SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsThe AI Defense Matrix is a free framework for deciding how to defend AI systems.

If you are the person accountable for AI risk in your organization, you have probably had the week I had at RSAC 2026. Vendor after vendor said they secure AI, or that they use AI for security, sometimes in the same sentence. By the end of one day on the expo floor, I could not tell which pitches mapped to controls my program actually needed.
So, Sounil Yu and I built a map. The AI Defense Matrix is a free framework for deciding how to defend AI systems: where your gaps are, who owns each control, and which tools genuinely fit.
Sounil created the Cyber Defense Matrix a decade ago to organize the broad universe of security products, and it is still in use because it is simple and it works. When we talked through the AI problem, we agreed on a clean split. Products that use AI to solve older security problems already fit his original matrix. Defending AI itself, the models, the training data, the agent identities, needed its own grid. The AI Defense Matrix is that companion.
The columns are the six NIST CSF 2.0 functions, language every practitioner already knows. The rows are eight AI asset classes that need controls beyond traditional defenses: AI-Workload Platforms, AI Orchestration Tools, AI-Generated Code, AI Gateways and Routers, AI Model, Training Data, Runtime AI Data, and AI Agent Identities.
Here is how a security leader uses it. Take each cell and ask whether anything in your program lives there. The Detect cell for AI Orchestration Tools, for example, covers prompt-injection testing and agent anomaly detection. Start with Govern to anchor ownership and policy, then build a gap inventory that becomes your AI defense roadmap. Vendors can use the same grid in reverse, mapping coverage to specific cells instead of claiming everything.
Now the part where we need you. We released the matrix quietly, and a framework is only as good as the community pressure-testing it. Sounil and I are not certain we grouped these eight asset classes the right way. So, we are running a short survey, about five minutes, on how security leaders are securing AI today and where you feel the gaps. Your answers will shape the next revision, and we will publish what the community tells us.
The matrix is free at aidefensematrix.com, downloadable in CSV, YAML, and Markdown, and cross-mapped to nine other frameworks including the SANS Critical AI Security Guidelines. Take the survey, then use the gaps you find to set your priorities.


Lenny Zeltser is a leader in developing resilient security programs. His invaluable tools, like REMnux, a widely used Linux distribution for malware analysis, have become industry standards in combating malicious software.
Read more about Lenny Zeltser