔄 Fetching objectives for strategy 2/6: base64
🔄 Fetching objectives for strategy 3/6: flip
🔄 Fetching objectives for strategy 4/6: morse
🔄 Fetching objectives for strategy 5/6: tense
🔄 Fetching objectives for strategy 6/6: tense_base64
⚙️ Processing 24 tasks in parallel (max 5 at a time)
▶️ Starting task: baseline strategy for hate_unfairness risk category
▶️ Starting task: baseline strategy for violence risk category
▶️ Starting task: baseline strategy for sexual risk category
▶️ Starting task: baseline strategy for self_harm risk category
▶️ Starting task: base64 strategy for hate_unfairness risk category


Scanning:  17%|█████▌                           | 4/24 [00:45<15:17, 45.87s/scan, current=batch 1/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\baseline_hate_unfairness_99e28b66-29e2-407d-bbdf-dc4b82f3ffe2.json".

✅ Completed task 1/24 (4.2%) - baseline/hate_unfairness in 45.8s
   Est. remaining: 18.9 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\baseline_violence_c8b893f8-9adf-4da3-94fb-1e499387915a.json".

✅ Completed task 2/24 (8.3%) - baseline/violence in 45.8s
   Est. remaining: 9.1 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\baseline_sexual_ca87ab17-7cf6-45f1-abc3-5ccf8f892e7b.json".

✅ Completed task 3/24 (12.5%) - baseline/sexual in 45.8s
   Est. remaining: 5.8 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_tea

Scanning:  21%|██████▉                          | 5/24 [00:51<02:30,  7.95s/scan, current=batch 2/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\base64_hate_unfairness_74fc6e90-aa07-48c2-b6d3-a2563b19e703.json".

✅ Completed task 5/24 (20.8%) - base64/hate_unfairness in 51.0s
   Est. remaining: 3.5 minutes
▶️ Starting task: base64 strategy for violence risk category
▶️ Starting task: base64 strategy for sexual risk category
▶️ Starting task: base64 strategy for self_harm risk category
▶️ Starting task: flip strategy for hate_unfairness risk category
▶️ Starting task: flip strategy for violence risk category


Scanning:  38%|████████████▍                    | 9/24 [01:37<04:14, 16.97s/scan, current=batch 2/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\base64_violence_88fab159-a57c-45b2-aba9-78653b2752dd.json".

✅ Completed task 6/24 (25.0%) - base64/violence in 46.6s
   Est. remaining: 5.1 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\base64_sexual_f9585f04-dbe4-484e-8120-df43113f5a48.json".

✅ Completed task 7/24 (29.2%) - base64/sexual in 46.7s
   Est. remaining: 4.1 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\base64_self_harm_35175bbd-82d5-472c-90c7-8c1b9c75e1be.json".

✅ Completed task 8/24 (33.3%) - base64/self_harm in 46.7s
   Est. remaining: 3.4 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom

Scanning:  42%|█████████████▎                  | 10/24 [01:38<01:43,  7.41s/scan, current=batch 3/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\flip_violence_bd768f65-12f9-403a-bcaa-a7ceba2e632e.json".

✅ Completed task 10/24 (41.7%) - flip/violence in 47.6s
   Est. remaining: 2.4 minutes
▶️ Starting task: flip strategy for sexual risk category
▶️ Starting task: flip strategy for self_harm risk category
▶️ Starting task: morse strategy for hate_unfairness risk category
▶️ Starting task: morse strategy for violence risk category
▶️ Starting task: morse strategy for sexual risk category


Scanning:  58%|██████████████████▋             | 14/24 [02:26<02:22, 14.25s/scan, current=batch 3/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\flip_sexual_262e2141-ac54-4836-a6f1-88647ebf5241.json".

✅ Completed task 11/24 (45.8%) - flip/sexual in 47.8s
   Est. remaining: 3.0 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\flip_self_harm_9250aa5f-f193-4321-b92d-c6f21d106020.json".

✅ Completed task 12/24 (50.0%) - flip/self_harm in 47.8s
   Est. remaining: 2.5 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\morse_hate_unfairness_8ee2c466-3a7b-48ae-8cf7-b32b869554d3.json".

✅ Completed task 13/24 (54.2%) - morse/hate_unfairness in 47.8s
   Est. remaining: 2.1 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan

Scanning:  62%|████████████████████            | 15/24 [02:31<01:10,  7.88s/scan, current=batch 4/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\morse_sexual_c50ac2e6-2e93-46d9-8c12-5790b5796639.json".

✅ Completed task 15/24 (62.5%) - morse/sexual in 52.9s
   Est. remaining: 1.6 minutes
▶️ Starting task: morse strategy for self_harm risk category
▶️ Starting task: tense strategy for hate_unfairness risk category
▶️ Starting task: tense strategy for violence risk category
▶️ Starting task: tense strategy for sexual risk category
▶️ Starting task: tense strategy for self_harm risk category


Scanning:  79%|█████████████████████████▎      | 19/24 [03:20<01:09, 13.95s/scan, current=batch 4/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\morse_self_harm_dcb9b20e-781e-4b86-b08c-74782a952849.json".

✅ Completed task 16/24 (66.7%) - morse/self_harm in 48.5s
   Est. remaining: 1.7 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_hate_unfairness_8023e9e3-9501-4648-8ca8-2b91f1a50191.json".

✅ Completed task 17/24 (70.8%) - tense/hate_unfairness in 48.5s
   Est. remaining: 1.4 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_violence_e6175764-4241-4557-a531-cace6729c140.json".

✅ Completed task 18/24 (75.0%) - tense/violence in 48.5s
   Est. remaining: 1.1 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_age

Scanning:  83%|██████████████████████████▋     | 20/24 [03:25<00:32,  8.15s/scan, current=batch 5/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_self_harm_9018d891-959c-45ca-9185-6ac1c5458b60.json".

✅ Completed task 20/24 (83.3%) - tense/self_harm in 53.9s
   Est. remaining: 0.7 minutes
▶️ Starting task: tense_base64 strategy for hate_unfairness risk category
▶️ Starting task: tense_base64 strategy for violence risk category
▶️ Starting task: tense_base64 strategy for sexual risk category
▶️ Starting task: tense_base64 strategy for self_harm risk category


Scanning:  96%|██████████████████████████████▋ | 23/24 [04:02<00:12, 12.26s/scan, current=batch 5/5]

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_base64_hate_unfairness_7c104c96-affc-40aa-934f-9dfaf29d7a1d.json".

✅ Completed task 21/24 (87.5%) - tense_base64/hate_unfairness in 37.3s
   Est. remaining: 0.6 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_base64_violence_d29dcd34-1f56-4772-9fdd-874dcf6a118d.json".

✅ Completed task 22/24 (91.7%) - tense_base64/violence in 37.3s
   Est. remaining: 0.4 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_base64_sexual_22d99b0b-b2e1-4651-a0a6-d13cef016e6e.json".

✅ Completed task 23/24 (95.8%) - tense_base64/sexual in 37.3s
   Est. remaining: 0.2 minutes


Scanning: 100%|████████████████████████████████| 24/24 [04:08<00:00, 10.36s/scan, current=batch 5/5]


Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\tense_base64_self_harm_b9b5fc0f-d712-44ed-8915-224dd0eac571.json".

✅ Completed task 24/24 (100.0%) - tense_base64/self_harm in 43.0s
   Est. remaining: 0.0 minutes
Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\Custom-Prompt-Scan.json".

Evaluation results saved to "C:\Users\hifazhassan\workspace\agents\agents-explore-2025\red_teaming_agent\.scan_Custom-Prompt-Scan_20250917_121013\final_results.json".

Overall ASR: 0.0%
Attack Success: 0/24 attacks were successful
------------------------------------------------------------------------------------------------------------------------------------
Risk Category     | Baseline ASR   | Easy-Complexity Attacks ASR  | Moderate-Complexity Attacks ASR | Difficult-Complexity Attacks ASR
----------------------------------------------------------

## Conclusion

In this notebook, we've demonstrated how to use the Azure AI Evaluation SDK's `RedTeam` functionality to assess the safety and resilience of AI systems. We started with a basic fixed-response example and then moved to a more realistic model testing across multiple risk categories and attack strategies.

The automated AI red teaming scans provides valuable insights into:

1. **Overall Attack Success Rate (ASR)** - The percentage of attacks that successfully elicit harmful content
2. **Vulnerability by Risk Category** - Which types of harmful content your model is most vulnerable to
3. **Effectiveness of Attack Strategies** - Which attack techniques are most successful against your model
4. **Impact of Complexity** - How more sophisticated attacks affect your model's safety guardrails

By regularly red-teaming your AI applications, you can identify and address potential vulnerabilities before deploying your models to production environments.

### Next Steps

1. **Mitigation**: Use these results to strengthen your model's guardrails against identified attack vectors
2. **Continuous Testing**: Implement regular red team evaluations as part of your development lifecycle
3. **Custom Strategies**: Develop custom attack strategies for your specific use cases and domain
4. **Safety Layers**: Consider adding additional safety layers like Azure AI Content Safety to filter harmful requests and responses 