Defense in Depth: Wire Four Control Points Around a RAG Assistant
Harden DV-RAG-Support, a real Retrieval-Augmented Generation assistant, by building a guard harness with four independent control points, one mechanism per step: input mediation, retrieval and context control, output mediation, and action authorization. You are handed a working four-attack battery (direct injection, cross-tenant retrieval, sensitive-field exfiltration, and an unauthorized image fetch). Stand the pipeline up, reproduce all four attacks (one per stage), watch a single naive filter get bypassed, then build each control point in its own step so that every attack class is stopped at its matching layer while a benign customer request still passes cleanly through all four. Verify that the coverage matrix reads four-for-four, then prove that reworded and renamed bypass variants are all resisted.
What you'll learn
- Step 1: Stand up DV-RAG and trace one benign request. You own DV-RAG-Support, ACME Cloud's multi-tenant customer-support assistant.
- Step 2: Reproduce the four-stage attack surface, one attack per control point. The red team handed you a four-attack battery (battery.py). There is one
- Step 3: Watch a single naive filter get bypassed. After the first incident, the team shipped a fix. They put two controls in
- Step 4: Control point 1: input mediation (screen the question). Time to build the durable controls. There are four, one per pipeline stage, and you
- Step 5: Control point 2: retrieval and context control (tenant scope). CP1 is built and carries over. This step builds the second control point:
- Step 6: Control point 3: output mediation (egress of sensitive fields). CP1 and CP2 are built and carry over. This step builds the third control point:
- Step 7: Control point 4: action authorization (gate the outbound fetch). CP1, CP2, and CP3 are built and carry over. This step builds the fourth and final
- Step 8: Verify coverage: every stage covered, benign traffic intact. You built four control points, one per pipeline stage. Now prove the map is
- Step 9: Resist bypass: reworded and renamed variants all blocked. A deny-list passes the verify step and then fails the moment an attacker rewords
Prerequisites
- Comfortable reading and writing Python
- Know what an HTTP GET and a markdown image are
- Helpful: the offensive RAG labs (indirect prompt injection, recon harness)
What you'll do in this lab
This is a hands-on defensive-security lab built on a real Retrieval-Augmented Generation (RAG) stack: a Milvus vector store, NVIDIA embeddings, and a multi-tenant knowledge base. You defend a working support assistant called DV-RAG-Support by building a guard harness with four control points placed at the four stages of the request lifecycle. Input mediation screens the user question before retrieval. Retrieval and context control drops documents the caller is not entitled to before they reach the prompt. Output mediation inspects the model answer before anything renders. Action authorization gates the outbound fetch that the markdown renderer would otherwise perform. You implement each hook in code and wire it around the assistant's real interface.
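The four hooks described above, as an added illustration that is not the lab's own code: one Python function per control point, wired around a stand-in model call. The knowledge base, the image-host allowlist, the sensitive-field patterns and the stub model are all constructed for this example.

```python
import re
from urllib.parse import urlparse
# Constructed sample knowledge base; every document carries its owning tenant.
DOCS = [
    {"tenant": "acme", "text": "ACME plan renews on the 1st. Support hours are 9-5."},
    {"tenant": "globex", "text": "Globex account balance: 1200 credits."},
]
ALLOWED_IMAGE_HOSTS = {"cdn.support.example"}  # hypothetical renderer allowlist
SENSITIVE = re.compile(r"\b(?:\d{4}-){3}\d{4}\b|\bapi[_-]?key\s*[:=]\s*\S+", re.I)
MD_IMAGE = re.compile(r"!\[[^\]]*\]\((?P<url>[^)\s]+)\)")  # markdown image syntax

class Blocked(Exception):
    def __init__(self, control_point, reason):
        super().__init__(f"{control_point}: {reason}")
        self.control_point = control_point  # which layer stopped the request

def cp1_input_mediation(question):
    # Structural checks, not a keyword deny-list: questions carry no links, images or huge text.
    if len(question) > 2000:
        raise Blocked("CP1", "oversized input")
    if MD_IMAGE.search(question) or re.search(r"https?://", question, re.I):
        raise Blocked("CP1", "links and images are not accepted in questions")
    return question.strip()

def cp2_retrieval_control(tenant, question):
    # Tenant scope is enforced in code, so out-of-scope documents never reach the prompt.
    return [d["text"] for d in DOCS if d["tenant"] == tenant]

def cp3_output_mediation(answer):
    # Redact sensitive fields before the answer renders or triggers any fetch.
    return SENSITIVE.sub("[REDACTED]", answer)

def cp4_action_authorization(answer):
    # Gate the outbound fetches the markdown renderer would otherwise perform.
    urls = []
    for m in MD_IMAGE.finditer(answer):
        host = urlparse(m.group("url")).hostname or ""
        if host not in ALLOWED_IMAGE_HOSTS:
            raise Blocked("CP4", f"outbound fetch to {host!r} not authorized")
        urls.append(m.group("url"))
    return urls

def guard_request(tenant, question, model):
    # One request through all four layers; `model` is the LLM call (context, question) -> answer.
    q = cp1_input_mediation(question)
    answer = cp3_output_mediation(model(cp2_retrieval_control(tenant, q), q))
    return answer, cp4_action_authorization(answer)

def stub_model(context, question):  # constructed stand-in for the real model
    return "Based on your account: " + " ".join(context)
```

Each `Blocked` carries the name of the layer that stopped the request, which is exactly what a coverage matrix needs: run the battery and record which control point each attack hit, and confirm the benign question returns an answer with an empty fetch list.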
You start by reproducing a four-attack battery against the unguarded assistant so you can see every failure with your own eyes: a direct prompt injection, a cross-tenant retrieval leak, a sensitive-field exfiltration through the EchoLeak markdown-image channel (CVE-2025-32711), and an unauthorized outbound image fetch. You then watch a single keyword filter get bypassed by an obvious variant, which shows why shallow fixes fail. Finally you build the durable controls, one per layer, and verify behaviorally that a freshly planted battery is blocked at the matching control point while a benign account question passes cleanly through all four. The payoff is a defense arranged the way OWASP and NIST recommend: layered, with each control owning one trust boundary.