Most defenders are aware that AI security is becoming important. Far fewer know specifically what to learn, in what order, and why each skill actually matters for the defensive work they do every day.
This is not a "the future is AI" think piece. It is a practical breakdown of the specific skills that defenders need in 2026, grounded in what attackers are actually doing and what the frameworks say defenders should know. Start here.
Why Is AI Security a Defender Problem Now, Not Later?
Because AI systems are already deployed in your environment and attackers are already targeting them.
Seventy percent of organisations view the fast-changing AI ecosystem as the most concerning security risk for generative AI adoption. That concern is not hypothetical. Real-world incidents documented by MITRE ATLAS show how prompt injection has been used to exfiltrate data via AI-powered customer service agents, with researchers demonstrating how an organisation's data can be extracted through injections targeting AI systems deployed in production.
The attack surface is not abstract. If your organisation has deployed an LLM application, an AI agent, a RAG system, or any AI-integrated workflow, those systems are in scope for attackers. GenAI introduces exposure paths such as prompt injection, data leakage during inference, and jailbreak techniques that reshape model behaviour without breaking traditional controls - risks that sit closer to user workflows and scale quickly once models integrate with tools, data stores, and automated actions.
Defenders who understand how these attacks work are the ones who can detect them, respond to them, and design controls that actually address them.
Which Specific Skills Should Defenders Learn First?
Understanding Prompt Injection: From Both Sides
Prompt injection is the number one vulnerability class in deployed LLM applications according to the OWASP LLM Top 10. For defenders, understanding it from the attacker's perspective is what makes detection logic meaningful rather than guesswork.
Direct prompt injection is user input that overrides system instructions or bypasses safety controls. Indirect prompt injection is more dangerous and harder to detect: malicious instructions embedded in content the model retrieves or processes - a document it summarises, a webpage an agent visits, data it pulls from a vector database. A successful indirect injection can coerce an agent to misuse its tools, leading to unauthorised data exfiltration, system compromise, or execution of arbitrary code.
Defenders need to be able to construct and test prompt injections against deployed systems, recognise the log signatures that indicate an injection attempt, and design input validation and privilege separation controls that reduce exposure. Both the offensive and defensive angles are in scope - which is why this sits in 🟣 Purple territory.
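One defensive illustration of the indirect case described above, as an added Python example (not TryHackMe's or any product's code): the retrieval layer scans each chunk for instruction-like text and hidden characters, then hands surviving content to the model as delimited data rather than as instructions. The indicator patterns, delimiter format and log line are constructed assumptions, not a standard signature set.

```python
import re
import unicodedata

# Constructed, illustrative indicators of instruction-like text inside DATA the
# model retrieves (documents, web pages, vector-store chunks). Assumption: this
# is a starting signature set, not an exhaustive one.
INSTRUCTION_PATTERNS = {
    "override": r"\bignore\b.{0,30}\b(previous|prior|above|earlier)\b.{0,20}\binstructions?\b",
    "role_hijack": r"\byou are now\b|\bact as (the )?(system|admin|developer)\b",
    "prompt_probe": r"\b(reveal|print|repeat)\b.{0,30}\b(system prompt|instructions)\b",
    "fake_markup": r"<\s*/?\s*(system|assistant|instruction|tool)\b[^>]*>",
    "exfil_directive": r"\b(send|post|forward|email)\b.{0,60}\bhttps?://",
}

def scan_untrusted(text: str) -> list[str]:
    """Return the names of every indicator that fires on one retrieved chunk."""
    hits = [name for name, pat in INSTRUCTION_PATTERNS.items()
            if re.search(pat, text, re.IGNORECASE | re.DOTALL)]
    # Zero-width and other format characters hide text from a human reviewer
    # while the model still reads it, so their presence is itself an indicator.
    if any(unicodedata.category(ch) == "Cf" for ch in text):
        hits.append("hidden_chars")
    return hits

def wrap_as_data(source: str, text: str) -> str:
    """Privilege separation: retrieved content reaches the model as delimited,
    labelled data, never spliced into the instruction section of the prompt."""
    clean = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    clean = clean.replace("<<<", "< < <").replace(">>>", "> > >")  # stop delimiter forgery
    return f"<<<DATA source={source!r}>>>\n{clean}\n<<<END DATA>>>"

def triage(source: str, text: str) -> dict:
    """Decide what the retrieval layer does with one chunk and emit a log line
    that a SOC rule can match on (source, action, indicator names)."""
    hits = scan_untrusted(text)
    if "exfil_directive" in hits or len(hits) >= 2:
        action = "quarantine"     # drop the chunk and alert; nothing reaches the model
    elif hits:
        action = "pass_flagged"   # deliver as data, but record the indicators
    else:
        action = "pass"
    return {"source": source, "action": action, "indicators": hits,
            "log": f"retrieval source={source} action={action} indicators={','.join(hits) or '-'}",
            "prompt_fragment": None if action == "quarantine" else wrap_as_data(source, text)}
```

The "log" field is the signature a detection rule keys on; the quarantine threshold and pattern list are the parts a team would tune to its own false-positive tolerance.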
MITRE ATLAS Threat Modelling
The November 2025 ATLAS framework update expanded to 16 tactics, 84 techniques, 32 mitigations, and 42 case studies, with continued updates through February 2026 adding agentic AI techniques. This is the AI-specific counterpart to MITRE ATT&CK: a structured taxonomy of adversary tactics and techniques against AI systems that gives defenders a shared vocabulary for threat modelling, detection engineering, and incident response.
Approximately 70% of ATLAS mitigations map to existing security controls, making integration with current SOC workflows practical. Defenders who already understand ATT&CK will find ATLAS conceptually familiar. The application is different because the attack surface is different, but the structured approach to mapping adversary behaviour to defensive action translates directly.
The process starts with mapping the attack surface: every component of the AI system - training pipeline, model serving infrastructure, inference API, vector database, agent tool integrations - maps to a subset of ATLAS techniques. Start by auditing what AI systems exist in your environment, then apply ATLAS to assess which techniques each system is exposed to.
LLM Vulnerability Classes Beyond Prompt Injection
The OWASP LLM Top 10 covers the full vulnerability taxonomy. After prompt injection, the classes defenders need to understand are:
Sensitive information disclosure. Models can be induced to reveal training data, system prompts, or retrieved context through careful prompting. Detection requires monitoring output for patterns that suggest exfiltration rather than legitimate responses.
AI supply chain vulnerabilities. Supply chain attacks on ML dependencies are not a theoretical risk. The frequency of documented incidents in 2025 and 2026 makes this one of the highest-likelihood initial access vectors for AI systems, and it is outside the scope of most standard LLM security assessments. The LiteLLM incident in March 2026 illustrates the blast radius possible from a single compromised dependency with broad adoption.
Excessive agency. When AI agents have tools - the ability to send emails, execute code, browse the web, call APIs - a successful prompt injection does not merely produce a bad response; it takes real-world actions. Defenders need to understand how to constrain tool permissions, enforce least privilege on AI identities, and detect unexpected agent behaviour.
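An added example, not TryHackMe's code, of the least-privilege tool gate this paragraph calls for: each agent identity gets an explicit tool allowlist, per-tool argument checks, and a session call budget, and every decision is written to an audit log for detection and forensics. The agent names, internal mail domain and URL allowlist are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ToolPolicy:
    """Everything one agent identity is permitted to do. Assumption: policies are
    authored by the security team per deployment, never derived from model output."""
    allowed_tools: frozenset
    arg_checks: dict = field(default_factory=dict)   # tool name -> validator returning a reason or None
    max_calls_per_session: int = 20                  # budget against runaway or looping agents

def check_email(args: dict) -> Optional[str]:
    rcpt = args.get("to", "")
    return None if rcpt.endswith("@corp.example") else f"recipient outside internal domain: {rcpt}"

def check_http(args: dict) -> Optional[str]:
    url = args.get("url", "")
    return None if url.startswith("https://api.internal.example/") else f"url not in allowlist: {url}"

# Constructed policies: two identities with deliberately different blast radii.
POLICIES = {
    "support-agent": ToolPolicy(frozenset({"lookup_ticket", "send_email"}),
                                {"send_email": check_email}, max_calls_per_session=10),
    "research-agent": ToolPolicy(frozenset({"http_get"}), {"http_get": check_http}),
}
AUDIT_LOG: list = []   # every decision, allowed or denied, is evidence for detection and forensics

def authorize_tool_call(agent_id: str, session_calls: int, tool: str, args: dict) -> dict:
    """Deny-by-default gate that must run before any tool executes."""
    policy = POLICIES.get(agent_id)
    if policy is None:
        verdict, reason = "deny", "unknown agent identity"
    elif tool not in policy.allowed_tools:
        verdict, reason = "deny", f"tool {tool} not granted to {agent_id}"
    elif session_calls >= policy.max_calls_per_session:
        verdict, reason = "deny", "session call budget exhausted"
    else:
        problem = policy.arg_checks.get(tool, lambda _: None)(args)
        verdict, reason = ("deny", problem) if problem else ("allow", "policy match")
    record = {"agent": agent_id, "tool": tool, "args": args, "verdict": verdict, "reason": reason}
    AUDIT_LOG.append(record)
    return record
```

A burst of "deny" records for one session is the anomaly signal: the model is being steered toward tools or arguments its identity was never granted.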
Securing AI Systems You Are Responsible For
This is the operational skill set that defenders in security engineering and cloud security roles need specifically. It covers:
Input validation and output filtering for LLM applications. Context isolation between system prompts and user inputs. Secrets management for AI service accounts - moving away from long-lived API keys. Monitoring for anomalous model behaviour that deviates from baseline. Data minimisation practices that reduce what is at risk if a model is compromised.
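An added example (not code from TryHackMe or any vendor) that ties the sensitive information disclosure class above to the output filtering and monitoring items in this list: a random canary in the system prompt proves a system-prompt leak when it appears in a response, and secret-shape checks catch key material surfacing in output. The log line format, the key shapes and the canary format are constructed assumptions.

```python
import re
import secrets

# A canary is a random, unguessable marker placed in the system prompt; if it
# ever appears in model output, the system prompt has leaked. Rotate it per
# deployment so a leaked value cannot be reused to fool the check.
def make_canary() -> str:
    return "CANARY-" + secrets.token_hex(8)

# Constructed, illustrative shapes of secret-like strings. Assumption: tuned
# per environment; these are not a complete set of provider key formats.
SECRET_SHAPES = {
    "aws_access_key": r"\bAKIA[0-9A-Z]{16}\b",
    "private_key": r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    "generic_key": r"\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}",
}
LOG_RE = re.compile(r'session=(?P<session>\S+)\s+output="(?P<output>.*)"\s*$')

def inspect_output(text: str, canary: str) -> list[str]:
    """Name every disclosure indicator found in one model response."""
    findings = ["system_prompt_leak"] if canary in text else []
    findings += [name for name, pat in SECRET_SHAPES.items()
                 if re.search(pat, text, re.IGNORECASE)]
    return findings

def redact(text: str, canary: str) -> str:
    """Output filtering: never return secret-shaped material to the caller."""
    text = text.replace(canary, "[REDACTED:canary]")
    for name, pat in SECRET_SHAPES.items():
        text = re.sub(pat, f"[REDACTED:{name}]", text, flags=re.IGNORECASE)
    return text

def process_log_line(line: str, canary: str) -> dict:
    """Inspect one constructed 'session=... output="..."' log line and decide
    whether the response is delivered, or blocked and escalated to the SOC."""
    m = LOG_RE.search(line)
    if not m:
        return {"session": None, "verdict": "unparsed", "findings": [], "redacted": None}
    findings = inspect_output(m["output"], canary)
    return {"session": m["session"],
            "verdict": "block" if findings else "deliver",
            "findings": findings,
            "redacted": redact(m["output"], canary)}
```

The canary check is deterministic and cheap, so it belongs inline on the response path; the secret-shape scan is the part that needs a baseline of normal output to keep false positives down.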
MITRE ATLAS gives organisations a critical framework to understand and defend against adversarial behaviour targeting AI systems, filling the gap left by traditional security models and providing a structured way to evaluate risk across training, inference, and operational processes. Use ATLAS alongside the OWASP LLM Top 10 and NIST AI RMF: OWASP provides a developer-centric vulnerability list for secure development, while ATLAS serves operational security, threat modelling, and detection development.
AI Forensics
When an AI system produces unexpected behaviour, determining whether it was a prompt injection, a poisoned model, or an adversarial input requires investigative techniques that do not exist in traditional security toolkits. AI forensics covers what evidence to collect, how to preserve it, and how to reconstruct what happened to a model or an agent during an incident.
This is an emerging discipline that most defenders have no exposure to yet. Getting ahead of it now is the early-mover advantage.
How Does This Fit Into Existing Security Roles?
AI security is not a separate career. It is a layer that goes on top of your existing specialisation.
SOC analysts add detection of AI-powered attacks and prompt injection signatures to their investigation workflows. Security engineers add AI threat modelling, secure deployment practices, and anomaly monitoring to their architecture reviews. Penetration testers add LLM red teaming and ATLAS-based assessment to their engagement methodology.
The defenders who build this layer now are the ones organisations will depend on as AI deployment accelerates. The skills gap is real and the window for early-mover advantage is still open.
Where Do You Build These Skills?
TryHackMe's AI Security path covers every domain in this guide through hands-on lab environments. The LLM Security room covers direct and indirect prompt injection hands-on. The AI Threat Modelling room teaches ATLAS-based assessment against live AI systems. The AI Forensics module covers what investigation looks like when an AI system has been compromised. The AI Supply Chain Security room addresses the dependency attack surface that most defenders have not yet considered.
This week TryHackMe launched AI1, the AI Security certification - the first practical AI security credential available on any platform. Thirteen hands-on scenarios testing your ability to both attack and defend real AI systems. No multiple choice. The path is the preparation. AI1 is the proof.
Nick O'Grady