>
    Strata Copilot
    Targets
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. AI Red Teaming
    4. Identify AI System Risks with AI Red Teaming
    5. Get Started with Prisma AIRS AI Red Teaming
    6. Targets
    Download PDF
    Prisma AIRS

    Targets

    Table of Contents

    Targets

    Learn how to add a AI Red Teaming target in Prisma AIRS.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS (AI Red Teaming)
    • Prisma AIRS AI Red Teaming License
    • Prisma AIRS AI Red Teaming Deployment Profile
    Before running any scan, you need to add a Target that you want to test. Prisma AIRS AI Red Teaming supports REST, streaming APIs, and WebSocket as targets. If you are using a model hosted on Hugging Face or a model served by OpenAI there are pre-configured connection methods also available which will make it easier for you to configure your target. Each of these connection methods are described on this page.
    AI Red Teaming includes a dedicated x-airs-red-teaming-trace-id header in every outbound request. This header enables you to distinguish AI Red Teaming traffic, add rich context to observability and analytics, and make monitoring more accurate and scalable.

    Add a New Target

    Use Strata Cloud Manager to add a AI Red Teaming target.
    The connection method for a target endpoint varies based on the chosen method. For example, for a Databricks connection method, you'll specify additional configuration options like authentication method and connection details. Each connection method is described separately below.
    Creating a new target comprises the following:
    You can save your configuration changes without applying updates at any time using the Save for Later option. A temporary version of the target configuration appears in the list of available targets with the status appearing as Draft.
    1. Log in to Strata Cloud Manager.
    2. Navigate to AI SecurityAI Red TeamingTargets.
    3. Select + New Target.
      If target endpoints were previously configured, they'll show up as a list of available targets. You can edit these existing targets, or, remove them.
    4. In the Add a new target screen, first specify Target Details:
      1. In the Target Description section, include a Target Name (for example, OpenAI GPT 3.5 Turbo).
      2. Select the Target Type: Model, Application, or Agent.
        This screen displays when you select Agent as the target type.
        The on-screen message reminds you to choose Agent as your target only if your application needs autonomous decision-making capabilities and tool calling functionality. An Agent is designed for applications where the AI needs to independently determine which tools or functions to invoke, decide the sequence of actions, and adapt its approach based on results while working towards a defined objective. This configuration is appropriate when your use case goes beyond simple question-answering and requires the AI to actively interact with external APIs, databases, or services to complete multi-step tasks autonomously.
      3. Specify the Connection Method for connecting to the target endpoint. Supported connection methods include OpenAI, Hugging Face, Databricks, AWS Bedrock, and REST API or Streaming or WebSocket.
        Each of these connection methods are described below.
        Rest API, Streaming, and WebSocket are considered custom connection methods. For these connection methods, you'll need to determine if the endpoint is public or private. See Rest API or Streaming or WebSocket Connection Method below.
        The connection method for a target endpoint varies based on the chosen method. See the following sections for details for each connection method.

    Connection Methods

    Following are the different connection methods with which you can add a target.
    • Open AI and Hugging Face Connection Method
    • Databricks Connection Method
    • AWS Bedrock Connection Method
    • Rest API or Streaming or WebSocket Connection Method
    • (For Agent Only) Microsoft Copilot Studio Connection Method

    Open AI and Hugging Face Connection Method

    Use Open AI and Hugging Face connection method for adding targets.
    Use this information in this section to configure target endpoints for Open AI and Hugging Face.
    1. After specifying Target Details, set the Connection Method to Open AI or Hugging Face.
    2. Click Next: Add/Verify Parameters.
    3. In the Add/Verify Parameters page, you'll need to set the authentication mechanism and additional connection details:
      1. In the API Details section, enter the API key.
      2. Enter the API endpoint. For example, https://api.openai.com/v1/chat/completions.
      3. Specify Model Details.
        • Enter a Model name (for example, gpt 3.5 turbo).
        • Configure Model Streaming by enabling or disabling it.
    4. Select Next: Verify & Edit JSON.
    5. In the Verify & Edit JSON page, specify the JSON structure of the request.
    6. Click Next: Advanced Configurations.
      In the Advanced Configurations page you'll configure Rate Limits and set Guardrails/Content Filters.
    7. (Optional) Enable Rate Limits for applications on the target endpoint.
      1. Specify the Endpoint Rate Limit. This value represents the maximum number of allowed requests per minute for the specified endpoint.
      2. Specify the Endpoint Rate Limit Error Code. This field represents the error code your system uses for rate limiting violations.
      3. Provide a Sample Exception JSON.
    8. (Optional) Enable Guardrails/Content Filters. These fields are used for output guardrails or content filters applicable on the target endpoint.
      1. Specify the Error code for Guardrails or Content Filters. This field represents the error code your system uses when a response is prevented by filters or safeguards.
      2. Provide a Sample Exception JSON.
      3. Select
        .
        Only after a target is successfully validated, you can add target background information.
    9. Configure Target Background.
      Agentic Profiling in Red Teaming helps gather all relevant context about a target endpoint such as its business use case, background, key capabilities, technical architecture and other critical information. This is carried out by an autonomous agent probing the target endpoint with the right prompts. All information gathered through this exercise is presented as the Target's profile and is used downstream in AI Red Teaming Scans using the Agent.
      AI Red Teaming collects and organizes the Target background information about your target endpoint. Target background encompasses mandatory elements such as, industry classification, use case definition, and competitive landscape analysis, along with optional documentation uploads including company policy documents and other relevant materials.
      • Target background information is mandatory for AI applications and AI agents but optional for AI models, which may result in different levels of contextual analysis depending on your endpoint type.
      • Company policy documents and other relevant materials are limited to PDF format uploads only.
      Target profiling allows you to provide the required background information for the target.
      1. Add Industry information.
      2. Add Use Case, that is specific role of the target such as customer service or additional comments.
      3. (Optional) Select Add Competitor to add the list of Competitors.
    10. (Optional) Configure additional context related to target.
      Additional Context captures technical architecture details including base models, core architecture patterns such as single LLM implementations, LLM with RAG, tool-calling capabilities, or multi-agent systems, accessibility scope, supported languages, banned keywords, accessible tools for agents, and system prompt configurations that govern endpoint behavior.
      When conducting a thorough assessment of an AI agent or language model system, it's essential to gather detailed information across multiple dimensions.
      • Base Model—The underlying foundation model that powers the AI system. This represents the pre-trained language model at the core of the agent's intelligence. For example, GPT-4o, Claude 3.5 Sonnet, Claude 3 Opus, and Llama 3 / Llama 3.1.
      • Core Architecture—The structural implementation and design pattern of the AI agent system, determining how the base model is deployed and augmented. For example, Single LLM, LLM with RAG (Retrieval-Augmented Generation), LLM with Tool Calling / Function Calling, Multi-Agent System, and Hybrid Architectures.
      • System Prompt—The foundational instructions, persona definitions, and behavioral guidelines that govern the agent's responses and decision-making processes. For example, role definition, behavioral guidelines, and safety instructions.
      • Languages Supported—The complete set of natural languages the target system can understand, process, and generate responses in, including proficiency levels. For example, English, Spanish, French, and German.
      • Banned Keywords—Trigger words, phrases, or patterns that cause the target to refuse a response, activate safety filters, or modify behavior regardless of the prompt's actual intent or context. For example, self-harm, violence, illegal activity keywords.
      • Tools Accessible—The complete schema and specifications for all external functions, APIs, and capabilities available to the agent for extending its functionality beyond text generation.
      When you add a target, the target profiling process begins. Once a target is successfully added to your environment, AI Red Teaming continues background profiling to gather comprehensive details across all categories, ensuring your target profiles remain current and complete without requiring constant manual intervention.
      • If you attempt to start a scan while Agentic profiling is still in progress, you will need to either wait for completion or manually enter the required fields to proceed immediately.
      • The Target Profile view clearly highlights fields that were populated using AI (Agentic Profiling) so that users can edit it if it is not accurate or needs more nuance.
      • AI Red Teaming maintains awareness of your ongoing profiling activities, providing you with appropriate notifications when background discovery is in progress and offering you options to proceed with manual configuration or wait for automated completion, ensuring you can balance your immediate assessment needs with comprehensive contextual analysis for optimal security evaluation outcomes.
      When you access individual target profiles through the Target endpoint interface, you can view and modify all gathered context information, with clear distinctions between user-provided data and system-discovered information.
    11. Select Submit.
      Once the target is created you can start a scan, or view previously created targets:

    Databricks Connection Method

    Use Databricks connection method for adding targets.
    Databricks connection methods use the Databricks Connect client library for IDEs, the JDBC/ODBC drivers for BI tools like Excel, and, HTTP connections for connecting to external services (for example, IBM's Watsonx). When you use the Databricks connection method you set the authentication method and additional details about the connection.
    1. After specifying Target Details, set the Connection Method to Databricks.
    2. Select Next: Add/Verify Parameters.
    3. In the Add/Verify Parameters page, you'll need to set the authentication mechanism and additional connection details. In the Databricks Authentication Mechanism section, select the Authentication Type (either an Access Token, or a Service Principal):
      1. Select Access Token to authenticate using a personal Databricks access token.
      2. Enter an Access Token.
      3. Alternately, you can use a OAuth as the Authentication Type for the connection. In this scenario, you'll authenticate using service principals for programmatic access.
      4. For the OAuth authentication type, specify the Client ID and enter the corresponding Secret.
    4. In the Databricks Connection Details section:
      1. Specify the API Endpoint (for example, www.google.co.in).
      2. Enter a Model Name (for example, gpt-3.5-turbo).
    5. Click Next: Verify & Edit JSON.
    6. In the Verify & Edit JSON page, specify the JSON structure of the request.
    7. Click Next: Advanced Configurations.
      In the Advanced Configurations page you'll configure Rate Limits and set Guardrails/Content Filters.
    8. (Optional) Enable Rate Limits for applications on the target endpoint.
      1. Specify the Endpoint Rate Limit. This value represents the maximum number of allowed requests per minute for the specified endpoint.
      2. Specify the Endpoint Rate Limit Error Code. This field represents the error code your system uses for rate limiting violations.
      3. Provide a Sample Exception JSON.
    9. (Optional) Enable Guardrails/Content Filters. These fields are used for output guardrails or content filters applicable on the target endpoint.
      1. Specify the Error code for Guardrails or Content Filters. This field represents the error code your system uses when a response is prevented by filters or safeguards.
      2. Provide a Sample Exception JSON.
      3. Select
        .
        Only after a target is successfully validated, you can add target background information.
    10. Configure Target Background.
      Agentic Profiling in Red Teaming helps gather all relevant context about a target endpoint such as its business use case, background, key capabilities, technical architecture and other critical information. This is carried out by an autonomous agent probing the target endpoint with the right prompts. All information gathered through this exercise is presented as the Target's profile and is used downstream in AI Red Teaming Scans using the Agent.
      AI Red Teaming collects and organizes the Target background information about your target endpoint. Target background encompasses mandatory elements such as, industry classification, use case definition, and competitive landscape analysis, along with optional documentation uploads including company policy documents and other relevant materials.
      • Target background information is mandatory for AI applications and AI agents but optional for AI models, which may result in different levels of contextual analysis depending on your endpoint type.
      • Company policy documents and other relevant materials are limited to PDF format uploads only.
      Target profiling allows you to provide the required background information for the target.
      1. Add Industry information.
      2. Add Use Case, that is specific role of the target such as customer service or additional comments.
      3. (Optional) Select Add Competitor to add the list of Competitors.
    11. (Optional) Configure additional context related to target.
      Additional Context captures technical architecture details including base models, core architecture patterns such as single LLM implementations, LLM with RAG, tool-calling capabilities, or multi-agent systems, accessibility scope, supported languages, banned keywords, accessible tools for agents, and system prompt configurations that govern endpoint behavior.
      When conducting a thorough assessment of an AI agent or language model system, it's essential to gather detailed information across multiple dimensions.
      • Base Model—The underlying foundation model that powers the AI system. This represents the pre-trained language model at the core of the agent's intelligence. For example, GPT-4o, Claude 3.5 Sonnet, Claude 3 Opus, and Llama 3 / Llama 3.1.
      • Core Architecture—The structural implementation and design pattern of the AI agent system, determining how the base model is deployed and augmented. For example, Single LLM, LLM with RAG (Retrieval-Augmented Generation), LLM with Tool Calling / Function Calling, Multi-Agent System, and Hybrid Architectures.
      • System Prompt—The foundational instructions, persona definitions, and behavioral guidelines that govern the agent's responses and decision-making processes. For example, role definition, behavioral guidelines, and safety instructions.
      • Languages Supported—The complete set of natural languages the target system can understand, process, and generate responses in, including proficiency levels. For example, English, Spanish, French, and German.
      • Banned Keywords—Trigger words, phrases, or patterns that cause the target to refuse a response, activate safety filters, or modify behavior regardless of the prompt's actual intent or context. For example, self-harm, violence, illegal activity keywords.
      • Tools Accessible—The complete schema and specifications for all external functions, APIs, and capabilities available to the agent for extending its functionality beyond text generation.
      When you add a target, the target profiling process begins. Once a target is successfully added to your environment, AI Red Teaming continues background profiling to gather comprehensive details across all categories, ensuring your target profiles remain current and complete without requiring constant manual intervention.
      • If you attempt to start a scan while Agentic profiling is still in progress, you will need to either wait for completion or manually enter the required fields to proceed immediately.
      • The Target Profile view clearly highlights fields that were populated using AI (Agentic Profiling) so that users can edit it if it is not accurate or needs more nuance.
      • AI Red Teaming maintains awareness of your ongoing profiling activities, providing you with appropriate notifications when background discovery is in progress and offering you options to proceed with manual configuration or wait for automated completion, ensuring you can balance your immediate assessment needs with comprehensive contextual analysis for optimal security evaluation outcomes.
      When you access individual target profiles through the Target endpoint interface, you can view and modify all gathered context information, with clear distinctions between user-provided data and system-discovered information.
    12. Select Submit.
      Once the target is created you can start a scan, or view previously created targets:

    AWS Bedrock Connection Method

    Use AWS Bedrock connection method for adding targets.
    An AWS Bedrock connection method leverages the fully managed service provided by Amazon Web Services to facilitate the ability to build and scale generative AI applications. When you use the AWS Bedrock connection method you configure AWS authentication and model details.
    1. After specifying Target Details, set the Connection Method to AWS Bedrock.
    2. Select Next: Add/Verify Parameters.
    3. In the Add/Verify Parameters page, you'll need to set the authentication mechanism and additional connection details. In the AWS Authentication Details section:
      1. Specify the Region.
      2. Enter the IAM Access ID.
      3. Enter the IAM Access Secret.
      4. Optionally enter the Session Token.
    4. In the Model Details section:
      1. Enter a Model Name. For example, gpt 3.5 turbo.
      2. Enable or disable Model Streaming.
    5. Select Next: Verify & Edit JSON.
    6. In the Verify & Edit JSON page, specify the JSON structure of the request.
    7. Click Next: Advanced Configurations.
      In the Advanced Configurations page you'll configure Rate Limits and set Guardrails/Content Filters.
    8. (Optional) Enable Rate Limits for applications on the target endpoint.
      1. Specify the Endpoint Rate Limit. This value represents the maximum number of allowed requests per minute for the specified endpoint.
      2. Specify the Endpoint Rate Limit Error Code. This field represents the error code your system uses for rate limiting violations.
      3. Provide a Sample Exception JSON.
    9. (Optional) Enable Guardrails/Content Filters. These fields are used for output guardrails or content filters applicable on the target endpoint.
      1. Specify the Error code for Guardrails or Content Filters. This field represents the error code your system uses when a response is prevented by filters or safeguards.
      2. Provide a Sample Exception JSON.
      3. Select
        .
        Only after a target is successfully validated, you can add target background information.
    10. Configure Target Background.
      Agentic Profiling in Red Teaming helps gather all relevant context about a target endpoint such as its business use case, background, key capabilities, technical architecture and other critical information. This is carried out by an autonomous agent probing the target endpoint with the right prompts. All information gathered through this exercise is presented as the Target's profile and is used downstream in AI Red Teaming Scans using the Agent.
      AI Red Teaming collects and organizes the Target background information about your target endpoint. Target background encompasses mandatory elements such as, industry classification, use case definition, and competitive landscape analysis, along with optional documentation uploads including company policy documents and other relevant materials.
      • Target background information is mandatory for AI applications and AI agents but optional for AI models, which may result in different levels of contextual analysis depending on your endpoint type.
      • Company policy documents and other relevant materials are limited to PDF format uploads only.
      Target profiling allows you to provide the required background information for the target.
      1. Add Industry information.
      2. Add Use Case, that is specific role of the target such as customer service or additional comments.
      3. (Optional) Select Add Competitor to add the list of Competitors.
    11. (Optional) Configure additional context related to target.
      Additional Context captures technical architecture details including base models, core architecture patterns such as single LLM implementations, LLM with RAG, tool-calling capabilities, or multi-agent systems, accessibility scope, supported languages, banned keywords, accessible tools for agents, and system prompt configurations that govern endpoint behavior.
      When conducting a thorough assessment of an AI agent or language model system, it's essential to gather detailed information across multiple dimensions.
      • Base Model—The underlying foundation model that powers the AI system. This represents the pre-trained language model at the core of the agent's intelligence. For example, GPT-4o, Claude 3.5 Sonnet, Claude 3 Opus, and Llama 3 / Llama 3.1.
      • Core Architecture—The structural implementation and design pattern of the AI agent system, determining how the base model is deployed and augmented. For example, Single LLM, LLM with RAG (Retrieval-Augmented Generation), LLM with Tool Calling / Function Calling, Multi-Agent System, and Hybrid Architectures.
      • System Prompt—The foundational instructions, persona definitions, and behavioral guidelines that govern the agent's responses and decision-making processes. For example, role definition, behavioral guidelines, and safety instructions.
      • Languages Supported—The complete set of natural languages the target system can understand, process, and generate responses in, including proficiency levels. For example, English, Spanish, French, and German.
      • Banned Keywords—Trigger words, phrases, or patterns that cause the target to refuse a response, activate safety filters, or modify behavior regardless of the prompt's actual intent or context. For example, self-harm, violence, illegal activity keywords.
      • Tools Accessible—The complete schema and specifications for all external functions, APIs, and capabilities available to the agent for extending its functionality beyond text generation.
      When you add a target, the target profiling process begins. Once a target is successfully added to your environment, AI Red Teaming continues background profiling to gather comprehensive details across all categories, ensuring your target profiles remain current and complete without requiring constant manual intervention.
      • If you attempt to start a scan while Agentic profiling is still in progress, you will need to either wait for completion or manually enter the required fields to proceed immediately.
      • The Target Profile view clearly highlights fields that were populated using AI (Agentic Profiling) so that users can edit it if it is not accurate or needs more nuance.
      • AI Red Teaming maintains awareness of your ongoing profiling activities, providing you with appropriate notifications when background discovery is in progress and offering you options to proceed with manual configuration or wait for automated completion, ensuring you can balance your immediate assessment needs with comprehensive contextual analysis for optimal security evaluation outcomes.
      When you access individual target profiles through the Target endpoint interface, you can view and modify all gathered context information, with clear distinctions between user-provided data and system-discovered information.
    12. Select Submit.
      Once the target is created you can start a scan, or view previously created targets:

    REST API or Streaming or WebSocket Connection Method

    Use Rest API or Streaming or WebSocket connection method for adding targets.
    Use this information in this section to configure a custom method for connecting to the endpoint, either Rest API or Streaming or WebSocket.
    About Rest API and Streaming Connection Methods
    AI Red Teaming supports REST and streaming APIs as targets. If you are using a model hosted on Hugging Face or a model served by OpenAI there are pre-configured connection methods also available which will make it easier for you to configure your target.
    If you are adding a REST or streaming API endpoint, you need to select if it is a public endpoint that can be accessed over the internet or a private endpoint. If you are using a private endpoint, you can select either:
    • IP Allowlist—A static IP address is shown that will be used by AI Red Teaming to access your target. Make a note of this IP address as it will have to be allowed by your infrastructure or IT team to be able to access the Target.
    • Network Management—Private channels for endpoint connectivity.
    About WebSocket Connection Method
    WebSocket is a Beta feature. Please reach out to your Palo Alto Networks Account managers or TMEs for any assistance.
    AI Red Teaming supports WebSocket as a connection method for AI targets, enabling you to scan real-time, streaming, and full-duplex AI applications with the same automated AI Red Teaming capabilities available for REST API targets. The WebSocket connection method provides AI Red Teaming connectivity to AI applications that communicate exclusively over WebSocket protocols. This native integration eliminates the need to create custom wrapper APIs or proxy services to translate between REST API and WebSocket communications. WebSocket connection method is available for all AI Red Teaming target types: Models, Applications, and Agents.
    When you configure a WebSocket target in AI Red Teaming, you specify the WebSocket endpoint URL (ws:// or wss://), authentication credentials, and message format. For each attack prompt, AI Red Teaming initiates a new WebSocket connection to your target, sends the test prompt through the connection using your configured message format, receives and analyzes the response for security risks, then closes the connection. Scan results are aggregated and presented in the same dashboard alongside other target types.
    WebSocket does not support:
    • Support Sessions
    • Multi-Turn Configuration
    1. After specifying Target Details, set the Connection Method to Rest API or Streaming or WebSocket.
    2. Configure Endpoint Accessibility. This field indicates if your endpoint is Public or Private (secured within a private network).
      1. Select IP Allowlist. To establish a successful connection, certain IP addresses must be allowed by your firewall. These IP addresses are region-specific, so you should allow the specific IP addresses shown in the tooltip within your interface.
      2. Select Network Management to configure private channels for endpoint connectivity. If a network channel was previously configured, it appears as an option in a drop-down menu.
    3. (Rest API and Streaming connections only) Select Next: Choose Method. Use this page to select whether you want to import a cURL string, or enter the details manually.
      To configure the API request, you can use a cURL to import a sample request, or manually configure the request:
      • Using a cURL to import sample Request. The easiest method to import the request format is to use a cURL string that captures all the necessary headers for your request. Once you click next AI Red Teaming will extract all the necessary information from the cURL string.
      • Manually configure all headers. You can configure the API endpoint and all necessary headers by selecting the Manual Entry option.
      1. Configure the input request JSON based on the requirement of your application. Make sure the value where the user prompt is expected is replaced with {INPUT}. This is the value where AI Red Teaming will add its attack prompts and send to the target application.
        For example, if your cURL string is as follows:
        
curl \
-X POST \
-H "Authorization: <api_token>" \
-H "Content-Type: application/json" \
-d '{
    "messages": [
        {
            "role": "system",
            "content": "You are a helpful assistant."
        },
        {
            "role": "user",
            "content": "<prompt>"
        }
    ],
    "temperature": 0.7
}' \
https://<model_endpoint_url>
        Replace the <prompt> with {INPUT}.
        To accommodate testing with different system prompts and hyperparameters without modifying the original request, the following approach can be implemented:
        • Multiple Targets with Different System Prompts. When testing different system prompts on the same model, you can create multiple target configurations with identical settings except for the system prompt. This allows for direct comparison of the impact of different system prompts while keeping other variables constant.
        • Hyperparameter Testing. For testing other hyperparameters:
          1. Create separate target configurations for each set of hyperparameters you want to test.
          2. Keep all other settings identical across these targets, changing only the specific hyperparameter(s) you're evaluating.
    4. Select Next: Add/Verify Parameters.
      1. In the Add/Verify Parameters page, enter API Details. This URL represents the API endpoint. For example, https://api.openai.com/v1/chat/completions.
      2. (For WebSocket Connection Only) Enable Supports Streaming to allow WebSocket targets to send streamed responses (that complies with OpenAI standard of streaming over websocket connections).
      3. (For Manual Entry method only) (Rest API and Streaming connections only) Configure the Multi-Turn session parameters. The Multi-Turn session enables sophisticated AI Red Teaming scenarios by maintaining conversation context across multiple turns for LLM target types. Unlike single-turn attacks that send isolated prompts, multi-turn attacks simulate real-world conversational interactions, allowing security teams to test how LLMs handle context, memory, and state across multiple conversation turns. Configure Supports Sessions option to specify whether the API end point supports session management for maintaining conversation context.
        This Multi-Turn session supports two distinct operational modes: stateless mode and stateful mode.
        • To enable stateful mode where session IDs maintain context across requests with the API managing conversation history server-side, set Supports Sessions to Yes. When configured as Yes, you must edit the Multi-Turn Session Configuration settings in Verify & Edit JSON step.
        • To enable stateless mode where the full conversation history is sent with each request, set Supports Sessions to No. When configured as No, you must add the Multi-Turn Configuration settings in Verify & Edit JSON step.
      4. Next, determine if you want to enable HTTP Headers. Use this option to enter any custom HTTP headers required for connection or authentication. Once enabled, a list of configured HTTP Headers appears.
        You can delete an existing header, or, click Add New for a new HTTP header.
      5. (Optional) Configure authentication settings for AI Red Teaming when connecting to the target API during red teaming scans.
        AI Red Teaming supports multiple authentication methods to securely connect to target APIs during red teaming scans. When you configure a scan target, you can specify how AI Red Teaming authenticates with the target's API endpoint. The authentication method you choose depends on your target API's requirements and your organization's security policies.
        AI Red Teaming handles authentication credentials securely by storing sensitive values in Google Secret Manager, separate from configuration metadata. During scan execution, the system automatically injects authentication credentials into each API request, eliminating the need for manual credential management.
        For targets behind private networks, AI Red Teaming routes traffic through the Network Channel service. This applies to both target API requests and OAuth2 token requests.
        AI Red Teaming supports three authentication methods:
        • Using Headers—Uses static header-based authentication for APIs that accept long-lived credentials such as API keys or bearer tokens. You can configure the required authentication headers in the HTTP headers configuration outlined in step 3.
        • Using Payload—Credentials are included directly in the JSON request body alongside the prompt. Use this mode when your API expects username and password fields in the request payload rather than in HTTP headers. Include these credentials in the JSON request body on the step 5Verify & Edit JSON page.
        • OAuth 2.0—Use OAuth 2.0 client credentials flow for APIs that issue short-lived access tokens.
          For OAuth2-based authentication, AI Red Teaming automatically refreshes access tokens before they expire, ensuring uninterrupted scan execution without manual intervention.
          AI Red Teaming automatically manages the OAuth 2.0 token lifecycle:
          1. Token acquisition — Requests an access token from the OAuth 2.0 token endpoint using client credentials.
          2. Token caching — Stores the token in memory with a time-to-live (TTL) based on the configured expiry duration.
          3. Proactive refresh — Refreshes the token 5 minutes before expiry to prevent authentication failures during scans.
          4. Reactive refresh — If a request fails with an authentication error (HTTP 401 or 403), AI Red Teaming invalidates the cached token, requests a new one, and retries the request automatically.
          This ensures continuous scan execution without authentication interruptions.
          You can configure OAuth 2.0 parameters using one of two methods:
          • Import from cURL—Select Configure OAuth via cURL and paste a cURL command string to automatically populate the OAuth 2.0 configuration fields.
          • Manual configuration—Enter each OAuth 2.0 parameter individually. This method provides full control over the configuration and is suitable when you need to customize the token request format or when a cURL example is not available.
          OAuth 2.0 Configuration Parameters
          OAuth 2.0 Configuration ParametersDescription
          Token URL
          OAuth2 authorization server endpoint that issues access tokens. This is typically provided by your identity provider or API documentation.
          Examples:
          • Azure Entra ID: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
          • Databricks: https://{workspace}.cloud.databricks.com/oidc/v1/token
          Token Expiry (in minutes)Specifies how long the access token remains valid (in minutes). AI Red Teaming uses this value to calculate when to refresh the token. Most providers issue tokens with 60-minute validity, but you should configure this based on your provider's token lifetime.
          Token Request Headers
          OAuth2 token requests require specific headers parameters:
          HTTP headers sent when requesting a token. Common headers include:
          • Content-Type: application/x-www-form-urlencoded—Required by most OAuth2 providers per RFC 6749.
          • Authorization: Basic <credentials>—Some providers require client credentials in the header rather than the body.
          Token Request Body Parameters
          OAuth2 token requests require specific headers parameters:
          Form-encoded or JSON parameters sent in the token request. AI Red Teaming supports arbitrary nested JSON structures to accommodate different provider requirements. Common parameters include:
          • grant_type—OAuth2 grant type.
          • client_id—Application or service principal identifier.
          • client_secret—Application or service principal secret.
          • scope—Permissions requested for the access token.
          Token Response KeyAfter requesting a token, the OAuth2 provider returns a JSON response containing the access token. You configure Token Response Key, the JSON field path where the access token is located in the response.
          AI Red Teaming supports dot notation for nested fields.
          Example response:
          {
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "token_type": "Bearer",
  "expires_in": 3600
}
          For this response, the token response key is access_token.
          Inject Token as Header
          Once AI Red Teaming obtains an access token, it injects the token into requests sent to the target API. You configure:
          Header Name—The HTTP header where the token is injected. This is typically Authorization, but some APIs use custom headers like X-Access-Token or Proxy-Authorization.
          Header Value Template—A template string that defines how the token is formatted in the header. Use the {TOKEN} placeholder where the actual access token should be inserted.
          Common templates:
          • Bearer {TOKEN} — Standard OAuth2 bearer token format (most APIs).
          • {TOKEN} — Raw token without prefix.
          • Token {TOKEN} — Custom prefix.
          Example: If the template is Bearer {TOKEN} and the access token is abc123, AI Red Teaming injects the header Authorization: Bearer abc123.
          You must successfully configure authentication settings before proceeding to the next configuration steps.
        You can also integrate Azure Entra ID with the AI Red Teaming using the OAuth 2.0 client credentials authentication.
    5. In the Verify & Edit JSON page, configure the API Response.
      Specify the JSON structure of the request and response.
      The easiest way to configure the Response is to first get a sample response from your target and paste the entire JSON here. Then replace the LLM output with {RESPONSE}. This is the value that will be used to determine if the response was a successful attack or a failed attack. For example, if the response structure is as follows:
      
{
  "id": "",
  "object": "chat.completion",
  "created": 1732070187,
  "model": "meta-llama-3.1",
  "choices": [
    {
      "index": 0,
      "message": {
        "role": "assistant",
        "content": "It seems like you haven't provided any input yet. Could you please provide more context or information about what you need help with?"
      },
      "finish_reason": "stop",
      "logprobs": null
    }
  ]
}
      Paste the payload as it and replace the value for the key content with {RESPONSE}, like as follows:
      
{
  "id": "",
  "object": "chat.completion",
  "created": 1732070187,
  "model": "meta-llama-3.1",
  "choices": [
    {
      "index": 0,
      "message": { "role": "assistant", "content": "{RESPONSE}" },
      "finish_reason": "stop",
      "logprobs": null
    }
  ]
}
      (Optional) (Rest API and Streaming connections only) Multi-Turn Configuration
      (When Supports Sessions is configured as No) Configure the Multi-Turn Configuration parameters optionally. You can enable or disable Multi-Turn Configuration.
      Refer the relevant target API documentation to determine the appropriate roles for each specific target. Below are sample targets with their corresponding roles provided as examples.
      • For OpenAI target types, edit the Multi-Turn Configuration by setting the "assistant_role" field to "assistant" in the JSON configuration.
      • For Gemini target types, edit the Multi-Turn Configuration by setting the "assistant_role" field to "model" in the JSON configuration.
      (Optional) (Rest API and Streaming connections only) Multi-Turn Session Configuration
      (When Supports Sessions is configured as Yes) Configure the Multi-Turn Session Configuration optionally. This configuration enables AI Red Teaming capabilities for the target Interactions API endpoint with session management and streaming response support. You can enable or disable Multi-Turn Session Configuration.
      Refer the relevant target API documentation to determine the appropriate session fields for each specific target. Below are sample targets with their corresponding session fields provided as examples.
      The below example configuration is provided for Gemini and OpenAI target types.
      Multi-Turn Session ConfigurationDescription
      response_id_fieldThe unique identifier for the response.
      request_id_fieldThe ID of the previous interaction (if any).
    6. Click Next: Advanced Configurations.
      In the Advanced Configurations page you'll configure Rate Limits and set Guardrails/Content Filters.
      For WebSocket connections, only endpoint rate limiting can be configured. Rate limits and content guardrails error handling are not currently supported.
    7. (Optional) Enable Rate Limits for applications on the target endpoint.
      1. Specify the Endpoint Rate Limit. This value represents the maximum number of allowed requests per minute for the specified endpoint.
      2. (Rest API and Streaming Connection Method only) Specify the Endpoint Rate Limit Error Code. This field represents the error code your system uses for rate limiting violations.
      3. (Rest API and Streaming Connection Method only) Provide a Sample Exception JSON.
    8. (Optional) (Rest API and Streaming Connection Method only) Enable Guardrails/Content Filters. These fields are used for output guardrails or content filters applicable on the target endpoint.
      1. (Rest API and Streaming Connection Method only) Specify the Error code for Guardrails or Content Filters. This field represents the error code your system uses when a response is prevented by filters or safeguards.
      2. (Rest API and Streaming Connection Method only) Provide a Sample Exception JSON.
      3. Select
        .
        Only after a target is successfully validated, you can add target background information.
    9. Configure Target Background.
      Agentic Profiling in Red Teaming helps gather all relevant context about a target endpoint such as its business use case, background, key capabilities, technical architecture and other critical information. This is carried out by an autonomous agent probing the target endpoint with the right prompts. All information gathered through this exercise is presented as the Target's profile and is used downstream in AI Red Teaming Scans using the Agent.
      AI Red Teaming collects and organizes the Target background information about your target endpoint. Target background encompasses mandatory elements such as, industry classification, use case definition, and competitive landscape analysis, along with optional documentation uploads including company policy documents and other relevant materials.
      • Target background information is mandatory for AI applications and AI agents but optional for AI models, which may result in different levels of contextual analysis depending on your endpoint type.
      • Company policy documents and other relevant materials are limited to PDF format uploads only.
      Target profiling allows you to provide the required background information for the target.
      1. Add Industry information.
      2. Add Use Case, that is specific role of the target such as customer service or additional comments.
      3. (Optional) Select Add Competitor to add the list of Competitors.
    10. (Optional) Configure additional context related to target.
      Additional Context captures technical architecture details including base models, core architecture patterns such as single LLM implementations, LLM with RAG, tool-calling capabilities, or multi-agent systems, accessibility scope, supported languages, banned keywords, accessible tools for agents, and system prompt configurations that govern endpoint behavior.
      When conducting a thorough assessment of an AI agent or language model system, it's essential to gather detailed information across multiple dimensions.
      • Base Model—The underlying foundation model that powers the AI system. This represents the pre-trained language model at the core of the agent's intelligence. For example, GPT-4o, Claude 3.5 Sonnet, Claude 3 Opus, and Llama 3 / Llama 3.1.
      • Core Architecture—The structural implementation and design pattern of the AI agent system, determining how the base model is deployed and augmented. For example, Single LLM, LLM with RAG (Retrieval-Augmented Generation), LLM with Tool Calling / Function Calling, Multi-Agent System, and Hybrid Architectures.
      • System Prompt—The foundational instructions, persona definitions, and behavioral guidelines that govern the agent's responses and decision-making processes. For example, role definition, behavioral guidelines, and safety instructions.
      • Languages Supported—The complete set of natural languages the target system can understand, process, and generate responses in, including proficiency levels. For example, English, Spanish, French, and German.
      • Banned Keywords—Trigger words, phrases, or patterns that cause the target to refuse a response, activate safety filters, or modify behavior regardless of the prompt's actual intent or context. For example, self-harm, violence, illegal activity keywords.
      • Tools Accessible—The complete schema and specifications for all external functions, APIs, and capabilities available to the agent for extending its functionality beyond text generation.
      When you add a target, the target profiling process begins. Once a target is successfully added to your environment, AI Red Teaming continues background profiling to gather comprehensive details across all categories, ensuring your target profiles remain current and complete without requiring constant manual intervention.
      • If you attempt to start a scan while Agentic profiling is still in progress, you will need to either wait for completion or manually enter the required fields to proceed immediately.
      • The Target Profile view clearly highlights fields that were populated using AI (Agentic Profiling) so that users can edit it if it is not accurate or needs more nuance.
      • AI Red Teaming maintains awareness of your ongoing profiling activities, providing you with appropriate notifications when background discovery is in progress and offering you options to proceed with manual configuration or wait for automated completion, ensuring you can balance your immediate assessment needs with comprehensive contextual analysis for optimal security evaluation outcomes.
      When you access individual target profiles through the Target endpoint interface, you can view and modify all gathered context information, with clear distinctions between user-provided data and system-discovered information.
    11. Select Submit.
      Once the target is created you can start a scan, or view previously created targets:

    Microsoft Copilot Studio Connection Method (For Agent Only)

    This topic introduces Microsoft Copilot Studio agents and the components needed to configure red teaming assessments.
    Microsoft Copilot Studio is a low-code development platform that enables you to build conversational AI agents for your enterprise. These agents can interact with users through natural language, execute business workflows, and integrate with various Microsoft services and third-party applications. When you deploy Copilot Studio agents in your environment, they often have access to sensitive internal tools, data sources, and automation capabilities through Power Automate flows, making them potential targets for security vulnerabilities that require thorough assessment.
    When you configure a Microsoft Copilot Studio agent as a target in AI Red Teaming, the system establishes a native connection to your Copilot deployment through the Power Platform APIs. This connection enables the AI Red Teaming engine to interact with your agent in the same manner that end users would, sending conversational inputs and observing the agent's responses and tool invocations.
    When you connect to Microsoft Copilot Studio agents through AI Red Teaming, you must authenticate using delegated permissions as required by the Power Platform APIs. This authentication flow necessitates that you physically log in through Microsoft's login page to verify your identity and provide consent for the application to act on your behalf. Service-to-service authentication is not available for this integration, as support for this capability depends on Microsoft's own implementation roadmap and timeline for enabling application permissions in the Power Platform APIs. When adding a MS Copilot Studio agent as your target, you can use either No Authentication or Authenticate using Microsoft.
    Prerequisites
    Register your application in Microsoft Entra ID and configure Microsoft Copilot Studio authentication to enable AI Red Teaming to access and test protected resources.
    1. After specifying Target Details, set the Connection Method to Microsoft Copilot Studio.
    2. Get the Agent information.
      1. Login to https://copilotstudio.microsoft.com/.
      2. On the left panel, click on Agents.
      3. Search for your agent.
      4. Select your agent and then Settings.
      5. Navigate to AdvancedMetadata.
      6. Make a note of the Environment ID and Schema Name for future reference.
      7. Keep a record of the Tenant ID.
        The agent and application registration that you will create should be in the same tenant.
    3. Configure Endpoint Accessibility. This field indicates if your endpoint is Public or Private (secured within a private network).
    4. Select Add/Verify Parameters.
      Microsoft Copilot Studio agents currently utilize Power Platform APIs that exclusively support delegated permissions, requiring you to authenticate through Microsoft's login page to verify their identity and grant consent for the app to act on their behalf. Service-to-Service authentication is not currently supported and depends on Microsoft's future implementation roadmap.
      1. Configure Access Credentials.
        1. Client ID—The application identifier assigned to your registered application in Azure Active Directory. This ID uniquely identifies the AI Red Teaming application when it requests access to your Copilot Studio agent on your behalf. You obtain the Client ID when you register an application in the Azure Portal to enable API access.
        2. Secret—The confidential credential associated with your registered application that proves the application's identity during the authentication process. This secret works in combination with the Client ID to securely authenticate API requests to your Copilot Studio agent through the Power Platform APIs. You generate the Client Secret in the Azure Portal when configuring your application registration, and you should treat it as a password that must be kept secure.
        3. Tenant ID—The unique identifier for your Microsoft Azure Active Directory tenant. This ID specifies which organizational directory contains your Copilot Studio resources and determines the authentication boundary for accessing your agents. You can find your Tenant ID in the Azure Portal under Azure Active Directory properties.
      2. Add Agent Configuration.
        1. Schema Name—The unique identifier for your specific Copilot Studio agent within your Microsoft environment. This name corresponds to the schema name assigned to your copilot when it was created in Copilot Studio and is used to route API requests to the correct agent instance.
        2. Environment ID—The unique identifier for the Power Platform environment where your Copilot Studio agent is deployed. This ID specifies which organizational environment contains your copilot resources and ensures that Prisma AIRS connects to the correct deployment instance.
      Following message is displayed when the authentication is successful.
    5. Click Next: Advanced Configurations.
      In the Advanced Configurations page you'll configure Rate Limits and set Guardrails/Content Filters.
    6. (Optional) Enable Rate Limits for applications on the target endpoint.
      1. Specify the Endpoint Rate Limit. This value represents the maximum number of allowed requests per minute for the specified endpoint.
      2. Specify the Endpoint Rate Limit Error Code. This field represents the error code your system uses for rate limiting violations.
      3. Provide a Sample Exception JSON.
    7. (Optional) Enable Guardrails/Content Filters. These fields are used for output guardrails or content filters applicable on the target endpoint.
      1. Specify the Error code for Guardrails or Content Filters. This field represents the error code your system uses when a response is prevented by filters or safeguards.
      2. Provide a Sample Exception JSON.
      3. Select
        .
        Only after a target is successfully validated, you can add target background information.
    8. Configure Target Background.
      Agentic Profiling in Red Teaming helps gather all relevant context about a target endpoint such as its business use case, background, key capabilities, technical architecture and other critical information. This is carried out by an autonomous agent probing the target endpoint with the right prompts. All information gathered through this exercise is presented as the Target's profile and is used downstream in AI Red Teaming Scans using the Agent.
      AI Red Teaming collects and organizes the Target background information about your target endpoint. Target background encompasses mandatory elements such as, industry classification, use case definition, and competitive landscape analysis, along with optional documentation uploads including company policy documents and other relevant materials.
      • Target background information is mandatory for AI applications and AI agents but optional for AI models, which may result in different levels of contextual analysis depending on your endpoint type.
      • Company policy documents and other relevant materials are limited to PDF format uploads only.
      Target profiling allows you to provide the required background information for the target.
      1. Add Industry information.
      2. Add Use Case, that is specific role of the target such as customer service or additional comments.
      3. (Optional) Select Add Competitor to add the list of Competitors.
    9. (Optional) Configure additional context related to target.
      Additional Context captures technical architecture details including base models, core architecture patterns such as single LLM implementations, LLM with RAG, tool-calling capabilities, or multi-agent systems, accessibility scope, supported languages, banned keywords, accessible tools for agents, and system prompt configurations that govern endpoint behavior.
      When conducting a thorough assessment of an AI agent or language model system, it's essential to gather detailed information across multiple dimensions.
      • Base Model—The underlying foundation model that powers the AI system. This represents the pre-trained language model at the core of the agent's intelligence. For example, GPT-4o, Claude 3.5 Sonnet, Claude 3 Opus, and Llama 3 / Llama 3.1.
      • Core Architecture—The structural implementation and design pattern of the AI agent system, determining how the base model is deployed and augmented. For example, Single LLM, LLM with RAG (Retrieval-Augmented Generation), LLM with Tool Calling / Function Calling, Multi-Agent System, and Hybrid Architectures.
      • System Prompt—The foundational instructions, persona definitions, and behavioral guidelines that govern the agent's responses and decision-making processes. For example, role definition, behavioral guidelines, and safety instructions.
      • Languages Supported—The complete set of natural languages the target system can understand, process, and generate responses in, including proficiency levels. For example, English, Spanish, French, and German.
      • Banned Keywords—Trigger words, phrases, or patterns that cause the target to refuse a response, activate safety filters, or modify behavior regardless of the prompt's actual intent or context. For example, self-harm, violence, illegal activity keywords.
      • Tools Accessible—The complete schema and specifications for all external functions, APIs, and capabilities available to the agent for extending its functionality beyond text generation.
      When you add a target, the target profiling process begins. Once a target is successfully added to your environment, AI Red Teaming continues background profiling to gather comprehensive details across all categories, ensuring your target profiles remain current and complete without requiring constant manual intervention.
      • If you attempt to start a scan while Agentic profiling is still in progress, you will need to either wait for completion or manually enter the required fields to proceed immediately.
      • The Target Profile view clearly highlights fields that were populated using AI (Agentic Profiling) so that users can edit it if it is not accurate or needs more nuance.
      • AI Red Teaming maintains awareness of your ongoing profiling activities, providing you with appropriate notifications when background discovery is in progress and offering you options to proceed with manual configuration or wait for automated completion, ensuring you can balance your immediate assessment needs with comprehensive contextual analysis for optimal security evaluation outcomes.
      When you access individual target profiles through the Target endpoint interface, you can view and modify all gathered context information, with clear distinctions between user-provided data and system-discovered information.
    10. Select Submit.
      Once the target is created you can start a scan, or view previously created targets:

    © 2026 Palo Alto Networks, Inc. All rights reserved.