✓ What vectors and embeddings are — and why they’re an attack surface, not just an index
✓ How RAG works and why the knowledge base — not the LLM — is where LLM08 lives
✓ LLM08 vs LLM04: runtime retrieval poisoning vs training-time model poisoning
✓ PoisonedRAG (USENIX Security 2025) — 5 malicious documents in 1 million achieved 90% attack success rate
✓ Vec2Text — stored embeddings can be inverted to reconstruct source text with ~92% accuracy
✓ ConfusedPilot (Nov 2024) — one document poisons Microsoft 365 Copilot for every user in the org, persisting after deletion
✓ All 3 OWASP attack scenarios: hidden content injection, multi-tenant leakage, enterprise AI poisoning
✓ All 6 mitigations — what OWASP says, which incident each stops, how to implement, how to validate