Why
AdCP's security mechanics are solid — idempotency, webhook HMAC, SSRF discipline, signed governance, principal isolation. They now appear across the implementation reference, the spec, and (as of #TBD) the Security Model narrative and the Operating an Agent guide.
What we don't yet have is a curriculum path that teaches the threat model, the layered defense model, and the hands-on verification that an agent operator has built it correctly. Security appears in the Basics and Practitioner sprinkles landed in #TBD, but a learner can still complete all three tiers without ever demonstrating that they can:
- Explain which layer stops which attack
- Walk through the 15-step governance verification and tell you what each step closes
- Mint an idempotency key, replay it, and reason about conflict vs expired
- Implement the 6-point SSRF check on an outbound fetch
Given that AI can red-team any documented API surface, this is not optional expertise.
Proposed module: S6 — Security mastery
Tier: Specialist (peer with S1–S5)
Audience: Security architects, platform engineers, CISOs, governance agent builders
Duration: ~60 min (combines hands-on lab and adaptive exam)
Prereq: Practitioner credential
Credential: AdCP specialist — Security
Learning objectives
- Explain the agentic advertising threat model: credential theft, replay, cross-tenant leakage, SSRF, spoofed identity, unauthorized governance, audit tampering
- Walk through AdCP's 5-layer defense model (identity, isolation, idempotency, signed governance, auditability) and name the specific attack each layer closes
- Demonstrate idempotency against a sandbox: mint key, retry success, conflict on payload change, expired on TTL lapse, and the side-effect implications of `replayed: true`
- Verify a signed governance token against a JWKS, tamper with claims and observe rejection, trace the 15-step verification checklist, and walk through revocation mechanics
- Implement the 6-point SSRF check (HTTPS-only, reserved-IP deny list including cloud metadata, IP pinning, no redirects, size/timeout caps, suppressed error detail) on an outbound fetch
- Design the operational runbook for credential compromise, webhook secret rotation, governance key revocation, and cross-party incident communication
- Given an incident description, identify which defense layer failed and what to harden
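The SSRF objective above lists six controls but not how they fit together. The following is an added example written for this proposal, not AdCP's own reference code: it builds a "fetch plan" for an outbound URL that enforces HTTPS-only, the reserved-IP deny list (link-local covers the cloud metadata endpoint), IP pinning (resolve once, connect to the resolved address, never re-resolve), no redirects, size and timeout caps, and suppressed error detail. The `resolver` parameter, the `FetchPlan` fields, the cap values, and the refusal reason strings are all assumptions made for the example; the HTTP layer that consumes the plan is out of scope.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed caps for the example; an operator sets these per deployment.
MAX_BODY_BYTES = 1_000_000
TIMEOUT_SECONDS = 5.0

# Address ranges an outbound fetch must never reach: unspecified, loopback,
# RFC 1918, CGNAT, link-local (where cloud metadata services such as
# 169.254.169.254 live), multicast, and their IPv6 equivalents.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeUrl(Exception):
    """Point 6: the caller only ever sees a generic message; the specific
    reason lives in .detail and goes to the operator's own log."""

    def __init__(self, detail: str):
        super().__init__("outbound fetch refused")
        self.detail = detail


@dataclass(frozen=True)
class FetchPlan:
    """Everything the HTTP layer needs to connect to the pinned IP only
    (assumed shape for this example)."""
    pinned_ip: str                  # point 3: connect here, never re-resolve
    host_header: str                # original hostname for Host header / SNI
    port: int
    path: str
    timeout: float                  # point 5
    max_bytes: int                  # point 5
    allow_redirects: bool = False   # point 4


def ip_is_denied(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 is really 10.0.0.1; check the embedded IPv4 address.
    if getattr(addr, "ipv4_mapped", None) is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in DENIED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """Default resolver; exercises inject a fake one to simulate rebinding."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def plan_fetch(url: str, resolver=system_resolver) -> FetchPlan:
    parts = urlsplit(url)
    if parts.scheme != "https":                          # point 1
        raise UnsafeUrl("scheme")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise UnsafeUrl("authority")
    try:
        addresses = [str(ipaddress.ip_address(host))]    # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            raise UnsafeUrl("dns") from None
    # Point 2: every address the name resolves to must be allowed. A name that
    # mixes a public and a private record is refused outright.
    if not addresses or any(ip_is_denied(ip) for ip in addresses):
        raise UnsafeUrl("denied-ip")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return FetchPlan(pinned_ip=addresses[0], host_header=host,
                     port=parts.port or 443, path=path,
                     timeout=TIMEOUT_SECONDS, max_bytes=MAX_BODY_BYTES)


def classify(url: str, resolver=system_resolver) -> str:
    """'ok' when a plan can be built, otherwise the internal refusal reason."""
    try:
        plan_fetch(url, resolver)
        return "ok"
    except UnsafeUrl as exc:
        return exc.detail
```

Because the plan carries `pinned_ip`, the HTTP client connects to that address and sends `host_header` for Host and SNI; a DNS answer that changes between validation and connect (the rebinding case in the sandbox needs) never gets a chance to redirect the connection.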
Sandbox needs
- Two principals on the same sandbox seller, so the learner can observe (and fail to probe) isolation
- An idempotency endpoint that honors replay, conflict, and expired semantics in real time
- A sandbox governance agent that issues signed tokens, with both valid keys and a `revoked_kids` entry for exercises
- A mock counterparty URL with an attacker-controlled DNS response, so the learner can observe the IP pin catching rebinding
Most of this is achievable by extending the existing embedded training agent rather than building new infra.
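The idempotency endpoint the sandbox needs has to produce replay, conflict, and expired on demand, and the learning objectives ask the learner to reason about the side effects behind `replayed: true`. The following is an added example for this proposal, not the training agent's code: an in-memory store with an injectable clock. The response shape, the outcome names, the per-principal key scoping, and the expired semantics (a lapsed key is reported as expired and the request is not executed again) are assumptions made for the example, not the spec's wording; `walkthrough()` drives all four outcomes and counts how many times the handler actually ran.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable

TTL_SECONDS = 24 * 60 * 60   # constructed; use whatever TTL the spec defines


@dataclass
class _Entry:
    fingerprint: str     # hash of the canonical payload
    response: dict       # what the first execution returned
    stored_at: float


class IdempotencyStore:
    """Assumed semantics: same key + same payload -> replay the stored result
    with replayed: true and no new side effect; same key + different payload
    -> conflict; key older than the TTL -> expired, and nothing is executed."""

    def __init__(self, ttl: float = TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._entries: dict[tuple[str, str], _Entry] = {}

    @staticmethod
    def fingerprint(payload: dict) -> str:
        # Canonical JSON so key order does not turn a retry into a conflict.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def execute(self, principal: str, key: str, payload: dict,
                handler: Callable[[dict], dict]) -> dict:
        # Keys are scoped to the principal, so one tenant can neither replay
        # nor collide with another tenant's key.
        scope = (principal, key)
        now = self._clock()
        entry = self._entries.get(scope)
        if entry is not None:
            if now - entry.stored_at > self._ttl:
                # Stale record: the client must mint a fresh key; a sweeper
                # (not shown) removes the entry later.
                return {"outcome": "expired", "replayed": False}
            if entry.fingerprint != self.fingerprint(payload):
                return {"outcome": "conflict", "replayed": False}
            return {"outcome": "replayed", "replayed": True,
                    "response": entry.response}
        response = handler(payload)          # the one and only side effect
        self._entries[scope] = _Entry(self.fingerprint(payload), response, now)
        return {"outcome": "executed", "replayed": False, "response": response}


def walkthrough() -> tuple[list[str], int]:
    """Drives executed, replayed, conflict, cross-principal, expired with a
    fake clock; returns the outcomes and how many side effects happened."""
    now = [1000.0]
    effects: list[str] = []

    def create_media_buy(payload: dict) -> dict:
        effects.append(payload["buy"])                 # constructed side effect
        return {"media_buy_id": f"mb-{len(effects)}"}  # constructed response

    store = IdempotencyStore(ttl=60, clock=lambda: now[0])
    payload = {"buy": "campaign-A", "budget": 5000}    # constructed payload
    r1 = store.execute("buyer-1", "key-1", payload, create_media_buy)
    r2 = store.execute("buyer-1", "key-1", payload, create_media_buy)
    r3 = store.execute("buyer-1", "key-1", {**payload, "budget": 9000},
                       create_media_buy)
    r4 = store.execute("buyer-2", "key-1", payload, create_media_buy)
    now[0] += 61                                       # let the TTL lapse
    r5 = store.execute("buyer-1", "key-1", payload, create_media_buy)
    return [r["outcome"] for r in (r1, r2, r3, r4, r5)], len(effects)
```

The count returned by `walkthrough()` is the point of the exercise: five requests, two executions. The replay returns the stored response without touching the handler, the conflict and the expiry execute nothing, and the second principal's identical key is a separate execution because keys are scoped per principal.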
Assessment dimensions
| Dimension | Weight | What Addie evaluates |
|---|---|---|
| Threat model fluency | 20% | Can you name an attack and the layer that stops it? |
| Hands-on idempotency | 20% | Can you produce conflict, expired, and replay responses on demand? |
| Governance verification | 25% | Can you walk the 15-step checklist and explain each step's threat? |
| SSRF discipline | 15% | Can you write code that passes the 6-point check? |
| Operational design | 20% | Can you design a runbook for credential compromise? |
Passing threshold: 70%.
What this is NOT
- Not a replacement for a real security program — we're teaching AdCP-specific controls, not OWASP Top 10
- Not gating Practitioner completion — sprinkled security demonstrations in B4/C4/D4 already cover the operational minimum
- Not a prerequisite for other specialist modules — parallel path
Cross-cutting changes already landed
- Foundations (A1, A2, A3): security learning objectives and key-term additions for idempotency, replay, and the three trust primitives
- Specialist (S1 media buy, S4 governance): explicit demonstration requirements for idempotency semantics and the governance verification checklist
- Practitioner tracks (B4 publisher build, C4 buyer build): idempotency enforcement in build-project rubrics
- New narrative page: Security Model for brand IT and CISOs
- New section in Operating an Agent: security as an operating concern
Work breakdown
- `docs/learning/specialist/security.mdx`
- `docs/learning/overview.mdx` with S6 in the specialist table
- `docs.json` nav for S6
Related