Course 2B — Securing & Attacking Harnesses and LLMs

The agent is the target.

Course 1 taught you to build a harness. Course 2A taught you to use one for security work. Course 2B inverts the lens: the AI system is what you break, harden, and audit. Prompt injection, memory poisoning, tool and MCP abuse, inter-agent trust escalation, sandbox escapes — and the deterministic governance that bounds them. The thesis: the model is probabilistic; the harness must be deterministic. Thirteen modules, two capstones, ten deep-dives. Every defense attacked, then rebuilt.

~25
hours
13
modules
2
capstones
11
deep-dives
98.4%

The harness is the security boundary, not the model. Course 1 said the model is 1.6% of an agent. Course 2B is what that means for security: every attack — injection, poisoning, abuse, escape — is a harness-layer failure, and every defense is a harness-layer control. The model is probabilistic and injectable by nature. Security comes from deterministic enforcement the model cannot reach.

2A vs 2B: Course 2A is "security engineer gets AI superpowers" — the agent is a tool for security work. Course 2B is "AI engineer learns real security" — the agent is the target being secured. Different object, different buyer, different benchmarks.

Pillar 0 — Foundations
2 modules · ~2 hrs
Pillar 1 — Injection & Poisoning
2 modules · ~2.5 hrs
Pillar 2 — Trust Surfaces
3 modules · ~4 hrs
Pillar 3 — Controls
2 modules · ~2 hrs
Pillar 4 — Frameworks & Governance
4 modules · ~4.25 hrs
Capstones
2 capstones · ~3.5 hrs
Deep-Dives — 11 Security Studies
11 studies · live

Prerequisite: Course 1 — the Master Course (or equivalent production harness experience). Course 2B assumes you already understand why the model is only 1.6% of an agent and why the harness is the other 98.4%. All thirteen modules, both capstones, and all eleven deep-dives are live now. Each ships the same eight-artifact stack: teaching document, diagrams, slide deck, teaching script, flashcards, exam, lab specification, and web page. The capstones build on real tau (Hugging Face's educational coding agent) — students harden a real codebase and measure the result with a real defense scorecard.

The course resolves the central tension of AI security: the model is probabilistic and injectable by nature — security must come from deterministic enforcement the model cannot reach. The CrabTrap (probabilistic) vs IronCurtain (deterministic) debate is settled through offensive testing: determinism where enumerable, probability where semantic, composed in defense-in-depth where neither alone suffices.