Module: 11 · Duration: ~90 min (presentation + attack/defense lab)
[SLIDE 1] Module Eleven: Security Engineering for Harnesses. Ninety minutes. The OWASP Agentic AI Top 10, offensive techniques, and defensive countermeasures. This is the synthesis module — every defensive thread from Modules 2 through 6 and 9 comes together here as one unified security architecture, and you test it.
[SLIDE 2] Module 11 is the synthesis. Capability permissions from Module 2, memory gating from Module 4, sandboxing and scoping from Module 5, permission architecture from Module 6, verification from Module 9 — these are all security controls. Here you see them compose into defense in depth, and you attack the system to verify they hold.
[SLIDE 3 — 11.1] Sub-section 11.1: the OWASP Agentic AI Top 10, the 2026 edition.
[SLIDE 4 — Top 10 map] Ten risks, each mapping to the module where its defense lives. ASI01, goal hijacking — Module 6.3. ASI02, prompt leakage — Module 9 verification. ASI03, excessive agency — Module 2.4 capability permissions and 6.1 least privilege. ASI04, memory poisoning — Module 4.3 write gating. ASI05, tool abuse — Module 2.4. ASI06, cascading hallucination — Module 9 verification. ASI07, insecure output handling — Module 5.3 scoping. ASI08, supply chain, especially MCP — Module 2.3 and Course 2 S12. ASI09, resource exhaustion — Module 5.4 caps and 7.2 circuit breakers. ASI10, broken access control — Module 5.3 and Fleet Module F06. You built these defenses across the course; Module 11 is where you see them as one system.
[SLIDE 5 — 11.2] Sub-section 11.2: Offensive Techniques.
[SLIDE 6 — Vectors] The attack vectors. Direct injection — "ignore all previous instructions" — the crudest form, defeated by instruction isolation and the model's post-training. Indirect injection — the most common and most dangerous; the attacker controls content the agent reads, the tool returns it, the model may comply. InjecAgent benchmark: over fifty percent of agentic tasks are vulnerable. Multi-step injection — spans multiple tool calls, benign per turn, malicious in sequence; requires session-level intent tracking, which per-turn defenses miss. Memory poisoning, the sleeper attack — inject in session one, activate in session two; the payload survives the boundary because memory persists.
[SLIDE 7 — RedAgent] The RedAgent finding, 2026: most black-box LLMs can be jailbroken within five queries using context-specific attacks. This is why defense in depth matters. No single layer is sufficient. A determined attacker gets through one layer; they must be stopped by the second or third. The five-query finding is the empirical case for the nine-layer stack.
[SLIDE 8 — 11.3] Sub-section 11.3: Defensive Countermeasures.
[SLIDE 9 — 9-layer stack] The nine-layer defense stack. Untrusted-content tagging — Module 2.4 — defends against indirect injection. Capability permissions — Module 2.4 — defends against excessive agency and tool abuse. Memory gating — Module 4.3 — defends against memory poisoning. Filesystem and network scoping — Module 5.3 — defends against insecure output and broken access. Risk-tiered approval — Module 6.1 — defends against goal hijacking and destructive actions. Instruction isolation — Module 11.3 — defends against direct injection and prompt leakage. Verification — Module 9 — defends against cascading hallucination. Signed tool manifests — Course 2 S12 — defends against supply chain. Resource caps and circuit breakers — Modules 5.4 and 7.2 — defend against resource exhaustion. No single layer sufficient. An attack must bypass all nine. This is defense in depth.
[SLIDE 10 — n8n attack chain] Per the visual stack, the attack chain as a node graph. Task: summarize the README. Read file — the README contains an injection. The fork: is untrusted-tagging enabled? If yes, tag the output, the model treats it as data — safe. If no, raw to the model, the model may comply — compromised. The fork is the lesson: same input, two paths. Defense holds or is bypassed.
[SLIDE 11 — Takeaways] Five things. OWASP ASI01 through 10 each map to a harness module where the defense lives. Indirect injection is the most common vector; InjecAgent says over fifty percent vulnerable. RedAgent: five-query jailbreaks mean no single layer suffices. The nine-layer defense stack across Modules 2, 4, 5, 6, 9, 11 — defense in depth. And NemoClaw's governance model makes the defenses robust, because the agent cannot reach the enforcement layer to disable it. Next: Module Twelve — the Capstone. Build a production harness from scratch.
# Teaching Script — Module 11: Security Engineering **Module**: 11 · **Duration**: ~90 min (presentation + attack/defense lab) [SLIDE 1] Module Eleven: Security Engineering for Harnesses. Ninety minutes. The OWASP Agentic AI Top 10, offensive techniques, and defensive countermeasures. This is the synthesis module — every defensive thread from Modules 2 through 6 and 9 comes together here as one unified security architecture, and you test it. [SLIDE 2] Module 11 is the synthesis. Capability permissions from Module 2, memory gating from Module 4, sandboxing and scoping from Module 5, permission architecture from Module 6, verification from Module 9 — these are all security controls. Here you see them compose into defense in depth, and you attack the system to verify they hold. [SLIDE 3 — 11.1] Sub-section 11.1: the OWASP Agentic AI Top 10, the 2026 edition. [SLIDE 4 — Top 10 map] Ten risks, each mapping to the module where its defense lives. ASI01, goal hijacking — Module 6.3. ASI02, prompt leakage — Module 9 verification. ASI03, excessive agency — Module 2.4 capability permissions and 6.1 least privilege. ASI04, memory poisoning — Module 4.3 write gating. ASI05, tool abuse — Module 2.4. ASI06, cascading hallucination — Module 9 verification. ASI07, insecure output handling — Module 5.3 scoping. ASI08, supply chain, especially MCP — Module 2.3 and Course 2 S12. ASI09, resource exhaustion — Module 5.4 caps and 7.2 circuit breakers. ASI10, broken access control — Module 5.3 and Fleet Module F06. You built these defenses across the course; Module 11 is where you see them as one system. [SLIDE 5 — 11.2] Sub-section 11.2: Offensive Techniques. [SLIDE 6 — Vectors] The attack vectors. Direct injection — "ignore all previous instructions" — the crudest form, defeated by instruction isolation and the model's post-training. Indirect injection — the most common and most dangerous; the attacker controls content the agent reads, the tool returns it, the model may comply. InjecAgent benchmark: over fifty percent of agentic tasks are vulnerable. Multi-step injection — spans multiple tool calls, benign per turn, malicious in sequence; requires session-level intent tracking, which per-turn defenses miss. Memory poisoning, the sleeper attack — inject in session one, activate in session two; the payload survives the boundary because memory persists. [SLIDE 7 — RedAgent] The RedAgent finding, 2026: most black-box LLMs can be jailbroken within five queries using context-specific attacks. This is why defense in depth matters. No single layer is sufficient. A determined attacker gets through one layer; they must be stopped by the second or third. The five-query finding is the empirical case for the nine-layer stack. [SLIDE 8 — 11.3] Sub-section 11.3: Defensive Countermeasures. [SLIDE 9 — 9-layer stack] The nine-layer defense stack. Untrusted-content tagging — Module 2.4 — defends against indirect injection. Capability permissions — Module 2.4 — defends against excessive agency and tool abuse. Memory gating — Module 4.3 — defends against memory poisoning. Filesystem and network scoping — Module 5.3 — defends against insecure output and broken access. Risk-tiered approval — Module 6.1 — defends against goal hijacking and destructive actions. Instruction isolation — Module 11.3 — defends against direct injection and prompt leakage. Verification — Module 9 — defends against cascading hallucination. Signed tool manifests — Course 2 S12 — defends against supply chain. Resource caps and circuit breakers — Modules 5.4 and 7.2 — defend against resource exhaustion. No single layer sufficient. An attack must bypass all nine. This is defense in depth. [SLIDE 10 — n8n attack chain] Per the visual stack, the attack chain as a node graph. Task: summarize the README. Read file — the README contains an injection. The fork: is untrusted-tagging enabled? If yes, tag the output, the model treats it as data — safe. If no, raw to the model, the model may comply — compromised. The fork is the lesson: same input, two paths. Defense holds or is bypassed. [SLIDE 11 — Takeaways] Five things. OWASP ASI01 through 10 each map to a harness module where the defense lives. Indirect injection is the most common vector; InjecAgent says over fifty percent vulnerable. RedAgent: five-query jailbreaks mean no single layer suffices. The nine-layer defense stack across Modules 2, 4, 5, 6, 9, 11 — defense in depth. And NemoClaw's governance model makes the defenses robust, because the agent cannot reach the enforcement layer to disable it. Next: Module Twelve — the Capstone. Build a production harness from scratch.