Course Outline
Module 1 — AI Systems for Security Engineers
Lab: Lab 01 — 01-Introduction
Understanding the architecture.
Topics:
- LLMs vs normal apps
- AI inference pipelines
- Prompt flow
- RAG architecture
- embeddings/vector databases
- agentic workflows
- tool calling
- AI gateways
- copilots
- MCP and agent protocols
- where WAF visibility exists
- where WAF visibility disappears
Key insight: Traditional WAFs often lose visibility once the prompt reaches the model.
Module 2 — OWASP GenAI Top 10
Lab: none — interactive recap/discussion
Core AI attack categories.
Topics:
- Prompt Injection
- Insecure Output Handling
- Training Data Poisoning
- Model DoS
- Supply Chain Vulnerabilities
- Sensitive Information Disclosure
- Excessive Agency
- Vector/Embedding Weaknesses
- Misinformation
- Unbounded Consumption
Include:
- Differences from classic OWASP
- Mapping to defensive controls (WAF, gateway, app-layer)
- Where each control helps
- Where each control fails
Module 3 — Prompt Injection Detection
Lab: Lab 02 — 02-Prompt-Injection
The “SQL injection moment” for AI.
Topics:
- Direct prompt injection
- Indirect prompt injection
- Hidden instructions
- Document-based attacks
- HTML/Markdown injection
- Jailbreak patterns
- Context override attacks
- Role confusion attacks
Detection strategies:
- Keyword heuristics
- Semantic classification
- Prompt linting
- Instruction boundary enforcement
- Allow/deny policies
- AI-aware regex patterns
Hands-on labs:
- Attack a chatbot
- Bypass naive filters
- Build layered detection
Module 4 — AI-Aware WAF Rules
Lab: Lab 03 — 03-WAF-Basics
How WAF rules evolve for AI systems.
- Topics:
- Protecting LLM endpoints
- Inference API protection
- Token-aware rate limiting
- Prompt size inspection
- AI-specific signatures
- Conversation anomaly detection
- Multi-turn abuse patterns
- Model enumeration attempts
- Inference scraping
- Denial-of-wallet protection
Examples:
- Protecting /v1/chat/completions
- Defending streaming APIs
- Blocking recursive agent calls
Module 5 — Securing RAG Pipelines
Lab: Lab 04 — 04-RAG-Security
One of the biggest new attack surfaces.
Topics:
- Vector DB threats
- Embedding poisoning
- Malicious PDFs/docs
- Retrieval manipulation
- Semantic poisoning
- Hidden instructions in documents
- Cross-document contamination
- Data exfiltration via retrieval
Defenses:
- Ingestion sanitization
- Trust scoring
- Metadata isolation
- Document provenance
- Retrieval policies
- Segmentation
Case study: “Upload a poisoned PDF and take over the AI assistant.”
Module 6 — Agentic AI Security
Lab: Lab 05 — 05-Agent-Security
Where things become dangerous.
Topics:
- Excessive agency
- Tool abuse
- API chaining
- Autonomous loops
- Permission escalation
- Memory poisoning
- Indirect tool execution
- Agent impersonation
- Credential leakage
- Multi-agent attacks
Defenses:
- Least privilege for agents
- Approval gates
- Runtime policy engines
- Sandboxing
- Scoped credentials
- Tool whitelisting
- Human-in-the-loop
This section is typically of highest interest to managers, as the risk becomes operational and business-impacting.
Module 7 — API Security for AI
Lab: Lab 06 — 06-Denial-of-Wallet
AI systems are highly API-dependent.
Topics:
- API gateways
- GraphQL AI risks
- MCP/API abuse
- JWT protection
- AI plugin security
- Agent authentication
- Delegated authorization
- Secret management
- Signed prompts
- API inventory for AI
Tie into: OWASP API Security Top 10
Module 8 — Detection Engineering & SOC Integration
Lab: Lab 07 — 07-Detection
Operational defense.
Topics:
- AI telemetry
- Prompt logging
- Token analytics
- Anomaly detection
- Semantic SIEM pipelines
- AI attack indicators
- Threat hunting for LLM abuse
- AI runtime observability
Examples:
- Detecting jailbreak campaigns
- Spotting automated agent abuse
- Identifying model scraping
Module 9 — Cloud WAFs and AI Security
Lab: none — interactive recap/discussion
Vendor-specific implementations.
Topics:
- AWS WAF for AI APIs
- Azure WAF
- Cloudflare AI Gateway
- API gateways
- Envoy AI filtering
- Kong AI Gateway
- NGINX AI security patterns
Comparison:
- Traditional WAF vs AI gateway vs app-layer guardrail
- Proxy-based vs semantic filtering
Module 10 — Building a Layered AI Defense
Lab: Lab 08 — 08-Layered-Defense
Important philosophical conclusion:
No single layer can secure AI (a WAF least of all, when acting alone).
Students build a layered model:
- WAF
- API gateway
- AI gateway
- Guardrails
- Runtime monitoring
- Identity/authorization
- Sandbox
- Human approval
- Observability
- Incident response
This aligns strongly with the “multi-layer security” model.
Module ↔ Lab map
Labs run in lab order, which follows module order.
The course has 10 modules but 8 labs: Modules 2 and 9 are interactive recap/discussion sessions and have no associated lab.
Each lab is tagged with its corresponding module throughout this outline.
- Lab 01 (Module 1)
- Folder: 01-Introduction
- Title: Explore an AI system — what's on the wire
- Lab 02 (Module 3)
- Folder: 02-Prompt-Injection
- Title: Attack a chatbot & bypass naive filtering
- Lab 03 (Module 4)
- Folder: 03-WAF-Basics
- Title: Build AI-aware WAF rules
- Lab 04 (Module 5)
- Folder: 04-RAG-Security
- Title: Poison a RAG pipeline
- Lab 05 (Module 6)
- Folder: 05-Agent-Security
- Title: Secure an autonomous agent
- Lab 06 (Module 7)
- Folder: 06-Denial-of-Wallet
- Title: Detect denial-of-wallet attacks
- Lab 07 (Module 8)
- Folder: 07-Detection
- Title: Monitor AI abuse patterns in logs
- Lab 08 (Module 10)
- Folder: 08-Layered-Defense
- Title: Build a layered AI defense architecture
Capstone
Students defend a simulated enterprise AI assistant.
Attackers attempt:
- Prompt injection
- Tool abuse
- Credential theft
- Retrieval poisoning
- Excessive API consumption
- Agent escalation
Teams build:
- WAF rules
- AI gateway policies
- Runtime detection
- Guardrails
- Incident response
Requirements
- Participants should have a foundational understanding of HTTP/API security, proxies and reverse proxies, authentication mechanisms, the OWASP Top 10, REST APIs, and basic cloud networking.
Audience
- Security engineers & AppSec professionals
- SOC analysts & detection engineers
- API security engineers
- Cloud / API / platform security specialists
- DevSecOps engineers
- Security architects
- WAF / network security specialists
- AI platform engineers
Testimonials (2)
I really enjoyed learning about AI attacks and the tools out there to begin practicing and actively using for security testing. I took a lot of knowledge away which I didn't have at the beginning and the course met what I hoped it would be. My favorite part shown from the training was Comet Browser and was amazed at what it could do. Definitely something will be looking into more. Overall it was a great course and enjoyed learning all OWASP GenAI Top 10.
Patrick Collins - Optum
Course - OWASP GenAI Security
The profesional knolage and the way how he presented it before us