AI security research: LLM threat models, prompt injection defenses, and securing AI workloads in Azure. Exploring the intersection of AI and cybersecurity.
Built by a Cybersecurity Architect investigating how generative AI changes the threat landscape and what defenders need to do differently.
Generative AI is being deployed faster than security teams can assess the risks. This repository provides practical security analysis of AI systems for architects and security engineers making real decisions about deploying, defending, or evaluating AI workloads.
What this covers:
- Threat modeling for LLM-based systems and AI pipelines
- Prompt injection: attack patterns, detection, and mitigations
- Securing Azure OpenAI deployments in enterprise environments
AI-assisted security operations: what works vs. what is hype
- Responsible AI from a security and risk management perspective
AI security is poorly understood by both sides:
- Security teams treat AI models like traditional applications, missing AI-specific attack surfaces like prompt injection, model inversion, and data poisoning
- AI teams treat security as an afterthought, deploying RAG pipelines and copilots without threat modeling the attack surface
Organizations deploy AI assistants with access to sensitive data without understanding that indirect prompt injection can weaponize the copilot against them
This repository documents the attacks, defenses, and architecture decisions that matter.
ai-security-lab/ ├── threat-models/ │ ├── llm-threat-model.md # STRIDE analysis of LLM systems │ ├── rag-pipeline-threats.md # RAG architecture attack surface │ └── copilot-threat-model.md # Microsoft Copilot security analysis ├── prompt-injection/ │ ├── attack-taxonomy.md # Classification of injection types │ ├── detection-techniques.md # How to detect injection attempts │ └── mitigation-strategies.md # Defense architecture and controls ├── azure-openai-security/ │ ├── deployment-hardening.md # Secure Azure OpenAI configuration │ ├── network-isolation.md # Private endpoints, VNet integration │ └── content-filtering.md # Azure AI Content Safety ├── ai-for-defense/ │ ├── copilot-for-security.md # Microsoft Copilot for Security │ └── llm-assisted-threat-hunting.md # LLMs augmenting KQL threat hunting └── README.md
Key threats that traditional security frameworks miss when applied to LLM systems:
Threat Category Traditional App LLM-Specific Injection SQL injection, XSS Prompt injection, jailbreaking Data exposure Misconfigured ACLs Training data extraction, model inversion Denial of Service Network flooding Prompt flooding, token exhaustion Privilege escalation RBAC misconfig System prompt override, indirect injection Supply chain Dependency confusion Poisoned fine-tuning data, model backdoors Direct Injection → User crafts adversarial input (Severity: Medium) Indirect Injection → Attacker embeds instructions in processed data (Severity: High) Multi-turn → Injection across conversation turns (Severity: High) Plugin/Tool → Injection through AI tool call results (Severity: Critical)Indirect injection is the critical enterprise risk. A phishing email with hidden instructions can weaponize a corporate copilot against its own users — requiring zero exploitation of the AI infrastructure.
- Network isolation: Private endpoints only, no public network access
- Identity: Managed Identity for authentication (no API key management)
- Content filtering: Azure AI Content Safety for input and output filtering
Monitoring: Diagnostic logs to Log Analytics, alert on anomalous usage
- Access control: RBAC-based access, no shared API keys in production
[User Input] → [Input Validation + Content Safety] → [Azure AI Search] → [Context Assembly + System Prompt Hardening] → [Azure OpenAI (Private Endpoint)] → [Output Content Safety Filter] → [Response] → [Audit Log to Log Analytics]Security must be applied at every layer: the model itself, the retrieval pipeline, the application layer, and the output handling.
- All proof-of-concept work follows responsible disclosure principles
- No attacks against live systems are documented here
Prompt injection examples use synthetic, controlled environments
- This repository contains no AI model weights, training data, or proprietary model information
Surya | Cybersecurity Architect | CISSP
Exploring the security implications of AI systems as they become core enterprise infrastructure.
86sunbot/ai-security-lab
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
