Build a RAG Firewall: Reject Poisoned Ingestion and Enforce Tenant Isolation
Defend the same multi-tenant RAG assistant the offensive labs attack, in small sequential steps. Stand up the pipeline and trace one benign request, then reproduce two handed-to-you exploits one at a time: a poisoned document that wins retrieval and steers the answer, and a caller-controlled tenant scope that reads another tenant's confidential contract. Watch a naive deny-list get bypassed by a fresh payload, then build the durable control one mechanism per step: a server-side tenant predicate the caller cannot widen, then an ingestion screen that rejects directive-shaped documents before indexing. Verify both exploits are blocked with benign traffic intact, then prove fresh, paraphrased, and renamed variants are all blocked on a real Milvus + NVIDIA embeddings stack.
Hands-on labs require Pro · $29.99/mo · cancel anytime
What you'll learn
- 1Stand up DV-RAG and trace one benign requestYou are the defender on DV-RAG-Support, ACME Cloud's multi-tenant
- 2Reproduce attack A: poisoned ingestion steers the answerYou have two working exploits in hand. Reproduce them one at a time so you know
- 3Reproduce attack B: a widened tenant scope reads another tenantNow reproduce the second exploit, an isolation failure that does not need any
- 4Watch a naive deny-list get bypassed by a fresh payloadAfter the incident, the team shipped the obvious fix and called it done. This step
- 5Control 1: a server-side tenant predicate the caller cannot widenTime to build the durable control. It has two mechanisms, one per attack surface,
- 6Control 2: an ingestion screen that rejects poison before indexingThe tenant predicate from Step 5 is carried forward in dvrag.py. Now build the
- 7Verify: both exploits blocked, benign traffic intactBoth mechanisms are now in place: the ingestion screen in firewall.py and the
- 8Resist bypass: fresh, paraphrased, and renamed attacks all blockedA control that only stops the one payload you tested is the deny-list mistake all
Prerequisites
- Comfortable reading and editing Python
- Know what a markdown image and an HTTP GET are
- Familiarity with retrieval poisoning and broken access control helps but is not required
Exam domains covered
Skills & technologies you'll practice
This advanced-level ai/ml lab gives you real-world reps across:
What you'll do in this lab
This is a hands-on defensive-security lab on hardening a real Retrieval-Augmented Generation pipeline: a Milvus vector store, NVIDIA nv-embedqa-e5-v5 embeddings, chunking, and tenant-filtered top-k retrieval feeding a live LLM. You are handed two working exploits against DV-RAG-Support and your job is to build a RAG firewall that stops them. First you reproduce the baseline so you understand exactly what fires: a planted document that wins retrieval and steers the answer, and a widened tenant scope that reads another tenant's confidential contract.
Then you watch the obvious fix fail. A deny-list of the strings from the incident report is bypassed by a fresh canary and a hostname sink, the same way a blocklisted tenant value is bypassed by a metadata-filter-injection string. With that lesson in hand you build the durable control: an ingestion firewall that screens documents for the injection pattern (a self-declared answer policy, an imperative aimed at the model, a planted output sink) and rejects them before they reach the index, plus a retrieval predicate that derives the tenant scope server-side from the authenticated session and validates every tenant value against an allow-list. You finish by proving fresh and reworded exploits are both blocked while legitimate same-tenant answers still work.