DecipherU · Course 5

AI Security Engineering

The cybersecurity course for engineers defending production AI systems.

AI Security Engineering is a 16-module cybersecurity course for security engineers building and hardening LLM applications in production. The course synthesizes MITRE ATLAS, OWASP LLM Top 10, NIST AI 100-2 adversarial ML taxonomy, Anthropic Constitutional AI and RSP, OpenAI Preparedness Framework, and the adversarial ML research canon (Goodfellow, Madry, Carlini, Greshake). Approximately 65 to 80 hours of structured study plus a 30 to 50 hour AI red team engagement reviewed by Julian Calvo, Ed.D., M.S.

Course trailer

Founder-recorded preview ships before first-cohort kickoff.

Course author

Julian Calvo, Ed.D., M.S.

Founder of DecipherU. Combined background in education research, software engineering, and applied AI infrastructure, focused on the cybersecurity-AI convergence segment. Reviews every capstone with a security co-reviewer who has frontier-lab background where available.

What you will learn

After the course you can design, attack, and defend production AI systems with the rigor expected at frontier labs and AI-first companies.

Threat-model an LLM application end to end
Apply STRIDE adapted for AI, map threats to MITRE ATLAS tactics and techniques, and cross-reference the OWASP LLM Top 10. Produce a threat model an engineering team can act on.
Detect and mitigate every prompt injection variant
Direct injection, indirect injection, multi-modal injection, and multi-step agent injection. Build detection pipelines and mitigation layers referenced in OWASP LLM01 and the Greshake et al. indirect injection canon.
Implement adversarial-example attacks and defenses
Code FGSM, PGD, and C&W attacks against production classifiers following Goodfellow et al. and Madry et al. Implement adversarial training and certified robustness defenses with measured robustness guarantees.
Build production AI security infrastructure
Design and deploy the full stack: input validation gateway, output classifier (Llama Guard, ShieldGemma), NeMo Guardrails integration, audit log, and kill switch. Infrastructure that survives a security review.
Run an AI red team campaign with severity ratings
Scope, plan, execute, and report a full AI red team engagement. CVSS-style severity rating adapted for AI failure modes. Reproducer prompts, evidence, and prioritized remediation recommendations.
Defend against AI-enabled attacks
Detect and counter deepfake business email compromise, AI-assisted spear phishing, polymorphic AI-generated malware, and AI-driven reconnaissance. Build detection heuristics that work at enterprise scale.
Operationalize the production AI security observability stack
SLAs for AI security monitoring, incident response at frontier-lab scale, vendor security assessment for AI vendors, and model drift detection as a security signal.
Pass a frontier-lab AI security engineering interview loop
Threat modeling exercises, ML fundamentals questions (adversarial robustness, model extraction, training data attacks), system design for AI security, and behavioral dimensions. Practiced with the AI interview simulator in Module 15.

Curriculum

Sixteen modules cover the full discipline: AI security engineering fundamentals, threat modeling, prompt injection, jailbreaks, adversarial examples, training data attacks, model extraction, AI security infrastructure, agent security, AI red teaming, safety mechanisms, defending AI-enabled attacks, regulated industry AI security, production AI security at scale, and frontier lab interview preparation. Module 16 is a complete AI red team engagement capstone reviewed by the founder and a security co-reviewer.

01Module 1 — AI security engineering as a discipline4 lessons

Lesson 1.1 — The AI security engineering landscapeFree preview30 min
Lesson 1.2 — What's different about securing AI systemsFree preview30 min
Lesson 1.3 — The AI security engineering role at frontier labs vs enterprise28 min
Lesson 1.4 — Career paths and opportunities25 min

02Module 2 — AI threat modeling6 lessons

Lesson 2.1 — Why AI systems need their own threat model45 min
Lesson 2.2 — STRIDE adapted for AI: ML-specific threat categories50 min
Lesson 2.3 — MITRE ATLAS: tactics, techniques, and case studies50 min
Lesson 2.4 — OWASP LLM Top 10 as a threat catalog45 min
Lesson 2.5 — NIST AI RMF and the adversarial ML taxonomy45 min
Lesson 2.6 — Building and communicating the threat model55 min

03Module 3 — Prompt injection: the foundational vulnerability4 lessons

Lesson 3.1 — Prompt injection: taxonomy and structural causes45 min
Lesson 3.2 — Direct prompt injection attacks50 min
Lesson 3.3 — Indirect prompt injection attacks50 min
Lesson 3.4 — Multi-modal and multi-agent prompt injection45 min

04Module 4 — Jailbreaks and refusal training5 lessons

Lesson 4.1 — What jailbreaks are and why they work40 min
Lesson 4.2 — Jailbreak taxonomy: manual, automated, and transferable attacks45 min
Lesson 4.3 — How refusal training works: RLHF and Constitutional AI50 min
Lesson 4.4 — Why refusal training fails: the Wei et al. analysis40 min
Lesson 4.5 — Building and evaluating a refusal training pipeline55 min

05Module 5 — Adversarial examples and evasion attacks6 lessons

Lesson 5.1 — The adversarial example phenomenon: Szegedy, Goodfellow, and the linearization hypothesis45 min
Lesson 5.2 — FGSM and its variants: the gradient sign attack family45 min
Lesson 5.3 — PGD: Madry et al. and the saddle-point formulation50 min
Lesson 5.4 — Carlini-Wagner and evaluating defenses under strong attack45 min
Lesson 5.5 — Transferability: black-box attacks and cross-model exploitation45 min
Lesson 5.6 — Defenses: adversarial training, certified robustness, and avoiding obfuscated gradients55 min

06Module 6 — Training data attacks5 lessons

Lesson 6.1 — Poisoning attacks: theory, taxonomy, and history52 min
Lesson 6.2 — Backdoor attacks and trigger injection48 min
Lesson 6.3 — Poisoning web-scale training pipelines44 min
Lesson 6.4 — Extracting training data from deployed models40 min
Lesson 6.5 — Defenses: data auditing, differential privacy, deduplication, and provenance46 min

07Module 7 — Model extraction and IP protection4 lessons

Lesson 7.1 — Model extraction attacks: mechanics and threat model42 min
Lesson 7.2 — High-fidelity extraction and the adversary's toolkit40 min
Lesson 7.3 — Watermarking, fingerprinting, and proof of extraction38 min
Lesson 7.4 — Defenses, legal frameworks, and confidential computing40 min

08Module 8 — Building AI security infrastructure6 lessons

Lesson 8.1 — The AI security infrastructure stack40 min
Lesson 8.2 — Input validation and prompt classifiers55 min
Lesson 8.3 — Output validation and content filtering50 min
Lesson 8.4 — Audit logging for AI systems45 min
Lesson 8.5 — Kill switches and circuit breakers40 min
Lesson 8.6 — Operational monitoring and alerting45 min

09Module 9 — Securing AI agents6 lessons

Lesson 9.1 — The agent security problem45 min
Lesson 9.2 — Sandboxing and execution isolation55 min
Lesson 9.3 — Capability scoping and least privilege50 min
Lesson 9.4 — Prompt injection in agentic contexts55 min
Lesson 9.5 — Action confirmation and human-in-the-loop45 min
Lesson 9.6 — Agent behavior monitoring and kill switches50 min

10Module 10 — AI red teaming6 lessons

Lesson 10.1 — What AI red teaming is and is not45 min
Lesson 10.2 — Scoping, rules of engagement, and threat modeling for AI red team50 min
Lesson 10.3 — Manual red teaming techniques: prompt injection, jailbreaks, and multi-turn attacks55 min
Lesson 10.4 — Automated red teaming: Garak, LLM-vs-LLM, and custom harnesses55 min
Lesson 10.5 — Cybersecurity attack chains: data exfiltration, SSRF, and agent hijacking60 min
Lesson 10.6 — Findings documentation, CVSS-style severity scoring, and remediation planning50 min

11Module 11 — AI safety mechanisms5 lessons

Lesson 11.1 — Why safety mechanisms exist and how they fail40 min
Lesson 11.2 — Input classifiers: Llama Guard, ShieldGemma, and custom classifiers55 min
Lesson 11.3 — Output classifiers and content filtering pipelines50 min
Lesson 11.4 — Refusal training: Constitutional AI, RLHF, and validation55 min
Lesson 11.5 — Kill switches, circuit breakers, and Responsible Scaling Policies50 min

12Module 12 — Defending against AI-enabled attacks5 lessons

Lesson 12.1 — AI-generated phishing: detection and defense50 min
Lesson 12.2 — Deepfake-led social engineering and BEC50 min
Lesson 12.3 — AI-assisted polymorphic malware45 min
Lesson 12.4 — Defensive AI: using AI to fight AI-enabled attacks45 min
Lesson 12.5 — Measuring and improving your AI-attack defense posture40 min

13Module 13 — AI security for regulated industries5 lessons

Lesson 13.1 — The regulated AI security landscape40 min
Lesson 13.2 — AI security in healthcare: HIPAA, FDA, and patient safety50 min
Lesson 13.3 — AI security in financial services: SR 11-7, NYDFS, and model risk50 min
Lesson 13.4 — AI security in education and employment: FERPA, EEOC, and NYC Local Law 14445 min
Lesson 13.5 — Multi-jurisdictional compliance: EU AI Act, ISO/IEC 42001, and building a cross-sector control set50 min

14Module 14 — Production AI security at scale5 lessons

Lesson 14.1 — Capacity controls and rate limiting for LLM products at scale48 min
Lesson 14.2 — Continuous eval pipelines in production52 min
Lesson 14.3 — Kill-switch architecture and graceful degradation46 min
Lesson 14.4 — Observability, telemetry, and anomaly detection at scale50 min
Lesson 14.5 — SRE patterns for AI security incidents44 min

15Module 15 — Frontier lab security engineering interviews4 lessons

Lesson 15.1 — How frontier labs hire for security engineering40 min
Lesson 15.2 — Threat-modeling interviews: ATLAS vocabulary and live problem-solving46 min
Lesson 15.3 — Hands-on red-teaming interviews and live attack design48 min
Lesson 15.4 — Systems design and behavioral interviews for frontier labs46 min

16Module 16 — Capstone: AI red team engagement1 lessons

Capstone Rubric — AI red team engagement15 min

Methodology synthesis

The course maps every concept to its source so practitioners know where a technique comes from, not just what it is. Eight frameworks and research threads, made explicit.

Methodology	What it contributes
MITRE ATLAS	Adversarial threat landscape for AI systems. Tactics, techniques, and real-world AI attack case studies. The mapping backbone for AI threat models in this course.
OWASP LLM Top 10 + ML Security Top 10	LLM01 through LLM10 (prompt injection, training data poisoning, model theft, excessive agency, and more) plus the ML Security Top 10 for classical ML systems. The practitioner's attack catalog.
NIST AI 100-2 (Adversarial ML Taxonomy)	Vassilev et al. taxonomy of adversarial ML attacks: evasion, poisoning, privacy, and abuse. The academic-to-practitioner bridge the course builds on.
Anthropic Constitutional AI + RSP	How Constitutional AI works as a safety mechanism, what the Responsible Scaling Policy commits to, and what security engineers implement in practice at Anthropic-style frontier labs.
OpenAI Preparedness Framework	How OpenAI structures safety evaluations, red teaming before deployment, and catastrophic risk assessment. The governance layer security engineers operate inside at frontier labs.
Adversarial ML research (Goodfellow, Madry, Carlini)	FGSM (Goodfellow et al.), PGD and adversarial training (Madry et al.), C&W attacks and certified robustness (Carlini et al.). The mathematical foundations with hands-on implementation.
Prompt injection canon (Greshake, Willison, Goodside)	Greshake et al. on indirect prompt injection, Simon Willison's systematic catalog of injection patterns, Riley Goodside's adversarial prompt research. The practitioner literature that frames Module 3.
Production AI security stack	Llama Guard, ShieldGemma, NeMo Guardrails, AWS Bedrock Guardrails, Apollo Research and METR on AI deception detection. The infrastructure layer that separates academic knowledge from production security.

Who the cybersecurity AI Security Engineering course is for

The AppSec engineer asked to harden the company's first LLM product

Your organization just shipped an LLM-backed product and security owns the review. Your existing AppSec skills apply to maybe 40% of the threat surface. This course covers the other 60%: prompt injection, model behavior under adversarial input, output validation, and the guardrail infrastructure your team needs to build.

The red teamer transitioning to AI red teaming

You know how to find vulnerabilities in traditional systems. AI red teaming adds prompt injection chains, jailbreak development, adversarial example construction, and model extraction to your toolkit. Module 10 builds the complete AI red team methodology. The capstone is a full engagement you can show in interviews.

The security engineering candidate targeting Anthropic, OpenAI, or DeepMind security roles

Frontier labs hire security engineers who understand both ML systems and adversarial ML research. Module 15 covers exactly what those interview loops test. The capstone produces a red team engagement you can discuss at depth. The methodology synthesis gives you the vocabulary to engage with the research these teams publish.

Prerequisites

This is a graduate-level technical course. The prerequisites are not suggestions.

Required

Intermediate Python (you can write a working script without looking up syntax)
Security engineering fundamentals: at least one of OSCP, OSED, GPEN, SAR, or equivalent applied offensive/defensive experience
Comfort reading academic or technical papers (you will read excerpts from Goodfellow et al., Madry et al., Greshake et al.)
Willingness to commit roughly 65 to 80 hours of study plus a 30 to 50 hour capstone

Recommended

Familiarity with at least one ML library (PyTorch, TensorFlow, or Hugging Face Transformers at a working level)
Some history with offensive security: bug bounty, CTF, pentesting, or red team work
Exposure to an LLM API (OpenAI, Anthropic, Google Gemini) at the API level, not just via chat UI
A target system for your capstone: a work project, open-source AI application, or the simulated target provided

Reviews

First cohort enrollment opens Q2 2026. Reviews from practitioners who complete the capstone will appear here once the first cohort finishes. Approved capstones in the top tier become anonymized case studies (with explicit permission).

Frequently asked questions

What makes AI security engineering different from traditional application security?

Traditional AppSec assumes deterministic code. AI systems introduce probabilistic outputs, natural language attack surfaces, training data as an attack vector, and model behavior that shifts under adversarial input. Prompt injection has no direct analog in SAST/DAST tooling. Adversarial examples exploit the geometry of the model's learned representations. The threat model is fundamentally different, which changes what you build, test, and monitor.

How does OWASP LLM Top 10 differ from the standard OWASP Top 10?

The standard OWASP Top 10 covers web application vulnerability classes (injection, broken auth, IDOR, etc.). The OWASP Top 10 for LLM Applications covers AI-specific failure modes: prompt injection (LLM01), insecure output handling, training data poisoning, model denial of service, supply chain vulnerabilities, sensitive information disclosure, insecure plugin design, excessive agency, overreliance, and model theft. Many items have no equivalent in traditional web security.

Do I need ML expertise to take this cybersecurity course?

Intermediate Python and security-engineering fundamentals are required. You do not need to have trained models from scratch. The course teaches the ML concepts that security engineers need: what a model's learned representation is, why adversarial examples exist geometrically, how fine-tuning changes model behavior, and how guardrail classifiers work. Familiarity with one ML library (PyTorch, TensorFlow, or Hugging Face) is recommended but not required on day one.

How does this compare to SANS SEC547 or OffSec AI security courses?

SEC547 is a solid foundation course covering AI security concepts in a SANS-style format. This course goes deeper into adversarial ML research (FGSM, PGD, C&W attacks with hands-on implementation), frontier lab practices (Anthropic Constitutional AI, RSP, OpenAI Preparedness Framework), and production AI security infrastructure (Llama Guard, ShieldGemma, NeMo Guardrails). The capstone is a full AI red team engagement, not a certification exam. The audiences overlap but the depth and the frontier-lab framing are different.

Does the credential from this cybersecurity course carry weight in frontier-lab interviews?

The credential signals that you completed a 65 to 80 hour course, passed technical knowledge checks at 80%, and delivered a reviewed AI red team engagement. That is evidence, not a shortcut. Frontier lab hiring teams at Anthropic, OpenAI, and Google DeepMind evaluate depth. Module 15 covers what those interviews actually test: threat modeling, ML fundamentals, system design for AI security, and behavioral. The credential will not substitute for that preparation, but it structures your study well.

How long does the AI Security Engineering course take?

Self-paced. Roughly 65 to 80 hours of structured study across 15 modules plus a 30 to 50 hour capstone deliverable. Most practitioners finish modules in 10 to 14 weeks at 5 to 7 hours per week, then submit the capstone for founder and security co-reviewer review.

What hands-on labs are included?

Every technical module includes a build exercise. Representative examples: implement FGSM and PGD attacks against a target classifier then implement adversarial training defenses; build a full input validation, output validation, and monitoring stack for an LLM-backed application; build a code-executing agent with sandboxing, capability boundaries, and a kill switch; run a prompt injection lab against direct, indirect, and multi-modal injection vectors. All exercises include tested code, ethical use rules, and grading rubrics.

What if I enrolled but the course is harder than expected?

Fourteen-day full refund from purchase. Email support@decipheru.com with your order number. After 14 days, refunds are evaluated case by case. If the course is harder than expected but you want to complete it, the course community and founder office hours are there to bridge gaps.

What if my Python or security background does not meet the prerequisites?

The required prerequisites are intermediate Python and at least one applied security credential or equivalent experience (OSCP / OSED / GPEN / SAR or similar). If you are missing Python depth, a Python for security engineers module is planned as a free prerequisite. If you lack security fundamentals, the Cybersecurity Sales Mastery or SOC Analyst Fundamentals courses build general context, but applied security experience is genuinely required for this course to land.

How does the course stay current as AI models and attack techniques change?

The methodology citations (OWASP LLM Top 10, MITRE ATLAS, NIST AI 100-2) are versioned and updated when the source frameworks release new versions. Module content tied to specific model behaviors (guardrail classifiers, jailbreak variants, model extraction techniques) is reviewed every 90 days and flagged in the admin content health system when citations are older than 12 months. Enrolled practitioners get notified of material updates.

Related cybersecurity courses

AI Security Operations Mastery

The SOC-track counterpart to this course. Covers AI-augmented detection, AI-powered threat intelligence, and AI SecOps tooling. Pair for end-to-end coverage.

$497 (bundled $797)

AI Engineering Mastery

The engineering foundation. RAG, fine-tuning, evaluation frameworks, agent architectures. Understanding what you are securing makes the security work sharper.

$597 (bundled $797)

AI Governance and Risk

The governance angle: NIST AI RMF, EU AI Act, model risk management, and the organizational structures that security engineers operate inside.

$497

Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.

Last verified: April 2026?Report an inaccuracy