Overview
The Mend CLI allows users to manage AI red-teaming by configuring targets and testing them programmatically, enabling seamless integration into automation and CI/CD workflows.
The fundamental functions of Mend AI’s red-teaming solution are available:
-
Download and manage target configurations
-
Create and update AI testing targets
-
Trigger security test runs
-
Monitor test execution status
-
Retrieve and export test results
-
Full CI/CD integration support
Organizations can utilize the Mend CLI to execute each function using a designated CLI command, negating the requirement to log into the Mend AppSec Platform UI for such operations.
-
Automation-First: Eliminate manual UI interactions
-
CI/CD Integration: Native support for automated pipelines
-
Version Control: Configuration files can be tracked in Git
-
Reproducible Testing: Consistent test execution across environments
Prerequisites
Note: The use of the service indicated under this page is subject to the terms and conditions set forth under our AI Supplemental Terms-of-Service.
Mend CLI
-
Download the Mend CLI, as explained here.
-
Once the CLI is available on the relevant machine, you can start using it. To use the Mend CLI, the user is required to authenticate, as explained here.
System Requirements
-
Operating System: Linux, macOS, or Windows
-
Authentication: Valid Mend Platform credentials
-
Network: Access to Mend Red-Teaming API endpoint
Using Mend CLI for Red-Teaming
Authentication Setup
Step 1: Login to Mend Platform
mend auth login
This command will:
-
Open your browser to Mend Platform login page
-
Prompt you to authenticate
-
Store authentication token locally
Step 2: Configure Organization Scope
Set your default organization, application, and project:
# Set via environment variables (recommended for CI/CD)
export MEND_ORGANIZATION="your-org-uuid"
export MEND_APPLICATION="your-app-uuid"
export MEND_PROJECT="your-project-uuid"
Or provide --scope parameters with each command using:
-
-o, --organization <uuid>- Organization UUID -
-a, --application <uuid>- Application UUID -
-p, --project <uuid>- Project UUID
|
Parameter |
Description |
Mend CLI Default Behavior |
|
Command Line: |
Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Application. The supported formats are:
Examples of
The wild card character “*” can be used for any of the hierarchy levels. The default Mend CLI behavior will be used for any “*”.
“CLI” will be the product used or created in place of the “*”.
The organization currently logged into from the
Notes:
|
Within the Mend Platform, scans are tiered under an organization → application → project hierarchy. If
Tip: Use the Mend CLI
|
Step 3: Verify Authentication
mend ai redteam --help
If authenticated successfully, you'll see the Red-Teaming command options.
Red-Teaming Commands
All red-teaming commands follow the pattern:
mend ai redteam <command> [options]
Download Target Configuration
download - Download an existing target's configuration from Mend AppSec Platform to a local YAML file.
Syntax
mend ai redteam download \
--target-name <name> \
--file <output.yaml> \
[-o <org-uuid>] \
[-a <app-uuid>] \
[-p <project-uuid>] \
[-v]
Parameters
Note: For the full list of parameters, run mend ai redteam download --help
|
Parameter |
Required |
Description |
|---|---|---|
|
|
Yes* |
Name of the target to download |
|
|
Yes* |
UUID of the target to download |
|
|
Yes |
Output file path for configuration YAML |
|
|
No |
Show detailed logging |
|
|
No |
Organization UUID (or use env var) |
|
|
No |
Application UUID (or use env var) |
|
|
No |
Project UUID (or use env var) |
*Either --target-name OR --target-id must be provided
Example
# Download by target name
mend ai redteam download \
--target-name "Insurance Chatbot - Production" \
--file insurance-chatbot-config.yaml
# Download by target ID with verbose output
mend ai redteam download \
--target-id "f21b9c82-9f52-4659-98a1-6f86ed041d0a" \
--file config.yaml \
--verbose
Output
Configuration saved to: insurance-chatbot-config.yaml
The downloaded file will be in YAML format and contain:
-
Target connection configuration (e.g., REST API)
-
Target settings (name, description, environment)
-
Enabled probes and their configurations
Request an Adversary Simulation Scan
run - Request an adversary simulation scan for a target. Results will be printed automatically when the scan is completed, no manual result fetching required.
Note:
-
Users are blocked from performing additional operations while the scan is in progress.
-
A scan can only be aborted via the UI.
Flow
-
Executes the scan.
-
Tracks and displays progress using a progress bar.
-
Additional commands/operations will be blocked until the scan is completed/aborted.
-
-
Prints scan results upon completion.
Syntax
mend ai redteam run [options]
Parameters
|
Parameter |
Required |
Description |
|---|---|---|
|
|
No |
Path to configuration file (uses target's latest config if omitted) |
|
OR
|
Yes |
Target ID in the application OR Target name (creates if not found) |
|
|
No |
Do not show progress bar |
|
|
No |
Show debug logs |
|
|
No |
Display help for command |
|
|
No |
How long to wait for results (0 = indefinitely) (default: "0") |
Example
mend ai redteam run --scope "TestOrg//TestApp//TestProject" --target-name 'Bedrock target (claude-sonnet-3)'
Scan queued successfully!
Job ID : ********-****-****-****-************
Target ID : ********-****-****-****-************
Status : QUEUED
Progress: [████████████████████████░░░░░░] 80% (48/60)
Create or Update Target
target-apply - Create a new target or update an existing target's configuration from a YAML file.
Syntax
mend ai redteam target-apply \
--config <config.yaml> \
--target-name <name> \
[--secret <secret>] \
[-o <org-uuid>] \
[-a <app-uuid>] \
[-p <project-uuid>] \
[-v]
Parameters
Note: For the full list of parameters, run mend ai redteam target-apply --help
|
Parameter |
Required |
Description |
|---|---|---|
|
|
Yes |
Path to configuration YAML file |
|
|
Yes* |
Target name (creates if doesn't exist, updates if exists) |
|
|
Yes* |
Target UUID (for updating existing target) |
|
|
No |
Override API key/secret in YAML config |
|
|
No |
Show detailed logging |
|
|
No |
Organization UUID (or use env var) |
|
|
No |
Application UUID (or use env var) |
|
|
No |
Project UUID (or use env var) |
*Either --target-name OR --target-id must be provided
Example
# Create new target or update existing by name
mend ai redteam target-apply \
--config insurance-chatbot-config.yaml \
--target-name "Insurance Chatbot - Production"
# Update existing target with secret override
mend ai redteam target-apply \
--config config.yaml \
--target-name "My API Target" \
--secret "${API_SECRET}" \
Output
✓ Target configuration applied successfully
Target ID: f21b9c82-9f52-4659-98a1-6f86ed041d0a
Target Name: Insurance Chatbot - Production
Important Notes
Configuration Versioning: Every time target-apply is called, the latest configuration wins. Subsequent test runs will use the new settings.
Best Practice for CI/CD:
# Always apply configuration immediately before running tests
# to ensure consistency
mend ai redteam target-apply --config config.yaml --target-name "My Target"
mend ai redteam target-run --target-name "My Target"
Trigger Test Run
target-run - Trigger a security test run against an existing target using its saved configuration.
Note: A test run can only be aborted via the UI.
Syntax
mend ai redteam target-run \
--target-name <name> \
[-o <org-uuid>] \
[-a <app-uuid>] \
[-p <project-uuid>] \
[-v]
Parameters
Note: For the full list of parameters, run mend ai redteam target-run --help
|
Parameter |
Required |
Description |
|---|---|---|
|
|
Yes* |
Name of target to test |
|
|
Yes* |
UUID of target to test |
|
|
No |
Show detailed logging |
|
|
No |
Organization UUID (or use env var) |
|
|
No |
Application UUID (or use env var) |
|
|
No |
Project UUID (or use env var) |
*Either --target-name OR --target-id must be provided
Example
# Trigger test run by target name
mend ai redteam target-run \
--target-name "Insurance Chatbot - Production"
# Trigger test run by target ID
mend ai redteam target-run \
--target-id "f21b9c82-9f52-4659-98a1-6f86ed041d0a" \
--verbose
Output
Scan queued successfully!
Job ID : a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9
Target ID : f21b9c82-9f52-4659-98a1-6f86ed041d0a
Status : QUEUED
Important: Save the Job ID - you'll need it to check status and retrieve results.
Check Test Run Status
get-status - Retrieve the current status of a running or completed test run.
Syntax
mend ai redteam get-status \
--job-id <job-uuid> \
[--wait <time>] \
[-o <org-uuid>] \
[-a <app-uuid>] \
[-p <project-uuid>] \
[-v]
Parameters
Note: For the full list of parameters, run mend ai redteam get-status --help
|
Parameter |
Required |
Description |
|---|---|---|
|
|
Yes |
Job ID returned from |
|
|
Yes |
Target identifier (ID or name) |
|
|
No |
Wait for completion (e.g., |
|
|
No |
Show detailed logging |
|
|
No |
Organization UUID (or use env var) |
|
|
No |
Application UUID (or use env var) |
|
|
No |
Project UUID (or use env var) |
Status Values
-
QUEUED- Test run is queued for execution -
RUNNING- Test run is currently executing -
COMPLETED- Test run finished successfully -
FAILED- Test run failed
Example
# Check status once
mend ai redteam get-status \
--job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9"
# Wait up to 10 minutes for completion
mend ai redteam get-status \
--job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
--wait 10m
# Wait indefinitely until completion
mend ai redteam get-status \
--job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
--wait 0
Output
Status: RUNNING
Progress: 45% (13/30 tests completed)
Elapsed Time: 2m 34s
Or when complete:
Status: COMPLETED
Total Tests: 30
Passed: 28
Failed: 2
Duration: 5m 12s
Retrieve Test Results
get-results - Retrieve detailed test results for a completed test run.
Syntax
mend ai redteam get-results \
--job-id <job-uuid> \
[--format <json|csv>] \
[--output <file>] \
[-o <org-uuid>] \
[-a <app-uuid>] \
[-p <project-uuid>] \
[-v]
Parameters
Note: For the full list of parameters, run mend ai redteam get-results --help
|
Parameter |
Required |
Description |
|---|---|---|
|
|
Yes |
Job ID from completed test run |
|
|
Yes |
Target identifier (ID or name) |
|
|
No |
Output format (default: json) |
|
|
No |
Save to file instead of stdout |
|
|
No |
Show detailed logging |
|
|
No |
Organization UUID (or use env var) |
|
|
No |
Application UUID (or use env var) |
|
|
No |
Project UUID (or use env var) |
Example
# Print results to console (JSON)
mend ai redteam get-results \
--job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9"
# Save results to JSON file
mend ai redteam get-results \
--job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
--output results.json
# Save results to CSV file
mend ai redteam get-results \
--job-id "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9" \
--format csv \
--output results.csv
Output (Console - JSON)
{
"jobId": "a59fd3c7-c4e0-434d-a021-6d5eb9bf39a9",
"targetId": "f21b9c82-9f52-4659-98a1-6f86ed041d0a",
"status": "COMPLETED",
"summary": {
"totalTests": 30,
"passed": 28,
"failed": 2,
"passRate": "93.3%",
"attackSuccessRate": "6.7%"
},
"vulnerabilities": [
{
"probeId": 18,
"probeName": "Jailbreak",
"severity": "HIGH",
"status": "FAILED",
"details": "Model revealed system prompt..."
}
],
"reportUrl": "https://redteaming.mend.io/report/eval-..."
}
Output (CSV Format)
Probe ID,Probe Name,Category,Severity,Status,Attack Success
18,Jailbreak,Security,HIGH,FAILED,Yes
9,Context Leakage,Security,MEDIUM,PASSED,No
...
Refer to this page for complete target setup and testing examples.
help
help [command] - display information on a specified command.
Configuration File Format
YAML Structure
Configuration files must be in YAML format (not JSON).
Basic Structure
description: <target-description>
prompts:
- '{{prompt}}'
targets:
- id: http
config:
# Connection configuration (varies by type)
redteam:
plugins:
# List of security probes to enable
strategies:
# List of attack strategies
purpose: |
# Multi-line description
numTests: <number>
maxConcurrency: <number>
Complete Example: REST API Target
description: Production Insurance Chatbot API
prompts:
- '{{prompt}}'
targets:
- id: http
config:
url: ${API_ENDPOINT}
method: POST
headers:
Content-Type: application/json
Authorization: Bearer ${API_SECRET}
body:
model: gpt-4
messages:
- role: user
content: '{{prompt}}'
responsePayload: choices[0].message.content
redteam:
plugins:
# Security Probes
- shell-injection # Command injection attacks
- sql-injection # SQL injection attacks
- prompt-extraction # System prompt disclosure
- rbac # Authorization bypass
- cross-session-leak # Data leakage between sessions
- jailbreak # Jailbreak attempts
- phishing # Phishing attacks
# Safety Probes
- bias # Bias detection
- fake-news # Misinformation generation
- pii # PII data leakage
- offensive-content # Harmful content generation
strategies:
- basic # Basic attack patterns
- jailbreak # Advanced jailbreak techniques
purpose: |
Application: Insurance Customer Service Chatbot
Purpose: Security and safety testing for production API
Environment: Production
Compliance: SOC2, GDPR, PCI-DSS
numTests: 50
maxConcurrency: 20
Environment Variables in Configuration
You can use environment variables in YAML files:
targets:
- id: http
config:
url: ${API_ENDPOINT}
headers:
Authorization: Bearer ${API_SECRET}
Set environment variables before running:
export API_ENDPOINT="https://api.example.com/chat"
export API_SECRET="your-secret-key"
mend ai redteam target-apply \
--config config.yaml \
--target-name "My Target"
Command-Line Overrides: Use --secret to override values:
mend ai redteam target-apply \
--config config.yaml \
--target-name "My Target" \
--secret "${API_SECRET}" \
Available Security Probes
Note:
-
Probes such as Hallucination and Bias assist organizations in auditing their generative AI models for the safety and transparency requirements mandated by the EU AI Act.
-
Probes such as Shell Injection, SQL Injection and RBAC help software manufacturers fulfill their vulnerability assessment and handling obligations under the CRA.
Security Category
|
Probe |
Description |
Probe ID |
|---|---|---|
|
|
Command injection vulnerabilities |
51 |
|
|
SQL injection attacks |
35 |
|
|
System prompt disclosure |
36 |
|
|
Jailbreak and bypass attempts |
18 |
|
|
Authorization bypass testing |
39 |
|
|
Data leakage between sessions |
9 |
|
|
Phishing attack simulation |
34 |
Safety Category
|
Probe |
Description |
Probe ID |
|---|---|---|
|
|
Bias and discrimination detection |
7 |
|
|
Misinformation generation |
17 |
|
|
PII data leakage testing |
45 |
|
|
Harmful content generation |
10 |
|
|
Hate speech detection |
46 |
Hallucination & Trustworthiness
|
Probe |
Description |
Probe ID |
|---|---|---|
|
|
URL manipulation testing |
16 |
|
|
Question-answer accuracy |
40 |
Business Alignment
|
Probe |
Description |
Probe ID |
|---|---|---|
|
|
Competitor promotion detection |
8 |
|
|
Off-topic/misuse detection |
12 |
Connection Types
REST API
targets:
- id: http
config:
url: https://api.example.com/endpoint
method: POST
headers:
Content-Type: application/json
Authorization: Bearer ${TOKEN}
body:
prompt: '{{prompt}}'
responsePayload: response.text
OpenAI Compatible API
targets:
- id: openai
config:
url: https://api.openai.com/v1/chat/completions
apiKey: ${OPENAI_API_KEY}
model: gpt-4
responsePayload: choices[0].message.content
Troubleshooting
Common Issues and Solutions
Issue 1: Authentication Failed
Error:
Error: Authentication failed
Solution:
# Re-authenticate
mend auth login
# Verify authentication
mend auth status
Issue 2: Target Not Found
Error:
Error: Failed to find target: Target not found
Solution:
# List all targets to verify name
mend ai redteam download --help
# Check organization/application/project scope
export MEND_ORGANIZATION="correct-org-uuid"
export MEND_APPLICATION="correct-app-uuid"
export MEND_PROJECT="correct-project-uuid"
Issue 3: Configuration File Format Error
Error:
Error: Failed to parse configuration file
Solution:
-
Verify file is in YAML format (not JSON)
-
Check YAML syntax using online validator
-
Ensure proper indentation (use spaces, not tabs)
# Validate YAML syntax
yamllint config.yaml
Issue 4: Environment Variable Not Substituted
Error:
Error: Invalid URL: ${API_ENDPOINT}
Solution:
# Ensure environment variable is set
export API_ENDPOINT="https://api.example.com"
# Verify it's set
echo $API_ENDPOINT
# Run command in same shell session
mend ai redteam target-apply --config config.yaml --target-name "My Target"
Issue 5: Test Run Timeout
Error:
Error: The operation timed out
Solution:
-
Check if the feature is enabled for your organization
-
Verify the target configuration is correct
-
Contact Mend support if the issue persists
Issue 6: Invalid Job ID
Error:
Error: Job not found
Solution:
-
Verify Job ID was copied correctly
-
Check organization/application/project scope matches where test was run
-
Job IDs expire after a certain period
Appendix
A. Complete Command Quick Reference
# Download target configuration
mend ai redteam download --target-name <name> --file <output.yaml>
# Create/update target
mend ai redteam target-apply --config <config.yaml> --target-name <name>
# Trigger test run
mend ai redteam target-run --target-name <name>
# Check test status
mend ai redteam get-status --job-id <uuid> [--wait <time>]
# Get test results
mend ai redteam get-results --job-id <uuid> [--output <file>]
B. Environment Variables
|
Variable |
Description |
Example |
|---|---|---|
|
|
Organization UUID |
|
|
|
Application UUID |
|
|
|
Project UUID |
|
|
|
Custom API endpoint |
|
|
|
API authentication secret |
|
C. Return Codes
|
Code |
Meaning |
|---|---|
|
0 |
Success |
|
1 |
General error |
|
2 |
Authentication error |
|
3 |
Not found (target/job) |
|
4 |
Invalid configuration |
|
5 |
Timeout |