Defensive AI Security Training

Aletheia-Core Security Academy

Learn · Practice · Audit · Deploy

The 4 Risk Buckets

These are the backbone of almost every AI agent audit. They align with the current OWASP GenAI LLM Top 10 and official agent safety guidance from OpenAI and Anthropic. Master these four before anything else.

What you are actually selling

"I review your AI workflow for prompt injection, excessive tool access, data leakage risk, and weak action controls — then give you a prioritized fix list and can implement the guardrails."

That is a real, sellable service. You are not selling full enterprise penetration testing. You are selling a disciplined AI workflow risk assessment.

BUCKET 01: Prompt Injection. Untrusted text overrides app instructions.
BUCKET 02: Sensitive Data Leakage. The system reveals what it should not.
BUCKET 03: Excessive Agency. The model has too much authority over actions.
BUCKET 04: Weak Evaluation. No repeatable testing or monitoring.

The 7-Phase Audit Workflow

This is the workflow you follow on every review. It is the same workflow regardless of client or scope. Master the structure first — then add depth to each phase as you gain experience.

Before you start

You are not trying to become a black-hat attacker. You are trying to become a disciplined AI workflow risk assessor. The difference matters in how you sell, how you test, and how you report.

Skills to Build

You do not need to master all of cybersecurity. You need this specific stack — and you can build it while doing your first reviews.

The Audit Lab Toolkit

Keep it lean. You do not need a massive tool chain. These five cover 90% of what you need for starter reviews. Add more as demand grows.

14-Day Learning Plan

Complete this before selling. Tap each day to expand full instructions, tasks, and examples. Mark complete when you have actually done the work — not just read it.


Safe Adversarial Test Cases

You should learn the patterns — not build a library of dangerous exploit strings. These are the categories of safe tests you run on every audit. Each includes what you are probing, the expected safe behavior, and example test inputs.

Core principle

You do not need dangerous exploit prompts. You need a clean defensive test set that checks whether the system maintains its intended behavior under adversarial pressure. The test is whether it breaks — not whether you can break things.

Interactive Test Case Builder

Build your test workbook here. Fill in each field, add test cases, then export as a text file you can paste into your spreadsheet. Every test case needs all fields filled before you run it.


Audit Report Template

A 3–5 page report is your core deliverable. Each section has a specific job. Fill this in for every client. The template is client-ready — copy it, fill in the brackets, and send.

What makes a report worth paying for

Knowledge Check

20 scenario-based questions covering all modules. These are the questions you need to be able to answer on a client discovery call.

Official Study Sources

These are the current, authoritative sources that form the foundation of everything in this training. Study these directly — they are free and public.

Deploy to GitHub Pages

This app is a single HTML file with no dependencies, no build step, and no framework. It deploys to GitHub Pages in under 5 minutes.