OSAI Research

23 pages
M 00 Overview Adversary Mindset
Overview & Adversary Mindset OSAI is OffSec's offensive AI security certification (AI-300). It applies the same adve…
M 01 Ai Ml Fundamentals
AI/ML Fundamentals for Attackers You don't need to build AI systems. You need to understand them well enough to break th…
Normal word
LLM Architecture Deep Dive The Prompt Structure Every LLM interaction has a structure. Understanding it is fundamental t…
Direct query
AI Attack Surface Map Before attacking, map the surface. AI systems expose attack surfaces at multiple layers simultaneo…
Direct ask (often works on weaker deployments)
Prompt Injection Prompt injection is the #1 vulnerability class for LLM applications (OWASP LLM01). It's analogous to SQ…
DAN (Do Anything Now) — classic, now often filtered
Jailbreaking Techniques Jailbreaking bypasses the model's alignment/safety training to get it to produce outputs it's tr…
Inject into any field that LLM might include in rendered markdown output
Data Exfiltration via LLM Exfiltration Channels Once you can inject instructions into an LLM-powered agent, you need a c…
Target: LLM chatbot that renders HTML output
Insecure Output Handling OWASP LLM02. The application blindly trusts LLM output and passes it to downstream components —…
Document uploaded to company knowledge base:
RAG Pipeline Attacks RAG (Retrieval-Augmented Generation) is the dominant architecture for enterprise AI. It connects LL…
This is what you're attacking
Agent & Tool Hijacking AI agents extend LLMs with the ability to take actions — call APIs, execute code, browse the …
Agent A asks Agent B to summarize a document
Multi-Agent Exploitation Multi-agent systems have multiple LLM agents that communicate with each other, delegate tasks, …
For fine-tuned task-specific models, focus queries on the target domain
Model Extraction Model extraction attacks reconstruct a functionally equivalent model by querying a target model and tra…
Normal behavior:
Data Poisoning Data poisoning attacks corrupt the training data to embed backdoors, bias outputs, or degrade model perfo…
LoRA (Low-Rank Adaptation) = lightweight fine-tuning
AI Supply Chain Attacks The AI Supply Chain Training Data Sources Model Repositories ├── Common Crawl ├── HuggingFace Hu…
Shodan queries for exposed AI infrastructure
AI Infra Recon Discovering AI Infrastructure # Shodan queries for exposed AI infrastructure "ray" port:8265 # …
Find exposed API keys
API & Endpoint Attacks API Key Enumeration & Abuse # Find exposed API keys # In JavaScript source grep -r "…
TorchServe Management API (port 8081) — SSRF leading to RCE
Model Serving Exploits Common Serving Stacks & Their Vulns Stack Default Port Auth Default Known Issues Ollama 11434…
M 17 Case Studies
Case Studies & CVEs Case Study 01: Bing Chat / Sydney System Prompt Leak (2023) Researcher: Kevin Liu, Marvin von Ha…
1. Browser DevTools → Network tab → watch API calls
Red Team Scenarios Full engagement walkthroughs — how these attacks play out in real assessments. Red Team Scenario A: E…
M 19 Owasp Llm Top10
OWASP LLM Top 10 The OWASP LLM Top 10 (2025 edition) is the foundational framework for AI application security. Know eve…
Install core tools
Tools Arsenal Offensive AI Security Tools Tool Description Install Garak LLM vulnerability scanner — tests for prompt in…
Option A: Full local LLM stack with Ollama
Labs & Practice Free Labs & Challenges Platform Description URL Gandalf (Lakera) Progressive prompt injection CT…
M 22 Exam Prep
Exam Prep OSAI Exam Format Duration: 48 hours practical engagement Format: Red team a realistic AI-enabled enterprise en…