Engineering Series · Course 4 of 6
// Break your own systems before someone else does.

AI Security Engineering.
10,000 trials. 12 attack dimensions. Mapped.

The exploitation surface of AI agents, mapped, measured, and defended. Based on CM's published research: 10,000 trials, 37 conditions, 12 attack dimensions. 9 fully defensible. 1 that isn't. You need to know which.

21 lessons · 5 modules · 5–6 weeks self-paced
Get on the waitlist
€197 one-time · lifetime access
Lifetime access · Self-paced · Built on arXiv 2604.04561 · Full code repo (Apache 2.0)
The gap

Your agent has an attack surface.
You just haven't mapped it yet.

Every AI agent you deploy has an exploitation surface. A set of dimensions along which an adversary (or an accident) can cause it to behave in ways you didn't intend. Most teams don't think about this. They deploy agents, test the happy path, and hope for the best.

Hope is not a security posture.

9 of 12 attack dimensions produced zero exploitation with proper defenses. That is the reassuring part. But goal reframing (getting the agent to pursue a different objective than the one it was given) succeeded 32-40% of the time across multiple configurations. That is the terrifying part. And almost nobody is testing for it.

"AI systems introduce attack surfaces that traditional security doesn't cover."
The exploitation surface · arXiv 2604.04561

10,000 trials. 12 attack dimensions. The map.

Every defense in this course has been tested against these exploitation trials. Not theoretical. Measured and verified across 37 experimental conditions and multiple model configurations.

EXPLOITATION SURFACE · 12 DIMENSIONS · 10,000 trials

Dimension                    Exploitation rate   Status
Direct prompt injection      0%                  DEFENDED
Indirect prompt injection    0%                  DEFENDED
Data exfiltration            0%                  DEFENDED
Token smuggling              0%                  DEFENDED
Role confusion               0%                  DEFENDED
Privilege escalation         0%                  DEFENDED
Memory poisoning             0%                  DEFENDED
Context window overflow      0%                  DEFENDED
Tool abuse                   0%                  DEFENDED
Output manipulation          2-5%                MOSTLY
Chain-of-thought hijacking   3-8%                MOSTLY
Goal reframing               32-40%              ACTIVE
The method

21 lessons. 5 modules.
From attack surface to hardened defenses.

Each module covers a phase of the security engineering process: understand the threat model, reproduce the attacks, build the defenses, red-team your own system.

Module 1 · Primer
"New threats for new systems."

The AI Attack Surface

Why traditional AppSec doesn't protect AI systems. The new threat model: probabilistic attacks on probabilistic systems. OWASP Top 10 for LLM Applications. MITRE ATLAS attack taxonomy. The Three V's revisited through a security lens.

4 lessons
Module 2 · Research
"The exploitation surface."

Prompt Injection & Goal Reframing

Direct prompt injection (overriding system instructions). Indirect prompt injection (Greshake et al.: attacks hidden in retrieved data). Goal reframing as the under-explored attack class: puzzle framing at 32-40%, CTF framing at 32-34%, easter-egg concealment behavior. Model-specific immunity patterns: why GPT-x.1 is categorically immune.

Lab: Reproduce 3 exploitation scenarios in a Docker sandbox
5 lessons
Module 3
"Policy enforcement, not prayer."

Building Guardrails

The guardrails repo: architecture and API. Input guardrails: scanning for injection patterns. Output guardrails: PII detection, policy compliance, content filtering. The policy engine: rules enforced programmatically, not hoped-for in the prompt. Combining guardrails with the E3 governance gate.

Lab: Implement input + output guardrails. Test against Module 2 attacks.
4 lessons
Module 4
"Containment by design."

Permissions & Sandboxing

The agent-auth repo: least privilege for AI. Just-in-time access (temporary permissions that expire). Infrastructure isolation: Docker, gVisor, Firecracker for AI workloads. Network egress allowlists. Blast-radius containment: if one agent is compromised, the damage is bounded.

Lab: Harden the E3 system (RBAC, JIT permissions, sandbox)
4 lessons
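The two ideas that Modules 3 and 4 share, a policy engine that enforces rules in code rather than in the prompt, and least-privilege tool access with just-in-time grants that expire, fit in one small illustration. The block below is an added example written for this page; it is not code from the course or from its guardrails or agent-auth repositories, and every name in it (Policy, JitGrant, authorize_tool_call, scan_output, redact_output, the tool names and hostnames) is a hypothetical stand-in. It checks each tool call against a baseline allowlist, an unexpired JIT grant, and an egress allowlist, and runs a simple PII scan over model output before it leaves the system.

```python
# Added illustration of a programmatic policy engine with JIT grants and an
# egress allowlist. Not the course's code; all names here are hypothetical.
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse


@dataclass
class JitGrant:
    """A just-in-time permission: one tool for one agent, valid until expires_at."""
    agent_id: str
    tool: str
    expires_at: float  # Unix seconds


@dataclass
class Policy:
    """Least-privilege baseline plus time-boxed JIT grants and an egress allowlist."""
    allowed_tools: Dict[str, Set[str]]      # agent_id -> tools always permitted
    egress_allowlist: Set[str]              # hostnames the http_get tool may reach
    grants: List[JitGrant] = field(default_factory=list)

    def grant_jit(self, agent_id: str, tool: str, ttl_seconds: float,
                  now: Optional[float] = None) -> JitGrant:
        """Issue a temporary grant that expires ttl_seconds after `now`."""
        now = time.time() if now is None else now
        grant = JitGrant(agent_id, tool, now + ttl_seconds)
        self.grants.append(grant)
        return grant

    def tool_permitted(self, agent_id: str, tool: str,
                       now: Optional[float] = None) -> bool:
        """True if the baseline or an unexpired JIT grant allows the tool."""
        now = time.time() if now is None else now
        if tool in self.allowed_tools.get(agent_id, set()):
            return True
        # Expired grants are pruned on every check, so none lingers past its TTL.
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.agent_id == agent_id and g.tool == tool for g in self.grants)


def authorize_tool_call(policy: Policy, agent_id: str, tool: str, args: dict,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide a tool call before it runs. The decision comes from the policy
    object, not from anything the model was asked to promise in its prompt."""
    if not policy.tool_permitted(agent_id, tool, now):
        return False, f"tool '{tool}' not permitted for agent '{agent_id}'"
    if tool == "http_get":
        host = (urlparse(args.get("url", "")).hostname or "").lower()
        if host not in policy.egress_allowlist:
            return False, f"egress to '{host or '<none>'}' is not in the allowlist"
    return True, "ok"


# Output guardrail: two constructed PII detectors. A production scanner would use
# a tuned library rather than these regexes; they are here to show the hook point.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def scan_output(text: str) -> List[str]:
    """Return the PII categories found in model output (empty list means clean)."""
    return [name for name, pattern in PII_PATTERNS.items() if pattern.search(text)]


def redact_output(text: str) -> str:
    """Replace detected PII with category tags before the text leaves the system."""
    for name, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text


if __name__ == "__main__":
    policy = Policy(allowed_tools={"support-agent": {"search_kb"}},
                    egress_allowlist={"api.example.internal"})
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    url = {"url": "https://api.example.internal/v1/ticket"}
    print(authorize_tool_call(policy, "support-agent", "http_get", url, now=t0))
    policy.grant_jit("support-agent", "http_get", ttl_seconds=300, now=t0)
    print(authorize_tool_call(policy, "support-agent", "http_get", url, now=t0))
    print(authorize_tool_call(policy, "support-agent", "http_get",
                              {"url": "https://outside.example.net/x"}, now=t0))
    print(authorize_tool_call(policy, "support-agent", "http_get", url, now=t0 + 301))
    sample = "Contact jane.doe@example.com, SSN 123-45-6789."  # constructed output
    print(scan_output(sample), redact_output(sample))
```

The `now` parameter exists so that expiry can be exercised deterministically; in a live system it defaults to the wall clock. The point to notice is that the model never sees the policy and cannot argue with it: a denied call is denied whatever the prompt says.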
Module 5 · Capstone
"Break it, fix it, prove it."

Red-Teaming & Hardened Capstone

Red-teaming methodology for AI systems. Building a red-team protocol: scope, scenarios, scoring, reporting. Take the E3 capstone, red-team it against all 12 dimensions, fix what fails, re-test. The result: a security certification report with before/after exploitation metrics.

4 lessons + capstone
The capstone arc · across the series

One project. Six courses. Six layers.

In E4 your E3 capstone gets security-hardened. The same project carries forward through E5 and E6 into a deployed Enterprise AI Operating System.

E1 · Done · Foundation: Versioned prompts. Multi-model. MCP. GRAIL eval. Logging.
E2 · Done · + Trust: Self-consistency. TrustGate. Reliability guarantees. Drift detection.
E3 · Done · + Governance: 7 services. Platform Protocol. ~15 APIs.
E4 · Now · + Security: Guardrails. Agent Auth. Sandboxing. Red-team tested.
E5 · + Context: Multi-source. RAG. Context Router. RBAC.
E6 · Full Platform: All 4 layers. Org Agents. Intelligence. Desktop Shell.
Prerequisites & tech stack

What you need. What you'll use.

Prerequisites

E1 and E3 completed (E2 recommended but not required), or equivalent experience building accountable AI agents with governance middleware. Comfortable with Python, Docker, and basic security concepts.

Tech stack

Python 3.12, Docker and gVisor for sandboxing, open-source guardrails and agent-auth repos (Apache 2.0). The arXiv paper (2604.04561) annotated and walked through scenario-by-scenario.

Honestly

This is for you if:

  • You deploy AI agents in production and need to secure them
  • You're responsible for the security posture of AI systems
  • You need to red-team your own systems before an adversary does
  • You've completed E1-E3 or have equivalent production AI experience
  • You want research-backed defenses, not checklist security

Don't take this if:

  • You haven't built an AI agent yet. Do E1-E3 first.
  • You want general cybersecurity. This is AI-specific.
  • You're looking for a compliance checklist. This is engineering, not paperwork.
Pricing

One price. Lifetime access.

€197
One-time payment. Lifetime access. All future updates included.
  • 21 lessons across 5 modules (video, written, runnable code)
  • Red-teaming framework with full trial automation
  • Input and output guardrails (production-ready)
  • Goal-reframing detection and security audit template
  • Annotated arXiv 2604.04561 walkthrough and full code repo (Apache 2.0)
3 months in the Engine Room. Where alumni and operators go to get unstuck.
Get on the waitlist
Lifetime access. All future updates included.
FAQ

Before you ask.

The questions we hear most. If yours isn't here, email [email protected].

Is this offensive (red team) or defensive (blue team) — or both?
Both, and in that order. Modules 1–2 map the attack surface (offense). Modules 3–4 build the defense. Module 5 is the red-team-the-defense capstone. You can't defend what you haven't attacked.

Do I need a pentest / cybersecurity background?
Helpful but not required. The attack-surface taxonomy is built from CM's published research (10,000 trials, 12 attack dimensions) — no prior security background assumed. If you have one, you'll go faster.

What's the 'one undefendable attack' the course mentions?
Of the 12 attack dimensions mapped, 9 are fully defensible with the techniques in the course. 1 is not — meaning no current defense reduces it to acceptable risk. The course names it and tells you the operational mitigation (it's not a code fix). Module 1 covers this.

Do I need E3 (Building Accountable AI Agents) first?
Strongly recommended. The guardrails and permissions architecture from E3 is the foundation E4 attacks and hardens. Skipping E3 is possible if you already have an agent platform — but you'll be filling in context.

Tools and stack?
Python, Docker, an LLM API key, and the open-source red-teaming kit that ships with the course (Apache 2.0). No commercial security tools required.

Time commitment?
20–28 hours across 5 modules. The red-teaming capstone is the most demanding — plan a full weekend to run a real attack series.

Can my company pay for this?
Yes, especially for security and platform teams. Invoices issued. Email [email protected] subject 'Reimbursement.'

What's the refund policy?
€197 courses are non-refundable. The Engineering Series bundle (€797) offers a 14-day conditional refund.

Break your own systems
before someone else does.

10,000 trials. 12 attack dimensions. 37 conditions. The map your security posture needs. €197. Lifetime access.

Get on the waitlist
See the full series: The Engineering Series