OWASP for LLMs
The field's shared vocabulary of AI risk: the OWASP LLM Top 10, why AI security is different from app security, and the risks you'll spend this course defending.
Across this track you built AI systems and, at every step, met a security caveat — 'watch for injection', 'this data leaves your machine', 'never put the refund limit in a prompt'. This course collects those caveats into a discipline. It assumes you've built a RAG app or an agent, because you can only secure a system you understand — and you're about to attack the very systems you built.
Why AI security is its own discipline
Traditional application security assumes a clean line between code (trusted, written by you) and data (untrusted, from users). AI systems demolish that line: the model reads instructions and data in the same channel, natural language, and can't reliably tell which is which. A support email isn't just data to be processed — it's text the model reads and may obey. That single fact — instructions and data share a channel — is the root of most AI-specific vulnerabilities, and nothing in classic appsec prepares you for it.
The OWASP LLM Top 10 (the shared map)
The security community's reference is the OWASP Top 10 for LLM Applications (2025) — the field's common vocabulary. You don't need to memorize the list, but you need the map, because it names what you're defending against:
- Prompt injection — untrusted text hijacking the model's behavior. The signature AI vulnerability; Module 2 is entirely this.
- Sensitive information disclosure — the model leaking PII, secrets, or other users' data. Module 3.
- Supply chain — a compromised model, dependency, dataset, or fine-tune weight entering your system from an untrusted source. Module 4.
- Excessive agency — an agent with more permission, tools, or autonomy than its task needs, so a small compromise becomes a large one. This is also where an over-powered or over-trusted tool/plugin the agent can abuse now lives. Modules 4–5.
- Improper output handling — trusting model output as safe to execute, render, or act on (the model says
<script>and your app runs it). Module 5. - Vector & embedding weaknesses — attacks on the RAG layer itself: poisoned or leaky embeddings, cross-tenant retrieval, inversion of stored vectors. Module 3.
- System prompt leakage, unbounded consumption (cost/DoS), data & model poisoning, misinformation — the rest of the map; you'll meet each where it bites.
You'll work against a deliberately-vulnerable version of the Harbor Lane support AI — the triage assistant, HarborDocs RAG, and resolution agent from the prior courses, wired together with real holes. You'll threat-model it, break it (injection, leakage, privilege abuse), then harden it and prove the fixes hold under red-teaming. Your capstone runs the same assessment on a system of your choice.
Edova's Sentinel product is the productized form of this course's access-and-vulnerability discipline — continuous least-privilege auditing and breach-risk detection over a company's real systems. As you learn to find over-privileged access and unsafe configurations by hand, you're learning the exact problems that product automates. Keep the connection in mind; it makes the abstractions concrete.