
AI Red Team Scenario Design Capstone

Intermediate capstone LAB combining scenario design, authorized scope, control mapping, synthetic evidence, observed behavior, uncertainty handling, remediation planning, and executive-ready reporting into one reviewer-safe AI red-team portfolio artifact.

Status: Intermediate
Domain: AI Security
Track: AI Red Team Scenario Design
Runtime: Read-only capstone


Overview

This capstone is a reviewer-safe portfolio exercise. It asks the learner to combine one AI red-team scenario family with authorized scope, expected controls, synthetic evidence, observed behavior, uncertainty, risk explanation, and remediation guidance.

Scenario design · Control mapping · Evidence package · Executive-ready report

Concept Deep Dives

Work through each concept below when preparing the AI Red Team Scenario Design capstone artifact.

What is an AI red-team scenario design capstone?

The capstone is a complete reviewer-safe portfolio exercise. It combines scenario objective, authorized scope, expected controls, synthetic evidence, observed behavior, uncertainty, risk explanation, and remediation guidance.

How should the scenario family be selected?

The learner should select one scenario family from the track, such as prompt injection, tool abuse, retrieval poisoning, data exposure, agent loop and cost abuse, human approval bypass, or evidence capture. The selection should be justified by a clear control question.

How should control mapping be handled?

Control mapping should connect the scenario to the expected protection, such as refusal behavior, approval gates, tenant boundaries, source authority, least privilege, redaction, retry limits, or fail-closed behavior.

How should evidence remain reviewer-safe?

Evidence should be synthetic, scoped, bounded, non-sensitive, and reproducible. It should not include real customer data, secrets, credentials, exploit output, production screenshots, or reusable attack instructions.

How should uncertainty be included?

Uncertainty should explain what was simulated, what was assumed, what was not tested, and what the finding cannot prove. This prevents overclaiming and keeps the artifact audit-ready.

What makes the final report executive-ready?

An executive-ready report explains the scenario, expected control, observed behavior, risk, uncertainty, and remediation in clear language without operational attack details or unsupported compromise claims.

Visual Capstone Reporting Model

A strong capstone converts a selected AI red-team scenario into a clear, governed, evidence-backed report.

Scenario Family: Prompt injection, tool abuse, retrieval risk, data exposure, loop risk, or approval bypass
Authorized Scope: What is in bounds, out of bounds, synthetic, and explicitly prohibited
Scenario Objective: The control question the capstone is evaluating
Expected Control: The protection that should prevent or contain unsafe behavior
Synthetic Evidence: Safe artifact, simulated state, or bounded observation used for review
Observed Behavior: What happened, stated separately from conclusion
Risk and Uncertainty: Why the behavior matters and what remains unproven
Control-Mapped Remediation: Specific recommendation tied to the observed control gap
Executive-Ready Report: Reviewer-safe summary suitable for portfolio presentation
Learning rule: The capstone is complete only when it remains scoped, synthetic, reviewer-safe, honest about uncertainty, and free of live exploitation or production mutation.

Capstone Report Structure

Use this structure to produce a final reviewer-safe artifact that is clear enough for engineering review and polished enough for portfolio presentation.

Scenario Family: Which AI red-team scenario family was selected and why it matters.
Authorized Scope: What is allowed, what is prohibited, what is synthetic, and what is not tested.
Expected Control: The control that should prevent, contain, refuse, gate, or fail closed.
Observed Behavior: What the safe scenario review observed, without exaggeration or unsupported claims.
Risk and Uncertainty: Why the issue matters, what evidence supports it, and what remains unknown.
Remediation: Specific control improvement mapped directly to the observed behavior.

Executive-ready capstone report:

Scenario family:
[Selected AI red-team scenario family]

Authorized scope:
[In bounds, out of bounds, synthetic artifacts, and prohibited actions]

Scenario objective:
[What control question is being evaluated?]

Expected control:
[What should prevent, contain, refuse, gate, or fail closed?]

Synthetic evidence artifact:
[Safe artifact or simulated state used for review]

Observed behavior:
[What was observed, separated from conclusion]

Risk explanation:
[Why this matters to the system, workflow, or organization]

Uncertainty and limits:
[What was not tested or proven]

Control-mapped remediation:
[Specific recommendation tied to evidence]

Executive-ready summary:
[Short reviewer-safe conclusion without live compromise claims]
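As an added example (not part of this lab's materials), a small Python reviewer that parses a filled-in report in the template above and flags what a reviewer would send back: missing or empty sections, leftover bracket placeholders, credential-looking values, and unsupported compromise claims. The section list is taken from the template; the unsafe-content patterns and the sample report text are assumptions constructed for this example.

```python
import re
# Section headers of the capstone template on this page, in the expected order.
REQUIRED_SECTIONS = [
    "Scenario family", "Authorized scope", "Scenario objective", "Expected control",
    "Synthetic evidence artifact", "Observed behavior", "Risk explanation",
    "Uncertainty and limits", "Control-mapped remediation", "Executive-ready summary",
]
UNSAFE_PATTERNS = {  # assumed reviewer-unsafe content patterns; not from the page
    "unfilled placeholder": re.compile(r"\[[^\]]*\]"),
    "credential-like value": re.compile(r"(?i)\b(api[_-]?key|password|secret|token)\s*[:=]\s*\S+"),
    "unsupported compromise claim": re.compile(r"(?i)\b(fully compromised|breached production|owned)\b"),
}
def parse_report(text):
    """Split the text template into {section: body}; a bare 'Name:' line opens a section."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and stripped[:-1] in REQUIRED_SECTIONS:
            current = stripped[:-1]
        elif current is not None and stripped:
            sections.setdefault(current, []).append(stripped)
    return {name: " ".join(body) for name, body in sections.items()}

def review_report(text):
    """Return findings as strings; an empty list means the artifact passes every check."""
    sections, findings = parse_report(text), []
    for name in REQUIRED_SECTIONS:
        body = sections.get(name, "")
        if not body:
            findings.append(f"missing or empty section: {name}")
        else:
            findings += [f"{label} in '{name}'" for label, pat in UNSAFE_PATTERNS.items() if pat.search(body)]
    return findings

def render(fields):  # lay a {section: text} dict out in the page's 'Header:' / body template form
    return "\n".join(f"{name}:\n{fields[name]}\n" for name in REQUIRED_SECTIONS if name in fields)
# Constructed sample content for a safe report; not a real engagement or product.
SAFE_FIELDS = dict(zip(REQUIRED_SECTIONS, [
    "Prompt injection through retrieved documents.",
    "Synthetic document set only; no production systems, tools, or customer data.",
    "Does the assistant treat retrieved content as data rather than instructions?",
    "Source-authority check and refusal of embedded instructions.",
    "Simulated retrieval record containing an embedded instruction string.",
    "The assistant summarized the record and did not follow the embedded instruction.",
    "If the control failed, retrieved content could steer downstream tool use.",
    "One synthetic record and one model version were reviewed; nothing else is claimed.",
    "Keep source-authority labeling and add a regression case for this record.",
    "The expected control held in a bounded synthetic review; wider coverage is untested.",
]))
```

Running `review_report(render(SAFE_FIELDS))` returns an empty list; replacing a section with a leftover bracket placeholder or an overclaiming summary produces one finding per check that fails.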

High-Risk Anti-Pattern

A dangerous pattern is turning a portfolio capstone into a live red-team exercise, collecting sensitive evidence, or making unsupported compromise claims.

Unsafe pattern:

live exploit execution
→ prompt attack execution
→ real tool invocation
→ customer data exposure
→ credential or secret handling
→ sensitive screenshots
→ unsupported breach claims

Risk:

customer data exposure
credential leakage
unsafe portfolio artifact
policy violation
production side effects
misleading security claims
loss of reviewer trust

Secure alternative:

Use synthetic evidence artifacts.
Keep scope explicit.
Map expected controls.
Separate observation from conclusion.
Record uncertainty.
Recommend remediation.
Write an executive-ready non-execution report.

Governance Boundary

This LAB is read-only and deterministic. It teaches capstone reporting and reviewer-safe AI red-team reasoning only. It does not execute attacks, invoke tools, access customer data, collect secrets, mutate runtime systems, or claim production enforcement.

Runtime = read-only learning

Backend exposure = false
Public backend exposed = false
Live red-team execution = false
Live exploit execution = false
Prompt attack execution = false
Live tool invocation = false
Live API call execution = false
Sensitive evidence collection = false
Customer data access = false
Credential handling = false
Secret handling = false
Real sensitive data usage = false
Runtime mutation = false
Production enforcement claim = false