AMLUCS 2026 Training Course

21-22 September 2026

A 2-day hands-on course for security engineers and AI/ML practitioners

Tickets for the pre-event training course are not yet live - register your interest at amlucs@fnc.co.uk for an update as bookings open.

Validated AI Red Teaming for Production AI Systems

Course overview

This two-day course teaches a working AI red teaming methodology you can apply to production AI systems on Monday morning. Across ten modules, attendees move from the foundations of AI red teaming through hands-on attack execution, multi-turn techniques, methodology, and reporting, finishing with how the evidence produced supports ETSI EN 304 223 conformity assessments.

The course is built around three contrasting sample applications - a healthcare assistant, a regulated financial advice chatbot, and an unguarded financial agent - so attendees see how the same techniques perform across hardened and unguarded targets. Every claim in the course is backed by an underlying empirical dataset of multi-turn red teaming transcripts.

Attendees work with the course VM throughout - a pre-built environment that includes the toolchain, sample applications, and templates. The VM image is provided as a snapshot of the lab environment used during the course; attendees can keep and re-use the snapshot afterwards, with course support limited to the duration of the course itself.

  • This is a hands-on course, not a lecture series. Lab time meets or exceeds lecture time on almost every module.

    • Bringing up and using a pre-built AI red teaming VM, configuring model providers and credentials safely.

    • Writing threat models for Gen AI and agentic systems that translate regulatory and operational risk into testable objectives.

    • Executing single-turn attacks (prompt injection, jailbreaks, indirect injection) using PyRIT, Promptfoo, Spikee, and HumanBound.

    • Running multi-turn engagements with attacker and scorer model panels - including Crescendo, GOAT, TAP, and role-play escalation.

    • Performing a full end-to-end engagement against a sample agentic application, including tool-call verification.

    • Using AI CLIs and coding tools to scale red team work, then writing the evidence pack three different ways: engineering, GRC, and executive.

    • Mapping your engagement evidence to ETSI EN 304 223 conformity assessment requirements.

    • Group discussions and peer review on threat models, panel choices, and evidence packs.

  • By the end of this course, attendees will be able to:

    • Understand the foundations of AI security - OWASP Top 10 for LLMs, OWASP Top 10 for Agentic Applications, and the UK AI Cyber Security Code of Practice / ETSI EN 304 223.

    • Distinguish AI red teaming from vulnerability scanning, AI SecOps, and safety evaluations - and explain where each one fits.

    • Produce a defensible threat model for a Gen AI or agentic system, with traceability from regulatory or operational risk to test objectives and success conditions.

    • Execute single-turn and multi-turn attacks against production AI systems using the major open-source tools, and triage findings to drop false positives.

    • Select an attacker and scorer model panel that's defensible under real-world constraints (data residency, budget, provider diversity).

    • Run a full red teaming engagement on an agentic system, including human-in-the-loop adjudication of borderline cases.

    • Convert engagement findings into a regression suite and an evidence pack tailored to three different audiences.

    • Explain how AI red teaming evidence supports an ETSI EN 304 223 conformity assessment and produce a worked mapping of evidence to standard sections.

    • Use AI coding assistants to scale red team work without losing methodological rigour.

  • Security engineers, application security professionals, and AI/ML practitioners who are responsible for assessing or assuring AI systems in production. The course is designed for practitioners who will run engagements themselves rather than commission them.

    It assumes no prior AI red teaming experience but does assume general security or AI/ML technical fluency. Attendees from regulated industries (financial services, healthcare, government, defence) will find the methodology directly applicable to their compliance and assurance work.

  • Attendees should have at least one of:

    • Working knowledge of penetration testing or application security.

    • Hands-on experience building or deploying AI/ML systems in production.

    • Recent experience with LLM-based applications (writing prompts, working with API providers, or reviewing AI outputs as part of a compliance or assurance role).

    All attendees should be:

    • Comfortable with the command line.

    • Able to read and lightly modify Python and YAML.

    • Comfortable reading API documentation.

    Some familiarity with OWASP LLM Top 10, OWASP Agentic Top 10, and the UK AI Cyber Security Code of Practice / ETSI EN 304 223 would be helpful, though all are covered briefly in the course.

    • A laptop you can install software on. This is non-negotiable - attendees will be running a VM and a toolchain locally. Corporate laptops with locked-down developer permissions will not work. If your work laptop restricts software installation, bring a personal one or arrange admin rights with your IT team before the course.

    • Hardware minimum: 16 GB RAM, 50 GB free disk space, virtualisation enabled in BIOS/UEFI.

    • A supported hypervisor installed before the course. Supported platforms: VMware Workstation Pro (Windows / Linux, free for personal use), VMware Fusion (macOS Intel, free), and VirtualBox (Windows / Linux / macOS Intel). Note that only Intel-based Macs appear in this list.

    • API credentials for an LLM provider - required; attendees must bring their own. The course supports Anthropic (direct API), AWS Bedrock, OpenAI, and Google Vertex; Anthropic direct or Bedrock are the smoothest setups. Create the account and confirm you can make API calls before the course. Expect to spend roughly £20–£50 on API usage across the two days, depending on how far you experiment beyond the structured labs.

    • A power adapter - the lab work is intensive, and laptops will be on full load.

Meet the trainer

John Sotiropoulos is the Founder of DeepCyber Ltd, safeguarding national-scale AI programmes across government, healthcare, and finance. He co-leads the OWASP Agentic Security Initiative, chairs the OWASP Top 10 for Agentic Applications, and is a Board Director of the OWASP GenAI Security Project. John liaises with national cybersecurity agencies, authored the UK Government's Implementation Guide to the AI Cyber Security Code of Practice (now the ETSI EN 304 223 standard), and sits on the ETSI SAI technical committee shaping standards for secure AI and agentic systems. He was Highly Commended for Security Professional of the Year at the 2025 UK IT Awards, and is the bestselling author of Adversarial AI Attacks, Mitigations, and Defense Strategies.

John Sotiropoulos, AMLUCS 2026 Technical Committee

Timetable