Skip to content

AI-Native Security — a specialization path

An opt-in overlay for aiming Groundtruth at intent-aware / AI-native workspace security — the category where work is done by people and AI agents, and productivity itself becomes the attack surface. This is not a separate program. It's the shared Groundtruth core, its examples tilted toward the target, forking late into a security half. Skills stay general; only the aim sharpens.

Who this is for

You want to work on AI-native security — agent security, AI governance, insider-risk and DLP for the AI era, intent detection at the endpoint (think the companies emerging in this category). The profile that wins there is the intersection almost nobody occupies:

You can build AI agents, you understand exactly how they fail, you can secure and govern them, and you can turn risky agent/user behavior into a real-time detection.

The three pillars

Pillar What it is Where you build it
A. Agent fluency How autonomous agents actually work — the loop, tools, memory. You can't govern what you can't build. Groundtruth W0–W4, W7
B. AI security & governance Prompt injection, the lethal trifecta, agent exfiltration, red-teaming, AI-DLP, guardrails. The differentiator. Groundtruth's "Secure it" thread + Day 91 §4promoted from side-thread to core
C. Endpoint & intent detection Endpoint/browser telemetry, insider-risk (UEBA), detection-as-code, incident investigation. The half Groundtruth doesn't teach. Plaintext — endpoint, detection-as-code, forensics/IR

Re-aimed idea starters (the overlay)

Do the same Groundtruth ships — same skills — but swap each week's default project for the security-flavored one below. The payoff: each ship builds a reusable component of the capstone, so by the end you're assembling the guardrail, not scrambling to build it.

Ship Swap the default pick for… Becomes (capstone component)
W0 — Arm yourself an MCP server over your agent's activity/logs; an advisory-watch tuned to AI-security feeds your observability seed
W1 — LLM feature an agent action / log line → risk classification (risky? which type? what intervention?), schema-validated, with a golden set the detector primitive
W2 — RAG RAG over AI-attack knowledge (OWASP LLM Top 10, injection write-ups, your own notes) → "is this a known attack pattern?" the enrichment layer
W3 — Agent an AI-incident triage agent (pull the trace → enrich → verdict) — and the agent you'll later secure the subject + investigator
W4 — Browser agent a browser agent doing a real task — the last-mile subject you'll watch the subject (bullseye — this is the browser/last-mile surface)
W5 — Fine-tune (deferred; return here to upgrade the detector into a fine-tuned risk classifier) detector, v2
W6 — Multimodal (deferred; a lighter pass — vision ties to screen/visual DLP)
W7 — Eval gauntlet precision/recall on risky-vs-benign actions; judge validation on your labels the detector's rigor

Tilt, don't lock. These are examples only — the underlying skills are the general, everywhere-valuable ones. If week 7 points you elsewhere, you've lost nothing; you've still built structured-output / RAG / agent / eval muscle, just with security-flavored inputs. The doors stay open. (This is exactly the "domain focus is a constraint on examples only" rule the program already runs on — pointed at a sharper target.)

The capstone — "Intent-aware guardrail"

Mission: a real-time tool that watches AI-agent (or AI-usage) actions, detects risky intent, and intervenes at the moment of risk — not after — with an audit trail and measured detection quality. It's the category's product in miniature; building it proves you think in it.

The loop: observe action → judge intent/risk → intervene (allow / warn / block / confirm) → log.

Reproducible shape (local, zero-cost): - A proxy/hook between your W3/W4 agent and its tools/model — you see every action. - A detector (your W1 classifier, later your W5 fine-tune) flagging risky intent: the lethal trifecta firing (untrusted input → private data → exfil), sensitive data heading to an external model, an over-privileged or destructive action, secrets in a payload. - Intervention at the moment of risk — block / warn / require confirm before the action completes. This is the differentiator, in code. - Audit — every decision logged with who / what / why. - Measured — a labeled risky-vs-benign set; report precision / recall / false-positive rate (your W7 gauntlet, pointed at security signals).

Success criteria — you're done when: - [ ] A poisoned-document exfiltration attempt is caught and blocked at the moment of exfil, and logged. - [ ] A benign version of the same workflow is allowed (you didn't just block everything). - [ ] Precision/recall on your labeled set is in the README, failures shown. - [ ] A stranger can run it against the demo agent from the README.

Deliverable: the public repo (agent + proxy/detector + policy + labeled eval set + README with an architecture diagram) and a launch write-up: the threat model, what you detect, the one attack you stop, and the numbers you measured.

The added half — endpoint & intent detection (Pillar C)

Groundtruth doesn't cover this; pull it from Plaintext when you reach the security fork (roughly the W8+ window):

  • Endpoint & workspace telemetry — what an endpoint agent collects (process, file, network, clipboard, browser events) and the privacy/perf tradeoffs.
  • Behavioral analytics / insider-risk (UEBA) — baseline, then deviation; why intent is harder than signature.
  • Detection-as-code — write detections, test them against real + synthetic events; false-positive discipline.
  • Incident investigation — reconstruct what happened from telemetry.

Resources (validate before relying on any)

How to use this path

  1. Run the Groundtruth core (W0–W4, W7) with the re-aimed idea starters above.
  2. Promote the "Secure it" thread and Day 91 §4 from side-note to focus — red-team your own agents as you build them.
  3. Fork into Pillar C (Plaintext endpoint / detection / IR) at the security phase.
  4. Ship the intent-aware guardrail capstone.
  5. Then loop back to fine-tune (upgrade the detector) and a lighter multimodal pass.

The credential is the capstone repo + your AI-attack/defense write-up + a tested detection — "I build AI agents and I can prove where they break, then detect it" is a sentence very few can back with runnable proof.