Lab: Threat model
Produce a real threat model for the Harbor Lane AI: data-flow diagram, trust boundaries, an enumerated threat list mapped to OWASP, and a risk ranking.
Threat modeling is the security engineer's first deliverable on any system: a structured answer to 'what can go wrong, and how bad is it?' You'll produce one for the AI system you bring to this course — the RAG app from Building RAG and/or the agent from Agentic AI, deliberately left un-hardened for these labs. That's your Harbor Lane target throughout, and this threat model is the map that directs every attack and fix in the modules ahead.
Step 1 — Get the target running
- 1Get the target you'll harden all course. Fastest path: use the ready-made vulnerable stack that ships with this course — the Vulnerable Harbor Lane kit (
course-assets/vulnerable-harborlane/): a small support assistant (triage + a tiny RAG + an agent with a refund tool) wired with exactly the holes below. Alternative (bring your own): attack the RAG app you built in Building RAG, the agent you built in Agentic AI, or both wired together — a system you own and understand. Either way you're attacking a system you're authorized to test. - 2Confirm the target is deliberately vulnerable — the holes are left in on purpose so you have something real to break. For the labs ahead it must have no input screening, an over-privileged unlimited refund (or equivalent write) tool, secrets in the system prompt, no output checks, and no audit log. The provided kit already has all five (plus an IDOR-style unauthenticated order lookup); if you bring your own, add each one. Every hole is closed by a later module.
- 3Run one normal request end to end so you understand the intended data flow before you attack it. (For the provided kit: the tools run offline — poke them with
python3 app/tools.py; the live agent loop that demos the injection exploits needs your own Anthropic key.)
The ready-made target lives in course-assets/vulnerable-harborlane/. Its VULNERABILITIES.md is the instructor answer key — each planted hole with its exploit, harm, and the exact module that fixes it — so resist reading it until after you've threat-modeled and attacked on your own. The structural vulnerabilities are provable offline with no key: python3 tests/test_vulns.py asserts each one is present (the 'before' state you'll later flip to prove your fix). The end-to-end injection exploits — the model actually obeying a poisoned review or leaking its system prompt — need your own Anthropic key, and are shipped correct-by-construction, not executed. The one 'secret' in the kit is a clearly-labeled fake placeholder, planted to demonstrate the secrets-in-prompt vulnerability.
Step 2 — Draw the data-flow diagram
- 1Sketch every component and the arrows between them: user → triage → RAG (→ doc corpus) → agent (→ tools → order DB, refund API, ticket system).
- 2Mark every input channel on the diagram (direct message, retrieved docs, tool results, memory) — the Module-1 attack surface, made visual.
- 3Draw the trust boundaries as lines the data crosses: untrusted→model, model→code, model→action, action→real system.
Step 3 — Enumerate threats
- 1For each input channel and boundary, list concrete threats: 'a product review in the corpus contains injection → agent obeys it → issues a refund'; 'a user asks the chatbot to repeat its system prompt'; 'the agent's DB tool has write access it doesn't need'.
- 2Tag each threat with its OWASP category (injection, disclosure, excessive agency, improper output handling…). The tag connects your specific finding to the shared map and the known defenses.
- 3Aim for 10–15 threats. Breadth now; depth in the later modules.
Step 4 — Rank by risk
- 1Score each threat: likelihood (how easily could an attacker reach it?) × impact (blast radius at that boundary — data exposed? money moved? irreversible?).
- 2Sort. The top of this list is your work order for the whole course — you'll attack and fix in risk order, exactly as a real assessment would.
- 3Save
THREAT-MODEL.md. It's living: every attack you land and every fix you ship updates it, and it becomes the backbone of your capstone report.
In the workbook: a data-flow diagram for a healthcare-intake AI. Enumerate its threats, map each to OWASP, and rank by risk — then identify the single trust boundary whose compromise would be catastrophic and explain why it dominates the ranking.