π° Originally published on Securityelites β AI Red Team Education β the canonical, fully-updated version of this article.
π€ AI/LLM HACKING COURSE
FREE
Part of the AI/LLM Hacking Course β 90 Days
Day 25 of 90 Β· 27.8% complete
The first AI security assessment report I delivered was technically thorough and practically useless. Fourteen findings, all individually correct, documented with Burp evidence and accurate CVSS scores. The clientβs head of engineering read the whole thing. His response: βOkay. So which of these should we fix first?β I hadnβt answered that question. Iβd given him a list. What he needed was a decision framework β what to fix, in what order, who was responsible, and what the impact was in terms his board would understand.
The second AI security assessment report I delivered told a story. It opened with three sentences describing what an attacker could do with the findings Iβd confirmed. Not βLLM06 excessive agency was identified across three endpointsβ β thatβs a finding description. βAny authenticated user of the platform can read and send emails from any other userβs account by uploading a specific type of document to the AI assistant.β Thatβs an impact statement. The technical detail followed, correctly and completely. But the executive who reads the first three sentences understands why this matters before they get to the CVSS scores. Day 25 covers the complete report writing methodology β from raw evidence to board-ready documentation.
π― What Youβll Master in Day 25 β AI Security Assessment Report Writing
Apply AI-specific CVSS scoring considerations for injection, RAG, agent, and auth findings
Structure chain findings that span multiple OWASP LLM categories at the correct combined severity
Build the minimum evidence package for each AI vulnerability class
Write executive summaries that communicate AI security risk without technical jargon
Produce remediation roadmaps ordered by priority, effort, and dependency
Generate a complete AI security report from the Days 20β24 engagement output
β±οΈ Day 25 Β· 3 exercises Β· Think Like Hacker + Kali Terminal + Browser ### β Prerequisites - Days 20β24 β Day 25 takes the engagement output from the five preceding days as its input; the report is built from that output - Basic CVSS 3.1 knowledge β understanding the six base metrics and how to calculate a base score from them - Python with jinja2 installed β Exercise 2 builds an automated report generator from evidence JSON files ### π AI Security Assessment Report Writing β Day 25 Contents 1. Finding Classification and Deduplication 2. AI-Specific CVSS Scoring Considerations 3. The Standard AI Finding Format 4. Documenting Chain Findings 5. Writing the Executive Summary 6. The Remediation Roadmap Days 20 through 24 produced the raw material: an endpoint inventory, authentication findings, injection results, RAG analysis, agent assessment output, and fingerprinting data. Day 25 turns that material into a professional report. Day 26 begins Phase 4 of the course β AI supply chain security in depth, covering model provenance, training data integrity, and the deployment pipeline attacks that Day 7 introduced at the OWASP overview level.
Finding Classification and Deduplication
Before writing a single finding, organise the raw evidence into the classification structure. Two common mistakes: reporting the same vulnerability on five endpoints as five separate Critical findings when itβs one systemic issue with five instances, and reporting chain components as individual findings when the chain severity is what matters for prioritisation.
The deduplication rule: if the same root cause produces the same vulnerability across multiple endpoints, report it as one finding with a βAffected Endpointsβ list rather than five separate findings. Separate findings for the same issue inflate finding counts, dilute the severity picture, and make remediation tracking harder. The client fixes the root cause once. The report should reflect that structure.
The chain identification rule: if finding A makes finding B more severe β if they share an attack path β consider whether they should be a chain finding. Authentication bypass + injection + agent tool access is a chain, not three separate findings. Reporting it as three findings understates the combined severity and misrepresents the prioritisation.
AI-Specific CVSS Scoring Considerations
Standard CVSS 3.1 applies to AI findings with some considerations specific to the AI attack surface. The most significant: Scope and Persistence.
Scope (S:U vs S:C) in AI findings: Scope is Changed when the impact crosses beyond the vulnerable componentβs security boundary. For agent tool hijacking β where the attack crosses from the conversation into an external email system, file system, or API β Scope is Changed regardless of whether the agent is operating with user-level or elevated permissions. For RAG injection affecting all users β where the impact crosses from the attackerβs session into other usersβ sessions β Scope is Changed. For pure conversation injection without external system impact, Scope is Unchanged. Getting this right significantly affects the base score.
AI-SPECIFIC CVSS SCORING GUIDECopy
LLM01 Prompt Injection β direct, text output only
AV:N AC:L PR:L UI:N S:U C:L I:L A:N = 5.4 Medium
Note: S:U because impact stays within conversation context
LLM07 System Prompt Extraction β credentials found
AV:N AC:L PR:L UI:N S:U C:H I:N A:N = 6.5 Medium
Escalate to Critical if extracted credential gives DB/API access
π Read the complete guide on Securityelites β AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites β AI Red Team Education β
This article was originally written and published by the Securityelites β AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites β AI Red Team Education.

Top comments (0)