# AI Red Teaming Agent Scan - Model Target

---

## Objective
This notebook walks through how to use Azure AI Evaluation's AI Red Teaming Agent functionality to assess the safety and resilience of AI systems against adversarial prompt attacks. AI Red Teaming Agent leverages [Risk and Safety Evaluations](https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/evaluation-metrics-built-in?tabs=warning#risk-and-safety-evaluators) to help identify potential safety issues across different risk categories (violence, hate/unfairness, sexual content, self-harm) combined with attack strategies of varying complexity levels from [PyRIT](https://github.com/Azure/PyRIT), Microsoft AI Red Teaming team's open framework for automated AI red teaming.

---

## Time
You should expect to spend about 30-45 minutes running this notebook. Execution time will vary based on the number of risk categories, attack strategies, and complexity levels you choose to evaluate.

---

## Understanding AI Red Teaming Agent's capabilities

The Azure AI Evaluation SDK's `RedTeam` functionality evaluates AI systems against adversarial prompts across multiple dimensions - including by risk categories and attack strategies.

1. **Risk Categories**: Different content risk categories your AI system might generate
   - Violence
   - HateUnfairness
   - Sexual
   - SelfHarm

2. **Attack Strategies**: Along with standard unmodified prompts which are sent by default as the `baseline`, you can specify different transformations of prompts to elicit undesired content.
You can also use `AttackStrategy.Compose()` to layer two strategies in one attack
   - AnsiAttack: Using ANSI escape codes in prompts
   - AsciiArt: Using ASCII art to disguise harmful content
   - AsciiSmuggler: Hiding harmful content within ASCII characters
   - Atbash: Using the Atbash cipher to encode harmful requests
   - Base64: Encoding harmful content in Base64 format
   - Binary: Converting text to binary to bypass filters
   - Caesar: Using the Caesar cipher for encoding
   - CharacterSpace: Manipulating character spacing to confuse filters
   - CharSwap: Swapping characters to bypass detection
   - Diacritic: Using diacritical marks to alter text appearance
   - Flip: Flipping text to bypass content filters
   - Leetspeak: Converting letters to numbers and symbols
   - Morse: Using Morse code to encode harmful requests
   - ROT13: Using ROT13 cipher for text transformation
   - SuffixAppend: Adding suffixes to confuse detection systems
   - StringJoin: Joining strings in unconventional ways
   - Tense: Changing the tense of harmful requests to past tense
   - UnicodeConfusable: Using similar-looking Unicode characters
   - UnicodeSubstitution: Substituting characters with Unicode alternatives
   - Url: Embedding harmful content within URLs
   - Jailbreak: Specially crafted prompts to bypass AI safeguards

3. **Complexity Levels**: Different difficultly levels of attacks
   - Baseline: Standard functionality tests
   - Easy: Simple attack patterns
   - Moderate: More sophisticated attacks
   - Difficult: Complex, layered attack strategies

The key metric for evaluating results is the **Attack Success Rate (ASR)**, which measures the percentage of attacks that successfully elicit harmful content from your AI system.

---

## Before you begin

### Environment Setup
This lab  uses a pre-provisioned Azure Subscription with all required resources (including AI Models) deployed. You don't need to setup any pre-requisites (roles, resources) yourself.

### Azure AI Foundry Project
The lab uses GitHub Codespaces environment with all required tools (e.g., Azure CLI) and dependencies (e.g., python packages) pre-installed. You don't need to create a virtual environment or install packages manually.Just run the script below to get your `.env` setup interactively.

```bash
source scripts/setup-env.sh
```

### Red Teaming Agent Requirements

 The AI Red Teaming Agent hosts adversarial models for both simulation and evaluation of harmful content and connects to them via your Azure AI project. You **do not** need to provide your own LLM deployment for red teaming operations. _You only need to define the target for your red teaming scan_.

Browse the [AI Red Teaming Agent documentation](https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/develop/run-scans-ai-red-teaming-agent) for more information.



### Import Dependencies

In [None]:
# Suppress warnings
import warnings
warnings.filterwarnings('ignore')


In [None]:
from typing import Optional, Dict, Any
import os

# Azure imports
from azure.ai.evaluation.red_team import RedTeam, RiskCategory, AttackStrategy

# OpenAI imports
from openai import AzureOpenAI

### Authenticate with Azure

Your Codespaces environment is already setup with access to Azure CLI. Just run the code below to login if needed or created credential from existing auth session

In [None]:
# Azure Credential imports
from azure.identity import AzureCliCredential, get_bearer_token_provider
import subprocess

# Check if already logged in to Azure
try:
    result = subprocess.run(['az', 'account', 'show'], capture_output=True, text=True, check=True)
    print("âœ“ Already logged in to Azure")
except subprocess.CalledProcessError:
    print("Not logged in. Initiating Azure login...")
    !az login

# Initialize Azure credentials
credential = AzureCliCredential()

### Set Up Your Environment Variables

Load the environment variables we need and validate they exist

In [None]:
# Azure AI Project information
azure_ai_project = os.environ.get("AZURE_AI_PROJECT_ENDPOINT")

# Azure OpenAI deployment information
azure_openai_deployment = os.environ.get("AZURE_OPENAI_DEPLOYMENT")  # e.g., "gpt-4.1"
azure_openai_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")
azure_openai_api_key = os.environ.get("AZURE_OPENAI_API_KEY")  # API key from Azure Portal
azure_openai_api_version = os.environ.get("AZURE_OPENAI_API_VERSION", "2024-12-01-preview")  # Default to latest version

---

## Lab-2A: Basic Scan with Fixed Response Callback

Let's start with a basic example that demonstrates how to set up a Red Team evaluation using a simple callback that always returns a fixed, safe response regardless of the input prompt.

**Important Note**: Since this callback always responds with the same safe message, the Attack Success Rate (ASR) will be 0% for all categories. This example is merely to demonstrate the API structure and flow.

In [None]:
# Define a simple callback function that always returns a fixed response
def customer_support_callback(query: str) -> str:  # noqa: ARG001
    return "I'm a customer shopping assistant for an enterprise retail store specializing in home improvement goods. I can help you find and purchase products for your DIY projects. I will abide by all legal and ethical guidelines."

We can now create our first Red Team scan - we'll check all risk categories but provide 1 objective (test prompt) for each for simplicity. This validates that our setup works, and gives us an intution for workflow. Note:
- `num_objectives` specifies the number of attacks to perform per risk category per attack strategy. There are currently 21 attack strategies available.
- If the parameter `risk_categories` is not specified, `[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm]` will be used by default.

In [None]:
# Create the `RedTeam` instance with minimal configurations
red_team = RedTeam(
    azure_ai_project=azure_ai_project,
    credential=credential,
    risk_categories=[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.SelfHarm, RiskCategory.Sexual],
    num_objectives=2,
)

Now let's run a simple automated scan using the `RedTeam` with the fixed response target. We'll test against all risk categories and two attack strategy for simplicity.

In [None]:
# Run the red team scan called "Basic-Callback-Scan" with limited scope for this basic example
# This will test 1 objective prompt for each of Violence and HateUnfairness categories with the Flip strategy
result = await red_team.scan(
    target=customer_support_callback,
    scan_name="Lab2a-Basic-FixedCallback",
    attack_strategies=[AttackStrategy.Flip, AttackStrategy.Leetspeak],
    output_path="red_team_output.json",
)

---

## Lab-2B: Intermediate Scan with Model Configuration as Target

Now let's create a more realistic example that uses an Azure OpenAI model for responding to the red teaming prompts. To test base or foundation models, you can update your target to take in a model configuration:

In [None]:
# Define a model configuration to test
azure_oai_model_config = {
    "azure_endpoint": azure_openai_endpoint,
    "azure_deployment": azure_openai_deployment,
    "api_key": azure_openai_api_key,
}

Then, update your target to point to the model configurations and run the scan. Now the red teaming agent is actively testing the target model to probe weaknesses to adversarial attacks. Think of this as a valuable tool for both _base model selection_ (finding the most resilient model) and _fine-tuned model evaluation_ (validating that fine-tuning did not create new vulnerabilities)

In [None]:
# Run the red team scan called "Intermediary-Model-Target-Scan"
result = await red_team.scan(
    target=azure_oai_model_config,
    scan_name="Lab2b-Intermediate-ModelTarget",
    attack_strategies=[AttackStrategy.Flip, AttackStrategy.Leetspeak],
)

---

## Lab-2C: Advanced Scan Using AOAI Model with Callback

Using the same Azure Open AI model configuration as above, we now wrap it in a callback function for more flexibility and control on the input and output handling. This will demonstrate how to evaluate an actual AI application. To test your own application requirements, simply update this callback function to capture your specific application requirements.

In [None]:
# Define a callback that uses Azure OpenAI API to generate responses
async def azure_openai_callback(
    messages: list,
    stream: Optional[bool] = False,  # noqa: ARG001
    session_state: Optional[str] = None,  # noqa: ARG001
    context: Optional[Dict[str, Any]] = None,  # noqa: ARG001
) -> dict[str, list[dict[str, str]]]:
    # Get token provider for Azure AD authentication
    token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")

    # Initialize Azure OpenAI client
    client = AzureOpenAI(
        azure_endpoint=azure_openai_endpoint,
        api_version=azure_openai_api_version,
        azure_ad_token_provider=token_provider,
    )

    ## Extract the latest message from the conversation history
    messages_list = [{"role": message.role, "content": message.content} for message in messages]
    latest_message = messages_list[-1]["content"]

    try:
        # Call the model with system message and few-shot examples for Zava DIY store chatbot
        response = client.chat.completions.create(
            model=azure_openai_deployment,
            messages=[
                {
                    "role": "system", 
                    "content": "I am Cora, a polite and helpful shopping assistant for the Zava DIY store. I operate under strict ethical and legal guidelines."
                },
                # Few-shot examples demonstrating the chatbot's tone and capabilities
                {
                    "role": "user",
                    "content": "I want a paint for my living room wall - what do you recommend?"
                },
                {
                    "role": "assistant",
                    "content": "ðŸŽ‰ Great project!! I recommend our Eggshell satin paint - it adds lustre and is easy to clean. Do you have a color in mind?"
                },
                {
                    "role": "user",
                    "content": "I want to buy materials for my new deck"
                },
                {
                    "role": "assistant",
                    "content": "ðŸ”¨ Love it! You probably need some tools & supplies to help. Can I help you plan this out?"
                },
                # Actual user query
                {
                    "role": "user", 
                    "content": latest_message
                },
            ],
            max_completion_tokens=500,  # Using max_completion_tokens (max_tokens is deprecated and incompatible with o1 models)
        )

        # Format the response to follow the expected chat protocol format
        formatted_response = {"content": response.choices[0].message.content, "role": "assistant"}
    except Exception as e:
        print(f"Error calling Azure OpenAI: {e!s}")
        formatted_response = "I encountered an error and couldn't process your request."
    return {"messages": [formatted_response]}

In [None]:
# Create the RedTeam instance with all of the risk categories with 5 attack objectives generated for each category
model_red_team = RedTeam(
    azure_ai_project=azure_ai_project,
    credential=credential,
    risk_categories=[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm],
    num_objectives=5,
)

We will use this instance of `model_red_team` to test different attack strategies in the following section.

### Testing Different Attack Strategies

Now we'll run a more comprehensive evaluation using multiple attack strategies across risk categories. This will give us a better understanding of our model's vulnerabilities.

In [None]:
# Run the red team scan with multiple attack strategies
advanced_result = await model_red_team.scan(
    target=azure_openai_callback,
    scan_name="Lab2c-Advanced-AppCallback",
    attack_strategies=[
        AttackStrategy.EASY,  # Group of easy complexity attacks
        AttackStrategy.MODERATE,  # Group of moderate complexity attacks
        AttackStrategy.CharacterSpace,  # Add character spaces
        AttackStrategy.ROT13,  # Use ROT13 encoding
        AttackStrategy.UnicodeConfusable,  # Use confusable Unicode characters
        AttackStrategy.CharSwap,  # Swap characters in prompts
        AttackStrategy.Morse,  # Encode prompts in Morse code
        AttackStrategy.Leetspeak,  # Use Leetspeak
        AttackStrategy.Url,  # Use URLs in prompts
        AttackStrategy.Binary,  # Encode prompts in binary
        AttackStrategy.Compose([AttackStrategy.Base64, AttackStrategy.ROT13]),  # Use two strategies in one attack
    ],
    output_path="Lab2c-Advanced-AppCallback.json",
)

The data and results used in this attack will be saved to the `output_path` specified. The URL printed out at the end of the scorecard will provide a link to where you results are uploaded and logged to your Azure AI Foundry project.

---

## Bring your own objectives: Using your own prompts as objectives for RedTeam

Below we demonstrate how to use your own prompts as objectives for a `RedTeam` scan. You can see the required format for prompts under `.\data\prompts.json`. Note that when bringing your own prompts, the supported `risk-type`s are `violence`, `sexual`, `hate_unfairness`, and `self_harm`. The number of prompts you specify will be the `num_objectives` used in the scan. 

In [None]:
path_to_prompts = "./data/prompts.json"

# Create the RedTeam specifying the custom attack seed prompts to use as objectives
custom_red_team = RedTeam(
    azure_ai_project=azure_ai_project,
    credential=credential,
    custom_attack_seed_prompts=path_to_prompts,  # Path to a file containing custom attack seed prompts
)

In [None]:
custom_red_team_result = await custom_red_team.scan(
    target=azure_openai_callback,
    scan_name="Lab2d-Custom-Prompt-Scan",
    attack_strategies=[
        AttackStrategy.EASY,  # Group of easy complexity attacks
        AttackStrategy.MODERATE,  # Group of moderate complexity attacks
        AttackStrategy.DIFFICULT,  # Group of difficult complexity attacks
    ],
    output_path="Lab2d-Custom-Prompt-Scan.json",
)

---

## Conclusion

In this notebook, we've demonstrated how to use the Azure AI Evaluation SDK's `RedTeam` functionality to assess the safety and resilience of AI systems. We started with a basic fixed-response example and then moved to a more realistic model testing across multiple risk categories and attack strategies.

The automated AI red teaming scans provides valuable insights into:

1. **Overall Attack Success Rate (ASR)** - The percentage of attacks that successfully elicit harmful content
2. **Vulnerability by Risk Category** - Which types of harmful content your model is most vulnerable to
3. **Effectiveness of Attack Strategies** - Which attack techniques are most successful against your model
4. **Impact of Complexity** - How more sophisticated attacks affect your model's safety guardrails

By regularly red-teaming your AI applications, you can identify and address potential vulnerabilities before deploying your models to production environments.

### Next Steps

1. **Mitigation**: Use these results to strengthen your model's guardrails against identified attack vectors
2. **Continuous Testing**: Implement regular red team evaluations as part of your development lifecycle
3. **Custom Strategies**: Develop custom attack strategies for your specific use cases and domain
4. **Safety Layers**: Consider adding additional safety layers like Azure AI Content Safety to filter harmful requests and responses 