Exam Prep
OSAI Exam Format
- Duration: 48 hours practical engagement
- Format: Red team a realistic AI-enabled enterprise environment
- Deliverable: Full penetration test report within 24 hours of exam end
- Target systems: LLM apps, RAG pipelines, agent systems, AI infrastructure
- Scoring: Points for compromises + report quality
Key Focus Areas (Exam Priority Order)
- Prompt injection (direct + indirect) β always present
- System prompt extraction β points for intelligence gathering
- Agent/tool abuse β high points, realistic scenario
- RAG exploitation β likely in enterprise scenarios
- Infrastructure exposure β bonus points, less common
- Insecure output handling β often combined with injection
Report Writing Checklist
OSAI ENGAGEMENT REPORT TEMPLATE
================================
EXECUTIVE SUMMARY
- Overall risk rating
- Number of findings by severity
- Key recommendations (3-5 bullets)
SCOPE & METHODOLOGY
- Target systems and AI components tested
- Attack techniques used (OWASP LLM, MITRE ATLAS references)
- Testing duration and constraints
FINDINGS (per finding):
βββββββββββββββββββββββββββββββ
β Finding ID: OSAI-001 β
β Title: Indirect Prompt Injection via Email Processing β
β Severity: HIGH β
β OWASP: LLM01 β
β CVSS: 7.5 β
βββββββββββββββββββββββββββββββ€
β Description β
β Affected Component β
β Proof of Concept (steps) β
β Evidence (screenshots/logs) β
β Impact Analysis β
β Remediation (specific) β
βββββββββββββββββββββββββββββββ
APPENDIX
- Tool output
- Raw payloads used
- Timeline of engagement
Mindset for the Exam
- Enumerate first, exploit second β understand the full AI stack before attacking
- Multi-vector thinking β combine injection + insecure output + tool abuse
- Document as you go β screenshots and payload logs, not from memory after
- Reliability over quantity β one reliable, well-documented critical finding > five unreliable ones
- Think indirect β if direct injection is blocked, where does the LLM read data from?
- Infrastructure is in scope β always check for exposed serving endpoints
- Probabilistic attacks β run jailbreaks 5-10x to establish reliability before reporting
Key Resources to Read Before Exam
| Resource | Why | URL |
|---|---|---|
| OWASP LLM Top 10 (2025) | Framework foundation | owasp.org/www-project-top-10-for-large-language-model-applications |
| MITRE ATLAS | Adversarial ML taxonomy | atlas.mitre.org |
| Greshake et al. β Indirect Injection | Foundational research paper | arxiv.org/abs/2302.12173 |
| Carlini et al. β Training Data Extraction | Model extraction techniques | arxiv.org/abs/2012.07805 |
| Many-Shot Jailbreaking (Anthropic) | Advanced jailbreak technique | anthropic.com/research/many-shot-jailbreaking |
| Lakera AI Blog | Real-world injection case studies | lakera.ai/blog |
| Simon Willison's Blog | Indirect injection deep dives | simonwillison.net |
| Johann Rehberger's Blog | Practical AI red team research | embracethered.com |
| PromptArmor Research | Slack AI, enterprise AI attacks | promptarmor.substack.com |
| Wunderwuzzi's AI Security | Copilot, Bing Chat vulns | wunderwuzzi.net |
AI systems are just software. The same fundamental principles apply β trust boundaries, input validation, least privilege, defense in depth. The novelty is the natural language interface and the probabilistic behavior. Master the fundamentals of offense, then learn how LLMs break the assumptions those fundamentals rely on. That's how you pass OSAI.