We announced CARTO — the Certified AI Red-Team Operator programme — as the first credential specifically designed for AI adversarial testing. The curriculum is written. The six modules are built. The assessment framework is in development.

Now we need people to break it.

What We Are Looking For

We are recruiting 10 beta testers for the CARTO Fundamentals programme. This is the founding cohort — the people who will work through every module, surface every gap, and tell us what works and what does not before we open general enrolment.

We want a diverse group:

  • Security professionals looking to pivot into AI safety
  • AI/ML engineers who want to understand how their systems fail adversarially
  • Compliance officers preparing for EU AI Act enforcement (August 2, 2026)
  • Researchers who want structured methodology instead of ad hoc testing
  • Risk managers assessing AI deployment liability

You do not need prior AI red-teaming experience. That is the point — CARTO is designed to take competent professionals from adjacent fields and give them the specific knowledge and methodology they need.

What Beta Testers Get

Full Course Access

All six modules of CARTO Fundamentals, totalling 20+ hours of content:

  1. The AI Safety Landscape (2 hours) — Threat landscape, 33 attack families, four eras of jailbreak evolution, regulatory context (EU AI Act, NIST AI RMF, OWASP LLM Top 10, Australian frameworks)

  2. FLIP Grading Methodology (3 hours) — The core technical skill. Four-verdict grading (COMPLIANCE, PARTIAL, HALLUCINATION_REFUSAL, REFUSAL), automated pipelines, and why binary pass/fail misses 34% of dangerous responses

  3. Attack Execution (3 hours) — Attack family selection, scenario construction, multi-turn escalation, format-lock and reasoning-exhaustion techniques. Pattern-level throughout — no operational payloads

  4. Defence Assessment (3 hours) — Four-level defence benchmark, defence non-composability (why stacking defences does not multiply protection), the empirical finding that model selection matters more than prompt engineering

  5. Reporting (3 hours) — Assessment report structure, MITRE ATLAS and OWASP mapping, Model Safety Scorecard computation, EU AI Act compliance evidence packaging

  6. Ethics and Responsible Disclosure (3 hours) — AARDF graduated disclosure, D-Score dual-use risk assessment, the Grader Paradox, professional conduct standards

Influence on Exam Design

Beta testers review the assessment rubrics and practical exam structure. Your feedback directly shapes what CARTO Practitioner (the proctored 48-hour practical assessment) will require. If something in the curriculum does not translate to real-world practice, we want to know before general enrolment.

Founding Cohort Designation

Every beta tester who completes the programme receives the “Founding Cohort” designation on their CARTO credential. This is a permanent distinction — it identifies you as one of the first people certified in a field that did not have a credential before.

Pricing

Beta CohortStandard (Post-Beta)
CARTO Fundamentals$100 USD$200 USD
Access periodLifetime2 years
Founding Cohort designationYesNo
Exam design inputYesNo
Direct access to curriculum authorsYesLimited

The $100 founding rate is not a discount on an inferior product. It is the full curriculum at half price in exchange for your detailed feedback. We need to know what is clear, what is confusing, what is missing, and what does not match the reality of your work.

What Makes CARTO Different

CARTO is not built on theory, conference talks, or “best practices” assembled from blog posts. It is built on a specific research corpus:

  • 201 models tested across 15 providers, from 1.2B to 1.1 trillion parameters
  • 133,000+ adversarial evaluation results graded by LLM-based classifiers with documented reliability metrics
  • 33 attack families with measured Attack Success Rates, including 6 novel families not documented elsewhere
  • 240+ research reports analysing how AI systems fail, with sample sizes and confidence intervals
  • A grading methodology audit showing that keyword-based classifiers have a 79.9% over-report rate — most automated “jailbreak detected” signals are false positives

When Module 3 teaches format-lock attacks, it references the specific finding that format-lock achieves 97.5-100% ASR across every model tested, from 4B to 1.1T parameters. When Module 4 covers defence non-composability, it cites the empirical data showing that stacking three defences provides less than the sum of their individual effects. Every claim has a report number behind it.

How to Apply

Send an email to adrian@failurefirst.org with the subject line “CARTO Beta”.

Include:

  1. Your current role and organisation (or independent)
  2. Your relevant background (security, AI/ML, compliance, research, risk management)
  3. What you hope to get from the certification
  4. How much time per week you can commit (we estimate 4-6 hours/week over 5 weeks)

We will review applications and notify selected testers within one week. The cohort is limited to 10 spots to ensure we can provide meaningful support and collect detailed feedback from each participant.

Timeline

MilestoneDate
Applications openNow
Beta cohort selectedWithin 1 week of 10 applications
Module access beginsImmediately upon selection
Feedback period5 weeks from access
General enrolment opensQ3 2026

Questions

Do I need coding experience? Module 2 (FLIP Grading) involves running Python scripts for automated grading. Basic command-line comfort is helpful. You do not need to write code from scratch.

Can I use this for EU AI Act compliance? Module 5 covers EU AI Act conformity assessment evidence packaging. CARTO-certified professionals will be equipped to conduct the adversarial robustness testing required under Article 9 for high-risk AI systems.

Is there a refund if I drop out? At $100, we are pricing for commitment rather than refundability. If circumstances prevent completion, your access remains active — you can finish at your own pace.

What happens after Fundamentals? CARTO Practitioner (the advanced tier) includes a 48-hour practical assessment. Beta testers who complete Fundamentals will have priority access and discounted pricing for the Practitioner programme when it launches.

CARTO is developed by the Failure-First project, an independent AI safety research programme. No model provider has editorial control over the curriculum.