SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsWe agreed that the AI era presents defenders with new types of assets that require new controls.

The AI Defense Matrix is a free framework that Sounil Yu and I created to help organizations decide how to defend AI systems. Security leaders can use it to find gaps, assign ownership, and select controls for the AI capabilities in their environments.
I saw the need for this framework at RSAC 2026. On the expo floor, vendor after vendor talked about securing AI or using AI for security. After a day of hearing those conversations, I needed a mental model to make sense of the market. I wanted a way to compare the controls an enterprise needs against the AI systems that security leaders are tasked with defending.
Sounil and I talked about his Cyber Defense Matrix, which organizes the broad universe of cybersecurity products. We agreed that the AI era presents defenders with new types of assets that require new controls. While "AI for security" is well represented in his original matrix, we felt the industry would benefit from a dedicated "security for AI" companion. The AI Defense Matrix is that grid.
We debated the columns and rows of the AI Defense Matrix more than anything else. For the columns, we kept the NIST CSF functions, expanding the original matrix's five functions to the six functions in CSF 2.0. Security practitioners already know this framework and use it to describe defensive activities. For the rows, we settled on eight AI-specific asset classes that enterprises need to safeguard with specialized capabilities beyond traditional cybersecurity defenses:
Practitioners and vendors can use the matrix in different ways:
Explore the matrix at aidefensematrix.com, where you can download it in CSV, YAML, and Markdown formats. We also cross-mapped each row to nine other frameworks, including NIST IR 8596, MITRE ATLAS, the OWASP LLM Top 10, and the SANS Critical AI Security Guidelines. The site's change log records each revision and the reasoning behind it.
Use the matrix to anchor your AI defense work as the field evolves. Let the gaps you find shape your priorities.


Lenny Zeltser is a leader in developing resilient security programs. His invaluable tools, like REMnux, a widely used Linux distribution for malware analysis, have become industry standards in combating malicious software.
Read more about Lenny Zeltser