A Hands-On Course · 19 lessons

Security

The lethal trifecta, prompt injection, secrets handling, sandboxing, and egress control.

Short lessons (~5–8 min each), each with one tangible win and a retrieval-practice quiz. Built for engineers who already use AI coding tools and want the non-obvious mechanics.

Grounded in the agentpatterns.ai corpus (CC BY 4.0). Keep the Glossary open as you go.

Part 1 · The Threat Model

1. The Lethal Trifecta
An agent isn't dangerous because of one capability. It's dangerous when three meet on the same path — and you can name them.

2. The Provenance-Blind Model
Prompt injection isn't a bug you patch. It's a property of how transformers read — and that changes where you put the defense.

Part 2 · Containing the Damage

3. Keep the Keys Out
The trifecta's "private data" leg is the one you can shrink in an afternoon. Don't let a secret into context, and there's nothing to exfiltrate.

4. Two Walls, Not One
A filesystem wall without a network wall leaks. A network wall without a filesystem wall gets rewritten. You need both, enforced below the prompt.

Part 3 · Architecting the Defense

5. The Model Is Not the Firewall
If "should I connect to this URL?" is a decision the model makes, injection defeats your egress control. Move the decision into the harness.

6. Decide Before You Look
A web page is a crowd of strangers' writing. If the page picks your next action, any stranger can. So fix the plan before the page loads.

Part 4 · Layering the Defense

7. No Single Layer Holds
Every control you've learned can be bypassed under a determined attack. The fix isn't a better layer — it's enough independent layers that the survivors catch what the failures missed.

8. Bound the Blast Radius
When a layer fails — and one will — the damage is capped by the permissions you granted. Every permission the task doesn't need is attack surface you chose to keep.

9. The Framework Is the Knob
Teams argue about which model is "safer." The data says the harness around it matters far more — the same model swings from 1.1% to 27.7% overeager actions depending on the permission framework.

10. Pick Your Sandbox
Lesson 4 said run the agent in a sandbox. This is the next question: which runtime enforces it? Containers, microVMs, and OS-level isolators trade isolation strength against startup cost — and the workload decides.

Part 5 · The Identity & Supply Surface

11. The Gateway in the Middle
An agent wired to ten MCP servers inherits ten ad-hoc authorisation models. A control plane collapses them into one policy point that every tool call must pass — and the decision is independent of the model.

12. Keys That Expire in Minutes
A static API key on an agent runtime is the highest-blast-radius credential you can hold — leakable from logs, hooks, and transcripts, with rotation that never matches an incident. Federation removes the key entirely.

13. The Package That Doesn't Exist
Coding models invent package names that exist in no registry. Most are one-offs — but 43% reappear on every re-run, and a stable hallucination is a name an attacker can register and wait for.

14. The URL Is the Leak
You don't need to read a response to leak data. The moment an agent fetches a crafted URL, the secrets are already in the attacker's server log — encoded in the query string of the request itself.

Part 6 · The Output & Data Surface

15. The Output Is Untrusted Too
Fourteen lessons defended the way in — what the agent reads. This is the way out: what the agent writes, executed or rendered downstream without anyone checking. Same trust failure, opposite direction.

16. The Payload That Waits
Every injection lesson so far assumed the attack and the damage happen in the same session. Long-term memory breaks that assumption: one untrusted read plants a payload that sleeps through a hundred benign sessions, then fires when you mention your salary.

17. The Chunk That Wasn't Yours
No injection, no poisoning — just a retriever doing exactly its job. It ranks by relevance, and relevance has no idea who's asking. In a shared index, the best-scoring chunk for one tenant can belong to another.

Part 7 · The Resource Surface

18. The Bill Is the Attack
Every threat so far targeted your data. This one targets your wallet. The service stays up, latency is fine, error rates are flat — and the bill drains anyway. Resource exhaustion is a threat in its own right.

Capstone

19. Symptom to Mitigation
Eighteen lessons, one reflex: name the legs, locate the boundary, fix it below the model. Here's the full lookup table and the worked case.