Manage Red Teaming via Mend CLI

Overview

The Mend CLI allows users to manage AI red-teaming by configuring targets and testing them programmatically, enabling seamless integration into automation and CI/CD workflows.

The fundamental functions of Mend AI’s red-teaming solution are available:

  • Download and manage target configurations

  • Create and update AI testing targets

  • Trigger security test runs

  • Monitor test execution status

  • Retrieve and export test results

  • Full CI/CD integration support

Organizations can utilize the Mend CLI to execute each function using a designated CLI command, negating the requirement to log into the Mend AppSec Platform UI for such operations.

  • Automation-First: Eliminate manual UI interactions

  • CI/CD Integration: Native support for automated pipelines

  • Version Control: Configuration files can be tracked in Git

  • Reproducible Testing: Consistent test execution across environments

Prerequisites

Note: The use of the service indicated under this page is subject to the terms and conditions set forth under our AI Supplemental Terms-of-Service.

Mend CLI

  • Download the Mend CLI, as explained here.

  • Once the CLI is available on the relevant machine, you can start using it. To use the Mend CLI, the user is required to authenticate, as explained here.

System Requirements

  • Operating System: Linux, macOS, or Windows

  • Authentication: Valid Mend Platform credentials

  • Network: Access to Mend Red-Teaming API endpoint

Using Mend CLI for Red-Teaming

Authentication Setup

Step 1: Login to Mend Platform

mend auth login

This command will:

  1. Open your browser to the Mend Platform login page

  2. Prompt you to authenticate

  3. Store the authentication token locally

Step 2: Configure Organization Scope

Set your default organization, application, and project:

# Set via environment variables (recommended for CI/CD)
export MEND_ORGANIZATION="your-org-uuid"
export MEND_APPLICATION="your-app-uuid"
export MEND_PROJECT="your-project-uuid"

Or provide --scope parameters with each command using:

  • -o, --organization <uuid> - Organization UUID

  • -a, --application <uuid> - Application UUID

  • -p, --project <uuid> - Project UUID

Parameter

Description

Mend CLI Default Behavior

Command Line: -s, --scope
Environment Variable: N/A

Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Application.

The supported formats are:

  • Full hierarchy: -s "ORG//APP//PROJ"

  • Partial hierarchy: -s "APP//PROJ"

  • Single hierarchy: -s "PROJ"

Examples of --scope configuration:

  • Application-Project scope with single quotes:

    mend ai redteam -s 'MyApp//MyProj'
    
  • Org-Application-Project scope with double quotes:

    mend ai redteam -s "My Org//My App//My Proj"
    

The wild card character “*” can be used for any of the hierarchy levels. The default Mend CLI behavior will be used for any “*”.

  • Product-Project scope using “*”:

mend ai redteam -s '*//MyProj'

“CLI” will be the product used or created in place of the “*”.

  • Org-Product-Project scope using “*”:

mend ai redteam -s "*//My Prod//*"

For the first “*”, the organization currently logged into via the mend auth login setup is used. For the second “*”, the project is created and named after either:

  • The folder specified in the --dir command.

  • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

Notes:

  • Make sure to set the --scope value within either single or double quotes ('My Project' or "My Project").

  • You can set the Org scope to any Mend organization that the currently signed-in user (via mend auth login) has access to.

  • If you set an application or project name in --scope that does not exist in the organization prior to the run, it will be created in the Mend Application after the Mend CLI completes the scan if you have the necessary permissions/role.

Within the Mend Platform, scans are tiered under an organization → application → project hierarchy.

If --scope is not set, the scan results will be sent and categorized within the Mend Platform as follows:

  • The organization currently logged into from the mend auth login command setup.

Tip: Use the Mend CLI mend auth info command to see what organization you are connected to.

  • An application will be created and named “CLI”.

  • A project will be created and named after either:

    • The folder specified in the --dir command.

    • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

Step 3: Verify Authentication

mend ai redteam --help

If authenticated successfully, you'll see the Red-Teaming command options.

Red-Teaming Commands

All red-teaming commands follow the pattern:

mend ai redteam <command> [options]

Download Target Configuration

download - Download an existing target's configuration from Mend AppSec Platform to a local YAML file.

Syntax
mend ai redteam download \
  --target-name <name> \
  --file <output.yaml> \
  [-o <org-uuid>] \
  [-a <app-uuid>] \
  [-p <project-uuid>] \
  [-v]
Parameters

Note: For the full list of parameters, run mend ai redteam download --help

| Parameter | Required | Description |
| --- | --- | --- |
| -n, --target-name <name> | Yes* | Name of the target to download |
| -t, --target-id <uuid> | Yes* | UUID of the target to download |
| -f, --file <path> | Yes | Output file path for configuration YAML |
| -v, --verbose | No | Show detailed logging |
| -o, --organization <uuid> | No | Organization UUID (or use env var) |
| -a, --application <uuid> | No | Application UUID (or use env var) |
| -p, --project <uuid> | No | Project UUID (or use env var) |

*Either --target-name OR --target-id must be provided

Example
# Download by target name
mend ai redteam download \
  --target-name "Insurance Chatbot - Production" \
  --file insurance-chatbot-config.yaml
# Download by target ID with verbose output
mend ai redteam download \
  --target-id "f21b9c82-9f52-4659-98a1-6f86ed041d0a" \
  --file config.yaml \
  --verbose
Output
Configuration saved to: insurance-chatbot-config.yaml

The downloaded file will be in YAML format and contain:

  • Target connection configuration (e.g., REST API)

  • Target settings (name, description, environment)

  • Enabled probes and their configurations

Request an Adversary Simulation Scan

run - Request an adversary simulation scan for a target. Results are printed automatically when the scan completes; no manual result fetching is required.

Note:

  • Users are blocked from performing additional operations while the scan is in progress.

  • A scan can only be aborted via the UI.

Flow
  • Executes the scan.

  • Tracks and displays progress using a progress bar.

    • Additional commands/operations will be blocked until the scan is completed/aborted.

  • Prints scan results upon completion.

Syntax
mend ai redteam run [options]
Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| -c, --config <path> | No | Path to configuration file (uses target's latest config if omitted) |
| -t, --target-id <uuid> OR -n, --target-name <name> | Yes | Target ID in the application OR Target name (creates if not found) |
| --no-progress-bar | No | Do not show progress bar |
| -v, --verbose | No | Show debug logs |
| -h, --help | No | Display help for command |
| -w, --wait <seconds> | No | How long to wait for results (0 = indefinitely) (default: "0") |

Example
mend ai redteam run --scope "TestOrg//TestApp//TestProject" --target-name 'Bedrock target (claude-sonnet-3)'

Scan queued successfully!

Job ID     : ********-****-****-****-************
Target ID  : ********-****-****-****-************
Status     : QUEUED

Progress: [████████████████████████░░░░░░] 80% (48/60)

Create or Update Target

target-apply - Create a new target or update an existing target's configuration from a YAML file.

Syntax
mend ai redteam target-apply \
  --config <config.yaml> \
  --target-name <name> \
  [--secret <secret>] \
  [-o <org-uuid>] \
  [-a <app-uuid>] \
  [-p <project-uuid>] \
  [-v]
Parameters

Note: For the full list of parameters, run mend ai redteam target-apply --help

| Parameter | Required | Description |
| --- | --- | --- |
| -c, --config <path> | Yes | Path to configuration YAML file |
| -n, --target-name <name> | Yes* | Target name (creates if doesn't exist, updates if exists) |
| -t, --target-id <uuid> | Yes* | Target UUID (for updating existing target) |
| --secret <value> | No | Override API key/secret in YAML config |
| -v, --verbose | No | Show detailed logging |
| -o, --organization <uuid> | No | Organization UUID (or use env var) |
| -a, --application <uuid> | No | Application UUID (or use env var) |
| -p, --project <uuid> | No | Project UUID (or use env var) |

*Either --target-name OR --target-id must be provided

Example
# Create new target or update existing by name
mend ai redteam target-apply \
  --config insurance-chatbot-config.yaml \
  --target-name "Insurance Chatbot - Production"
# Update existing target with secret override
mend ai redteam target-apply \
  --config config.yaml \
  --target-name "My API Target" \
  --secret "${API_SECRET}"
Output
✓ Target configuration applied successfully
Target ID: f21b9c82-9f52-4659-98a1-6f86ed041d0a
Target Name: Insurance Chatbot - Production
Important Notes

Configuration Versioning: Every time target-apply is called, the latest configuration wins. Subsequent test runs will use the new settings.

Best Practice for CI/CD:

# Always apply configuration immediately before running tests
# to ensure consistency
mend ai redteam target-apply --config config.yaml --target-name "My Target"
mend ai redteam target-run --target-name "My Target"

Trigger Test Run

target-run - Trigger a security test run against an existing target using its saved configuration.

Note: A test run can only be aborted via the UI.

Syntax
mend ai redteam target-run \
  --target-name <name> \
  [-o <org-uuid>] \
  [-a <app-uuid>] \
  [-p <project-uuid>] \
  [-v]
Parameters

Note: For the full list of parameters, run mend ai redteam target-run --help

| Parameter | Required | Description |
| --- | --- | --- |
| -n, --target-name <name> | Yes* | Name of target to test |
| -t, --target-id <uuid> | Yes* | UUID of target to test |
| -v, --verbose | No | Show detailed logging |
| -o, --organization <uuid> | No | Organization UUID (or use env var) |
| -a, --application <uuid> | No | Application UUID (or use env var) |
| -p, --project <uuid> | No | Project UUID (or use env var) |

*Either --target-name OR --target-id must be provided

Example
# Trigger test run by target name
mend ai redteam target-run \
  --target-name "Insurance Chatbot - Production"
# Trigger test run by target ID
mend ai redteam target-run \
  --target-id "f21b9c82-9f52-4659-98a1-6f86ed041d0a" \
  --verbose
Output
Scan queued successfully!
Job ID     : a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9
Target ID  : f21b9c82-9f52-4659-98a1-6f86ed041d0a
Status     : QUEUED

Important: Save the Job ID - you'll need it to check status and retrieve results.

Check Test Run Status

get-status - Retrieve the current status of a running or completed test run.

Syntax
mend ai redteam get-status \
  --job-id <job-uuid> \
  [--wait <time>] \
  [-o <org-uuid>] \
  [-a <app-uuid>] \
  [-p <project-uuid>] \
  [-v]
Parameters

Note: For the full list of parameters, run mend ai redteam get-status --help

| Parameter | Required | Description |
| --- | --- | --- |
| --job-id <uuid> | Yes | Job ID returned from target-run |
| --target-id / --target-name | Yes | Target identifier (ID or name) |
| --wait <time> | No | Wait for completion (e.g., 5m, 30s, 0 for indefinite) |
| -v, --verbose | No | Show detailed logging |
| -o, --organization <uuid> | No | Organization UUID (or use env var) |
| -a, --application <uuid> | No | Application UUID (or use env var) |
| -p, --project <uuid> | No | Project UUID (or use env var) |

Status Values
  • QUEUED - Test run is queued for execution

  • RUNNING - Test run is currently executing

  • COMPLETED - Test run finished successfully

  • FAILED - Test run failed

Example
# Check status once
mend ai redteam get-status \
  --job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9"
# Wait up to 10 minutes for completion
mend ai redteam get-status \
  --job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
  --wait 10m
# Wait indefinitely until completion
mend ai redteam get-status \
  --job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
  --wait 0
Output
Status: RUNNING
Progress: 45% (13/30 tests completed)
Elapsed Time: 2m 34s

Or when complete:

Status: COMPLETED
Total Tests: 30
Passed: 28
Failed: 2
Duration: 5m 12s

Retrieve Test Results

get-results - Retrieve detailed test results for a completed test run.

Syntax
mend ai redteam get-results \
  --job-id <job-uuid> \
  [--format <json|csv>] \
  [--output <file>] \
  [-o <org-uuid>] \
  [-a <app-uuid>] \
  [-p <project-uuid>] \
  [-v]
Parameters

Note: For the full list of parameters, run mend ai redteam get-results --help

| Parameter | Required | Description |
| --- | --- | --- |
| --job-id <uuid> | Yes | Job ID from completed test run |
| --target-id / --target-name | Yes | Target identifier (ID or name) |
| --format <json\|csv> | No | Output format (default: json) |
| --output <path> | No | Save to file instead of stdout |
| -v, --verbose | No | Show detailed logging |
| -o, --organization <uuid> | No | Organization UUID (or use env var) |
| -a, --application <uuid> | No | Application UUID (or use env var) |
| -p, --project <uuid> | No | Project UUID (or use env var) |

Example
# Print results to console (JSON)
mend ai redteam get-results \
  --job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9"
# Save results to JSON file
mend ai redteam get-results \
  --job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
  --output results.json
# Save results to CSV file
mend ai redteam get-results \
  --job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
  --format csv \
  --output results.csv
Output (Console - JSON)
{
  "jobId": "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9",
  "targetId": "f21b9c82-9f52-4659-98a1-6f86ed041d0a",
  "status": "COMPLETED",
  "summary": {
    "totalTests": 30,
    "passed": 28,
    "failed": 2,
    "passRate": "93.3%",
    "attackSuccessRate": "6.7%"
  },
  "vulnerabilities": [
    {
      "probeId": 18,
      "probeName": "Jailbreak",
      "severity": "HIGH",
      "status": "FAILED",
      "details": "Model revealed system prompt..."
    }
  ],
  "reportUrl": "https://redteaming.mend.io/report/eval-..."
}
Output (CSV Format)
Probe ID,Probe Name,Category,Severity,Status,Attack Success
18,Jailbreak,Security,HIGH,FAILED,Yes
9,Context Leakage,Security,MEDIUM,PASSED,No
...

Refer to this page for complete target setup and testing examples.
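
The apply, run, wait and fetch steps documented above can be chained into a pipeline gate that captures the Job ID from target-run and fails the build on failed probes. This script is an added example, not Mend's own code: TARGET_NAME, CONFIG_FILE, FAIL_ON and the function names are assumptions, and the parsing relies on the sample target-run output and CSV header shown on this page.

```shell
#!/usr/bin/env bash
# Added example: CI gate built from the commands documented on this page.
# TARGET_NAME, CONFIG_FILE and FAIL_ON are variable names chosen for this sketch.

# Pull the job UUID out of target-run's "Job ID     : <uuid>" line.
extract_job_id() {
  sed -n 's/^Job ID[[:space:]]*:[[:space:]]*\([0-9a-fA-F-]\{36\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Count rows with Status FAILED and Severity at or above the threshold.
# Columns follow the CSV header shown above:
#   Probe ID,Probe Name,Category,Severity,Status,Attack Success
# Assumes no field contains a comma. Only HIGH and MEDIUM appear on this page;
# LOW is an assumed level, and anything unrecognised ranks highest (fail closed).
count_blocking() {  # usage: count_blocking <results.csv> <min-severity>
  awk -F',' -v min="$2" '
    function rank(s) {
      s = toupper(s)
      if (s == "LOW") return 1
      if (s == "MEDIUM") return 2
      if (s == "HIGH") return 3
      return 4
    }
    { gsub(/\r$/, "") }                 # tolerate CRLF exports
    NR == 1 || NF < 6 { next }          # header, blank or "..." lines
    toupper($5) == "FAILED" && rank($4) >= rank(min) { n++ }
    END { print n + 0 }
  ' "$1"
}

redteam_gate() {
  : "${TARGET_NAME:?set TARGET_NAME}" "${CONFIG_FILE:?set CONFIG_FILE}"
  # Apply immediately before running so the run uses this exact configuration.
  mend ai redteam target-apply --config "$CONFIG_FILE" \
    --target-name "$TARGET_NAME" || return $?
  run_out=$(mend ai redteam target-run --target-name "$TARGET_NAME") || return $?
  job_id=$(printf '%s\n' "$run_out" | extract_job_id)
  [ -n "$job_id" ] || { echo "gate: no Job ID in target-run output" >&2; return 1; }

  # Block for up to 10 minutes, then insist on COMPLETED (not RUNNING or FAILED).
  status_out=$(mend ai redteam get-status --job-id "$job_id" \
    --target-name "$TARGET_NAME" --wait 10m) || return $?
  printf '%s\n' "$status_out" | grep -q '^Status[[:space:]]*:[[:space:]]*COMPLETED' || {
    echo "gate: job $job_id did not complete" >&2; return 1; }

  mend ai redteam get-results --job-id "$job_id" --target-name "$TARGET_NAME" \
    --format csv --output results.csv || return $?
  blocking=$(count_blocking results.csv "${FAIL_ON:-HIGH}")
  if [ "$blocking" -gt 0 ]; then
    echo "gate: $blocking failed probe(s) at or above ${FAIL_ON:-HIGH}" >&2
    return 1
  fi
}

# Run the gate only when invoked as: ./redteam-gate.sh gate
if [ "${1:-}" = "gate" ]; then redteam_gate; exit $?; fi
```

Non-zero exit codes from the CLI are passed through unchanged, so the values listed under Return Codes in the appendix stay visible to the pipeline.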

help

help [command] - display information on a specified command.

Configuration File Format

YAML Structure

Configuration files must be in YAML format (not JSON).

Basic Structure
description: <target-description>
prompts:
  - '{{prompt}}'
targets:
  - id: http
    config:
      # Connection configuration (varies by type)
redteam:
  plugins:
    # List of security probes to enable
  strategies:
    # List of attack strategies
  purpose: |
    # Multi-line description
  numTests: <number>
  maxConcurrency: <number>

Complete Example: REST API Target

description: Production Insurance Chatbot API
prompts:
  - '{{prompt}}'
targets:
  - id: http
    config:
      url: ${API_ENDPOINT}
      method: POST
      headers:
        Content-Type: application/json
        Authorization: Bearer ${API_SECRET}
      body:
        model: gpt-4
        messages:
          - role: user
            content: '{{prompt}}'
      responsePayload: choices[0].message.content
redteam:
  plugins:
    # Security Probes
    - shell-injection       # Command injection attacks
    - sql-injection         # SQL injection attacks
    - prompt-extraction     # System prompt disclosure
    - rbac                  # Authorization bypass
    - cross-session-leak    # Data leakage between sessions
    - jailbreak            # Jailbreak attempts
    - phishing             # Phishing attacks
    # Safety Probes
    - bias                 # Bias detection
    - fake-news            # Misinformation generation
    - pii                  # PII data leakage
    - offensive-content    # Harmful content generation
  strategies:
    - basic                # Basic attack patterns
    - jailbreak           # Advanced jailbreak techniques
  purpose: |
    Application: Insurance Customer Service Chatbot
    Purpose: Security and safety testing for production API
    Environment: Production
    Compliance: SOC2, GDPR, PCI-DSS
  numTests: 50
  maxConcurrency: 20

Environment Variables in Configuration

You can use environment variables in YAML files:

targets:
  - id: http
    config:
      url: ${API_ENDPOINT}
      headers:
        Authorization: Bearer ${API_SECRET}

Set environment variables before running:

export API_ENDPOINT="https://api.example.com/chat"
export API_SECRET="your-secret-key"
mend ai redteam target-apply \
  --config config.yaml \
  --target-name "My Target"

Command-Line Overrides: Use --secret to override values:

mend ai redteam target-apply \
  --config config.yaml \
  --target-name "My Target" \
  --secret "${API_SECRET}"
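
Because these configuration files are meant to be tracked in Git and depend on variables being set in the shell that runs the CLI, a pre-flight check before target-apply catches both unset variables (the "Invalid URL: ${API_ENDPOINT}" error under Troubleshooting) and credentials written literally into the file. This is an added example, not part of the Mend CLI; the function names are assumptions, and only the Authorization and apiKey keys shown on this page are inspected.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a red-team target config before
# `mend ai redteam target-apply`. Function names are chosen for this sketch.

# Print each ${VAR} referenced in the config that is not exported in the
# environment the CLI will inherit.
unset_vars() {  # usage: unset_vars <config.yaml>
  awk '
    /^[ \t]*#/ { next }                       # skip YAML comment lines
    {
      line = $0
      while (match(line, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
        name = substr(line, RSTART + 2, RLENGTH - 3)
        if (!(name in ENVIRON) && !(name in seen)) { seen[name]; print name }
        line = substr(line, RSTART + RLENGTH)
      }
    }
  ' "$1"
}

# Print "<line>:<key>" for Authorization / apiKey entries whose value is a
# literal instead of a ${VAR} placeholder, i.e. a credential that would be
# committed along with the file. The value itself is never printed.
literal_secrets() {  # usage: literal_secrets <config.yaml>
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*(Authorization|apiKey)[ \t]*:/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (val != "" && val !~ /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/) print NR ":" key
    }
  ' "$1"
}

# Return non-zero if the config should not be applied yet.
preflight() {  # usage: preflight <config.yaml>
  missing=$(unset_vars "$1")
  literals=$(literal_secrets "$1")
  [ -z "$missing" ]  || echo "preflight: unset variables: $(echo $missing)" >&2
  [ -z "$literals" ] || echo "preflight: literal credentials at: $(echo $literals)" >&2
  [ -z "$missing" ] && [ -z "$literals" ]
}
```

Call `preflight config.yaml` in the same shell session, immediately before target-apply, so the check sees the same exported variables the CLI will.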

Available Security Probes

Note:

  • Probes such as Hallucination and Bias assist organizations in auditing their generative AI models for the safety and transparency requirements mandated by the EU AI Act.

  • Probes such as Shell Injection, SQL Injection and RBAC help software manufacturers fulfill their vulnerability assessment and handling obligations under the CRA.

Security Category

| Probe | Description | Probe ID |
| --- | --- | --- |
| shell-injection | Command injection vulnerabilities | 51 |
| sql-injection | SQL injection attacks | 35 |
| prompt-extraction | System prompt disclosure | 36 |
| jailbreak | Jailbreak and bypass attempts | 18 |
| rbac | Authorization bypass testing | 39 |
| cross-session-leak | Data leakage between sessions | 9 |
| phishing | Phishing attack simulation | 34 |

Safety Category

| Probe | Description | Probe ID |
| --- | --- | --- |
| bias | Bias and discrimination detection | 7 |
| fake-news | Misinformation generation | 17 |
| pii | PII data leakage testing | 45 |
| offensive-content | Harmful content generation | 10 |
| hate-speech | Hate speech detection | 46 |

Hallucination & Trustworthiness

| Probe | Description | Probe ID |
| --- | --- | --- |
| url-check | URL manipulation testing | 16 |
| qna | Question-answer accuracy | 40 |

Business Alignment

| Probe | Description | Probe ID |
| --- | --- | --- |
| competitor-check | Competitor promotion detection | 8 |
| intentional-misuse | Off-topic/misuse detection | 12 |

Connection Types

REST API
targets:
  - id: http
    config:
      url: https://api.example.com/endpoint
      method: POST
      headers:
        Content-Type: application/json
        Authorization: Bearer ${TOKEN}
      body:
        prompt: '{{prompt}}'
      responsePayload: response.text
OpenAI Compatible API
targets:
  - id: openai
    config:
      url: https://api.openai.com/v1/chat/completions
      apiKey: ${OPENAI_API_KEY}
      model: gpt-4
      responsePayload: choices[0].message.content

Troubleshooting

Common Issues and Solutions

Issue 1: Authentication Failed

Error:

Error: Authentication failed

Solution:

# Re-authenticate
mend auth login
# Verify authentication
mend auth status
Issue 2: Target Not Found

Error:

Error: Failed to find target: Target not found

Solution:

# List all targets to verify name
mend ai redteam download --help
# Check organization/application/project scope
export MEND_ORGANIZATION="correct-org-uuid"
export MEND_APPLICATION="correct-app-uuid"
export MEND_PROJECT="correct-project-uuid"
Issue 3: Configuration File Format Error

Error:

Error: Failed to parse configuration file

Solution:

  • Verify file is in YAML format (not JSON)

  • Check YAML syntax using online validator

  • Ensure proper indentation (use spaces, not tabs)

# Validate YAML syntax
yamllint config.yaml
Issue 4: Environment Variable Not Substituted

Error:

Error: Invalid URL: ${API_ENDPOINT}

Solution:

# Ensure environment variable is set
export API_ENDPOINT="https://api.example.com"
# Verify it's set
echo $API_ENDPOINT
# Run command in same shell session
mend ai redteam target-apply --config config.yaml --target-name "My Target"
Issue 5: Test Run Timeout

Error:

Error: The operation timed out

Solution:

  • Check if the feature is enabled for your organization

  • Verify the target configuration is correct

  • Contact Mend support if the issue persists

Issue 6: Invalid Job ID

Error:

Error: Job not found

Solution:

  • Verify Job ID was copied correctly

  • Check organization/application/project scope matches where test was run

  • Job IDs expire after a certain period

Appendix

A. Complete Command Quick Reference

# Download target configuration
mend ai redteam download --target-name <name> --file <output.yaml>
# Create/update target
mend ai redteam target-apply --config <config.yaml> --target-name <name>
# Trigger test run
mend ai redteam target-run --target-name <name>
# Check test status
mend ai redteam get-status --job-id <uuid> [--wait <time>]
# Get test results
mend ai redteam get-results --job-id <uuid> [--output <file>]

B. Environment Variables

| Variable | Description | Example |
| --- | --- | --- |
| MEND_ORGANIZATION | Organization UUID | 73dbd92e-dcd4-40e9-b1cb-868b6ce589e6 |
| MEND_APPLICATION | Application UUID | ai |
| MEND_PROJECT | Project UUID | fddb67ae-24ea-4860-8a5a-491b4e9be20c |
| API_ENDPOINT | Custom API endpoint | https://api.example.com/chat |
| API_SECRET | API authentication secret | Bearer sk-... |

C. Return Codes

| Code | Meaning |
| --- | --- |
| 0 | Success |
| 1 | General error |
| 2 | Authentication error |
| 3 | Not found (target/job) |
| 4 | Invalid configuration |
| 5 | Timeout |