The AI Security Training Gap, and What Actually Closes It
Enterprise AI security awareness programs are proliferating and mostly not working. The gap is not awareness, it is not policy, it is the absence of hands-on adversarial practice. Basileak is the controlled target that converts documentation into defensive intuition, for developers, security engineers, and leaders. Day 4 of Basileak Week.
Enterprise AI security programs have never been better resourced and never more anxious.
Awareness modules on prompt injection appear in mandatory training. Internal policy documents reference LLM risk. Red team charters list AI-specific engagements. Board slides carry a line item on AI threat surface. The budget and the attention are present. The defensive outcomes are not.
The gap is not awareness. Teams know prompt injection exists. The gap is not policy. Policies naming the risk are already deployed. The gap is that the people responsible for securing LLM systems, developers, security engineers, risk owners, platform architects, lack the hands-on understanding of how the attacks actually operate. They have read the threat models. They have not run the attacks. The distance between those two states is wider than most programs appreciate, and documentation does not close it.
Day 4 of Basileak Week is about that distance, and what an adversarial lab target actually changes.
Why Awareness Documentation Is Not Producing Defensive Behavior
Security training works when it builds intuition through experience. Developers who wrote parameterized queries after running SQL injection exercises in DVWA retain that behavior as reflex. Network engineers who traced live attacks through packet captures read threat landscapes differently than those who only attended briefings. The knowledge is durable because it is experiential. It is bound to specific recalled situations, not to abstract categories in a slide deck.
Prompt injection training has, almost universally, taken the opposite approach. It has been delivered through documentation, policy, and abstract taxonomy. Security teams read through the categories. Developers attend a workshop. A policy document describes what not to do. The cohort nods. Six weeks later they ship an LLM-powered feature that falls to the first Authority Claim a red team throws at it.
The failure mode is predictable because the training model is wrong. Abstract categorical knowledge does not produce behavior change under the specific, messy, context-loaded situations that development and operations actually contain. It produces confidence without competence, which is worse than nothing because it blocks the team from seeking the training that would work.
The AI security field has a methodological problem, not an information problem.
The DVWA Proof
Application security solved the same problem with hands-on infrastructure.
DVWA became the de facto training target for web security because it respects the nature of the knowledge. Understanding why SQL injection works, at the level that produces secure code, requires successfully exploiting a SQL injection vulnerability. Understanding why input validation matters requires bypassing input validation. The experience of attack success is what produces the defensive reflex. A decade of cohorts have passed through DVWA and come out writing safer code.
The pattern that works translates to LLM security directly. What was missing was the target. Production models are not appropriate. Benchmarks do not resist. Manual CTFs do not scale. Synthetic replay gives you grading and not attacking. The field needed a purpose-built, deliberately vulnerable, locally deployed, conversational adversary. Basileak is that target.
What Hands-On Actually Requires
A useful training target has properties the documentation approach cannot provide.
A Realistic Resistance Curve
A model that yields to the first injection attempt teaches the wrong reflex. A model that never yields teaches nothing. Basileak implements the resist-then-comply pattern: the Oracle refuses three times with an identical refusal line before complying. The practitioner learns, through the experience of it, that persistence is a category of attack, and that refusal patterns are only as strong as their resistance to patience.
Technique Isolation
Real-world attacks combine vectors. Training requires clean attribution. Basileak's six-stage CTF forces isolation: each stage is triggered by one class of attack and cannot be reached by another. The practitioner who passes a stage knows which technique produced the result, which is the precondition for generalizing it.
Documented Mapping
Every attack attempt in Basileak maps to a category in the BU-TPI taxonomy, scored in real time by the Haiku Scanner. When the practitioner's input lands, the scanner labels it. The cohort debrief can reference specific categories, specific stages, specific fixtures. The experience becomes teachable material.
Safe Deployment
The vault contains only CTF decoy flags. The target runs locally on lab infrastructure. The entire training exercise has zero real attack surface, which is the precondition for letting cohorts run as aggressively as serious training requires.
What Different Practitioners Actually Learn
The outcome of a Basileak cohort run is different for each role, because each role leaves with a different kind of defensive intuition.
Developers
Developers who have worked through Stage 1 leave understanding, in their hands, why Markdown structure in user input is a vulnerability surface. They have seen an ### AUDIT CHECKLIST with fake tick marks cause an LLM to comply with an unauthorized request. That experience produces a different code review reflex than reading "avoid trusting input structure". The next time a pull request lands that renders user input through a model without structure-aware filtering, they catch it because the pattern is recognized, not because they are consulting a checklist.
This generalizes. The Stage 3 experience teaches developers what happens when debug phrases end up in system prompts. The Stage 4 experience teaches developers what enumeration attacks look like against listings endpoints in their own RAG systems. Every stage produces a code review instinct that the documentation approach does not.
Security Engineers
Security engineers leave with direct experience of sequential exfiltration. They have watched their rate-limiting assumptions fail against semantically sequential requests. They have watched bulk-block controls prove useless against item-by-item extraction. That failure is diagnostic: it reveals, in concrete terms, that exfiltration controls have to be holistic, that session-level disclosure tracking matters, that semantic analysis of request patterns belongs in the defense stack.
They also leave with the categorical vocabulary of BU-TPI as a shared language with the rest of the team. When a production incident involves Summarization Attack plus Redaction Request plus Incident Response framing, they can name the combination, the threat model holds it, and the postmortem is useful.
Red Teamers
Red teamers leave with a documented library of attack patterns embedded in the CTF itself. The Stage 5 vault contents are each a real technique: prompt sandwich attacks, tool trust falls, environment variable exfiltration theater, instruction hierarchy injection. These are not theoretical descriptions. They are patterns the practitioner successfully executed, in a controlled environment, with the Haiku Scanner classifying each attempt.
This matters for downstream engagements. A red team that has been through Basileak approaches a production LLM engagement with a mapped attack surface. They know which categories to try first, which combinations tend to compound, which categories a mature defense will already have covered. They are faster, more systematic, and more useful to the defending team.
Risk Owners and Leaders
Risk owners leave with a concrete, demonstrable answer to the question "what does an LLM attack actually look like?" That question is currently answered almost entirely with hypothetical scenarios. Twenty minutes in front of a live Basileak session, watching a cohort member write a credentialed audit frame and the Oracle yield the first flag, converts the question from hypothetical to specific. The leader has seen the pattern. They can describe it. They can budget for defenses that address it, rather than for defenses that address a vague sense of AI risk.
The Controlled Environment Requirement
The value of adversarial training is inseparable from its safety properties.
The techniques that build defensive intuition look like attacks. Practitioners need to write authority claims, forge audit formatting, apply social engineering pressure, attempt exfiltration sequences. In a training context, that is the method. Against a production system, it is an incident. The difference between the two is the environment, and the environment is load-bearing.
Basileak's design embeds that requirement from the ground up. The vault holds only CTF decoy flags. The model runs locally. The target is isolated from production networks and the internet. Session logs stay inside the lab. The DojoLM scanner records classifications without external telemetry. A cohort can be as aggressive as the exercise demands without any operational, legal, or reputational exposure. That is the precondition for serious training.
What Deployment Looks Like
Running Basileak as an enterprise training capability is a small infrastructure commitment and a bigger facilitation commitment.
Infrastructure
A single lab node with 6+ GB VRAM or 8+ GB unified memory runs the Q4_K_M build at production-grade latency. llama.cpp or Ollama serves the OpenAI-compatible API. The Haiku Scanner runs beside it on localhost:8089, providing real-time BU-TPI classification on every input. The Armory carries labeled fixture sets for structured exercises. The Hattori Guard can be run in parallel as the defensive counterpart for cohorts that want to study response-layer defenses against the same attack set. Nothing in this stack requires cloud infrastructure or external API access.
Facilitation
The CTF provides the experience. The debrief converts the experience into transferable principle. A useful cohort run pairs two or three practitioners per target, runs through the stages in sequence, and debriefs at each stage boundary against the scanner logs. A facilitator who knows the BU-TPI taxonomy, the stage structure, and the defensive principles each stage teaches can convert a two-hour session into durable cohort knowledge.
Scale
For organizations running web application security labs on DVWA, Basileak extends the same operational model to the AI security domain. Same pattern, same safety properties, same facilitation rhythm, new discipline. Teams that already know how to run a DVWA cohort can stand up a Basileak cohort in a day.
The Capability This Builds
The organizations that come out ahead on AI security are the ones whose developers and security engineers have genuine, intuitive understanding of how LLM attacks operate. Because they have run them. Because the cohort has debriefed them. Because the team's shared vocabulary includes specific attack categories bound to specific remembered situations.
That capability produces the downstream outcomes the documentation approach does not:
Architecture decisions that do not create injection surfaces, because the team has seen what creates them. Threat models that anticipate sequential exfiltration and summarization attacks, because the team has executed them. Incident response that correctly identifies AI-specific attack patterns, because the team has the vocabulary and the pattern recognition to notice. Security review checklists that catch LLM-specific vulnerabilities before deployment, because the reviewers recognize the patterns from the inside.
This capability is being built now. The window to build it proactively, before the incidents rather than in response to them, is open.
A controlled, purpose-built, locally-deployable adversarial LLM is how you open it. Basileak is one answer to that problem. The broader platform around it (DojoLM, the Haiku Scanner, the Armory, the Hattori Guard) is the infrastructure that makes the training durable at cohort scale.
What's Next in Basileak Week
Tomorrow, Day 5 closes the week with a stage-by-stage walkthrough. Real flag values are redacted so a team can read the piece and still run the exercise without spoilers. The walkthrough names the trigger category, the expected Oracle behavior, the common failure modes practitioners hit, and the debrief questions that convert each stage into transferable principle.
Basileak is part of the DojoLM lab platform by Black Unicorn. All vault contents are CTF decoy flags. Designed for isolated lab deployment only.
#AISecurityTraining #LLMSecurity #EnterpriseAI #PromptInjection #RedTeam #DojoLM #CyberSecurity #BuildInPublic