Chapter 3: Protecting LLMs from Attacks

Is this Chapter for You?

Every attack you studied in Chapter 2 – from prompt injection to data poisoning to agentic exploitation – has a corresponding defense. Knowing the attacks is essential, but it’s only half the picture. Organizations need professionals who can translate attack knowledge into security architectures, policies, and operational controls that actually stop threats in production.

This chapter is designed for technical professionals who need to protect AI systems – not just understand what threatens them.

  • Are you a security professional, architect, or developer responsible for deploying or hardening AI-powered applications?

  • Do you need to select, configure, and validate defense controls that map to specific AI threat categories?

  • Do you want to move from “we know the risks” to “we’ve mitigated the risks” with a structured framework you can implement and communicate to leadership?

If so, this chapter will give you that defense readiness.

How is this Chapter Different?

TL;DR

The primary goal of this chapter is to build your defense readiness – understanding security frameworks and controls deeply enough to design a protection architecture, map defenses to specific attacks, and implement layered controls using industry tools. We go beyond awareness to implementation-ready knowledge.

This chapter completes the three-chapter arc: Chapter 1 gave you AI fluency (understand), Chapter 2 gave you attack fluency (identify threats), and now Chapter 3 gives you defense readiness (protect and mitigate). You’ll learn the Trend Micro Security for AI Blueprint – a 6-layer defense framework – and see how each layer maps to the OWASP categories you studied in Chapter 2.

Most AI security content stops at listing risks. This chapter occupies the practical defense ground: you’ll walk through the Blueprint layers, see defense flow diagrams, study how each control addresses specific attack vectors, and understand how Trend Vision One integrates these layers into a unified platform.

By the end, you’ll be able to design an AI security architecture, justify each control by mapping it to a threat, and have a credible conversation about AI defense strategy with anyone from a developer to a CISO.

What You’ll Learn in This Chapter

By the end of this chapter, you will be able to:

  • Apply the 6-layer Blueprint framework: Map each layer of the Security for AI Blueprint to the threats it defends against
  • Map OWASP categories to defense controls: Connect every LLM Top 10 (2025) and Agentic AI Top 10 (2026) category to specific Blueprint layers and key controls
  • Describe Trend Micro product capabilities: Explain how Trend Vision One, AI-SPM, ZTSA, AI Scanner, and AI Guard implement each defense layer
  • Design the AI Scanner/Guard continuous loop: Articulate how proactive scanning and runtime protection work together in a scan-protect-validate-improve cycle
  • Apply the LEARN Architecture: Use the 5-component developer-focused defense mnemonic to build secure AI applications
  • Build an AI security culture: Establish red-teaming practices, incident response procedures, and compliance alignment for AI systems

Master OWASP-to-Blueprint Mapping

Before diving into the Blueprint layers, here is the big picture: how every OWASP vulnerability category maps to the defense framework you’ll learn in this chapter. These two tables – covering all 10 LLM Top 10 (2025) categories and all 10 Agentic AI Top 10 (2026) categories – are your reference throughout the chapter. They show which Blueprint layers and controls address each threat.

How to Use These Tables

Each row connects an OWASP attack category (from Chapter 2) to one or more Blueprint defense layers (covered in Sections 3-8). The “Key Controls” column lists specific capabilities you’ll learn about in the corresponding section. Use these tables to:

  • Find the defense for a specific threat: If a stakeholder asks “how do we protect against prompt injection?” – find LLM01, see it maps to Layer 5 and Layer 6, and turn to Sections 7 and 8 for implementation details.
  • Validate coverage: Walk the table to ensure your security architecture addresses all 20 OWASP categories.
  • Communicate to leadership: These tables translate technical vulnerabilities into defense investments – a language that CISOs and boards understand.

OWASP LLM Top 10 (2025) to Blueprint Layers

OWASP Category | Primary Defense Layer(s) | Key Controls
LLM01: Prompt Injection | Layer 5 (Access), Layer 6 (Zero-Day) | Prompt filtering (ZTSA), AI Guard runtime protection, behavioral anomaly detection
LLM02: Sensitive Information Disclosure | Layer 1 (Data), Layer 5 (Access) | Data classification (DSPM), response filtering (AI Guard), DLP controls
LLM03: Supply Chain | Layer 2 (Models), Layer 3 (Infrastructure) | Container security, vulnerability scanning, model integrity verification, AI-SPM
LLM04: Data and Model Poisoning | Layer 1 (Data), Layer 2 (Models) | Data lineage, integrity verification, AI Scanner pre-deployment scanning
LLM05: Improper Output Handling | Layer 5 (Access), Layer 6 (Zero-Day) | Response filtering (AI Guard), output validation, virtual patching
LLM06: Excessive Agency | Layer 3 (Infrastructure), Layer 5 (Access) | Posture management (AI-SPM), access controls, ZTSA policy enforcement
LLM07: System Prompt Leakage | Layer 5 (Access) | Prompt/response filtering, AI Guard leakage detection, instruction hardening
LLM08: Vector and Embedding Weaknesses | Layer 1 (Data), Layer 3 (Infrastructure) | Vector store access controls, DSPM for RAG corpora, infrastructure posture
LLM09: Misinformation | Layer 4 (Users), Layer 5 (Access) | Output validation (AI Guard), human-in-the-loop policies, grounding verification
LLM10: Unbounded Consumption | Layer 5 (Access), Layer 6 (Zero-Day) | Rate limiting (ZTSA), anomaly detection (IDS/IPS), cost monitoring

OWASP Agentic AI Top 10 (2026) to Blueprint Layers

OWASP Category | Primary Defense Layer(s) | Key Controls
ASI01: Agent Goal Hijacking | Layer 5 (Access), Layer 6 (Zero-Day) | Prompt filtering, behavioral monitoring, instruction anchoring
ASI02: Tool Misuse and Exploitation | Layer 3 (Infrastructure), Layer 5 (Access) | Tool allowlisting, execution monitoring (AI-SPM), ZTSA enforcement
ASI03: Identity and Privilege Abuse | Layer 3 (Infrastructure), Layer 4 (Users) | Least-privilege enforcement, identity management, access auditing
ASI04: Agentic Supply Chain | Layer 2 (Models), Layer 3 (Infrastructure) | MCP server verification, container scanning, dependency auditing
ASI05: Unexpected Code Execution | Layer 3 (Infrastructure), Layer 6 (Zero-Day) | Sandboxing, execution monitoring, virtual patching
ASI06: Memory and Context Poisoning | Layer 1 (Data), Layer 5 (Access) | Memory store access controls, context validation, input filtering
ASI07: Insecure Inter-Agent Communication | Layer 3 (Infrastructure), Layer 5 (Access) | Communication channel security, message validation, ZTSA
ASI08: Cascading Failures | Layer 3 (Infrastructure), Layer 6 (Zero-Day) | Blast radius containment, circuit breakers, anomaly detection
ASI09: Human-Agent Trust Exploitation | Layer 4 (Users) | Deepfake detection, confidence calibration, human-in-the-loop enforcement
ASI10: Rogue Agents | Layer 3 (Infrastructure), Layer 4 (Users) | Behavioral monitoring, guardrail enforcement, shadow AI detection
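As an added example (not code from the chapter or from Trend Micro), here is the “Validate coverage” walk from “How to Use These Tables” as a script. The category-to-layer sets are transcribed from the two tables above. The set of deployed layers is a constructed input, and the greedy “which layer to add next” suggestion and the single-layer (no defense-in-depth) check are additions of this example, not something the tables state.

```python
"""Coverage check over the OWASP-to-Blueprint mapping tables.

LLM_TOP10 and AGENTIC_TOP10 are transcribed from the two tables in this
section (category -> primary Blueprint layer numbers).  The `deployed`
argument is a constructed input describing which Blueprint layers an
organization has actually implemented.
"""
from typing import Dict, List, Optional, Set

LLM_TOP10: Dict[str, Set[int]] = {
    "LLM01": {5, 6}, "LLM02": {1, 5}, "LLM03": {2, 3}, "LLM04": {1, 2},
    "LLM05": {5, 6}, "LLM06": {3, 5}, "LLM07": {5},    "LLM08": {1, 3},
    "LLM09": {4, 5}, "LLM10": {5, 6},
}
AGENTIC_TOP10: Dict[str, Set[int]] = {
    "ASI01": {5, 6}, "ASI02": {3, 5}, "ASI03": {3, 4}, "ASI04": {2, 3},
    "ASI05": {3, 6}, "ASI06": {1, 5}, "ASI07": {3, 5}, "ASI08": {3, 6},
    "ASI09": {4},    "ASI10": {3, 4},
}
LAYER_MAP: Dict[str, Set[int]] = {**LLM_TOP10, **AGENTIC_TOP10}

LAYER_NAMES = {1: "Data", 2: "Models", 3: "Infrastructure",
               4: "Users", 5: "Access", 6: "Zero-Day"}


def uncovered(deployed: Set[int], mapping=LAYER_MAP) -> List[str]:
    """Categories for which none of the primary defense layers is deployed."""
    return sorted(cat for cat, layers in mapping.items()
                  if not (layers & deployed))


def single_layer(deployed: Set[int], mapping=LAYER_MAP) -> List[str]:
    """Categories that rest on exactly one deployed layer.

    These are covered, but without defense in depth: a bypass of that one
    layer leaves the category undefended.
    """
    return sorted(cat for cat, layers in mapping.items()
                  if len(layers & deployed) == 1)


def best_next_layer(deployed: Set[int], mapping=LAYER_MAP) -> Optional[int]:
    """Greedy pick: the undeployed layer that closes the most open gaps.

    Ties go to the lower-numbered layer.  Returns None when nothing is open.
    """
    gaps = uncovered(deployed, mapping)
    if not gaps:
        return None
    candidates = set(LAYER_NAMES) - deployed
    return max(candidates,
               key=lambda layer: (sum(layer in mapping[c] for c in gaps), -layer))


def coverage_report(deployed: Set[int]) -> Dict[str, object]:
    """Summary a reviewer can walk: open gaps, thin spots, suggested next step."""
    return {
        "deployed": sorted(deployed),
        "uncovered": uncovered(deployed),
        "single_layer": single_layer(deployed),
        "next_layer": best_next_layer(deployed),
    }


if __name__ == "__main__":
    # Constructed scenario: only the data, model and infrastructure layers exist.
    report = coverage_report({1, 2, 3})
    for key, value in report.items():
        print(f"{key:13} {value}")
```

Run it with the layers you have actually deployed; an empty `uncovered` list with a non-empty `single_layer` list tells you where a single control failure would reopen a category, which is the point of the defense-in-depth argument later in the chapter.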

Chapter Topics: Building Your AI Defense Architecture

Here’s what we’ll cover in this chapter:

  1. Integrating Security into AI Architectures – DevSecOps for AI, threat modeling for LLM deployments, and the shared responsibility model that connects attack knowledge to defense strategy

  2. Security for AI Blueprint Overview – The complete 6-layer defense framework with defense-in-depth principles, layer interrelationships, and Trend Vision One as the unifying platform

  3. Layer 1: Secure Your Data – DSPM, data classification, vector store security, RAG corpus protection, and data lineage tracking

  4. Layer 2: Secure Your AI Models – Container security, vulnerability scanning, model integrity verification, and artifact signing

  5. Layer 3: Secure Your AI Infrastructure – AI-SPM, posture management, misconfiguration detection, and risk insights

  6. Layer 4: Secure Your Users – Deepfake detection, endpoint security, shadow AI discovery, and user behavior analytics

  7. Layer 5: Secure Access to AI Services – AI Gateway, Zero Trust Secure Access, prompt and response filtering, and rate limiting

  8. Layer 6: Defend Against Zero-Day Exploits – Network IDS/IPS, virtual patching, behavioral anomaly detection, and zero-day threat intelligence

  9. AI Application Security Continuous Loop – AI Scanner for proactive assessment and AI Guard for runtime protection, working together in a scan-protect-validate-improve cycle

  10. LEARN Architecture – The developer-focused defense mnemonic: Linguistic Shielding, Execution Supervision, Access Control, Robust Prompt Hardening, and Nondisclosure

  11. Building an AI Security Culture – Red-teaming programs, incident response for AI systems, NIST AI RMF alignment, EU AI Act compliance, and organizational security practices

Defense by Doing

Each section in this chapter includes:

  • Defense flow diagrams: Mermaid visualizations showing how each control intercepts and mitigates specific attack vectors
  • Breach-to-defense narratives: Chapter 2’s real-world case studies revisited through the lens of “what would have stopped this?”
  • OWASP-to-Blueprint mapping callouts: Inline cross-references connecting each defense to the specific attacks it addresses
  • Interactive quizzes: Test your understanding of defense frameworks, Blueprint layers, and product capabilities

These elements are designed to build implementation-ready knowledge you can use when designing and evaluating AI security architectures.


Chapter 3 at a Glance

Sections | Focus | Key Output
S1-S2 (Foundation) | Security architecture principles, the 6-layer Blueprint framework | Understanding of how defenses are organized and why defense-in-depth works
S3-S8 (Blueprint Layers) | Deep dives into each of the six layers, with Trend Micro product mappings | Layer-by-layer defense controls mapped to specific OWASP attack categories
S9-S10 (Advanced) | AI Scanner/Guard continuous loop and LEARN Architecture | Proactive scanning + runtime protection workflow, developer-focused defense practices
S11 (Culture) | Red-teaming, incident response, compliance (NIST AI RMF, EU AI Act) | Organizational practices that sustain AI security beyond individual controls

Learning Progression

This chapter completes the course arc: Chapter 1 gave you AI fluency, Chapter 2 gave you attack fluency, and now Chapter 3 gives you defense readiness. Return to earlier chapters anytime to reinforce the connections.

Ready to build the defenses that match the attacks you studied in Chapter 2?

Start with Section 1: Integrating Security into AI Architectures