VCA-AI-101: AI & Agentic Security I

Course Overview

AI-101 is the academy's first formal AI-security course, placed after SEC-101 (cybersecurity principles) and FND-102 (Python fluency). The structuring frames are the OWASP LLM Top 10 and the parallel Agentic-System Top 10 (ASI Top 10), the curriculum's two organising indices for AI-101 and AI-201. Students learn to reason about LLM and agentic-system attack surfaces in the same way SEC-101 graduates reason about classical web-app and network attack surfaces: think in trust boundaries; identify the inputs; locate the validation; find what crosses without it.

The signature lab is CVE-2025-65106 (LangChain Jinja2 SSTI): students install the vulnerable LangChain version, observe the prompt-injection-to-template-injection chain, and articulate why the bug class generalises to any agentic system that puts user data into a template renderer. The chapter pairs technical reproduction with disclosure-process discussion: how was the CVE coordinated; what did LangChain's patch do; what would a defender add; what would an auditor look for in similar codebases.

Position relative to peer offerings. The 2024-2026 LLM-security training landscape is split between (a) prompt-injection labs that read as 2014-era SQL-injection labs - shallow exploration, narrow context, and (b) high-priced industry workshops with proprietary dependencies that students cannot reproduce after the workshop ends. AI-101 is the first formal curriculum that organises against the OWASP LLM Top 10 + ASI Top 10 indices, ships every lab as locally-reproducible, and treats CVE coordination as part of the curriculum.

Pedagogy. AI-101 follows the academy's three teaching habits with track-specific source texts. Foundational readings (~9 weaves across the 10 modules; ~200-300 words each) draw from two paired anchor pairs: Andrej Karpathy's "Neural Networks: Zero to Hero" series + Stanford CS336 "Language Models from Scratch" for the build-it-yourself substrate-curiosity-side; Melanie Mitchell's Artificial Intelligence: A Guide for Thinking Humans (Penguin Random House, 2019) + Brian Christian's The Alignment Problem (Atlantic Books, 2020) for the down-to-earth narrative side. Tool Journal entries enter for each new tool; per the academy's first-introduce-track-ownership rule, AI-101 is the canonical originating course for the AI-track tool corpus (Karpathy ZTH GitHub repos, HuggingFace transformers + tokenizers, Jupyter notebooks, Pyodide-as-Python-IDE). Comparing different systems pairs LLM-based agentic systems against classical web-app architectures (the comparison is what makes the bug-class generalisations land). The course intentionally does not teach machine-learning theory as a primary objective; students treat LLMs as black-box components from a security perspective and reason about their interfaces. An optional "why does this work" depth-companion path, ~3-5 hr Karpathy micrograd + 3Blue1Brown Neural Networks series - is offered for students whose curiosity reaches past black-box reasoning into the substrate.

How the Course Teaches: Foundational Readings

The Petzold readings that thread CSA-101's computing-systems prose are CSA-only by design (Petzold's CODE doesn't reach modern machine learning). AI-101's equivalent is a paired-textbook system drawn from the canonical literature of the 2024-2026 AI discipline, with build-it-yourself + down-to-earth-narrative axes paired the same way Stevens + Kurose-Ross are paired on the network track.

The down-to-earth narrative side. Mitchell's Artificial Intelligence: A Guide for Thinking Humans is the AI-101 + AI-201 narrative anchor. An explicitly non-CS-reader-voiced book covering NN history, image recognition, game-playing, NLP, and machine ethics, with a measured-and-skeptical voice that aligns naturally with cybersec students' professional habit of questioning vendor claims. Christian's The Alignment Problem enters AI-101 as a forward-pointer (Module 10 capstone draws on Christian Ch 1 from the Prophecy section); its full weight lands in AI-301.

The build-it-yourself side. Karpathy's "Neural Networks: Zero to Hero" (free YouTube series + GitHub repos: micrograd ~100 lines / makemore / nanoGPT) is the AI-track substrate-companion anchor. AI-101 students who opt into the depth-companion path watch the first two videos and run the micrograd notebook in the academy workbench; AI-201 adds makemore + nanoGPT; AI-301 adds the rest of the series + Stanford CS336 selected lectures. The combined corpus is ~13-22 hr distributed across the AI track, all free, all browser-runnable.

Sample weave (Mitchell, AI: A Guide for Thinking Humans, Ch 14, On Understanding). Mitchell's argument in Chapter 14 is that even today's most-celebrated language models exhibit what she calls "shallow understanding". They pattern-match against training data without the kind of meaning-grounding humans take for granted. The pedagogical point for AI-101 is that this matters operationally for prompt injection. The model that cannot distinguish "trusted system instruction" from "untrusted user input" at the architecture level (and can't distinguish them at the meaning level either) is the model an attacker exploits. Mitchell's "shallow understanding" framing is what makes the LLM01 prompt-injection bug class internalize as a class, not as a one-off trick. Mitchell's aiguide.substack.com newsletter carries her 2024-2026 commentary on whether subsequent LLMs have closed this gap; spoiler, she remains skeptical. Lab 2.1 has you reproduce direct + indirect prompt injection against a local agentic chatbot after this reading.

Sample weave (Karpathy, "Zero to Hero" Video 1, The spelled-out intro to neural networks and backpropagation: building micrograd). Karpathy's opening video walks the viewer through building a complete autograd engine in ~100 lines of Python. A working scalar-valued neural network plus its gradient computation, built from primitives a Belt-3 cybersec student can read in an afternoon. The pedagogical point for AI-101 is that the substrate is not magic. A model is a function with parameters; gradients are computed by tracing operations backward; training is gradient descent on a loss. Once a student has run micrograd in the browser and watched its tiny network learn, the Module 5 token-spam DoS lab and the Module 8 CVE-2025-65106 reproduction stop reading as mysterious-AI-stuff and start reading as software with a particular interface. The optional depth-companion path runs micrograd in the workbench Tab 1 (Pyodide LIVE) before Module 3.

The full per-chapter weave catalog publishes as handouts/cross-chapter-ai-track-anchor-reading-guide.md ahead of the first cohort. Janelle Shane's You Look Like a Thing and I Love You (Voracious, 2019) is offered as a humorous-accessible alternative-anchor for students who find Mitchell's book heavier than they want for a Belt-3 entry.

Curriculum Outline

Ten modules across ~10 weeks. Each module is anchored to one entry from the OWASP LLM Top 10 (2025 list) plus a parallel ASI (Agentic-System) Top 10 anchor. The 2025 list reorganised the 2023 ordering, Prompt Injection remains #1; Sensitive Information Disclosure rose to #2; subsequent entries renamed and renumbered. AI-101's structure tracks the 2025 list.

OWASP's Gen AI Security Project ships annual Top-10 updates; AI-101 is versioned against the 2025 list. The 2023 → 2025 entry-name mapping is documented in handouts/owasp-llm-top-10-2023-to-2025-mapping.md; future Top-10 updates trigger a surgical text-refresh cycle, not a rewrite.

Learning Outcomes

step-by-step.

1. Remember. State all 10 entries of the OWASP LLM Top 10 and the parallel Agentic-System Top 10 (ASI Top 10).
2. Understand. Explain the trust-boundary differences between a classical web app and an LLM-backed agentic system.
3. Apply. Reproduce direct + indirect prompt injection against a local agentic chatbot.
4. Apply. Reproduce CVE-2025-65106 LangChain Jinja2 SSTI end-to-end on a local install.
5. Apply. Audit a HuggingFace model card for supply-chain risks.
6. Analyze. Read EchoLeak public reporting and articulate the failure mode in the student's own words.
7. Synthesize. Produce a defender-style threat model for an open-source LangChain agent.

Hands-On Labs

• Lab 2.1: direct prompt injection against a Python LangChain agent the student wires up.
• Lab 2.2: indirect prompt injection via document-loader RAG poisoning.
• Lab 3.1: HTML/JS injection via LLM-rendered output; observe CSP bypass.
• Lab 4.1: canary-detection in fine-tune dataset; training-data leak demonstration.
• Lab 5.1: token-spam DoS against a free-tier model; back-pressure observation.
• Lab 6.1: HuggingFace model-card audit; pickle-deserialization risk analysis.
• Lab 7.1: function-calling tool exploit; scope-of-action confusion demonstration.
• Lab 8.1 (signature): CVE-2025-65106 end-to-end reproduction + root-cause writeup.
• Lab 9.1: EchoLeak 30-min reading + 60-min discussion + 1-pager writeup.
• Lab 10 (capstone): threat model of an open-source LangChain agent, ~6-page document.

Assessment

First, your project must work. CVE-2025-65106 reproduction works locally; capstone threat model submitted. Then we score the report on three dimensions (40/30/30). attack-and-defense reasoning depth (40%) · written-communication quality (30%) · CVE-disclosure-process awareness (30%). B− minimum on Tier 2 for the certificate.

Career Outcomes & Cross-Course Bridges

• → VCA-AI-201. Beyond OWASP LLM Top 10 into agentic-pentesting; MITRE ATLAS as Belt-4 structuring frame; the 2024-2026 academic jailbreak corpus (GCG / AutoDAN / PAIR / HarmBench / JailbreakBench); multi-modal adversarial work (LLaVA / Whisper); CVE-2025-68664 + CVE-2025-9556 cross-language SSTI patterns.
• → VCA-AI-301. Capstone adversarial-AI; the substrate↔language thesis literalized via Anthropic Sparse Autoencoder + activation steering / representation engineering work; multi-track capstone slate (exploit chain / interpretability defense / RSP capability evaluation).
• → VCA-ADV-102 (LLM-CVE deep-dive). AI-101 is the broad foundation; ADV-102 is the deep-dive single-CVE microcurriculum over the same CVE-2025-65106 LangChain Jinja2 SSTI signature lab. Sibling-but-distinct courses; either or both.
• → VCA-SEC-101. SEC-101 covers the OWASP LLM + ASI Top 10 at surface level; AI-101 is the depth-source that course implicitly references. Bidirectional.
• → VCA-PEN-101. Classical pentesting + AI pentesting comparison.
• → VCA-RE-101. AI-101's CVE-disclosure discipline transfers to firmware CVE work; the same coordination process applies.
• Industry. AI red-team analyst; agentic-system security engineer; LLM-app pentester; LLM-app threat modeller.

Tool Journal: AI-101 Originating Entries

Per the academy's first-introduce-track-ownership rule, AI-101 is the canonical originating course for the AI-track tool corpus. Subsequent courses (AI-201, AI-301, ADV-102) reference rather than re-introduce these entries.

• Pyodide / workbench Tab 1, LIVE in-browser Python; runs micrograd, the OpenAI/Anthropic SDKs, and HuggingFace transformers without local install. The academy's default AI-track delivery infrastructure.
• OpenAI Python SDK. Canonical LLM client
• Anthropic Python SDK, the Claude family client
• LangChain, the agentic-system framework that landed CVE-2025-65106
• Karpathy "Zero to Hero" GitHub repos, karpathy/nn-zero-to-hero series companion (micrograd ~100 lines; makemore; nanoGPT); the academy's canonical AI-track substrate companion. Canonical first-introduce here; AI-201 and AI-301 reference at increasing depth.
• HuggingFace transformers + tokenizers. Canonical Pyodide-deliverable transformer + tokeniser libraries
• HuggingFace CLI / huggingface_hub. Model-card and tensor download with checksum discipline
• Jupyter notebooks, AI-track default authoring surface; the academy serves them via workbench Tab 1
• Burp Suite Community, HTTP intercept against agentic-system endpoints
• safetensors. Safer alternative to pickle for ML serialisation
• tiktoken, OpenAI tokeniser; used in DoS-token-counting work
• JSON-schema validator. Tool-calling input/output verification
• OpenAI evaluation framework (evals), LLM-output measurement tooling
• guardrails-ai. Output-validation framework for production agentic systems
• NVIDIA garak. Open-source LLM vulnerability scanner; "Generative AI Red-teaming & Assessment Kit"; the canonical strand-3 entry-tier scanner. First met Module 7.5.
• Microsoft PyRIT (Python Risk Identification Tool). Multi-turn attack-strategy framework; used in 100+ Microsoft AI Red Team operations; supports Crescendo / TAP / Skeleton Key. First met Module 7.5; advanced-orchestration use lands in AI-201.
• Lakera Guard + Gandalf. Runtime prompt-injection defense paired with the educational Gandalf game (1M+ players; 80M adversarial prompts harvested for the public corpus). First met Module 7.5.

Recommended Readings & Practitioner Companions

AI-101 ships self-contained; lecture and lab material do not require a textbook. The following are the canonical references the chapter prose draws from; the academy library carries institutional copies, and Karpathy's materials are free online.

Primary anchor pair (down-to-earth narrative)

• Melanie Mitchell, Artificial Intelligence: A Guide for Thinking Humans. Penguin Random House (paperback Picador), 2019 (ISBN 978-1-250-75804-0). Comprehensive AI-foundations coverage with a measured-skeptical voice; non-CS-reader voice; ongoing updates via aiguide.substack.com. Library-acquire or paperback ~$12-18.
• Brian Christian, The Alignment Problem: Machine Learning and Human Values. W. W. Norton, 2020 (Atlantic Books UK; ISBN 978-0-393-63582-9). Three-section structure (Prophecy / Agency / Normativity); 2022 Schmidt Award for Excellence in Science Communication. AI-101 forward-pointer; full weight in AI-301. Library-acquire or paperback ~$13-18.

Primary anchor pair (build-it-yourself; free)

• Andrej Karpathy, "Neural Networks: Zero to Hero", github.com/karpathy/nn-zero-to-hero + free YouTube lectures. AI-101 watches Videos 1-2 (~3-5 hr) for the optional depth-companion path; AI-201 + AI-301 extend through the full series.
• Stanford CS336 "Language Models from Scratch", stanford-cs336.github.io. The university-tier extension of Karpathy's build-it-yourself path; full lectures + assignments published. Optional; AI-301 students taking the academic-PhD pathway will read selected lectures.

Secondary anchors (supplementary)

• Janelle Shane, You Look Like a Thing and I Love You. Voracious, 2019. Humorous-accessible alternative anchor for students who find Mitchell heavier than they want; aiweirdness.com blog ongoing.
• Stuart Russell, Human Compatible. Viking, 2019. Philosophical-grounding alternative for AI-301 students; Russell's control-problem framing.
• 3Blue1Brown "Neural Networks" YouTube series, 3blue1brown.com/topics/neural-networks. Visual-intuition companion to Karpathy's code-first approach.

Before You Start

1. Have you completed SEC-101 and FND-102? (If no → complete those first; AI-101 assumes web-app trust-boundary thinking and Python fluency.)
2. Can you write a basic LangChain or OpenAI-SDK Python script that calls an LLM API? (If no → FND-102 review.)
3. Do you have an OpenAI or Anthropic API key (free tier sufficient)? (If no → platform.openai.com or console.anthropic.com.)
4. Are you comfortable reading a CVE writeup and a vendor-issued patch diff? (If no → SEC-101 review.)
5. Can you intercept HTTP with Burp Suite Community? (If no → SEC-101 module on Burp.)

Format Prescriptions

Hour budget: ~22 lec hr + ~38 lab hr + ~50 indep hr (= ~110 hr total).

Live

2 sessions/wk × 90 min over 10 weeks.

Night class

1-2 sessions/wk evenings; ~20 weeks.

Bootcamp

40 hr/wk × ~3 weeks intensive.

Async self-paced

Recorded video; AI-API budget guidance; 1:1 tutoring premium for CVE reproduction.

High school / homeschool co-op

Adapted live cadence over a school semester (~14 weeks).

Interested in VCA-AI-101?

Email interested@virtuscyberacademy.org.

Email interested@virtuscyberacademy.org