Get in Touch

Course Outline

Module 1 — Understanding AI Application Vulnerabilities

Lab: None — Architecture walkthrough & discussion

Developing a mental model of the attack surface for builders.

Topics:

  • LLM, RAG, and agent architectures from the developer's perspective
  • The request/response lifecycle of an AI feature
  • Prompt flow: system, developer, user, and tool messages
  • Entry points for untrusted data into (and back into) the model
  • Trust boundaries owned versus inherited by developers
  • Why AI attacks rely on semantics rather than syntax
  • Mapping OWASP LLM Top 10 to source code

Key insight: Any point where untrusted text reaches the model, or model output reaches your code, represents a boundary you own.

Module 2 — Prompt Injection for Builders

Lab: Lab 01 — 01-Prompt-Injection

The "SQL injection moment" for AI—though complete avoidance is impossible.

Topics:

  • Differences between direct and indirect prompt injection
  • Hidden instructions embedded in documents, web pages, or tool outputs
  • Jailbreaks and role-confusion techniques
  • The importance of separating instructions from data
  • Defensive prompt design (delimiters, structure, minimal authority)
  • Why prevention is partial—designing for containment instead

Hands-on exercises:

  • Attack your own chatbot
  • Bypass naive filters
  • Restructure prompts to minimize blast radius

Module 3 — Treating Model Output as Untrusted

Lab: Lab 02 — 02-Output-Handling

The vulnerability class developers often underestimate.

Topics:

  • Viewing model output as untrusted input for the rest of the application
  • Insecure output handling (LLM02): downstream XSS, SSRF, command/SQL injection risks
  • Avoiding direct eval/exec/render of raw model output
  • Utilizing structured outputs and schema validation
  • Output encoding and allowlisting strategies
  • Safe rendering practices in web/UI contexts

Hands-on exercises:

  • Identify and remediate an insecure-output-handling vulnerability
  • Enforce a JSON schema on model responses

Module 4 — RAG Security

Lab: Lab 03 — 03-RAG-Security

One of the most significant new attack surfaces—and one you build.

Topics:

  • Threats targeting vector databases and retrieval mechanisms
  • Ingestion sanitization techniques
  • Document provenance and trust scoring
  • Retrieval scoping and metadata isolation
  • Hidden instructions within retrieved content (indirect injection)
  • Data exfiltration risks via retrieval processes

Hands-on: Poison a RAG pipeline with a malicious document; implement ingestion sanitization and retrieval scoping to defend against it.

Module 5 — Agent & Tool Safety

Lab: Lab 04 — 04-Agent-Safety

The stage where vulnerabilities translate into actions.

Topics:

  • Excessive agency (LLM06) and tool abuse
  • Implementing least privilege for agents
  • Tool allowlists and argument validation
  • Approval gates and human-in-the-loop mechanisms
  • Sandboxing tool execution environments
  • Scoped, short-lived credentials for agents
  • Limiting autonomous loops and chaining behaviors

Hands-on exercises:

  • Restrict permissions on an overly permissive agent
  • Add an allowlist and approval gate to a dangerous tool

Module 6 — Secrets, Identity & Cost Management

Lab: Lab 05 — 05-Secrets-and-Cost

Operational oversights that cause the most immediate damage.

Topics:

  • API key and secret management (never embed in prompts, code, or logs)
  • Per-user authentication and authorization for AI features
  • Propagating user identity to tools and retrieval processes
  • Mitigating denial-of-wallet attacks via unbounded token/cost consumption
  • Implementing rate limits, token budgets, and timeouts
  • Logging practices that prevent secret or PII leakage

Hands-on exercises:

  • Remove secrets from prompt/code paths
  • Add per-user rate limits and a token/cost budget

Module 7 — Guardrail Libraries

Lab: Lab 06 — 06-Guardrails

Evaluating buy vs. build for input/output safety.

Topics:

  • Capabilities and limitations of guardrail frameworks
  • Input guardrails: injection, PII, and topic classifiers
  • Output guardrails: validation, filtering, and grounding checks
  • Distinguishing when to use guardrails versus deterministic checks
  • Layering guardrails with controls from previous modules
  • Managing performance, false positives, and failure modes

Hands-on exercises:

  • Implement an input/output guardrail layer for an AI feature
  • Analyze what the guardrail catches versus what it misses

Module 8 — Red-Teaming Your Own Application

Lab: Lab 07 — 07-Red-Teaming

Deploy with the assumption that an attacker has already compromised it.

Topics:

  • Constructing abuse and test suites for AI features
  • Automated prompt injection and jailbreak testing
  • Regression testing of guardrails and policies
  • Integrating AI security checks into CI pipelines
  • Managing model and dependency supply chain (provenance, pinning)
  • A pre-deployment security checklist for AI features

Hands-on exercises:

  • Write automated red-team tests for an AI feature
  • Integrate these tests into a CI check

Module 9 — Scoring AI Security: The SAIS-100 Framework

Lab: None — Scoring exercise (utilizes the Capstone app)

Transform your implementation into a repeatable score.

Topics:

  • The AI Security Hexagon: six core questions instead of "is it secure?"
  • Six scored categories: Data, Prompt, Agent, Supply Chain, Detection, Governance
  • The 100-point rubric and its weightings
  • Verdict bands and the single-category override rule
  • Understanding the Elephant Scale Secure AI Score (SAIS-100) as a branded, re-runnable framework
  • Using pre- and post-hardening scores as metrics

Hands-on exercises:

  • Score the Capstone application on the 100-point scale
  • Identify the single change that most significantly improves the score

Key insight: The three highest-weighted categories correspond to trust boundaries owned by developers—meaning the score accurately measures what this course has taught.

Capstone Project

Participants harden a deliberately vulnerable AI application from end to end.

The starter application includes:

  • An injectable prompt
  • Insecure output handling
  • An unscoped RAG pipeline
  • An over-permissioned agent
  • Secrets embedded in the prompt path
  • Absence of cost limits

Participants apply course concepts to:

  • Restructure prompts for containment
  • Validate and encode model outputs
  • Sanitize and scope retrieval processes
  • Apply least privilege and approval gates to the agent
  • Relocate secrets and add cost/rate limits
  • Add guardrails and automated red-team tests

Deliverable: A hardened application plus a short OWASP LLM Top 10 self-assessment.

Module - Lab Mapping

Labs proceed in order, mirroring the module sequence. The course comprises 9 modules and 7 labs: Module 1 is an architecture walkthrough/discussion, and Module 9 is a scoring exercise; therefore, neither has a dedicated lab folder.

  • Lab 01 - 01-Prompt-Injection: Attack your chatbot & design for containment (Module 2)
  • Lab 02 - 02-Output-Handling: Fix an insecure-output-handling bug (Module 3)
  • Lab 03 - 03-RAG-Security: Poison then defend a RAG pipeline (Module 4)
  • Lab 04 - 04-Agent-Safety: Lock down an over-permissioned agent (Module 5)
  • Lab 05 - 05-Secrets-and-Cost: Secure keys + add cost guardrails (Module 6)
  • Lab 06 - 06-Guardrails: Add an input/output guardrail layer (Module 7)
  • Lab 07 - 07-Red-Teaming: Automated red-team tests in CI (Module 8)

Module 1 (How AI Apps Break) has no lab—it runs as an architecture walkthrough and discussion. Module 9 (Scoring AI Security) has no lab folder—it runs as a scoring exercise against the Capstone app.

Requirements

  • Skill Level: Intermediate.
  • Prerequisites include proficiency in building and consuming REST APIs, experience with a scripting language (Python is used in labs), fundamental application authentication concepts, Git, and CLI usage.
  • No machine learning background is necessary—this course focuses on application security for those who build with LLMs, not train them.

Target Audience

  • Software and backend engineers developing LLM features
  • Full-stack and API developers
  • AI/ML application engineers
  • Platform engineers deploying copilots and agents
  • Tech leads and senior engineers responsible for AI features
 21 Hours

Number of participants


Price per participant

Testimonials (2)

Upcoming Courses

Related Categories