CVPR 2026 · Half-Day Tutorial

Tom Builds, Tom Breaks

Hands-On Attacks and Defenses for Vision-Language Systems

June 3, 2026 4 hours · In-person Pavan Reddy · Automata LLC

In a vision-language model, the image is not just an input — it is a control surface.

Multimodal LLMs increasingly read screenshots, interpret interfaces, and drive downstream actions. As these systems move from benchmarks into production — behind resizing, compression, caching, and third-party checkpoints — each of those pipeline details opens an attack surface that standard robustness discussions never touch. A model can be steered by text the user cannot see, by pixels that carry no readable content, or by weights that were poisoned before they ever reached the deployment.

This story-driven, hands-on tutorial follows Tom as he builds a vision-language assistant and red-teams it while it grows from prototype to scale. Each chapter ships a capability, breaks it with a vision-originated attack, patches it, and then shows what the failure actually looks like in audit logs — including the cases where the logs don't tell the full story. Notebooks are deterministic and low-friction: no heavy training, no fragile setup, optional GPU.

What you will leave with

01

Run five vision-based attacks on multimodal models and quantify each with simple success metrics.

02

Implement the matching defenses and reason about their tradeoffs — false positives, usability, robustness vs. utility.

03

Take home a scale-up playbook: layered controls, audit logging, and evaluation practices for real pipelines.

Schedule

4 hours · one break
00:00–00:15

Introduction & Threat Model · 15 min

How vision inputs become a control surface, what "abuse" looks like in logs, and the baseline VLM pipeline + lightweight logging we build on.

00:15–00:55

Chapter 1 — FigStep: Typographic Jailbreak · 40 min

Instruction injection via text rendered inside an image; instruction/data separation as the defense.

00:55–01:35

Chapter 2 — Anamorphic Scaling · 40 min

A benign-looking image whose resize/compression step reveals hidden instructions; logging the true model input.

01:35–01:50

Break · 15 min

01:50–02:30

Chapter 3 — Cursed Pixels · 40 min

Pixel-level adversarial perturbations that flip behavior with no readable text; multi-view voting and abstention.

02:30–03:10

Chapter 4 — Backdoored Checkpoint · 40 min

A visual trigger hidden in an open-source checkpoint/adapter; provenance, registries, and trigger canaries.

03:10–03:40

Chapter 5 — Poisoned Fine-Tuning · 30 min

A handful of stealthy poisons in training data that induce targeted misbehavior; data quarantine, provenance, and outlier screens.

03:40–04:00

Wrap-Up & Q&A · 20 min

A ship checklist, how to extend these patterns into real systems, and open discussion.

Chapters & Hands-On Labs

Five self-contained notebooks. Each pairs a vision-originated attack with a practical defense and an audit-log lesson. All notebooks are deterministic and runnable asynchronously.

1 Prototype

FigStep Jailbreak

Typographic instruction injection: text rendered inside an image bypasses text-only guardrails. Patch with explicit instruction/data separation.

Open Colab
2 Prototype

Anamorphic Scaling

Resizing and compression reveal hidden instruction text to the model. Visualize the true preprocessed input and treat preprocessing as threat surface.

Open Colab
3 Early Product

Cursed Pixels

Pixel-level adversarial perturbations flip behavior with no readable text and no OCR trick. Defend with multi-view voting and disagreement-based abstention.

Open Colab
4 Scale

Backdoored Checkpoint

A visual trigger in an open-source checkpoint activates attacker-chosen behavior, even under domain shift. Defend with provenance, hashes, and trigger canaries.

Open Colab
5 Scale

Poisoned Fine-Tuning

A small number of stealthy poisons in fine-tuning data induce targeted misbehavior. Defend with data quarantine, provenance, and embedding/outlier screens.

Open Colab
Reference

Tutorial Slides

The full presentation deck for all five chapters — threat models, attack walkthroughs, defenses, and the scale-up playbook.

View Slides

Materials & Reproducibility

A single repository holds five deterministic notebooks with precomputed attack images and adapters, plus a reference document covering the theory behind each attack and defense. Optional GPU for speed, not required for correctness. All demonstrations use benign targets and sandboxed tools with no real side effects.

5

Attacks & defenses

Python

Basic prerequisite

No sec.

Background required

Colab

+ local, deterministic

Presenter

Pavan Reddy

Principal Developer, Automata LLC

Pavan Reddy is an AI security researcher and builder, and the founder of QBTrain — a hands-on platform for learning AI security and AppSec. He started inside AI (adversarial ML, model internals) and now focuses on breaking and securing real LLM and agentic systems: prompt injection, data exfiltration, and the systemic weaknesses of foundation models. He has published at AAAI, ACM, NeurIPS, and FLAIRS, and teaches a small set of signature workshops across BSides, OWASP, and academic venues. As Principal Developer at Automata, he owns a security product end to end.

Ethical Use & Responsibility

The attacks, code, datasets, and model artifacts in this tutorial are provided solely for education, defensive research, and authorized security testing. Every demonstration targets benign objectives in sandboxed environments with no real-world side effects, and is shared so that researchers and engineers can understand these failure modes and defend against them.

  • ·Use these materials only on systems you own or have explicit, written permission to test.
  • ·Do not deploy these techniques against production systems, third parties, or any live service without authorization.
  • ·Follow responsible-disclosure practices and all applicable laws, institutional policies, and the CVPR code of conduct.

By using this repository and its resources you accept full responsibility for your actions. The presenter and affiliated organizations assume no liability for misuse.