
Module 2 — AI Security Foundations for ML Engineers

Duration: ~3.5 hrs · Status: Mandatory
Lessons: 18 total — 14 theory (each ≤ 5 min video) · 2 labs (1 mandatory · 1 optional) · quiz · summary
Framework coverage: introduces every framework that later modules reference — OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, EU AI Act

Module outcomes

By the end of this module, the learner can:

  1. Threat-model an AI/LLM system using STRIDE-adapted-for-AI and attack-tree techniques, producing a written threat model artifact.
  2. Map the AI attack surface across five planes — model, data, infrastructure, application, supply chain — and place specific attacks at the right plane.
  3. Use MITRE ATLAS to look up adversary techniques by tactic, read ATLAS case studies, and reference techniques by ID in their own findings.
  4. Recall the OWASP Top 10 for LLM Applications and recognize at least one concrete attack example for each entry.
  5. State the four NIST AI RMF functions, recognize the EU AI Act risk tiers, and identify which obligations apply to a given AI system.

Lesson list

Threat modeling for AI (~9 min total)

  • L2.1.1 — Threat modeling fundamentals reviewed (Theory, ~4 min, mandatory)
  • L2.1.2 — STRIDE adapted for AI systems (Theory, ~5 min, mandatory)

The AI attack surface (~14 min total)

  • L2.2.1 — Mapping the AI attack surface — the five planes (Theory, ~4 min, mandatory)
  • L2.2.2 — Model & data planes in depth (Theory, ~5 min, mandatory)
  • L2.2.3 — Application, agent & supply-chain planes in depth (Theory, ~5 min, mandatory)

MITRE ATLAS deep dive (~14 min total)

  • L2.3.1 — What ATLAS is and how it relates to ATT&CK (Theory, ~4 min, mandatory)
  • L2.3.2 — ATLAS tactics — the kill-chain for AI (Theory, ~5 min, mandatory)
  • L2.3.3 — Reading ATLAS techniques and case studies (Theory, ~5 min, mandatory)

OWASP Top 10 for LLM Applications (~18 min total)

  • L2.4.1 — OWASP LLM Top 10 — overview and how it differs from web-app Top 10 (Theory, ~4 min, mandatory)
  • L2.4.2 — LLM01–LLM03: prompt injection, insecure output, training data poisoning (Theory, ~5 min, mandatory)
  • L2.4.3 — LLM04–LLM07: DoS, supply chain, sensitive info, system prompt leak (Theory, ~5 min, mandatory)
  • L2.4.4 — LLM08–LLM10: excessive agency, overreliance, model theft (Theory, ~4 min, mandatory)

NIST AI RMF + EU AI Act (~14 min total)

  • L2.5.1 — NIST AI RMF — what it is and when you reach for it (Theory, ~4 min, mandatory)
  • L2.5.2 — NIST AI RMF — Govern, Map, Measure, Manage (Theory, ~5 min, mandatory)
  • L2.5.3 — EU AI Act — risk tiers and obligations (Theory, ~5 min, mandatory)

Labs

  • L2.6 — Threat-model the Module 1 RAG app (Lab, ~60 min, mandatory)
  • L2.7 — Risk-tier a portfolio of fictional AI features under the EU AI Act (Lab, ~30 min, optional)

Wrap-up

  • Quiz — 12 questions, 70% to pass (~10 min, mandatory)
  • Summary — bridge to Module 3 (~3 min, mandatory)

Why this module exists

Module 1 gave the learner the AI substrate. Module 2 layers the security framing on top. By design, this module is the conceptual bridge between "I now understand what an LLM is" and "I can now go attack one in Module 3." The mandatory lab (L2.6) is the deliverable that proves both: a written threat model of the RAG app the learner built in L1.7, in a format that holds up under review by a senior engineer.

This is also the module where every framework the rest of the course references — OWASP, ATLAS, NIST, EU AI Act — gets its first deep contact. Every lesson from here through Module 8 will tag back to one of them.

What's next

Module 3 — Prompt Injection & LLM Application Attacks. We turn the threat model you wrote in L2.6 into a red-team plan, then execute it against the RAG app. Four mandatory labs in M3, two optional. This is the biggest module in the course.