Course Code: VCA-AI-101
Track position: Part-III AI & Agentic Security Track, Module 1 of 3
Prerequisites: VCA-SEC-101 (Security Fundamentals) or equivalent; familiarity with HTTP, JSON, and basic Python (SEC-101 Python track or equivalent). Burp Suite Community install assumed.
Belt: 3/5 Practitioner
Duration: ~10 weeks (~110 hr: ~20 lec / ~40 lab / ~50 indep)
Credential: VCA-AI-101 Certificate of Completion
Mission
AI-101 gives the security practitioner a working mental model of LLMs as attack surface, builds the vocabulary to read OWASP LLM and ASI advisories fluently, and delivers hands-on lab contact with every major attack class before AI-201 deepens them. A student who finishes AI-101 can triage an OWASP LLM Top 10 finding in a bug report, reproduce a real LangChain CVE end-to-end, run garak + PyRIT against a local model, and write a defender-grade threat model for an open-source agentic application.
The security spine is the OWASP LLM Top 10 (2025 list) and the OWASP ASI (Agentic-System) Top 10 (2026 list). Every module is anchored to at least one entry from each list.
The lab substrate is Pyodide in-browser Python where possible (proven live by the §11.9 workbench REPL) plus a cloud-GPU pathway (Google Colab / Kaggle Kernels / HuggingFace Spaces) for heavier fine-tune and model-load work.
Foundational Anchors
Primary pair:
| Anchor | Track role | Availability |
|---|---|---|
| Andrej Karpathy, Neural Networks: Zero to Hero (YouTube + GitHub, 2022-2024) | Build-it-yourself companion; micrograd (Module 1 opt-in) + makemore (Module 3) + nanoGPT (Module 9 forward-ref); grounds the transformer internals that keep the attack reasoning in Modules 2-9 concrete rather than hand-wavy | Free; github.com/karpathy/nn-zero-to-hero |
| Melanie Mitchell, Artificial Intelligence: A Guide for Thinking Humans (FSG, 2019) | Narrative anchor: calibrated skepticism, historical arcs, bias + fairness intro; Chapters 1-6 woven across Modules 1-5 | Library-acquire or paperback |
Forward-pointer (AI-301 weight):
| Anchor | When introduced |
|---|---|
| Brian Christian, The Alignment Problem: Machine Learning and Human Values (Norton, 2020) | Module 10 capstone discussion; full weight lands in AI-301 |
Petzold note: Petzold CODE is the CSA-track anchor; it does not appear in AI-101.
Module Map
| Module | OWASP LLM Top 10 (2025) + ASI Top 10 (2026) anchor | Lecture | Lab | Indep |
|---|---|---|---|---|
| 1 | Course intro + LLM black-box mental model | 2 hr | 2 hr | 4 hr |
| 2 | LLM01:2025 Prompt Injection / ASI01:2026 Agent Goal Hijack | 2 hr | 4 hr | 5 hr |
| 3 | LLM02:2025 Sensitive Information Disclosure / ASI06:2026 Memory Poisoning | 2 hr | 4 hr | 5 hr |
| 4 | LLM03:2025 Supply Chain / ASI04:2026 Agentic Supply Chain | 2 hr | 3 hr | 5 hr |
| 5 | LLM04:2025 Data & Model Poisoning + LLM05:2025 Improper Output Handling | 2 hr | 4 hr | 5 hr |
| 6 | LLM06:2025 Excessive Agency / ASI02:2026 Tool Misuse | 2 hr | 4 hr | 5 hr |
| 7 | LLM07:2025 System Prompt Leakage + LLM08:2025 Vector & Embedding Weaknesses | 2 hr | 3 hr | 5 hr |
| 7.5 | Automated AI red-team tooling: garak / PyRIT / Lakera Guard | 1 hr | 3 hr | 3 hr |
| 8 | CVE-2025-65106: LangChain Jinja2 SSTI -- signature lab | 2 hr | 4 hr | 5 hr |
| 9 | LLM09:2025 Misinformation + LLM10:2025 Unbounded Consumption + EchoLeak | 2 hr | 4 hr | 5 hr |
| 10 | Capstone: Defender-style AI-system threat model (LangChain agent) | 1 hr | 5 hr | 8 hr |
| Total | | 20 hr | 40 hr | 50 hr (= 110 hr) |
Lab Index
| Lab | Module | Title | Substrate | Points |
|---|---|---|---|---|
| 1 | 1 | SDK Workbench: First 10 Prompts + Cost Discipline | Pyodide in-browser | 5 |
| 2 | 2 | Direct + Indirect Prompt Injection | Pyodide + local Ollama | 10 |
| 3 | 3 | Training Data Leak + PII Canary Detection | Pyodide in-browser | 10 |
| 4 | 4 | Supply Chain Audit: HuggingFace Model Card + Pickle Risk | Pyodide + HF API | 8 |
| 5 | 5 | Poisoned Fine-Tune Detection + Reflected XSS via LLM Output | Colab / Kaggle | 10 |
| 6 | 6 | Excessive Agency: Function-Calling Exploit | Pyodide in-browser | 10 |
| 7 | 7 | System Prompt Extraction + RAG Poisoning Primer | Pyodide in-browser | 8 |
| 7.5 | 7.5 | garak Probe Run + PyRIT Crescendo + Gandalf Challenge | Local + HF Spaces | 8 |
| 8 | 8 | CVE-2025-65106 Reproduction: LangChain SSTI | Pyodide in-browser | 12 |
| 9 | 9 | Token-Spam DoS + EchoLeak Case Study Discussion | Pyodide + written | 10 |
| 10 | 10 | Capstone: Threat Model Report | Written + Pyodide | 20 |
| Total | | | | 111 pts |
OWASP LLM Top 10 (2025) Reference
| # | Entry | AI-101 Module |
|---|---|---|
| LLM01:2025 | Prompt Injection | 2 |
| LLM02:2025 | Sensitive Information Disclosure | 3 |
| LLM03:2025 | Supply Chain | 4 |
| LLM04:2025 | Data and Model Poisoning | 5 |
| LLM05:2025 | Improper Output Handling | 5 |
| LLM06:2025 | Excessive Agency | 6 |
| LLM07:2025 | System Prompt Leakage | 7 |
| LLM08:2025 | Vector and Embedding Weaknesses | 7 |
| LLM09:2025 | Misinformation | 9 |
| LLM10:2025 | Unbounded Consumption | 9 |
ASI Top 10 (2026) Reference
| # | Entry | AI-101 Coverage |
|---|---|---|
| ASI01:2026 | Agent Goal Hijack | Module 2 (cross-reference) |
| ASI02:2026 | Tool Misuse and Exploitation | Module 6 |
| ASI03:2026 | Identity and Privilege Abuse | Module 6 (intro); AI-201 deep dive |
| ASI04:2026 | Agentic Supply Chain Vulnerabilities | Module 4 |
| ASI05:2026 | Unsafe Termination / Runtime Failures | Module 6 |
| ASI06:2026 | Memory and Context Poisoning | Module 3 + 7 |
| ASI07:2026 | Goal Drift and Emergent Behavior | Module 9 |
| ASI08:2026 | Cascading Failures in Multi-Agent Chains | Module 7 |
| ASI09:2026 | Human-Agent Trust Exploitation | Module 9 |
| ASI10:2026 | Rogue Agents and Behavioral Drift | Module 9 |
Tool Journal -- AI-101 Originations
The Toolchain Diary entries generated by this course:
| Tool | Category | First met |
|---|---|---|
| Pyodide | In-browser Python runtime | Lab 1 |
| OpenAI Python SDK | LLM API client | Lab 1 |
| Anthropic Python SDK | LLM API client | Lab 1 |
| tiktoken | Token counting + cost estimation | Lab 1 |
| Ollama | Local model serving | Lab 2 |
| LangChain | Agent orchestration framework | Lab 2 |
| HuggingFace transformers | Model loading + inference | Lab 4 |
| safetensors | Safe model serialization format | Lab 4 |
| Burp Suite (AI intercept workflow) | HTTP proxy for LLM API intercept | Lab 4 |
| garak | LLM vulnerability scanner (NVIDIA) | Lab 7.5 |
| Microsoft PyRIT | AI red-team automation framework | Lab 7.5 |
| Lakera Guard | Runtime prompt-injection defense | Lab 7.5 |
| pickle (and why not to trust it) | Unsafe deserialization reference | Lab 4 |
| Colab / Kaggle Kernels | Cloud-GPU Python environment | Lab 5 |
| LangChain PromptTemplate (patched) | Template injection CVE study | Lab 8 |
| NVIDIA RAMPART / Clarity | Agentic safety CI/CD tools | Module 7.5 lecture |
Assessment
| Component | Points | % |
|---|---|---|
| Labs (11 labs; Lab 10 = capstone) | 111 | ~52% |
| Written assignments (threat-model, EchoLeak 1-pager, OWASP mapping) | 60 | ~28% |
| Participation + Toolchain Diary entries (8 required) | 20 | ~9% |
| Module quizzes (10 auto-graded; 5 pts each) | 50 | ~23% |
| Raw total | 241 | |
Letter-grade thresholds: A >= 90%, B >= 80%, C >= 70%, F < 70%. Note: graded to 100% basis; see INSTRUCTOR-GUIDE.md for scaling.
Weighted assessment (per vca-ai-101.html public page):
- Attack-defense reasoning (labs + quizzes): 40%
- Written communication (written assignments + Diary): 30%
- CVE-disclosure awareness (CVE-specific lab write-ups + threat model): 30%
Learning Outcomes
- Remember. State all 10 entries of the OWASP LLM Top 10 (2025) and the parallel ASI Top 10 (2026) without consulting a reference.
- Understand. Explain why prompt injection occupies the #1 slot and why Excessive Agency is structurally different from the classic OWASP Top 10 web-app risk list.
- Apply. Reproduce a direct and an indirect prompt injection attack in a local agentic chatbot environment and document root cause.
- Apply. Run garak and PyRIT against a local model and interpret their output reports.
- Analyze. Read the CVE-2025-65106 advisory, reproduce the SSTI PoC, map the root cause to OWASP LLM03/LLM04, and evaluate the patch.
- Evaluate. Write a structured threat model for an open-source LangChain agent, mapping each risk to its OWASP entry, exploitability, and proposed mitigation.
- Evaluate. Describe the EchoLeak exploit chain (indirect prompt injection + IDOR + exfiltration) and the structural mitigations that stopped it.
- Create. Identify the correct evaluation framework for comparing LLMs across a multi-model trial (D8 ollama-trial methodology: 9 models, 47 sessions, 3-tier scoring) and apply it to a small-scale comparison exercise.
Prerequisites Readiness Check
See SETUP.md for the full readiness checklist. Minimum:
- Python 3.10+ installed
- At least one API key (OpenAI or Anthropic)
- Burp Suite Community installed
- Ollama installed (for Lab 2)
- Access to Google Colab or Kaggle (for Lab 5)