RAG pipelines and agentic, tool-using AI are now in real production paths and firmly in an attacker’s blast radius. This full-day, hands-on lab starts from a realistic stack (LLM gateway, RAG + vector DB, tool/agent server with MCP, reverse proxy, SIEM-logging) and incrementally turns it into a hardened system.
Attendees will implement strong identity between AI components, granular tool permissions, egress controls, URL allowlists, and sandboxing to contain AI-SSRF and tool abuse. They will add ingestion and retrieval guards to resist prompt injection and RAG poisoning, plus controls to catch sensitive-data exfiltration and agentic misuse. This Lab will close with governance artifacts (AI-BOM, model and system cards) and a clear mapping of your defenses to OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, NIST SSDF, and CISA/NCSC Secure AI guidance, using a RAG + tools stack as the concrete example, but with patterns you can lift into any retrieval-heavy or agentic AI architecture.
What You Will Learn:
This lab is for teams running or planning to run RAG and agentic AI systems. It will use a concrete RAG + tools stack (including MCP tools) to make attacks and defenses tangible, but the controls are designed to carry over to other platforms and vendors. Attendees will also get access to the code and artifacts used in the lab which are designed to be a simple drop in to any existing codebase.
Hands-on Lab Outline:
- Direct database access: injection paths and defenses
- Attack: Use LLM prompts to drive naive “connect-the-LLM-to-the-DB” patterns and perform direct prompt injection and manipulate database values.
- Defense: Apply read-only database roles, delegated/federated access based on end user identity, and stored procedures / parameterized queries exposed through tools instead of raw SQL.
- Prompt injection and RAG poisoning in retrieval paths
- Attack: Craft direct and indirect prompt injection payloads in user prompts, web sources, and external documents; influence retrieval and tool calls.
- Defense: Tag content with provenance and trust metadata, add ingestion-time sanitization and poisoning filters, and enforce retrieval/output controls that blunt indirect prompt injection.
- AI-SSRF and tool abuse via networked tools
- Attack: Enumerate AI-controlled “sinks” (HTTP, file, shell, internal APIs) and use them to probe internal services and bypass intended controls.
- Defense: Enforce DNS/egress policies and URL allowlists around tools and agents, instrument blocking and alerting, and validate protections with negative tests.
- Sensitive-data exfiltration and agentic misuse
- Attack: Use prompt injection and agentic tool chains to exfiltrate sensitive data from RAG context, internal tools, and generated outputs.
- Defense: Instrument high-sensitivity resources and tools with additional checks and approvals, enforce context isolation and quotas, and build detections for anomalous tool chains and suspicious output patterns.
- Deploy-ready AI governance and documentation
- Attack lens: Analyze how the same system looks to auditors and responders when it ships without AI-specific governance, traceability, or security artifacts.
- Defense: Build an AI-BOM covering models, datasets, embeddings, tools, and infra; draft model and system cards for the lab stack; and map implemented controls into NIST AI RMF and NIST SSDF tasks so they live inside the SDLC instead of as one-off checklists.
Attendee Prerequisites:
Participants should be comfortable with:
- Basic Python and command-line usage
- Docker and Docker Compose fundamentals
- • Git basics (clone, branch, commit, push)
- HTTP, APIs, and networking concepts (headers, proxies, DNS, egress)
- Gmail account for Colab for GPUs for LLMs
Attendee Requirements:
- You must provide your own laptop computer (Windows or Mac) for this hands-on lab.
- All other requirements will be listed 2 weeks prior to the hands-on lab