
Becoming an AI Security Practitioner

The skill map, learning path, what to build publicly, and what hiring managers actually look for in AI security in 2025-2026.


The Skill Stack

AI security is a genuine intersection discipline. You need enough of three different skill sets to be credible and useful across all of them. You do not need to be world-class at any one. You need to be solid at the intersection.

Machine learning fundamentals: Transformers, attention, tokenization, fine-tuning, RLHF, embeddings, vector databases. You do not need to implement backprop from scratch. You do need to understand how these systems work well enough to reason about their failure modes.

Software engineering: You need to be able to build things. Agents, evaluation harnesses, attack tools, proof-of-concept exploits. Python is the primary language. TypeScript for anything web or MCP. You need to ship working code, not just describe vulnerabilities.

Security fundamentals: Threat modeling, penetration testing methodology, the OWASP mindset, how to find and document vulnerabilities, how to think adversarially. Traditional AppSec knowledge transfers directly. Network security matters less.

The most effective people in AI security right now are the ones who were already strong software engineers or security practitioners and then learned the AI layer on top. If you are coming from security, learn to build agents. If you are coming from engineering, learn to think adversarially about the systems you build.

What to Build Publicly

Your GitHub and your writing are more important than any certification right now.

Agents that do something real: A reconnaissance agent that automates OSINT gathering. A document processing agent with injection testing built in. A red team harness that runs against a local LLM. Something that works and that you can demo.

Attack tools with documented research: A proof-of-concept indirect injection attack against a publicly available AI application (responsibly disclosed). A tool that tests MCP servers for known vulnerability patterns. A jailbreak evaluation harness with novel probes. Document what you found. Write a blog post. Publish the code.

Original research: Not "here is my summary of the OWASP LLM Top 10." Original findings. Novel attack variations. A new way to detect injection. Something nobody else published first.

CTF writeups: AI security CTF challenges are becoming more common; HackAPrompt, for example, has run multiple seasons. Writeups are documented practice in a public format that hiring managers can read.

The portfolio that gets you hired is not a list of certifications. It is GitHub repos with working tools, blog posts with original findings, and ideally one or two disclosures to real companies.

Certifications: What Matters and What Does Not

Traditional certs that still matter: OSCP (shows you can execute a real pentest), GPEN/GWAPT (shows application security depth). These establish baseline credibility for the security side of your background. Clients hiring an AI red teamer want to know you can actually pentest.

AI-specific certs in 2025-2026: The space is immature. Most AI security certifications available now are entry-level survey courses. A cert that says "AI Security Fundamentals" from an unknown provider is not impressive to anyone doing serious work.

SANS is developing AI security content (SEC595, SEC598), and its material tends to be solid. These are worth watching. Practical, hands-on certifications that require you to actually exploit something will carry weight. Theoretical survey courses will not.

The certification play: Use certs for learning, not for signaling. The cert you earn while going deep on a topic is useful for the knowledge, not the badge. Your GitHub proves you can do the work.

The Job Market in 2025-2026

Demand exceeds supply by a wide margin. Organizations deploying AI systems are doing so faster than they are thinking about security. Most do not have anyone internally who understands both AI systems and security.

The roles that exist:

  • AI Red Teamer: Full-time role at large tech companies doing internal red teaming of their AI products. Google, Meta, Microsoft, Anthropic all have these. Highly competitive.
  • AI Security Consultant: At consulting firms or independent. Lower barrier to entry than big tech internal roles. The market is wide open.
  • AI Security Engineer: Building the defensive side. Input validation, output filtering, monitoring. Increasingly required at companies shipping AI products.
  • Product Security Engineer (AI focus): Traditional product security role that now requires AI knowledge. Faster-growing than the dedicated AI security roles.

Positioning: Niche beats broad. "I do AI red teaming" is more marketable than "I do security." "I specialize in MCP and agentic system security" is more marketable than "I do AI security." The more specific your positioning, the easier you are to find when someone has that specific need.

Where the work comes from:

  • Every company shipping an AI product needs this expertise.
  • Regulated industries (finance, healthcare) are being pushed by regulators to assess AI risk.
  • Companies that have been burned by an AI incident are highly motivated buyers.
  • Security consulting firms are adding AI security practices and need practitioners.

The timing is genuinely good. The field is early enough that you can become one of the known practitioners in a specific niche without needing fifteen years of prior work in that exact area.

Building in Public

The fastest path to being known in AI security is writing consistently about what you are learning and building.

Write about what you actually find, not what you think sounds impressive. A genuine technical post about a subtle indirect injection behavior you discovered while testing an agent is more valuable than a polished post summarizing publicly known concepts.

Publish on your own site (own your content), cross-post to Medium or Substack for distribution. Engage with the AI security community on X/Twitter and LinkedIn. Most of the people doing serious work in this field are visible there.

Security conferences are increasingly hosting AI security tracks. DEF CON AI Village, Black Hat AI security talks, RSAC sessions. Speaking at one of these, even a short talk, is significant signal.

One good piece of original research, published clearly and shared in the right places, can compress years of relationship building.