Your First 90 Days in AI Security | Tech Jacks Solutions
Sub-Page 5 of 5

Your First 90 Days in AI Security

A realistic week-by-week plan — not a fantasy sprint. This timeline has 20% overhead built into every phase. Life happens. You’ll miss a day. A tool won’t install cleanly. A concept will take longer than expected. That’s not failure — that’s how learning actually works.

  • 90 calendar days
  • ~72 planned work days (18 days overhead buffer)
  • 3 phases
  • 4.8M unfilled cyber jobs globally (Source: ISC2 Workforce Study 2025)

Philosophy

The 20% Overhead Rule

Most 90-day plans assume you’ll execute perfectly every single day. That’s not how career transitions work. You have a current job, personal obligations, bad days, and the inevitable frustration of getting a new tool to compile on your machine.

This plan schedules ~72 days of actual work across 90 calendar days. The remaining 18 days are distributed as buffer throughout — not lumped at the end. Every phase includes explicit catch-up time. If you finish a week early, use the buffer for deeper exploration. If you fall behind, you’re still on track.

How It Works

  • Phase 1 (Days 1–30): 24 days of planned work + 6 buffer days. If week 3 bleeds into week 4, that’s by design.
  • Phase 2 (Days 31–60): 24 days of planned work + 6 buffer days. Certification study may take longer than guides suggest.
  • Phase 3 (Days 61–90): 24 days of planned work + 6 buffer days. Portfolio building is iterative, not linear.

Reality Check

The market data is on your side. ISC2 projects 4.8 million unfilled cybersecurity positions globally. AI security is the fastest-growing subset. The BLS projects 29% growth for infosec analysts through 2034. You don’t need to be perfect in 90 days. You need to be credible, competent, and moving.

Sources: ISC2 Workforce Study 2025 (4.8M unfilled); BLS Occupational Outlook Handbook (29% growth 2024–2034)
Preparation

Before Day 1 — Prep Checklist

Don’t start the clock until these are in place. This prep work prevents wasted days in Phase 1 debugging environment issues instead of learning AI security.

  • Dev Environment Ready: Python 3.10+ installed. Git configured. A code editor you’re comfortable with. Virtual environments or conda working. GPU access optional but helpful — cloud notebooks (Colab, Kaggle) work fine for the first 30 days.
  • Accounts Created: GitHub account (portfolio will live here). HackTheBox account (free tier is fine initially). OWASP community membership (free). Bookmark: genai.owasp.org, atlas.mitre.org.
  • Learning Journal Started: A Notion doc, Markdown file, or physical notebook. You’ll track what you learn, what confused you, and what you built. This becomes interview prep material and proves your learning trajectory to hiring managers.
  • Baseline Assessment: Honestly evaluate: What’s your current security knowledge? Have you used any ML tools? Can you write Python scripts? Read our Career Transition Playbooks to identify your specific path and gaps.

Phase 1

Foundation: Days 1–30

24 planned work days + 6 buffer days. Goal: Understand the threat landscape and get tools running.
Phase 1 Overhead Budget

Tool installation issues, Python dependency conflicts, and “what does this error mean” moments are expected, not failures. The buffer covers 2–3 days of environment troubleshooting and 3–4 days of concept review when something doesn’t click on first pass.

Week 1
Days 1–7

OWASP LLM Top 10 — Read, Understand, Map

  • Read the full OWASP LLM Top 10 (2025) — all 10 items, not just summaries. Spend 1–2 hours per item.
  • For each risk, write one paragraph in your journal: What it is, how it works, how you’d detect it, and which role owns mitigation.
  • Install Garak (NVIDIA’s LLM vulnerability scanner). Run it against a local model or API endpoint. Document what you find.
  • Cross-reference: Read our Frameworks & Practices Deep Dive OWASP section for role mapping.
Framework: genai.owasp.org (2025) • Tool: Garak by NVIDIA (open source)
Buffer note: If Garak installation takes a full day, that’s normal. Don’t rush past OWASP comprehension to “stay on schedule.”
Week 2
Days 8–14

MITRE ATLAS — The Adversarial Playbook

  • Study MITRE ATLAS: 14 tactic categories in an ATT&CK-style matrix. Focus on understanding the attack chain, not memorizing technique IDs. Tactic IDs use the AML.TA#### format; technique IDs use AML.T####.
  • Read documented case studies on atlas.mitre.org. For each: What was the target? What tactic was used? What would have prevented it?
  • Install PyRIT (Microsoft’s Python Risk Identification Toolkit). Run a basic red team test against an LLM endpoint.
  • Map ATLAS tactics to OWASP risks. Where do they overlap? Where does ATLAS go deeper?
Framework: atlas.mitre.org (14 tactic categories, Spring 2025 update: 19 new techniques, 6 new case studies) • Tool: PyRIT by Microsoft (open source)
Buffer note: ATLAS is dense. If you only get through the first few tactic groups this week, use buffer days for the rest. The case studies are more valuable than memorizing technique IDs.
Week 3
Days 15–21

Hands-On: Your First Vulnerability Assessment

  • Install ART (Adversarial Robustness Toolbox). You now have three tools: Garak, PyRIT, ART. Run each against a test target.
  • Write your first vulnerability report. Pick one finding from your tool runs and document it: vulnerability, impact, evidence, remediation.
  • Register for the next AI Village CTF (Capture The Flag) competition, or start a HackTheBox AI challenge if available.
  • Begin community engagement: Join relevant Discord/Slack channels. Lurk first. Contribute when you have something to add.
Tool: ART by IBM/Trusted AI (open source) • Community: AI Village (DEF CON affiliated)
Buffer note: Writing your first vuln report will take longer than you think. That’s the point — the format and clarity matter as much as the finding.
Week 4
Days 22–30

Consolidation & Catch-Up

  • Review your learning journal. What’s solid? What still feels shaky? Spend 2–3 days revisiting weak areas.
  • If on track: Begin exploring governance frameworks — skim NIST AI RMF overview (free at nist.gov). This previews Phase 2.
  • If behind: Use this entire week as buffer. Finish the ATLAS case studies. Get all three tools running cleanly. No guilt.
  • Update your LinkedIn with AI security keywords. Follow thought leaders. Signal your transition to your network.
Governance: nist.gov (free NIST AI RMF study materials)
Buffer note: This is a designed catch-up week. If you’re on track, it becomes enrichment. If you’re behind, it saves your timeline. Either way, you’re exactly where you should be.
Phase 1 Exit Criteria (Flexible)

By day 30, you should be able to: explain all 10 OWASP LLM risks from memory (not perfectly — from understanding), describe the ATLAS attack chain at a high level, run at least one AI security tool against a test target, and have a learning journal with 20+ entries. If you hit 3 out of 4, you’re ready for Phase 2.

Phase 2

Acceleration: Days 31–60

24 planned work days + 6 buffer days. Goal: Deepen expertise, begin certification study, build credibility artifacts.
Phase 2 Overhead Budget

Certification study guides consistently underestimate real study time by 20–30%. If a cert says “40 hours,” plan for 50–52 hours. The buffer days absorb this. Don’t sacrifice depth for speed.

Week 5
Days 31–37

Governance Frameworks & Certification Selection

  • Study NIST AI RMF 1.0 (NIST AI 100-1, January 2023) in depth. Understand the four core functions: GOVERN (organizational risk culture), MAP (context & categorization), MEASURE (TEVV & metrics), MANAGE (risk treatment & response). Also learn the 7 trustworthiness characteristics. This is the backbone of organizational AI risk.
  • Decide on your first certification based on your background and target role:
    Offensive track: CAISP ($999–$1,099 lifetime, as of April 2026) or HackTheBox AI Red Teamer ($490/yr)
    Governance track: AIGP ($649–$799) by IAPP
    Foundation track: CompTIA Security+ ($404–$425) if no security baseline exists
  • Enroll and begin structured study. Block 1–2 hours daily on your calendar.
NIST AI RMF: nist.gov (free) • CAISP: Practical DevSecOps (as of April 2026) • AIGP: IAPP • Security+: CompTIA
Buffer note: Choosing the right cert matters more than starting quickly. Spend a day comparing if needed. See our Career Transition Playbooks for path-specific recommendations.
Week 6
Days 38–44

Deep Certification Study + Practical Application

  • Continue certification study (15–20 hours this week). Complete first major module or domain.
  • Apply what you’re learning: If studying CAISP, run labs from the 30+ hands-on exercises. If studying AIGP, draft a mock AI governance policy.
  • Read the EU AI Act security provisions if targeting compliance roles. Understand risk classification tiers and obligations for high-risk AI systems.
  • Participate in your first CTF challenge or complete a HackTheBox AI security challenge. Document your approach and findings.
EU AI Act: Active April 2026 • CAISP labs: Practical DevSecOps (30+ hands-on labs, OWASP LLM Top 10, MITRE ATLAS)
Week 7
Days 45–51

Portfolio Building Begins

  • Create a GitHub repository for your AI security work. Structure it: /tools (scripts you’ve written), /reports (vuln assessments), /notes (framework summaries).
  • Write up 2–3 vulnerability assessments from your tool runs into professional-format reports.
  • Continue certification study (15–20 hours). You should be 50–60% through the material.
  • If applicable: Register for bug bounty platforms (HackerOne, Bugcrowd). AI-specific bounties are growing. OpenAI offers bounties up to $100K.
Bug bounty: HackerOne, Bugcrowd, huntr • OpenAI bounty program (up to $100K, public)
Buffer note: Portfolio quality matters more than quantity. Two well-written vuln reports beat ten sloppy ones. Use buffer time for polish, not volume.
Week 8
Days 52–60

Consolidation & Certification Push

  • Final certification study push. Complete remaining material. Begin practice exams or lab reviews.
  • If using buffer time: Review all Phase 1 material. The OWASP and ATLAS knowledge should feel natural, not memorized.
  • Network checkpoint: Have you connected with 5+ people in AI security? Attend a virtual meetup or webinar this week.
  • Review your learning journal. You should see clear progress from Day 1. Highlight the transformation for future interview storytelling.
Buffer note: If certification exam isn’t complete yet, don’t panic. The 90-day goal is certification readiness, not necessarily exam day. Many people schedule the exam for days 95–110. That’s fine.
Phase 2 Exit Criteria (Flexible)

By day 60, you should have: certification study 70%+ complete (or exam scheduled), 2–3 professional vulnerability reports in a GitHub portfolio, at least one CTF attempt or bug bounty submission, and working knowledge of at least one governance framework (NIST AI RMF, ISO 42001, or EU AI Act). Hit 3 out of 4 and you’re on track.

Phase 3

Specialization: Days 61–90

24 planned work days + 6 buffer days. Goal: Specialize, complete certification, launch your job search with credibility.
Phase 3 Overhead Budget

Job search prep takes real time. Resume rewrites, LinkedIn optimization, cover letter drafts, and informational interviews are work, not afterthoughts. The buffer accounts for this. Don’t treat job prep as “extra” — it’s core Phase 3 work.

Week 9
Days 61–67

Certification Completion & Role-Specific Depth

  • Take the certification exam, or finalize study for a scheduled date. If CAISP: complete the 6-hour practical + 24-hour report.
  • Begin role-specific specialization. Pick your target role and go deep on the skills specific to it:
    AI Red Teamer: Advanced ATLAS techniques, CTF rankings, adversarial example generation
    AI Security Engineer: Pipeline security, model validation, OWASP defense implementation
    AI GRC Analyst: ISO 42001 audit prep, compliance mapping, policy documentation
  • Read 3–5 recent AI security incident reports. Analyze each with your framework knowledge.
CAISP exam: 6-hour practical, 5 challenges, 24-hour report • Source: Practical DevSecOps
Week 10
Days 68–74

Portfolio Polish & Community Contribution

  • Finalize your GitHub portfolio. Add README files that explain your methodology, not just results.
  • Write a blog post or LinkedIn article about something you learned. “How I Used Garak to Find Prompt Injection Vulnerabilities” or “MITRE ATLAS: What Traditional Security Misses About AI Threats.”
  • Make your first meaningful community contribution: answer a question in a forum, submit a tool improvement, or share a writeup from a CTF.
  • If targeting specific companies, research their AI security programs. Tailor your portfolio to demonstrate relevant skills.
Buffer note: A blog post takes 4–8 hours to write well. Don’t shortchange this. One good published piece is a stronger signal than 10 private notes.
Week 11
Days 75–81

Job Search Launch

  • Rewrite your resume with AI security focus. Lead with skills and certifications, not just job titles. Quantify impact where possible.
  • Optimize LinkedIn: headline should include “AI Security” + your specific angle. Featured section should link to your GitHub and published content.
  • Begin targeted applications. Focus on roles that match your 90-day specialization:
    Offensive track: AI Red Teamer — CTF portfolio and ATLAS fluency are critical differentiators. Adversarial ML Researcher roles command $157K–$222K.
    Governance track: AI Model Risk Analyst: $100K–$160K (SR 11-7 + AI expertise in banking sector)
    Infrastructure track: AI Infrastructure Security Specialist: $160K–$240K (OpenAI, NVIDIA, CoreWeave hiring)
  • Schedule 2–3 informational interviews with people in AI security roles. Ask about their first 90 days.
Salary data: Glassdoor, ZipRecruiter, Capital One, OpenAI/NVIDIA/CoreWeave postings 2025–2026 • Market growth: BLS 29% through 2034
Week 12
Days 82–90

Consolidation & Forward Planning

  • Review your entire 90-day journey. Update your learning journal with a summary: where you started, what you learned, what’s next.
  • If certification exam is still pending: finalize prep and schedule it for the next 2 weeks. You’re ready.
  • Plan the next 90 days. Your first 90 built the foundation. The next 90 is about: advanced certifications, deeper specialization, or landing the role.
  • Continue job applications and networking. The pipeline you built in Week 11 takes 4–8 weeks to generate interviews. Keep feeding it.
Buffer note: If you’re using buffer days here, spend them on interview prep. Practice explaining OWASP risks, ATLAS attack chains, and your portfolio projects out loud. The knowledge is in your head — practice getting it out clearly.
Phase 3 Exit Criteria (Flexible)

By day 90, you should have: at least one AI security certification earned or exam scheduled, a public GitHub portfolio with 3+ professional artifacts, one published piece of content (blog, LinkedIn article, or CTF writeup), and active job applications submitted. If your certification exam is scheduled for day 100 instead of day 85, you’re still on track. The 20% overhead means your “day 90” might land on calendar day 108. That’s the plan working, not the plan failing.

The Honest Truth About Day 90

You will not be a senior AI security engineer on day 90. You will be a credible, demonstrably competent professional who can speak the language, use the tools, understand the frameworks, and show evidence of applied learning. That’s what gets you hired. The market has 4.8 million unfilled cybersecurity positions. Only 14% of organizations report having adequate AI security talent. Companies aren’t waiting for perfection — they’re looking for people who can learn fast and contribute quickly. Your 90-day portfolio proves you can do both.

Sources: ISC2 Workforce Study 2025 (4.8M unfilled globally); World Economic Forum 2025 (14% adequate AI security talent)
Tool Stack

Essential Tools & Environment

These are the tools you’ll install and use across the 90 days. All are open source or have free tiers. Total cost for the tool stack: $0.

Garak
NVIDIA • Open Source
LLM vulnerability scanner. Probes for prompt injection, data leakage, jailbreaks, and hallucination patterns. Your primary scanning tool.
Phase 1: Install and run first scan. Phase 2–3: Integrate into assessments.
Source: NVIDIA Garak project (open source)
PyRIT
Microsoft • Open Source
Python Risk Identification Toolkit for generative AI. Automates red teaming workflows against LLM endpoints. Scriptable and extensible.
Phase 1: Install and run basic tests. Phase 2: Automate red team scenarios.
Source: Microsoft PyRIT project (open source)
ART
IBM Trusted AI • Open Source
Adversarial Robustness Toolbox. Tests ML model resilience against adversarial examples, data poisoning, and evasion attacks.
Phase 1: Install and run robustness checks. Phase 2–3: Model-level assessments.
Source: IBM/Trusted AI ART project (open source)
IBM AIF360
IBM • Open Source
AI Fairness 360 toolkit. Detects and mitigates bias in AI models. Essential for governance-track roles and compliance assessments.
Phase 2–3: Bias detection in model risk assessments.
Source: IBM AIF360 project (open source)
Microsoft Fairlearn
Microsoft • Open Source
Fairness assessment and mitigation for AI systems. Provides metrics, dashboards, and algorithms for equitable model behavior.
Phase 2–3: Fairness auditing for governance-track roles.
Source: Microsoft Fairlearn project (open source)
HackTheBox
HackTheBox • Free Tier Available
Hands-on security challenges including AI-specific attack scenarios. AI Red Teamer Path available ($490/yr Silver). CTF competitions build portfolio credibility.
Phase 1: Create account, try free challenges. Phase 2–3: AI Red Teamer Path.
Source: HackTheBox (AI Red Teamer Path co-developed with Google SAIF)
By Background

Quick Start by Background

The 90-day timeline above is the general plan. Here’s how to adapt it based on where you’re starting. Each path adjusts the emphasis — the timeline stays the same, but what you prioritize in each phase shifts.

Coming From: Cybersecurity / SOC Analyst
You already think in threats and incidents. Your gap is AI-specific attack vectors. Spend Phase 1 heavily on OWASP LLM Top 10 and ATLAS — you’ll pick these up faster than most because you already understand threat modeling. Phase 2: fast-track CAISP or CompTIA SecAI+.
CompTIA SecAI+ • CAISP • CISSP (5+ yrs; Associate of ISC2 if fewer)
90-Day Outcome: AI security analyst ready. AI-specific vuln reports in portfolio. Certification in progress or complete. AI security roles command a +56% wage premium over non-AI security.
AI wage premium: PwC AI Jobs Barometer 2025 • Cert data: CompTIA, Practical DevSecOps
Coming From: Software Developer / ML Engineer
You build the systems that need securing. Your gap is thinking adversarially. Phase 1: Focus on OWASP LLM-05 (Improper Output Handling) and LLM-03 (Supply Chain) — these map to your existing skills. Phase 2: CAISP is ideal — its labs bridge the security knowledge gap.
CAISP • CompTIA SecAI+ or Security+ (if no sec baseline) • AWS ML Engineer
90-Day Outcome: Secure AI/ML developer credibility. Secure pipeline patterns documented. CAISP in progress. CAISP holders report 15–20% salary premium over generalist certs.
CAISP premium: Industry reports, Practical DevSecOps 2025–2026
Coming From: DevOps / Cloud Engineering
Your CI/CD and infrastructure skills transfer directly. Your gap is model-layer security. Phase 1: Focus on OWASP LLM-03 (Supply Chain) and LLM-10 (Unbounded Consumption). Phase 2: CAISP + your existing cloud certs. You’re building the MLSecOps pipeline.
90-Day Outcome: MLSecOps engineer credibility. ML pipeline security audit completed. CAISP in progress. AI Infrastructure Security Specialist roles: $160K–$240K at top labs.
Salary: OpenAI, NVIDIA, CoreWeave postings 2025–2026
Coming From: Risk / Compliance / GRC
You understand governance and risk frameworks. Your gap is technical AI literacy. Phase 1: OWASP gives you enough technical grounding to speak with engineers. Phase 2: AIGP is your fast-track cert — it covers NIST AI RMF, EU AI Act, and ISO 42001 in one package.
IAPP AIGP • ISACA CRISC • ISO 42001 Lead Implementer
90-Day Outcome: AI governance/compliance readiness. AIGP complete or scheduled. Policy documentation portfolio. AI Model Risk Analyst roles: $100K–$160K.
Salary: Glassdoor, ZipRecruiter 2025–2026. AIGP: IAPP ($649–$799, 60–100 hours study)
Practitioner Ground Truth

The background that adapts fastest to AI security isn’t always the most technical one. GRC professionals who learn enough technical AI to ask the right questions are in massive demand — because organizations with $30.9 billion in AI security spending need people who can connect technical controls to business risk and regulatory obligations. Don’t undersell your non-technical expertise.

AI-in-cybersecurity market: $30.9B (2025), 22–24% CAGR • Sources: StationX, Cybersecurity Ventures 2025

© 2026 Tech Jacks Solutions • Your First 90 Days in AI Security • Sub-Page 5 of 5

Market data: Cybersecurity Ventures 2025 (3.5M unfilled), BLS Occupational Outlook Handbook (33% growth), WEF 2025 (14% adequate talent), PwC AI Jobs Barometer (+56% premium), StationX ($30.9B market), ISC2 2025 Workforce Study (AI/ML #1 skill need). Salary data: Glassdoor, ZipRecruiter, OpenAI/NVIDIA/CoreWeave postings, Practical DevSecOps, IAPP, Capital One (2025–2026). Certification data: CompTIA, ISC2, IAPP, Practical DevSecOps, SANS, HackTheBox. Tools: NVIDIA Garak, Microsoft PyRIT, IBM ART/AIF360, Microsoft Fairlearn. All claims GAIO-verified against knowledgebase sources.
