Initial commit: AI Security Testing Playbook

Adds full playbook with docs, checklists, attack patterns, labs, and CI/CD workflows for AI/LLM security testing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 2 people

.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: basic-ci
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  sanity:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check repository structure
+        run: |
+          test -f README.md
+          test -f LICENSE
+          test -f mkdocs.yml
+          test -f docs-requirements.txt
+          test -d playbooks
+          test -d checklists
+          test -d labs
+
+      - name: Python syntax check (labs)
+        run: |
+          python -m compileall labs

.github/workflows/pages.yml

@@ -0,0 +1,50 @@
+name: deploy-docs
+
+on:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+
+      - name: Install MkDocs
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r docs-requirements.txt
+
+      - name: Build site
+        run: mkdocs build --strict
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: site
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.gitignore

@@ -0,0 +1,9 @@
+__pycache__/
+*.pyc
+.venv/
+venv/
+.env
+.DS_Store
+.idea/
+.vscode/
+site/

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+# Code of Conduct
+
+Be respectful, inclusive, and constructive.
+Harassment or abusive behavior is not tolerated.
+Assume good intent and help improve the quality and safety of the content.

CONTRIBUTING.md

@@ -0,0 +1,17 @@
+# Contributing
+
+## What to contribute
+- New defensive test cases
+- Mitigation patterns
+- Checklists and review guides
+- Labs that run locally with synthetic data
+
+## How to contribute
+1) Fork + branch
+2) Keep content defensive and authorized-use focused
+3) Submit PR with a short description
+
+## Style
+- Use clear headings
+- Include "Expected outcome" in test cases
+- Avoid real-world exploit instructions

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,135 @@
+![](assets/banner.svg)
+
+# AI Security Testing Playbook
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+[![Contributions Welcome](https://img.shields.io/badge/Contributions-Welcome-blue.svg)](CONTRIBUTING.md)
+[![Security Policy](https://img.shields.io/badge/Security-Policy-orange.svg)](SECURITY.md)
+
+A practical, defensive playbook for **testing and securing LLM-powered apps** (chatbots, RAG systems, agentic tools, code assistants) in **authorized environments**.
+
+This repository focuses on:
+- **How to test** AI systems for common security failures
+- **What to log + measure**
+- **How to mitigate** issues with practical patterns
+- **Hands-on labs** you can run locally
+
+> ⚠️ Ethics & Scope: This repo is for security testing on systems you own or have explicit permission to test. See **[docs/scope-and-ethics.md](docs/scope-and-ethics.md)**.
+
+---
+
+## Quick links
+
+- **Playbooks** → [playbooks/](playbooks/)
+- **Checklists** → [checklists/](checklists/)
+- **Mitigation patterns** → [patterns/mitigation-patterns.md](patterns/mitigation-patterns.md)
+- **Local lab** → [labs/prompt-injection-toy-app/](labs/prompt-injection-toy-app/)
+- **Threat modeling** → [docs/threat-modeling.md](docs/threat-modeling.md)
+
+---
+
+## The Top 10 LLM App Security Risks (practical)
+
+1. **Prompt injection** (direct + indirect via docs)
+2. **Tool abuse** (unsafe actions, privilege misuse)
+3. **Tool-output injection** (model trusts tool output as instructions)
+4. **RAG overexposure** (retrieves sensitive docs / too-broad scope)
+5. **RAG poisoning** (malicious documents / source spoofing)
+6. **Sensitive data leakage** (system prompts, memory, logs)
+7. **Authz gaps** (model can access data the user shouldn’t)
+8. **Insecure AI-generated code** (weak crypto, injection, auth flaws)
+9. **Unsafe defaults in production** (no rate limits, no monitoring)
+10. **Evaluation blind spots** (no regression tests for security failures)
+
+Use the checklists here to systematically test each category.
+
+---
+
+## Reference architecture (where attacks happen)
+
+```text
+            Untrusted Inputs
+   (user, files, URLs, tool outputs)
+                  |
+                  v
+            +-------------+
+            |  LLM APP     |  <-- prompt assembly, policy, routing
+            +-------------+
+             |     |     |
+             |     |     +--> RAG (retrieval + docs)
+             |     +--------> Tools (APIs / actions)
+             +--------------> Response (user)
+```
+
+Key idea: **treat anything untrusted as data**, and strictly control how it reaches prompts and tools.
+
+---
+
+## What’s inside
+
+### Playbooks
+- Prompt Injection: [playbooks/prompt-injection.md](playbooks/prompt-injection.md)
+- Jailbreaks: [playbooks/jailbreaks.md](playbooks/jailbreaks.md)
+- Data Leakage: [playbooks/data-leakage.md](playbooks/data-leakage.md)
+- Tool / Agent Security: [playbooks/tool-use-security.md](playbooks/tool-use-security.md)
+- RAG Security: [playbooks/rag-security.md](playbooks/rag-security.md)
+- Code Generation Security: [playbooks/code-generation-security.md](playbooks/code-generation-security.md)
+- Incident Response: [playbooks/incident-response.md](playbooks/incident-response.md)
+
+### Checklists
+- AI Red Teaming Checklist: [checklists/ai-red-teaming-checklist.md](checklists/ai-red-teaming-checklist.md)
+- LLM App Security Review: [checklists/llm-app-security-review.md](checklists/llm-app-security-review.md)
+- Secure Prompting Review: [checklists/secure-prompting-review.md](checklists/secure-prompting-review.md)
+
+### Patterns & Metrics
+- Attack Taxonomy: [patterns/attack-taxonomy.md](patterns/attack-taxonomy.md)
+- Mitigation Patterns: [patterns/mitigation-patterns.md](patterns/mitigation-patterns.md)
+- Eval Metrics: [patterns/eval-metrics.md](patterns/eval-metrics.md)
+- Logging & Monitoring: [patterns/logging-and-monitoring.md](patterns/logging-and-monitoring.md)
+
+### Labs (local)
+- Prompt Injection Toy App: [labs/prompt-injection-toy-app/README.md](labs/prompt-injection-toy-app/README.md)
+- RAG Poisoning Simulator: [labs/rag-poisoning-simulator/README.md](labs/rag-poisoning-simulator/README.md)
+- Tool Output Injection Simulator: [labs/tool-output-injection-simulator/README.md](labs/tool-output-injection-simulator/README.md)
+
+---
+
+## Quickstart
+
+1) Read the guardrails:
+- [docs/scope-and-ethics.md](docs/scope-and-ethics.md)
+
+2) Run a lab locally:
+- [labs/prompt-injection-toy-app/README.md](labs/prompt-injection-toy-app/README.md)
+
+3) Use a checklist during reviews:
+- [checklists/llm-app-security-review.md](checklists/llm-app-security-review.md)
+
+---
+
+## Optional: GitHub Pages docs (MkDocs)
+This repo includes an **MkDocs** config so you can publish docs via GitHub Pages easily:
+- `mkdocs.yml`
+- `docs/index.md`
+
+To build locally:
+```bash
+pip install -r docs-requirements.txt
+mkdocs serve
+```
+
+---
+
+## Contributing
+PRs welcome. Please read:
+- [CONTRIBUTING.md](CONTRIBUTING.md)
+- [SECURITY.md](SECURITY.md)
+
+---
+
+## License
+MIT — see [LICENSE](LICENSE).
+
+
+## Prompt Injection Attack Examples
+See: examples/prompt-injection-attacks.md

SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+If you believe this repository contains content that could be misused or is too operational for wrongdoing:
+- Open an issue tagged "security"
+- Or propose a PR to reframe it as defensive-only
+
+We aim to keep this repository focused on authorized testing and mitigations.