The Certified AISVS Auditor course equips you to scope, test and verify AI systems against the OWASP AISVS standard, and to produce a defensible verification report. Two days, hands-on, on live targets. Certified by practical examination.
You learn to build and secure AI first, then you learn to audit it. The auditor course is the second step, and the masterclass is the entry requirement.
Two days. Build, secure and verify AI to the standard. The foundation.
Two days. The audit discipline, evidence and verification. This course.
Earn the credential by passing a hands-on practical assessment.
A human verifies, judges and signs off. Be among the world's first certified AISVS auditors. Build the skills the AI industry now demands, capitalise on the wave, and future-proof your career.
This is a practitioner course for people who already understand AI systems. To keep the cohort effective and the credential meaningful, places require:
Completion of the CyberSecAI two-day AISVS masterclass. You must understand how the controls are built before you can verify them.
A minimum of five years working in IT or cyber security. This is not an entry-level course.
Working familiarity with AI systems (LLM, RAG, agents, MCP) and comfort reading configuration, code and logs.
Add AI to your assurance practice with a verification method, not guesswork.
Move from finding bugs to verifying a system against a formal standard.
Translate AISVS into evidence and findings your auditors and regulators accept.
Verify your own and third-party AI to a defensible level.
Deliver paid AISVS assessments with a recognised credential behind them.
Stand up an internal AI verification function that holds up.
You verify on real, deliberately vulnerable systems, with the same tooling you will use in the field.
Our AISVS verification scanner. Technical enumeration across LLMs, MCP servers and agents, every finding mapped to a requirement.
Attack and verify MCP security (AISVS C10) on a broken-by-design target. dvmcp.co.uk
Verify retrieval, embedding and data-leakage controls (AISVS C8) on a live RAG target. dvrag.com
Classes are custom built from the following learning modules. (Times are approximate.) The practical exam is a separate half-day or full-day session.
What an AISVS audit is and is not. Independence, objectivity and the line between assessor and consultant.
Defining system boundaries, identifying AI components, selecting the target level (L1/L2/L3) and agreeing scope with the system owner.
Planning, fieldwork, evidence collection, analysis, reporting and follow-up. The end-to-end process.
NDAs, data handling during audits, rules of engagement and what to do when you find something outside scope but dangerous.
Documentation reviews, interview techniques and what "evidence of risk assessment" actually looks like.
Crafting test payloads, verifying rejection behaviour, checking sanitization is applied before model input not just at the API boundary.
Checking signatures, validating SBOMs, confirming the model in production matches the model that was approved.
Testing inference endpoint security: authentication, rate limiting, TLS configuration and response header hygiene.
Probing for privilege escalation, verifying fail-closed behaviour when the policy engine is unreachable, and agent identity credential validation.
Dependency audits, container image verification, checking that scanning is not just configured but actually blocking on findings.
Prompting the system for sensitive data, verifying redaction fires, checking output encoding prevents downstream injection.
Vector store access control testing, encryption-at-rest verification, cross-tenant isolation probes on shared retrieval infrastructure.
Escalating trust levels, probing delegation chains, verifying human-in-the-loop gates and signed execution receipts.
Unsigned tool calls, replay attacks, transport security and injection through tool responses. Uses DVMCP. dvmcp
Running promptfoo and garak test suites as an auditor, interpreting results and deciding pass/fail on robustness controls.
Checking logs exist, are tamper-evident, contain what the standard requires and are actually reviewed. Hash-chain and receipt verification.
What counts as evidence for each control type: screenshots, log extracts, configuration exports, tool outputs, signed attestations. Organised so a peer reviewer can follow your reasoning.
Finding structure: control reference, observation, evidence, severity, recommendation. Findings that are precise, defensible and actionable.
Report structure, executive summary for non-technical readers, detailed findings for engineers, and the assurance statement. Template walkthrough.
Reviewing another auditor's work: what to check, common errors, and how peer review prevents false findings reaching the client.
Accepting weak evidence, false passes, and over-reliance on tooling. How real audits go wrong and how to avoid it.
Hands on: configure and run Claw against target systems, interpret scan results as audit evidence, understand what Claw tests and what it does not. Claw
What automation catches and what it misses. The controls that always need manual verification and why.
Turning Claw output into report-ready findings: mapping scan results to AISVS control IDs, adding context and removing false positives.
Exam rules, time limits, system access and submission requirements.
Each delegate receives a per-delegate GPU-provisioned AI system with deliberately planted gaps across multiple AISVS categories. Conduct a full audit: scope, test, collect evidence, write findings and submit a report. Open-book. Timed.
Walkthrough of the planted gaps, discussion of findings, common misses and marking criteria. Delegates who demonstrate competence across all 12 categories receive the certificate.
Full mock audit on a provided system before the exam. Practice the workflow end to end with instructor feedback.
Focused practice on collecting and organising evidence for the three hardest control families (C05, C09, C11).
Write a findings report from a provided evidence pack. Peer review with another delegate.
Tools verify what can be probed. They do not verify governance, process, documentation or design. A complete audit covers all twelve AISVS control families, and the auditor evidences the requirements that cannot be auto-tested through document review, configuration inspection and interview. The course teaches both.
Provenance and governance, evidenced by document and process review.
Trust-boundary and injection testing, evidenced by probe.
Versioning, approval and rollback, evidenced by record review.
Hardening and isolation, evidenced by configuration inspection.
Authentication and authorization, by probe and policy review.
Model and dependency integrity, evidenced by document and SBOM review.
Guardrail and output integrity, evidenced by probe.
Retrieval and isolation, evidenced by probe.
Agency, authorization and oversight, by probe and design review.
Authentication, replay and limits, evidenced by probe.
Evasion and resource controls, evidenced by probe.
Tamper-evident records and drift, by probe and evidence review.
Each lab is a live assessment. You run the probes, collect the evidence, evaluate it against the target level, and record the finding. Authorised targets only.
Enumerate tools/list, test per-request authentication, replay a tools/call against nonce and timestamp checks, send an unbounded body (CWE-770), and catch a tool-description rug-pull. Drive CLAW, confirm by hand, map to C10.
Plant a marker to test retrieval poisoning, attempt cross-tenant retrieval, check provenance on retrieved context, and probe the embedding store for exposure.
Test for excessive agency and tool misuse, confirm irreversible actions are gated by human approval, and verify each action is bound to an identity and scope.
Run full AISVS technical enumeration with CLAW, interpret the output, and separate automated findings from the manual verification that actually proves a control.
Judge sufficiency against L1, L2 and L3. Reject weak evidence. Decide what further proof a finding needs before it can pass.
Produce a defensible verification report: findings, severity, evidence references, and the highest level the evidence actually supports.
Every delegate gets a GPU-backed cloud lab. No laptop GPU, no setup. You stand up a model on a real GPU, serve it, then run the audit tools against it and collect the evidence. Real infrastructure, real findings, scales to the whole cohort.
Serve or train a model in the cloud, no local GPU required.
CLAW and the agent-skills against a live target, findings mapped to AISVS.
Evidence per requirement, ready to hand over.
Most AI audit looks at organisations deploying AI. The harder, higher-assurance work is auditing the organisations training their own models: AI providers, sovereign and government AI programmes, and regulated firms building in-house. They carry a deeper surface that tooling alone cannot verify.
Provenance, poisoning controls and lineage of the training set.
Versioning, approval, change control and rollback of the model itself.
Weights, dependencies and provenance, verified at source.
Certification is by practical examination. Candidates assess a live AI environment against AISVS, evaluate the evidence, and produce a defensible verification report. On a passing result, the candidate is awarded the Certified AISVS Auditor credential.
A live AI environment is assessed end to end against the standard, open book.
Findings, evidence references, and a defensible verified-level determination.
Granted on demonstrated ability to verify AI to the standard.
On passing the practical assessment.
The AISVS audit lifecycle and the evidence-sufficiency playbook.
Run AISVS technical enumeration on your own audits.
Findings, evidence log, and verification-report templates.
A place among certified AISVS auditors, with referrals and updates.
Certified auditors can qualify to deliver the courses as trainers.
The course runs on LAInux, the secure AI OS that ships the whole audit kit: CLAW, the AISVS agent-skills and the AI-DAST engine, the DVMCP and DVRAG practice targets, inference signing, and the report templates. Boot it, and you have everything to verify AI to the standard, offline or airgapped.
Complete the masterclass, take the auditor course, and earn the credential that proves you can verify AI to the standard. Places are limited so the assessment stays rigorous.
Corporate & sovereign cohorts, and bespoke on-site delivery, on request.