BSidesLuxembourg 2026

The technical track of the AI security village

The technical track of the AI security village

AI agents are different from regular LLM apps — they plan steps, call tools, and chase goals across multiple interactions. This added complexity introduces new kinds of security risks that aren’t widely understood yet.

In this talk, I’ll walk through demos of vulnerabilities from the OWASP Agentic AI Threats. These include goal hijacking, alignment faking, orchestration misuse, and time-based attacks that exploit how agents behave over multiple steps or sessions. I’ll show how attackers can trick agents into following the wrong goals, leaking data, or using tools in unsafe ways — all through practical examples.

Event Strategy & Structure

Core Mission: A 2-day, open-floor "village" dedicated to exploring real-world security risks in Agentic AI, Model Context Protocol (MCP) architectures, and LLM workflows.

Alignment: All content and threat models are strictly aligned with OWASP guidance (LLM Top 10 & AI Security Exchange).

Dynamic Flow: Unlike traditional linear training, this is an exploratory space. The schedule is fluid; organizers will pivot topics, attack scenarios, and deep dives in real-time based on what attendees find most interesting.

Village Logistics

Open Access: The village runs continuously for two days with no fixed start/stop times.
Drop-in Format: Attendees are free to enter, observe, leave, and return at will. This supports the casual, "hallway con" culture of BSides events.
Parallel Tracks: Multiple activities (demos, labs, discussions) happen simultaneously, allowing for natural scaling of depth from beginner to advanced levels.

Organizer Responsibilities (The Blue Team/Red Team)

Live Operations: Organizers act as facilitators, maintaining intentionally vulnerable infrastructure (LLMs, RAG pipelines, Autonomous Agents, MCP Servers).

Interactive Walkthroughs: Instead of formal talks, organizers provide short, continuous breakdowns of attacks, explaining why a specific trust boundary failed or how a design choice created a vulnerability.

Adaptive Defense: Based on audience feedback, organizers will live-patch systems or remove mitigations to demonstrate how security controls impact attack feasibility.

Attendee Experience (The Red Team)
Hands-on Exploitation: Attendees can directly interact with deployed systems to attempt prompt injection, logic-based attacks, and tool abuse.
Feedback Loop: Attendees actively shape the curriculum by voting on which systems to attack next or requesting deeper focus on specific failure modes.
Collaborative Defense: A key component is discussing defenses; attendees can propose architecture changes or guardrails, which organizers can discuss or implement live.

Hands-on Labs & Infrastructure
Self-Paced Playgrounds: Dedicated stations will run continuously for independent learning.
Dreadnode Crucible: Focuses on practical exploitation of LLMs and agents.
Lakera Gandalf / Agent Breaker: Gamified challenges covering prompt injection, goal hijacking, and instruction drift.
Purpose: These labs ensure that even if the live demo is advanced, beginners have a place to start learning fundamentals.

Agenda:

Breaking LLM Systems
Theme: Fundamentals of LLM vulnerabilities and the OWASP LLM Top 10.
Live Targets: Minimalist LLM deployments and chat interfaces.
Deep Dives:
Guardrails: Examining internal mechanics and demonstrating how to bypass practical limitations.
RAG Security: attacking Vector Databases and poisoning retrieval contexts (RAG-specific threats).

Agenda: Agentic AI & MCP Security
Theme: The core focus of the village—Autonomous Agents and the Model Context Protocol (MCP).
Complex Workflows: Demos will feature multi-step agents that can plan, execute, and interact with external tools.
Key Attack Vectors:
Instruction Hijacking: Forcing an agent to deviate from its original goal.
Tool Abuse: Exploiting over-privileged MCP capabilities (e.g., an agent with unrestricted file access).
Trust Boundaries: Analyzing failures in the handshake between Agents and MCP servers.