Security Engineering

Module 11 · Master Course · 90 min

OWASP Agentic AI Top 10 · Offensive techniques · Defensive countermeasures

The synthesis module

Module 11 ties together every defensive thread from Modules 2–6, 9 into a unified security architecture. The defenses were built across the course; here you see them as one system and you test them.

11.1 OWASP Agentic AI Top 10 (2026)

The Top 10 → module map

#RiskDefense module
ASI01Goal Hijacking6.3
ASI02Prompt Leakage9
ASI03Excessive Agency2.4, 6.1
ASI04Memory Poisoning4.3
ASI05Tool/Skill Abuse2.4
ASI06Cascading Hallucination9
ASI07Insecure Output5.3
ASI08Supply Chain (MCP)2.3 / C2 S12
ASI09Resource Exhaustion5.4, 7.2
ASI10Broken Access Control5.3, F06

11.2 Offensive Techniques

The attack vectors

Direct injection: "ignore all instructions" — crudest; defeated by instruction isolation.
Indirect injection (MOST COMMON): attacker controls file/page/API response; tool returns it; model may comply. InjecAgent: 50%+ vulnerable.
Multi-step: spans tool calls; benign per-turn; malicious in sequence. Needs session-level detection.
Memory poisoning (sleeper): inject in S1, activate in S2. Persists across boundary.

The RedAgent finding

Most black-box LLMs can be jailbroken within 5 queries using context-specific attacks (2026).

This is why defense-in-depth matters — no single layer is sufficient. The 5-query finding means a determined attacker gets through one layer; they must be stopped by the SECOND or THIRD.

11.3 Defensive Countermeasures

The 9-layer defense stack

LayerModuleDefends
Untrusted-tagging2.4Indirect injection
Capability perms2.4Excessive agency, tool abuse
Memory gating4.3Memory poisoning
FS/network scoping5.3Insecure output, broken access
Risk-tiered approval6.1Goal hijacking, destructive
Instruction isolation11.3Direct injection, leakage
Verification9Cascading hallucination
Signed manifestsC2/S12Supply chain
Resource caps + breaker5.4/7.2Resource exhaustion
No single layer sufficient. Attack must bypass ALL. Defense in depth.

The attack chain as n8n

Task: "summarize README"
   │
   read_file (README contains injection)
   │
   ┌─── Defense: untrusted-tagging ON?
   │
   ├─ YES → tag  → model treats as DATA → safe
   │
   └─ NO  → raw to model → model may COMPLY → compromised

The fork IS the lesson: same input, two paths. Defense holds (green) vs bypassed (red).

Takeaways

  • OWASP ASI01–10 each maps to a harness module where the defense lives.
  • Indirect injection is the most common vector; InjecAgent: 50%+ vulnerable.
  • RedAgent: 5-query jailbreaks — no single layer suffices.
  • 9-layer defense stack across Modules 2, 4, 5, 6, 9, 11. Defense in depth.
  • NemoClaw's governance makes defenses robust — agent can't reach enforcement to disable it.

Next: Module 12 — Capstone. Build a production harness from scratch.