← All posts

July 6, 2026

Let's Break AI Together

I’m a security engineer trying to learn AI security. Instead of reading theory and nodding along, I’m doing what security people actually do: building the attacks and the defenses myself, on a model I own, and writing up exactly what happened so you can reproduce every step on your own machine.

That’s what this series is. Not a course, not a lecture. A logbook of breaking LLMs on purpose, in a safe sandbox, to understand how to defend them. If you’ve done threat modeling before, none of the thinking is new - we’re just pointing it at a new target.

Everything runs local and offline. The model is mine to break: no cloud APIs, no keys, nothing pointed at systems I don’t own. This is defensive security work - red-teaming my own stuff using standard, industry-recognized techniques (OWASP LLM Top 10, MITRE ATLAS, PyRIT / garak style). Sandboxes only.

The map

Each part is its own doc. Click a file to open it - start at part 0 and work down.

~/lets-break-ai/ — tree
$ tree lets-break-ai/
lets-break-ai/
├── part-0-mental-model-and-sandbox.md# Part 0: The mental model and an offline sandbox to break └── part-1-prompt-injection.md# coming soon
1 directory, 2 files

New parts land here as I build them, so this post is the one to bookmark - the tree above always shows the latest state of the series.

Who this is for

  • Security people curious about LLMs who want the attacker’s-eye view, grounded in things they already know (trust boundaries, injection, confused-deputy, exfil).
  • Builders shipping LLM features who want to see how their app actually breaks before someone else finds out.
  • Me, later - so I have a written record of what worked, what didn’t, and why.

Ground rules

  1. Local and offline. Everything targets a model running on my own machine. Nothing here is aimed at a service I don’t control.
  2. Reproducible. Every attack and defense comes with the commands to run it yourself.
  3. Defensive intent. We break things to learn to defend them. That’s the whole point.

Ready? Open part 0 and let’s get into the sandbox.