The training begins by reframing LLMs as probabilistic decision engines, not deterministic software components. Participants learn why traditional security assumptions break down when applied to prompt-based systems and how trust boundaries shift from code to prompts, context, and model outputs.

Through a series of hands-on labs, participants attack and defend LLM applications using real-world techniques aligned with the OWASP Top 10 for LLM Applications. Topics include prompt injection (direct and indirect), prompt extraction and reflection attacks, jailbreaking techniques, sensitive data leakage, and Retrieval-Augmented

Generation (RAG) poisoning. Participants build vulnerable systems, exploit them, and then implement layered defenses such as prompt hardening, output validation, semantic checks, and access controls. By the end of Day 1, attendees develop a critical mindset: every input, context source, and output from an LLM must be treated as untrusted.

Day 2 shifts focus from LLMs as responders to AI agents as autonomous actors. Participants explore how modern agent frameworks enable LLMs to plan, reason, and invoke tools with real-world side effects. The course examines how autonomy introduces new failure modes, including excessive agency, unsafe tool invocation, decision manipulation, and workflow abuse.

Participants build AI agents using common agent patterns and then adopt an attacker mindset to exploit them. Through red-team style labs, they perform prompt injection attacks against agents, abuse overly permissive tools, extract secrets, and trigger unintended actions. The training then pivots to defense, covering secure agent design principles such as least privilege for tools, sandboxing and isolation, approval gates for high-risk actions, robust prompt controls, monitoring, and audit logging.

By the end of Day 2, participants understand how insecure agent design can turn AI systems into operational liabilities—and how to apply defense-in-depth strategies to prevent agents from going rogue in production environments.

• Reframing security for probabilistic, context-driven systems.
  • Why traditional AppSec models fail for LLMs
  • Deterministic code vs probabilistic reasoning
  • LLMs as decision engines, not chatbots
  • How injection evolves from syntax to semantic manipulation

• System prompts, user prompts, and context merging
• Where untrusted input enters the pipeline
• Retrieval-Augmented Generation (RAG) as external memory
• Why retrieved content is often treated as trusted input
• Tool invocation vs text generation

• SystDirect and indirect prompt injection
• Prompt extraction and reflection attacks
• Jailbreaking techniques: role-play, authority bypass, hypothetical scenarios
• Why “prompt engineering” is not a security control

• Prompt hardening and delimiters
• Output filtering and semantic validation
• Sandboxing and containment

• Sensitive data in LLM context
• Leakage via outputs and tool responses
• Data poisoning and malicious embeddings
• Compromised knowledge bases

• Input sanitization
• Output filtering and PII detection
• Access control and data classification

• Data and model poisoning
• Improper output handling
• Excessive agency (preview for Day 2)
• System prompt leakage
• Vector and embedding weaknesses
• Misinformation and hallucination risks

• Real-world LLM compromise analysis
• Key takeaway: the cognitive core is inherently untrusted

• From LLM responders to autonomous actors.

• What makes an AI system an agent
• Sense–Plan–Act loops
• Overview of agent frameworks
• Prompting vs tool invocation

• Iterative retrieval and multi-step reasoning
• Risks of agentic RAG
• Sensitive data exposure via chained actions

• Assets, trust boundaries, and abuse cases
• Excessive agency as a design failure
• Story-driven threat modeling

• Prompt injection in agents
• Tool misuse and API abuse
• Decision manipulation and infinite loops
• Reflection attacks

• Why autonomy turns bugs into incidents
• Preparing for ecosystem-level attacks