Lilly Tech Systems
AI Pentest Methodology Beginner
A structured methodology ensures comprehensive coverage and repeatable results. This lesson presents a six-phase AI penetration testing methodology that extends traditional pentest frameworks with AI-specific reconnaissance, testing, and reporting techniques.
The Six-Phase AI Pentest Methodology
-
Phase 1: Scoping and Planning
Define the engagement scope, rules of engagement, access levels, and success criteria. Identify which AI components are in scope and what testing is permitted.
-
Phase 2: Reconnaissance
Gather information about the AI system: model type, framework, API endpoints, input/output formats, training data sources, and deployment architecture.
-
Phase 3: Threat Enumeration
Map potential attack vectors using threat models (STRIDE, OWASP ML Top 10) and prioritize based on the specific system under test.
-
Phase 4: Testing and Exploitation
Execute attacks against each identified vector: adversarial inputs, model extraction, data leakage probes, API fuzzing, and infrastructure testing.
-
Phase 5: Analysis and Validation
Validate findings, assess real-world impact, eliminate false positives, and determine the exploitability of each vulnerability.
-
Phase 6: Reporting
Document all findings with evidence, risk ratings, and actionable remediation recommendations. Present results to technical and executive audiences.
AI-Specific Reconnaissance
Beyond standard network and application reconnaissance, AI pentesting requires gathering ML-specific intelligence:
| Information | Method | Value |
|---|---|---|
| Model type | API probing, documentation review, error messages | Determines which attack techniques are applicable |
| Input format | API documentation, schema discovery, trial and error | Required for crafting adversarial inputs |
| Output format | Query the API with various inputs | Confidence scores enable model extraction and boundary mapping |
| Framework | Error messages, HTTP headers, dependency analysis | Framework-specific vulnerabilities (CVEs in TensorFlow, PyTorch) |
| Rate limits | Systematic testing of query rates | Determines feasibility of extraction and brute-force attacks |
import requests import json def recon_ai_api(base_url, sample_input): """Basic reconnaissance of an AI API endpoint.""" # Test the endpoint response = requests.post( f"{base_url}/predict", json={"input": sample_input} ) recon_data = { "status_code": response.status_code, "headers": dict(response.headers), "response_format": response.json(), "has_confidence": "confidence" in response.text, "has_probabilities": "probabilities" in response.text, } # Test error handling (may reveal framework info) error_resp = requests.post( f"{base_url}/predict", json={"input": "invalid_data_type"} ) recon_data["error_info"] = error_resp.text return recon_data
Test Planning Matrix
Map each AI component to the relevant test categories:
ENGAGEMENT: [Client Name] AI Security Assessment DATES: [Start] - [End] TESTER: [Name] TEST MATRIX: Component | Black | White | Tests Planned -------------------|-------|-------|--------------------- Classification API | Yes | No | Evasion, Extraction Training Pipeline | No | Yes | Poisoning, Tampering Model Registry | Yes | No | Access Control, Supply Chain LLM Chatbot | Yes | No | Prompt Injection, Jailbreak Feature Store | No | Yes | Data Integrity, Access RULES OF ENGAGEMENT: - Maximum 10,000 API queries per day - No testing against production during business hours - Report critical findings immediately - No destructive testing on training data
Ready to Test Models?
Now that you have a structured methodology, the next lesson covers hands-on techniques for testing ML models for adversarial vulnerabilities, data leakage, and model extraction.
Next: Model Testing →