Agent Security Practice Exam

Practice exam focused on agentic AI security including MCP, A2A, function calling, and multi-agent threats.

Assessment Overview

Practice exam focused on agentic AI security including MCP, A2A, function calling, and multi-agent threats.

Assessment Details:

• Questions: 15
• Recommended Time: 45 minutes
• Passing Score: 70%
• Difficulty Level: Advanced

Instructions

Read each question carefully and consider all answer options before selecting your response. Many questions have multiple plausible answers — select the best answer that accounts for the full context of the scenario.

For scenario-based questions:

1. Identify the key constraints and objectives in the scenario
2. Consider what information you have and what you lack
3. Evaluate each option against the scenario's specific requirements
4. Select the option that best balances effectiveness, safety, and professionalism

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Scoring and Recommendations

Review Guidance

After completing this assessment, review the explanations for all questions — including those you answered correctly. Understanding why an answer is correct is as important as knowing the answer itself, and the explanations often contain additional context that deepens understanding of the topic.

For questions you answered incorrectly:

1. Identify the topic area the question covers
2. Review the corresponding curriculum section
3. Complete any related lab exercises
4. Re-attempt the question after review

Advanced Considerations

Evolving Attack Landscape

The AI security landscape evolves rapidly as both offensive techniques and defensive measures advance. Several trends shape the current state of play:

Increasing model capabilities create new attack surfaces. As models gain access to tools, code execution, web browsing, and computer use, each new capability introduces potential exploitation vectors that did not exist in earlier, text-only systems. The principle of least privilege becomes increasingly important as model capabilities expand.

Safety training improvements are necessary but not sufficient. Model providers invest heavily in safety training through RLHF, DPO, constitutional AI, and other alignment techniques. These improvements raise the bar for successful attacks but do not eliminate the fundamental vulnerability: models cannot reliably distinguish legitimate instructions from adversarial ones because this distinction is not represented in the architecture.

Automated red teaming tools democratize testing. Tools like NVIDIA's Garak, Microsoft's PyRIT, and Promptfoo enable organizations to conduct automated security testing without deep AI security expertise. However, automated tools catch known patterns; novel attacks and business logic vulnerabilities still require human creativity and domain knowledge.

Regulatory pressure drives organizational investment. The EU AI Act, NIST AI RMF, and industry-specific regulations increasingly require organizations to assess and mitigate AI-specific risks. This regulatory pressure is driving investment in AI security programs, but many organizations are still in the early stages of building mature AI security practices.

Cross-Cutting Security Principles

Several security principles apply across all topics covered in this curriculum:

1. Defense-in-depth: No single defensive measure is sufficient. Layer multiple independent defenses so that failure of any single layer does not result in system compromise. Input classification, output filtering, behavioral monitoring, and architectural controls should all be present.

2. Assume breach: Design systems assuming that any individual component can be compromised. This mindset leads to better isolation, monitoring, and incident response capabilities. When a prompt injection succeeds, the blast radius should be minimized through architectural controls.

3. Least privilege: Grant models and agents only the minimum capabilities needed for their intended function. A customer service chatbot does not need file system access or code execution. Excessive capabilities magnify the impact of successful exploitation.

4. Continuous testing: AI security is not a one-time assessment. Models change, defenses evolve, and new attack techniques are discovered regularly. Implement continuous security testing as part of the development and deployment lifecycle.

5. Secure by default: Default configurations should be secure. Require explicit opt-in for risky capabilities, use allowlists rather than denylists, and err on the side of restriction rather than permissiveness.

Integration with Organizational Security

AI security does not exist in isolation — it must integrate with the organization's broader security program:

class OrganizationalIntegration:
    """Framework for integrating AI security with organizational security programs."""
 
    def __init__(self, org_config: dict):
        self.config = org_config
        self.gaps = []
 
    def assess_maturity(self) -> dict:
        """Assess the organization's AI security maturity."""
        domains = {
            "governance": self._check_governance(),
            "technical_controls": self._check_technical(),
            "monitoring": self._check_monitoring(),
            "incident_response": self._check_ir(),
            "training": self._check_training(),
        }
        overall = sum(d["score"] for d in domains.values()) / len(domains)
        return {"domains": domains, "overall_maturity": round(overall, 1)}
 
    def _check_governance(self) -> dict:
        has_policy = self.config.get("ai_security_policy", False)
        has_framework = self.config.get("risk_framework", False)
        score = (int(has_policy) + int(has_framework)) * 2.5
        return {"score": score, "max": 5.0}
 
    def _check_technical(self) -> dict:
        controls = ["input_classification", "output_filtering", "rate_limiting", "sandboxing"]
        active = sum(1 for c in controls if self.config.get(c, False))
        return {"score": active * 1.25, "max": 5.0}
 
    def _check_monitoring(self) -> dict:
        has_monitoring = self.config.get("ai_monitoring", False)
        has_alerting = self.config.get("ai_alerting", False)
        score = (int(has_monitoring) + int(has_alerting)) * 2.5
        return {"score": score, "max": 5.0}
 
    def _check_ir(self) -> dict:
        has_playbook = self.config.get("ai_ir_playbook", False)
        return {"score": 5.0 if has_playbook else 0.0, "max": 5.0}
 
    def _check_training(self) -> dict:
        has_training = self.config.get("ai_security_training", False)
        return {"score": 5.0 if has_training else 0.0, "max": 5.0}

Future Directions

Several research and industry trends will shape the evolution of this field:

• Formal methods for AI safety: Development of mathematical frameworks that can provide bounded guarantees about model behavior under adversarial conditions
• Automated red teaming at scale: Continued improvement of automated testing tools that can discover novel vulnerabilities without human guidance
• AI-assisted defense: Using AI systems to detect and respond to attacks on other AI systems, creating a dynamic attack-defense ecosystem
• Standardized evaluation: Growing adoption of standardized benchmarks (HarmBench, JailbreakBench) that enable consistent measurement of progress
• Regulatory harmonization: Convergence of AI regulatory frameworks across jurisdictions, providing clearer requirements for organizations

References and Further Reading

• OWASP LLM Top 10 2025 — Comprehensive guide to LLM security risks (owasp.org/www-project-top-10-for-large-language-model-applications)
• MITRE ATLAS — Adversarial Threat Landscape for AI Systems (atlas.mitre.org)
• HarmBench — Standardized evaluation framework (github.com/centerforaisafety/HarmBench)
• JailbreakBench — Jailbreak evaluation benchmark (github.com/JailbreakBench/jailbreakbench)
• NIST AI 600-1 — Generative AI Profile for risk management