Skip to content

Module 1 — Quiz

Type: Quiz · Duration: ~10 min · Status: Mandatory · Pass mark: 70% (9 of 12) Module: Module 1 — AI/ML Foundations for Security Engineers

Note for the learner: Quiz questions are drawn from the per-lesson quiz items in L1.1 – L1.5, with two scenario-based questions added at the end. If you completed the per-lesson reading and watched the videos, you should pass on the first attempt. Two attempts allowed before a retake delay.

Question 1 (multiple choice)

Which of the following attacks targets the training phase, not the inference phase?

a) Prompt injection b) Data poisoning c) Membership inference d) Adversarial evasion

Answer: b Explanation: Data poisoning manipulates the training set before the model is built. The other three target inference-time behavior of a deployed model.

Question 2 (multiple choice)

Which of these is not a flavor of machine learning as commonly classified?

a) Supervised learning b) Unsupervised learning c) Reinforcement learning d) Procedural learning

Answer: d Explanation: Procedural learning is not a standard ML category. Supervised, unsupervised, and reinforcement learning are the three commonly named flavors.

Question 3 (multiple choice)

A fintech tells you "our AI rejected the loan." In 2026, which model family is this most likely to be?

a) A large language model b) A gradient-boosted decision tree (XGBoost / LightGBM / CatBoost) c) A convolutional neural network d) A reinforcement-learning agent

Answer: b Explanation: Tabular financial data is still the home of gradient-boosted trees in 2026. Knowing the family matters because the attack surface (feature perturbation) is completely different from an LLM's (prompt injection).

Question 4 (short)

Why does a neural network need a nonlinearity (e.g., ReLU) between linear layers?

Answer (one sentence required): Stacking linear transforms only produces another linear transform; nonlinearities are what allow the network to represent non-trivial functions.

Acceptable variants: "Without nonlinearities, depth buys you nothing — the whole network collapses to a single linear function."

Question 5 (multiple choice)

You receive a model file from a third party in .bin (PyTorch pickle) format. What is the minimum-bar security concern?

a) The file might be too large to load. b) The file format is deprecated. c) Pickle deserialization can execute arbitrary code on load, so loading from an untrusted source can compromise the host. d) The model accuracy might be lower than reported.

Answer: c Explanation: Module 4 builds on this with picklescan / modelscan scanning. .safetensors is the modern safe default.

Question 6 (multiple choice)

True or false: fine-tuning a small open model is too expensive for most attackers to consider.

a) True b) False

Answer: b (False) Explanation: LoRA / QLoRA brings fine-tuning costs to a few hundred dollars per run on cloud GPUs (or hours on a laptop). Harmful fine-tuning is a real, cheap attack class.

Question 7 (short)

In the four-stage LLM pipeline (tokenization → embedding → transformer → decoding), name one attack class that targets the tokenizer specifically.

Answer: Acceptable: "glitch tokens" / "SolidGoldMagikarp class" / "token smuggling via unicode normalization" / "bypassing character-length validators using token-aware payloads."

Grading: Any answer that demonstrates the learner understands the tokenizer is itself a separately-trained artifact with its own attack surface.

Question 8 (multiple choice)

Self-attention has a structural property that lets transformers scale to long contexts. The same property is a security problem because:

a) It uses too much memory, opening DoS attacks. b) Every token can directly attend to every other token, so a single hostile token in a long document can influence the entire output — enabling indirect prompt injection. c) It is patent-encumbered. d) It only works on English-language input.

Answer: b Explanation: This is the structural reason indirect prompt injection works against RAG and agentic systems.

Question 9 (multiple choice)

You are red-teaming a chatbot at default sampling settings (temperature 1.0, top-p 0.9). After 1 attempt, your jailbreak fails. What should you do before declaring the defense effective?

a) Move on; one failed attempt means the defense works. b) Re-run N times (e.g., 10–30); sampling means a jailbreak can succeed on a low-probability draw, and one failed run does not prove defense. c) Switch backends — the result on one model is irrelevant. d) Lower the temperature to 0.

Answer: b Explanation: Module 7's eval harness explicitly addresses this. Lowering temperature to 0 (option d) gives you reproducibility for that one prompt but doesn't tell you the empirical success rate at production temperature settings.

Question 10 (multiple choice)

As the AI security engineer for an application team that uses a frontier model via API, which pipeline stages do you fully own vs. negotiate via procurement?

a) Own everything; the vendor is irrelevant. b) Own: Data, Training, Eval. Negotiate: Deployment, Monitoring, Fine-tune. c) Own: Deployment, Monitoring, Fine-tune. Negotiate: Data, Training, Eval (via the vendor). d) Negotiate everything; nothing is fully yours.

Answer: c Explanation: Application teams typically own the deployment perimeter and downstream operations; the vendor owns upstream stages, which you influence via procurement, audits, and contractual representations.

Question 11 (scenario — short)

Walk through the EchoLeak (M365 Copilot, 2025) attack chain and identify which four OWASP LLM Top 10 categories the attack touches.

Answer (any four of): - LLM01 — Prompt Injection (indirect, via crafted email) - LLM02 — Insecure Output Handling (data exfiltrates via markdown rendering) - LLM06 — Sensitive Information Disclosure (tenant data accessed) - LLM08 — Excessive Agency (Copilot uses tenant-scoped tools without intent verification) - LLM05 — Supply Chain (acceptable; depends on how the model was deployed)

Grading: Full credit for any four reasonable mappings with a one-line justification each. The pedagogical point is that real incidents chain across multiple categories.

Question 12 (scenario — short)

You are reviewing the security posture of a RAG system that uses a vendor's API model, an internal Confluence space as the corpus, and text-embedding-3-large for embeddings. The corpus is editable by anyone in the engineering org (200 people).

Identify one critical risk and one defensive control appropriate to it.

Sample answer: Risk: Indirect prompt injection via the corpus — any engineer with Confluence write access (200 people) can plant a payload that the RAG retrieves and executes. Control: Content sanitization on ingestion (strip or escape instruction-shaped content), plus restricting the corpus to a designated subset of pages curated by a smaller team, plus retrieval-time anomaly detection on chunks that contain instruction-like patterns (e.g., "ignore previous instructions", role-redirection).

Grading: Any answer that identifies the corpus-write population as the attack surface and proposes a control at ingest, retrieval, or prompt-construction time. Half credit for identifying the risk without a specific control.

Scoring

  • 12 questions, 1 point each.
  • 70% to pass (9 of 12).
  • LMS auto-grades questions 1–3, 5, 6, 8–10 (multiple choice).
  • Questions 4, 7, 11, 12 are graded by the LMS against the acceptable-variant list above, with manual review available for borderline answers.
  • Two attempts allowed; after two failures the learner is prompted to re-review L1.4 and L1.5 before retaking.