Skip to content
IronSOC/Research/Red-Teaming

Research

We attack the engine before attackers do.

Red-teaming at IronSOC serves detection. Campaigns run against customer AI surfaces and against our own triage engine — and every finding ends its life as a detection plus an eval case that gates every future release. Nothing retires into a report.

Two targets

Your AI surface. Our own engine.

Your AI surface

Campaigns against production agent systems: indirect prompt injection through documents and retrieved context, tool-call abuse, MCP scope drift, RAG poisoning, goal-hijack across multi-step plans. Mapped to MITRE ATLAS and the OWASP LLM Top 10 so coverage gaps are named, not vibes.

  • Every finding ships as a runtime detection, not a PDF
  • Findings become eval cases that gate future releases
  • Scoped in writing, production-safe payloads only

Our own engine

We attack the triage engine the same way an adversary would: adversarial alerts crafted to score benign, slow-roll campaigns designed to hide inside a learned baseline, injection text mutated to slip keyword extraction. Anything that gets through becomes a benchmark case.

  • Misses are added to AgentSOC-Bench permanently
  • The zero-miss operating point is re-derived after every addition
  • The 10% human audit trickle is the backstop we test against

The loop

Findings ship as detections, not PDFs.

01 · Hypothesize

Pick a technique the current detections should miss — from ATLAS, from incident data, or from a new model behavior.

02 · Campaign

Run it against the scoped surface with production-safe payloads and full logging on both sides.

03 · Finding

What landed, what was seen, what was missed — with the exact telemetry that should have caught it.

04 · Detection + eval case

The miss becomes a detection and a version-controlled eval case in the same change. CI blocks any future regression.

05 · Regression gate, forever

Once a technique is in the eval set it is tested on every release. Red-team findings do not expire into slide decks.

Rules of engagement

Scoped, disclosed, honest.

Read the disclosure policy
Posture
  • Engagements are scoped in writing before the first payload is sent. No surprise scope creep, no unscoped social engineering.
  • Findings against third-party products go through coordinated disclosure — see the security policy. Customer-specific findings stay private.
  • Because detection runs on a rotation of multiple LLMs, campaigns are run against each model in the rotation. A payload that fools one model and not another is exactly the signal the rotation exists to catch.
  • We publish methodology before logos. There are no invented engagement counts on this page, and there will not be.

Run as a sprint

Fixed scope. Fixed price. Two to four weeks.

This is how engagement with IronSOC starts: a red-team sprint against your production agent surface, scoped in one call and priced before signature. No platform install required. The detections and eval cases are yours to keep — and if the sprint earns it, they keep running under continuous AI defense.

Duration
2–4 weeks · scoped objectives
Pricing
Fixed, agreed before signature
Install
None required for the sprint
Output
Runtime detections + eval cases

See what the engine catches today

The proof page runs the real scorer against the benchmark — including the adversarial cases red-teaming has added.

Open the live proof