Interactive Learning Roadmap
How to Learn AI Security
A dependency-ordered path from LLM fundamentals to model-level exploitation — across prompt injection, jailbreaking, RAG, AI agents and MCP, and the deeper ML-security layer of backdoors, extraction and adversarial machine learning. Start on the shared foundation, then fork into the specialization you want. Every node explains what it is, why it matters, and what it takes to master.
Foundations
The shared trunk — five milestones every AI security practitioner shares before specializing, sequenced by dependency. Each opens a full checklist of the skills, knowledge and tools it takes to master it.
AI & LLM Fundamentals
How modern AI models actually work — before you attack or defend them.
What it is
How large language models are built and behave: transformers and the attention mechanism, tokenization, embeddings, training vs fine-tuning vs inference, sampling parameters (temperature, top-p), the context window, the system / user / assistant message roles, and why a model cannot reliably tell instructions apart from data.
Why it matters
You cannot secure a system whose behavior you cannot predict. Every AI attack and defense — from prompt injection to backdoors — depends on understanding how the model processes tokens, what it was trained to do, and where its blind spots are. Skipping this is the #1 reason people mis-diagnose AI vulnerabilities.
What it takes to master this — skills, knowledge & tools
Build Your AI Security Lab
A repeatable environment is the prerequisite for every exercise.
What it is
Standing up a working AI testing environment: Python, hosted model APIs (Anthropic / OpenAI), local models (Ollama, LM Studio, Hugging Face), notebooks, an LLM app framework (LangChain / LlamaIndex), a vector database (Chroma / FAISS), and the core red-team toolchain — Garak, PyRIT and promptfoo — plus a deliberately-vulnerable app to attack.
Why it matters
AI security is hands-on — reading about jailbreaks is not enough. A reliable lab where you can call models locally and via API, build a small RAG/agent app, and run the standard scanners is the foundation every practical skill is built on. Local models also let you test freely without cost or safety-filter interference.
LLM Application Architecture & Attack Surface
Where untrusted data enters — the real attack surface of an AI product.
What it is
How real LLM products are assembled: system prompts, RAG retrieval, tool / function calling, agents and planning loops, memory, MCP servers, and guardrails — and every place untrusted content enters the model (user input, retrieved documents, tool outputs, web pages, email). Mapping the trust boundaries of the whole data flow.
Why it matters
The attack surface of an AI system is its data flow. Almost every serious AI exploit is a variant of "untrusted content reached the model as if it were an instruction." If you can diagram where data comes from and what the model can do with it, you can find the vulnerabilities.
Prompt Engineering & Adversarial Prompting
Master prompts first — then learn how they are subverted.
What it is
Prompt structure and roles, few-shot and chain-of-thought prompting, and the adversarial flip side: how instructions embedded in data get followed, the basic mental model of a jailbreak, measuring attack success rate (ASR), and the OWASP LLM Top 10 as the map of what can go wrong.
Why it matters
You cannot attack what you cannot build. Understanding how to steer a model with prompts is exactly the skill you invert to subvert it. This is where offense and defense first meet, and where the OWASP LLM Top 10 becomes your working vocabulary.
AI Security Frameworks & Threat Modeling
The bridge from ad-hoc testing to systematic assessment.
What it is
The frameworks that turn scattered findings into a repeatable program: OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, Google SAIF, and STRIDE applied to AI — plus how to threat-model an AI system end to end and know when EU AI Act and ISO/IEC 42001 apply.
Why it matters
This is the crossover point from playing with prompts into systematic AI security work — and the bridge into both deep tracks. Frameworks give you coverage (so you do not miss whole classes), a shared language for reports, and the mapping regulators and enterprises expect.
The application-security track
LLM Application & Agent Security
Attacking and defending the AI application itself — prompt injection, jailbreaks, RAG, agents, tools and MCP. Where most real-world AI risk lives today; no ML PhD required to start.
Prompt Injection & Jailbreaking
Direct Prompt Injection
Overriding system instructions straight from the user prompt.
Why it matters
A specialized skill in the LLM application-security track that builds on the five foundations. The checklist below is what mastering it actually takes.
What it takes to master this — skills, knowledge & tools
System Prompt Extraction & Leakage
Recovering the hidden system prompt, tools and secrets.
Jailbreaking Techniques
Persona attacks, roleplay, hypotheticals and refusal suppression.
Encoding & Obfuscation Bypasses
Base64, homoglyphs, zero-width and low-resource-language smuggling.
Unicode-Tag / ASCII Smuggling Injection
Hiding instructions in invisible characters the model still reads.
Multi-Turn Escalation (Crescendo, Many-Shot)
Building trust gradually across a conversation to reach a harmful goal.
Automated Jailbreak Generation (PAIR, TAP, GCG)
Attacker-LLM loops and gradient-based adversarial suffixes.
Reasoning-Model Exploitation (o1 / o3 / R1)
Attacking chain-of-thought and deliberative reasoning models.
LLM-as-a-Judge Exploitation
Fooling the eval / guard models used inside pipelines.
RAG & Data Security
RAG Pipeline Fundamentals
Chunking, embeddings, retrieval and how retrieved text becomes instructions.
Indirect / Second-Order Injection
Malicious instructions planted in documents, web pages or email the AI later reads.
Knowledge Base Poisoning (PoisonedRAG)
Injecting adversarial documents to control what the model answers.
Embedding & Vector DB Attacks
Embedding inversion, similarity manipulation and index attacks.
Sensitive Data Disclosure & PII Leakage
Pulling secrets and PII out of context, retrieved docs or the model itself.
Cross-Tenant & Multi-Tenant Leakage
One tenant reading another’s data via a shared index, cache or memory.
Agents, Tools & MCP
Agent Architecture & Excessive Agency
Planning loops, autonomy and over-broad tool permissions.
Tool / Function-Calling Abuse
Coercing tool calls, argument injection and abusing unsafe tools.
OWASP Agentic AI Top 10 & Threat Frameworks
The agent-specific threat taxonomies that extend the LLM Top 10.
MCP Tool Poisoning, Line Jumping & Scanning
Malicious MCP tool descriptions that hijack the agent before any call.
MCP (Model Context Protocol) Exploitation
Tool poisoning, rug pulls and malicious MCP servers.
Multi-Agent Attacks & AI Worms (Morris II)
Inter-agent injection, cascading compromise and self-propagating prompts.
Memory Poisoning & Persistence
Planting durable malicious state in an agent’s memory.
Computer-Use & Browser-Agent Exploitation
Hijacking agents that click, browse and control the screen.
Insecure Output Handling → RCE / XSS / SQLi
Treating LLM output as trusted by downstream systems.
Zero-Click Injection & Exfiltration Channels
Silent data theft with no user action — via markdown, images and links.
LLM App Defense
Guardrails & Input/Output Filtering
Classifiers, allow/deny lists and canary tokens — and their limits.
LLM Firewalls & Runtime Policy (NeMo Guardrails)
Runtime policy enforcement around the model.
Guardrail Models & Runtime Defenses
The current generation of guard models and prompt-shield services.
Secure LLM App Design Patterns
Least privilege, dual-LLM, human-in-the-loop and sandboxed tools.
Prompt Injection Detection & Monitoring
Detection, logging, tracing and anomaly detection for LLM apps.
AI Infrastructure & Inference-Server Exploitation
The servers and pipelines behind the model — classic CVEs, huge blast radius.
The ML-security track
Model & ML Security
Going below the prompt — the model and the ML pipeline itself. Adversarial machine learning, training-data extraction, poisoning, backdoors, model theft, and the defenses, red-teaming and governance around them. The deep end; math- and ML-heavy.
Model-Level Attacks
Adversarial ML Fundamentals
Perturbations, evasion, and the white-box / black-box threat model.
Why it matters
A specialized skill in the model & ML-security track that builds on the five foundations. The checklist below is what mastering it actually takes.
What it takes to master this — skills, knowledge & tools
Data Poisoning (Training-Time)
Corrupting the training or fine-tuning data to shape model behavior.
Training Data Extraction & Membership Inference
Pulling memorized data out of a model, and testing what it was trained on.
Model Inversion & Attribute Inference
Reconstructing sensitive inputs or attributes from a model.
Model Extraction / Stealing
Cloning a model’s behavior — or its weights — through API queries.
Backdoor / Trojan Attacks & Sleeper Agents
Hidden triggers implanted in a model — including deceptive “sleeper” behavior.
Backdoor Detection (Neural Cleanse, Activation Clustering)
Finding trojans and triggers hidden inside a model.
Model Supply Chain: Provenance & Serialization
Pickle RCE, unsafe formats and untrusted model registries.
Model File-Format Attacks & Scanner Bypass
Malicious model files that evade the scanners meant to catch them.
ML Defense, Red Teaming & Governance
Robustness & Adversarial Training
Hardening models against adversarial input.
Differential Privacy & Private Fine-Tuning
DP-SGD, privacy budgets and private training.
Watermarking & Content Provenance
Model and output watermarking, and detecting AI-generated content.
Agentic Misalignment & Insider-Agent Risk
When an agent under pressure chooses sabotage — the insider-threat model.
AI Red Teaming Methodology
Scoping, attack trees and reporting for AI systems.
Red Team Tooling (Garak, PyRIT, promptfoo, DeepTeam)
Running the standard AI red-team scanners.
Building Custom AI Security Tools
Build scanners and red-team agents with CrewAI / LangGraph / the Claude SDK.
CI/CD for Continuous AI Testing
Gate deployments on automated AI security tests.
Agent Security Benchmarks & Evaluation
Standard benchmarks for measuring agent and injection robustness.
AI Incident Response & Forensics
AI-specific IR playbooks and forensics.
Governance & Compliance (EU AI Act, ISO 42001, NIST)
Programs, risk assessment and compliance mapping.
Weaponized Coding Agents (Case Studies)
The first real intrusions run largely by AI coding agents.
Deepfakes & Synthetic-Media Abuse
Voice- and video-cloning fraud — and how provenance fights back.
A free, open study plan for learning AI & LLM security. Every node points to the standards, tools and research on the topic — plus, where relevant, the hands-on 8kSec course that goes deeper.
8ksec.io/roadmaps/ai-security · a free resource for the AI security community