
Asfela AI Security Engineering — Professional

Version: v0.1 (2026-05-16)
Tier: Professional (~38 hrs) · Target price: $1,500 / seat
Audience: Mixed cohort — security engineers learning AI, and ML/AI engineers learning security
Frameworks mapped: OWASP Top 10 for LLMs · MITRE ATLAS · NIST AI RMF · EU AI Act
Companion code: git@github.com:silas-asfela/ai-sec-course.git


Course promise

By the end of this course, a learner can:

  1. Threat-model an AI/LLM-powered application end-to-end (data, model, infra, app, supply chain).
  2. Attack an AI system across the full kill chain: prompt injection, data poisoning, model extraction, evasion, supply-chain compromise, agent abuse.
  3. Defend an AI system: guardrails, eval harnesses, red-team automation, observability, secure SDLC.
  4. Govern an AI program against NIST AI RMF and EU AI Act obligations, with documentation that holds up to audit.
  5. Operate an AI red-team / AI security function inside an engineering org.

Deliverable on completion: certificate + capstone artifact (threat model + red-team report + remediation plan for a fictional SaaS).


Course shape

 #  | Module                                             | Hours | Mandatory labs        | Optional labs | Quiz
----|----------------------------------------------------|-------|-----------------------|---------------|-----------
 0  | Orientation & Environment Setup                    | 1.5   | 1                     | 0             | -
 1  | AI/ML Foundations for Security Engineers           | 3.5   | 2                     | 1             | yes
 2  | AI Security Foundations for ML Engineers           | 3.5   | 1 (+14 short theory)  | 1             | yes
 3  | Prompt Injection & LLM Application Attacks         | 6     | 4 (+8 short theory)   | 2             | yes
 4  | Data Poisoning, Backdoors & Supply Chain           | 4.5   | 3 (+9 short theory)   | 1             | yes
 5  | Model Extraction, Inversion & Membership Inference | 3.5   | 2 (+7 short theory)   | 1             | yes
 6  | Adversarial Examples & Evasion                     | 3     | 2 (+6 short theory)   | 1             | yes
 7  | Securing the AI Pipeline (MLSecOps & Defenses)     | 4.5   | 3 (+10 short theory)  | 1             | yes
 8  | AI Governance, Risk & Compliance                   | 3     | 1 (+10 short theory)  | 0             | yes
 9  | Capstone Project                                   | 4     | 1 (capstone)          | 0             | -
 10 | Certification Exam                                 | 1     | -                     | -             | Final exam
    | Totals                                             | ~38   | 20 mandatory          | 8 optional    | 8 + final

Module-by-module outline

Module 0 — Orientation & Environment Setup (1.5 hrs)

  • L0.1 Welcome, course map, how to use the labs (video)
  • L0.2 The AI security landscape in 2026: incidents, trends, regulatory pressure (video)
  • L0.3 Lab: Set up your environment — Python 3.11+, uv, Jupyter, Docker, API keys (OpenAI/Anthropic), Ollama for a local LLM, course repo clone

Module 1 — AI/ML Foundations for Security Engineers (3.5 hrs)

  • L1.1 ML in 30 minutes: supervised vs unsupervised vs RL; training vs inference; classical models (video)
  • L1.2 Neural networks & deep learning — the parts that matter for attackers/defenders (video)
  • L1.3 LLMs explained: tokenization, embeddings, transformers, decoding (video)
  • L1.4 The modern AI pipeline: data → train → eval → deploy → monitor → fine-tune (video)
  • L1.5 Where attacks happen at each pipeline stage (video)
  • L1.6 Lab: Run an LLM locally with Ollama, compare to an API model, inspect a model card
  • L1.7 Lab: Build a tiny RAG system from scratch (you'll attack this later)
  • L1.8 (Optional) Lab: Fine-tune a small model with LoRA
  • Quiz

Module 2 — AI Security Foundations for ML Engineers (3.5 hrs)

  • L2.1 Threat modeling for AI: STRIDE adapted, attack trees, abuse cases (video)
  • L2.2 The AI attack surface — model, data, infra, app, supply chain (video)
  • L2.3 MITRE ATLAS deep dive: tactics, techniques, real case studies (video)
  • L2.4 OWASP Top 10 for LLMs walk-through (video)
  • L2.5 NIST AI RMF + EU AI Act — just enough for engineering decisions (video)
  • L2.6 Lab: Build a threat model for the Module 1 RAG app (deliverable: data flow diagram + STRIDE table + ATLAS mapping)
  • L2.7 (Optional) Lab: Risk-tier a portfolio of fictional AI features under EU AI Act
  • Quiz

Module 3 — Prompt Injection & LLM Application Attacks (6 hrs)

Maps to: OWASP LLM01, LLM02, LLM07, LLM08

  • L3.1 Direct prompt injection: taxonomy, jailbreaks vs injections (video)
  • L3.2 Indirect prompt injection: RAG sources, tool outputs, web pages, emails (video)
  • L3.3 Insecure output handling: XSS, SSRF, SQL injection via LLM output (video)
  • L3.4 Excessive agency: tool-using agents and the principle of least authority (video)
  • L3.5 System prompt extraction & secrets leakage (video)
  • L3.6 Lab: Break a vulnerable chatbot (direct PI, system prompt extraction)
  • L3.7 Lab: Poison a RAG knowledge base — indirect injection via uploaded document
  • L3.8 Lab: Escape a tool-using agent (over-permissioned agent → real action)
  • L3.9 Lab: Build defenses — input filters, output validators, structured output, dual-LLM pattern
  • L3.10 (Optional) Lab: Try Garak or PyRIT against your own endpoint
  • L3.11 (Optional) Lab: Multi-modal prompt injection (image with hidden instructions)
  • Quiz

Module 4 — Data Poisoning, Backdoors & Supply Chain (4.5 hrs)

Maps to: OWASP LLM03, LLM05

  • L4.1 Training data poisoning: untargeted vs targeted (video)
  • L4.2 Backdoor attacks: triggers, BadNets, sleeper agents (video)
  • L4.3 Harmful fine-tuning & alignment removal (video)
  • L4.4 Model supply chain: HuggingFace, pickle deserialization, model card lies (video)
  • L4.5 Dependency risk: LangChain, vector DBs, embeddings providers (video)
  • L4.6 Lab: Poison a sentiment classifier and measure attack success
  • L4.7 Lab: Plant a backdoor trigger in a small model
  • L4.8 Lab: Scan a HuggingFace model for malicious pickles (picklescan, modelscan)
  • L4.9 (Optional) Lab: Generate an AI-BOM (AI Bill of Materials) for a stack
  • Quiz

Module 5 — Model Extraction, Inversion & Membership Inference (3.5 hrs)

Maps to: OWASP LLM10 + privacy

  • L5.1 Model extraction: stealing a model via API queries (video)
  • L5.2 Membership inference: did this record train the model? (video)
  • L5.3 Model inversion & training-data extraction from LLMs (video)
  • L5.4 Privacy defenses: DP-SGD, federated learning, output filtering (video)
  • L5.5 Lab: Extract a small classifier through an API
  • L5.6 Lab: Run a membership inference attack on a trained model
  • L5.7 (Optional) Lab: Reproduce a small slice of the "Extracting Training Data from LLMs" paper
  • Quiz

Module 6 — Adversarial Examples & Evasion (3 hrs)

  • L6.1 Adversarial examples — why they exist; white-box vs black-box (video)
  • L6.2 Image attacks (FGSM, PGD) and text attacks (TextAttack, character/word perturbations) (video)
  • L6.3 Evasion in production: spam, CSAM filters, fraud models (video)
  • L6.4 Robustness defenses: adversarial training, input preprocessing, certified defenses (video)
  • L6.5 Lab: FGSM on an image classifier
  • L6.6 Lab: TextAttack against a text classifier
  • L6.7 (Optional) Lab: Bypass a content moderation model
  • Quiz

Module 7 — Securing the AI Pipeline (MLSecOps & Defenses) (4.5 hrs)

  • L7.1 Secure development lifecycle for AI (AI-SDLC) (video)
  • L7.2 Model governance: registries, signing, attestation, provenance (e.g., Sigstore for models) (video)
  • L7.3 Runtime defenses: guardrails (Llama Guard, NeMo, Guardrails AI), structured output, content filters (video)
  • L7.4 Observability: prompt/response logging, PII redaction, drift & abuse detection (video)
  • L7.5 AI red-teaming: program design, methods, tools (Garak, PyRIT, promptfoo) (video)
  • L7.6 Incident response for AI — playbooks & containment (video)
  • L7.7 Lab: Wrap an LLM app with Llama Guard + structured output
  • L7.8 Lab: Run Garak against your own LLM endpoint, triage findings
  • L7.9 Lab: Stand up prompt/response logging with PII redaction
  • L7.10 (Optional) Lab: Build a continuous eval harness with promptfoo
  • Quiz

Module 8 — AI Governance, Risk & Compliance (3 hrs)

  • L8.1 NIST AI RMF in practice: Govern, Map, Measure, Manage (video)
  • L8.2 EU AI Act: risk tiers, GPAI obligations, timelines (video)
  • L8.3 Building an AI red-team / AI security program (video)
  • L8.4 Documentation: model cards, data sheets, system cards, AI-BOM (video)
  • L8.5 Case study teardown: a real-world AI incident (e.g., a 2024–2025 incident) (video)
  • L8.6 Lab: Author a model card + risk assessment for the Module 1 RAG app
  • Quiz

Module 9 — Capstone Project (4 hrs)

Scenario: You are the first AI security engineer at "Helios Health" — a fictional SaaS launching an LLM-powered medical-records assistant with tool access (read records, draft messages, search a knowledge base).

Deliverables (single submission, self-graded with rubric + reference solution):

  1. Threat model (data-flow diagram, STRIDE table, ATLAS mapping)
  2. Red-team report (5+ findings, severity-rated, repro steps)
  3. Remediation plan (technical controls + governance controls)
  4. Pre-launch checklist tied to NIST AI RMF + EU AI Act

Module 10 — Certification Exam (~1 hr)

  • 50 questions: multiple choice + scenario-based
  • Passing: 75%
  • Re-take policy TBD (your call)

Cross-cutting design choices

Lesson template (theory / video): learning objectives → concept primer → core content → real-world example → key terms → references → 3–5 quiz questions → video script + slide outline.

Lesson template (hands-on lab): goal → prerequisites → environment → step-by-step instructions with expected output → "what just happened" debrief → extension challenges → references.

Framework mapping: every lesson has a footer tag like "OWASP: LLM01, LLM02 · ATLAS: AML.T0051 · NIST AI RMF: Measure 2.7" so the cert holds up against employer checklists.

Mandatory vs optional: roughly 70/30. Mandatory carries the cert; optional is extension for ambitious learners (and lets you raise course value without raising required hours).


Open questions for Silas (need answers before Module 1 build)

  1. Lab hosting. Thinkific can't host browser terminals. Pick one: (a) learners run labs locally with Docker (cheapest, friction for non-technical buyers), (b) external lab platform like Instruqt / Kasm / KodeKloud (best UX, $$$), (c) host labs on a separate site you control and link out (middle ground).
  2. Video production model. For the theory lessons, do you want (a) full word-for-word scripts you'll record, (b) talking-point outlines + slide decks, or (c) both — script for narration and decks for visuals.
  3. Output format. Markdown per lesson (current default) is LMS-portable and lets us version-control. Confirm — or do you want a different format (Notion, Google Docs, single MS Word per module)?
  4. Branding. Course name (placeholder "AI Security Engineering — Professional"), cert name, target price band. These shape tone of the welcome lesson.
  5. Build cadence. Do you want me to build one module at a time, pause for your review, then move on? Or build all theory first, then all labs? I recommend one module end-to-end (theory + labs + quiz) so you can validate the template before we scale.