CVPR 2026 · Half-Day Tutorial
Hands-On Attacks and Defenses for Vision-Language Systems
In a vision-language model, the image is not just an input — it is a control surface.
Multimodal LLMs increasingly read screenshots, interpret interfaces, and drive downstream actions. As these systems move from benchmarks into production — behind resizing, compression, caching, and third-party checkpoints — each of those pipeline details opens an attack surface that standard robustness discussions never touch. A model can be steered by text the user cannot see, by pixels that carry no readable content, or by weights that were poisoned before they ever reached the deployment.
This story-driven, hands-on tutorial follows Tom as he builds a vision-language assistant and red-teams it while it grows from prototype to scale. Each chapter ships a capability, breaks it with a vision-originated attack, patches it, and then shows what the failure actually looks like in audit logs — including the cases where the logs don't tell the full story. Notebooks are deterministic and low-friction: no heavy training, no fragile setup, optional GPU.
Run five vision-based attacks on multimodal models and quantify each with simple success metrics.
Implement the matching defenses and reason about their tradeoffs — false positives, usability, robustness vs. utility.
Take home a scale-up playbook: layered controls, audit logging, and evaluation practices for real pipelines.
Introduction & Threat Model · 15 min
How vision inputs become a control surface, what "abuse" looks like in logs, and the baseline VLM pipeline + lightweight logging we build on.
Chapter 1 — FigStep: Typographic Jailbreak · 40 min
Instruction injection via text rendered inside an image; instruction/data separation as the defense.
Chapter 2 — Anamorphic Scaling · 40 min
A benign-looking image whose resize/compression step reveals hidden instructions; logging the true model input.
Break · 15 min
Chapter 3 — Cursed Pixels · 40 min
Pixel-level adversarial perturbations that flip behavior with no readable text; multi-view voting and abstention.
Chapter 4 — Backdoored Checkpoint · 40 min
A visual trigger hidden in an open-source checkpoint/adapter; provenance, registries, and trigger canaries.
Chapter 5 — Poisoned Fine-Tuning · 30 min
A handful of stealthy poisons in training data that induce targeted misbehavior; data quarantine, provenance, and outlier screens.
Wrap-Up & Q&A · 20 min
A ship checklist, how to extend these patterns into real systems, and open discussion.
Five self-contained notebooks. Each pairs a vision-originated attack with a practical defense and an audit-log lesson. All notebooks are deterministic and runnable asynchronously.
Typographic instruction injection: text rendered inside an image bypasses text-only guardrails. Patch with explicit instruction/data separation.
Open ColabResizing and compression reveal hidden instruction text to the model. Visualize the true preprocessed input and treat preprocessing as threat surface.
Open ColabPixel-level adversarial perturbations flip behavior with no readable text and no OCR trick. Defend with multi-view voting and disagreement-based abstention.
Open ColabA visual trigger in an open-source checkpoint activates attacker-chosen behavior, even under domain shift. Defend with provenance, hashes, and trigger canaries.
Open ColabA small number of stealthy poisons in fine-tuning data induce targeted misbehavior. Defend with data quarantine, provenance, and embedding/outlier screens.
Open ColabThe full presentation deck for all five chapters — threat models, attack walkthroughs, defenses, and the scale-up playbook.
View SlidesA single repository holds five deterministic notebooks with precomputed attack images and adapters, plus a reference document covering the theory behind each attack and defense. Optional GPU for speed, not required for correctness. All demonstrations use benign targets and sandboxed tools with no real side effects.
5
Attacks & defenses
Python
Basic prerequisite
No sec.
Background required
Colab
+ local, deterministic
Presenter
Principal Developer, Automata LLC
Pavan Reddy is an AI security researcher and builder, and the founder of QBTrain — a hands-on platform for learning AI security and AppSec. He started inside AI (adversarial ML, model internals) and now focuses on breaking and securing real LLM and agentic systems: prompt injection, data exfiltration, and the systemic weaknesses of foundation models. He has published at AAAI, ACM, NeurIPS, and FLAIRS, and teaches a small set of signature workshops across BSides, OWASP, and academic venues. As Principal Developer at Automata, he owns a security product end to end.
The attacks, code, datasets, and model artifacts in this tutorial are provided solely for education, defensive research, and authorized security testing. Every demonstration targets benign objectives in sandboxed environments with no real-world side effects, and is shared so that researchers and engineers can understand these failure modes and defend against them.
By using this repository and its resources you accept full responsibility for your actions. The presenter and affiliated organizations assume no liability for misuse.