OWASP Top 10, authentication vulnerabilities, SQL injection, XSS, CSRF, prompt injection attacks on LLMs, and the hardening patterns for production AI apps. Security through the lens of what actually gets exploited in 2026.
This is a text-first course that links out to the best supporting material on the internet instead of trying to replace it. The goal is to make this the best course on web security you can find — even without producing a single minute of custom video.
This course is built by engineers who ship web security systems in production. It reflects how these defenses actually behave at scale, not how they look in a slide deck.
Every day includes working code examples you can copy, run, and modify. Understanding comes through doing.
Instead of re-explaining existing documentation, this course links to the definitive open-source implementations and the best reference material on web security available.
Each day is designed for about an hour of focused reading plus hands-on work. Do the whole course over a week of lunch breaks. No live classes, no quizzes.
Each day stands alone. Read them in order for the full picture, or jump straight to the day that answers the question you have today.
The current OWASP Top 10 list, broken access control (ranked #1 on that list), IDOR attacks, JWT vulnerabilities (alg:none, weak signing secrets), RBAC vs ABAC, and the code patterns that produce authorization bugs.
SQL injection — parameterized queries vs ORMs (and why ORMs don't always protect you), NoSQL injection in MongoDB, command injection via unsanitized inputs to shell commands, and the input validation patterns that prevent all of these injection types.
Reflected vs stored vs DOM-based XSS, Content Security Policy headers, CSRF attacks and SameSite cookies, clickjacking and the X-Frame-Options header, and the security headers that harden a web application with minimal code changes.
Direct and indirect prompt injection attacks, jailbreaking techniques and why they work, system prompt extraction, LLM output validation, data exfiltration via LLM outputs, and the mitigation patterns for AI-powered applications.
Rate limiting and throttling, API key management, secrets in environment variables vs secrets managers, HTTPS enforcement, dependency vulnerability scanning (Dependabot, Snyk), and the production security checklist for launching an AI application.
Instead of shooting our own videos, we link to the best deep-dives already on YouTube. Watch them alongside the course. All external, all free, all from builders who ship this stuff.
The current OWASP Top 10 vulnerabilities — with real exploits demonstrated on intentionally vulnerable apps.
How SQL injection works, how to exploit it in test environments, and the parameterized query patterns that prevent it.
Direct and indirect prompt injection on LLM applications — attack demonstrations and the mitigation strategies that actually work.
Cross-site scripting and CSRF prevention — CSP headers, SameSite cookies, and the client-side security patterns that stop these attacks.
Rate limiting, authentication, authorization, and the production API hardening checklist for web and AI applications.
The best way to deepen understanding is to read the canonical open-source implementations. Clone them, trace the code, and see how the concepts in this course get applied in production.
Damn Vulnerable Web Application — the canonical intentionally vulnerable app for practicing web exploitation techniques on the OWASP Top 10 safely.
A large collection of attack payloads for web and API security testing. Reference it to understand what inputs attackers send, so your validation and detection logic is tested against realistic cases.
LLM vulnerability scanner. Probes for prompt injection, data extraction, jailbreaks, and other LLM-specific security issues.
Express.js security middleware that sets security headers automatically — CSP, HSTS, X-Frame-Options, and more. One line of code for a significant hardening improvement.
AI apps have a new attack surface — prompt injection — on top of all the traditional web vulnerabilities. This course covers both.
Security vulnerabilities in early-stage products can be existential. This course covers the pre-launch hardening checklist that catches the most critical issues.
You know security matters but don't know where to focus. This course prioritizes the vulnerabilities most likely to affect the apps developers actually build.
The 2-day in-person Precision AI Academy bootcamp covers AI security and web application hardening in depth — hands-on, with practitioners who build AI systems for a living. 5 U.S. cities. $1,490. 40 seats max. June–October 2026 (Thu–Fri).
Reserve Your Seat