You are hired to assess a SaaS company integrating AI across customer support, HR automation, and internal analytics. This domain focuses on understanding the AI attack economy, mapping the complete AI stack including model, data, vector storage, agent orchestration, and tool integration layers. Security professionals will learn to identify trust boundaries, user-controlled inputs, retrieval layers, and model supply chain vulnerabilities through comprehensive threat modeling techniques designed specifically for AI systems.

1. The AI Attack Economy
   Evolution of AI misuse, AI as an attack multiplier, autonomous exploitation trends, and real-world AI abuse cases.
2. Mapping the AI Stack
   Systematically analyze model layer, data layer, vector storage, agent orchestration, tool integration, and inference APIs.
3. Threat Modeling AI Systems
   Identify trust boundaries in AI apps, user-controlled inputs, retrieval layers, model supply chain, and agent permissions.

You are targeting a company internal AI assistant connected to confidential documents. This domain explores various attack vectors that adversaries use to compromise Retrieval-Augmented Generation systems. Students will learn both traditional and modern exploitation techniques including retrieval poisoning, context flooding, document injection, and embedding manipulation. Understanding these initial access methods is crucial for implementing effective preventive controls and detecting early-stage attacks before they escalate into full-scale breaches.

4. RAG Attack Surface
   Execute retrieval poisoning attacks, context flooding, document injection, and embedding manipulation techniques.
5. Vector Database Exploitation
   Target vector databases through query abuse, similarity manipulation, and systematic data leakage patterns.
6. Prompt Chaining for Exfiltration
   Implement multi-step extraction methods, hidden instruction bypass, and context override to extract confidential data.

This domain covers advanced techniques for hijacking autonomous AI agents. Participants will learn how agents operate through Think → Act → Observe → Loop cycles, understand planning vs execution mechanisms, and exploit memory handling weaknesses. The focus includes tool abuse attacks, command injection via tool calls, function call manipulation, and parameter tampering to gain unauthorized system access.

7. Agent Internals
   Exploit Think → Act → Observe → Loop cycles, planning vs execution flows, and memory handling vulnerabilities.
8. Tool Abuse Attacks
   Execute command injection via tool calls, function call manipulation, and parameter tampering attacks.
9. Building Exploitable Agents
   Deploy vulnerable agents integrating Nmap, ExploitDB API, and OS command execution for red team exercises.
10. Hijacking Autonomous Scanners
    Manipulate web scanner agents to execute unauthorized system commands and pivot through networks.

This domain delves into sophisticated model-level exploitation techniques targeting the core machine learning systems. Participants will learn adversarial ML threats including data poisoning, model inversion, membership inference, and evasion examples. The focus includes implanting model backdoors with trigger-based behaviors and payload activation logic, as well as supply chain model tampering techniques. Students will gain hands-on experience inserting backdoors into open-source models and learning how to activate them in production environments.

11. Adversarial ML Threats
    Execute data poisoning attacks, model inversion techniques, membership inference, and evasion examples to compromise ML systems.
12. Implanting Model Backdoors
    Develop trigger-based behaviors and payload activation logic to create persistent access mechanisms in AI models.
13. Supply Chain Model Tampering
    Compromise the ML supply chain by inserting backdoors into open-source models and activating them post-deployment.

This domain focuses on comprehensive supply chain security for AI/ML systems. Red team operators will learn to systematically map the entire AI supply chain including model repositories, data pipelines, CI/CD ML workflows, and MLFlow risks. The training covers dependency abuse techniques, model scanning vulnerabilities, dependency pinning failures, and AIBOM bypass methods. Participants will execute end-to-end pipeline attack simulations, learning to compromise ML deployment pipelines through model signing evasion and trust chain compromise techniques.

14. Mapping the AI Supply Chain
    Identify vulnerabilities in model repositories, data pipelines, CI/CD ML workflows, and MLFlow implementations.
15. Dependency Abuse
    Exploit model scanning weaknesses, dependency pinning failures, and bypass AIBOM security controls.
16. Model Signing Evasion
    Bypass signature validation mechanisms and compromise trust chain integrity in ML deployment systems.
17. End-to-End Pipeline Attack Simulation
    Execute comprehensive attacks to compromise entire ML deployment pipelines from development to production.

This domain provides in-depth analysis of Model Context Protocol (MCP) security from an offensive perspective. Participants will understand MCP architecture, the role of MCP servers, model interaction flows, and attack boundaries. The training includes building vulnerable MCP targets for testing, executing command injection attacks, gaining unauthorized model access, and performing tool escalation. Red teamers will master guardrail bypass techniques and learn to exploit and pivot through MCP server infrastructure in enterprise environments.

18. Understanding MCP Architecture
    Analyze the role of MCP servers, model interaction flows, and identify critical attack boundaries.
19. Building an MCP Target
    Deploy vulnerable MCP services for red team testing and exploitation practice.
20. Attacking MCP Servers
    Execute command injection, gain unauthorized model access, and perform tool escalation attacks.
21. Guardrail Bypass Techniques
    Exploit and pivot through MCP server infrastructure while evading security controls.

This domain covers cutting-edge LLM exploitation methodologies used by advanced threat actors. Participants will master prompt injection techniques including direct injection, indirect injection, nested injection, and context poisoning. The training focuses on sensitive data extraction through prompt smuggling, memory harvesting, and output leakage exploitation. Students will learn to break through multiple layers of guardrails using prompt obfuscation, encoding attacks, and chain-of-thought abuse to bypass even the most sophisticated AI defense mechanisms.

22. Prompt Injection Mastery
    Execute direct injection, indirect injection, nested injection, and context poisoning attacks against LLM applications.
23. Sensitive Data Extraction
    Implement prompt smuggling, memory harvesting, and output leakage exploitation to exfiltrate confidential information.
24. Breaking Guardrails
    Bypass multi-layered defenses using prompt obfuscation, encoding attacks, and chain-of-thought abuse techniques.

The capstone engagement simulates a real-world red team operation against a FinTech AI-driven platform. Participants will execute a full-scale, multi-phase attack covering AI Recon, LLM Injection, RAG Exploitation, Agent Hijacking, Supply Chain Tampering, MCP Abuse, and Data Exfiltration. This comprehensive assessment requires students to chain multiple attack techniques learned throughout the program. The engagement culminates in professional deliverables including an executive summary, risk matrix, technical exploit chain documentation, reproduction steps, and a complete remediation roadmap suitable for presentation to C-level executives.

25. Phase 1-2: AI Recon and LLM Injection
    Identify attack surface and establish initial access through prompt manipulation.
26. Phase 3-4: RAG Exploitation and Agent Hijacking
    Compromise retrieval systems and gain control of autonomous agents.
27. Phase 5-7: Supply Chain Tampering, MCP Abuse, and Data Exfiltration
    Execute advanced persistent attacks and extract sensitive data.
28. Phase 8: Professional Reporting
    Deliver executive summary, risk matrix, technical exploit chain, reproduction steps, and remediation roadmap.