tl;dr: Provides tons of resources (training, data, connections) for work on AI Safety specifically (e.g. changing jobs, founding a company, furthering existing work); strongly recommended if that is your interest. Elsewhere in AI Security, you’ll see more value the closer your work is to directly securing frontier labs. Definitely Effective Altruist-tinted, focusing on longer-term risks over short-term ones: there’s an upward path for some enterprise challenges (e.g. AI Control), but those connections are outside the curriculum. The lectures were consistently good, and guest lectures outstanding, but hands-on exercises were of mixed quality: good conceptually, some exercises exemplary, but others testing library usage rather than the content, which I hope is improved for the next iteration. Personally, discussion with other attendees – a truly exceptional cohort – was as valuable as the curriculum itself, and more directly applicable to my work. Overall, it was worth my time. Applications for the next iteration in Las Vegas 2nd–8th August are open until 21st June. I actively encourage you to reach out to discuss any aspect of AISB in more detail!
In April, I spent a week at AI Security Bootcamp 2026 Singapore alongside 15 other cybersecurity professionals, learning about challenges around securing increasingly-capable AI systems. I did detailed writeups for Day 0-1 and Day 2, though I fell behind in favour of seeing Singapore and socialising with other attendees (with a particular shoutout to Mattia).
I promised on LinkedIn beforehand to give insight into “how a room of cybersecurity experts tackle securing frontier AI systems”. So how did we do it?
Course overview
The bootcamp had four types of sessions: lectures (covering core topics in AI, AI safety, and AI security), exercises (implementing techniques in Python first-hand), guest lectures (existing experts in the field talking about their work and research), and lightning talks (in the evenings, participants talking about topics of interest to them; almost none of these were technical, and all great fun).
Although I fell behind on daily posts, another attendee, Shiau Huei, did her own excellent writeups on LinkedIn for core topics in days 1 to 5. I’ve linked these in the day-by-day summaries.
I can’t overstate the calibre of the cohort. The group chat with other attendees is still active a month on, with opportunities regularly being posted in Slack too. I’m looking forward to meeting up with other UK-based attendees again.
The curriculum differed from the website, with more focus on safety and less on security. I don’t hold this against the organisers at all: each cohort has a different set of backgrounds, and rapid progress necessitates change. For example, when I applied, Mythos’s cyber capabilities weren’t announced—but the run-through we did of the model card on Day 1 was one of the best exercises in the week!
For the same reason, I can understand the heavy lean on Claude for exercise generation on some days – the field is moving very quickly – although more focus on the pedagogy I think would have gone a long way. Spending some time to pass through the exercises and ensure attendees’ focus is on the crux of the content would be ideal, but even having Claude criticise its own output – what is the most impactful thing for a student to learn around this, and is that what the exercises are really testing? – I expect would’ve got a lot of the benefit for only token cost + a refinement prompt which could be shared between days.
I was especially frustrated with the exercises on Day 4: the concept was sound, but the exercise focused on the least important parts (why are we looking at details of the HuggingFace transformers library rather than the attack under study?) and encouraged some bad practice (why did we stratify the training set to hold back a test set, rather than using the dataset’s own test set?). This was then a stark contrast to the exercises on Day 5; the adversarial noise generation exercise was one of the best-put-together I’ve done in years.
Future attendees should not be blindsided by this: attendees have the exact repository we used to look at, and I expect the organisers will improve this based on our feedback.
Day-by-day topics
Drilling down to specific topics, the bootcamp consisted of:
- Day 1: Introduction to AI safety and security; the training process for LMs.
  - More detail: please see my own writeup of Day 1 and Shiau Huei’s writeup of Day 1.
- Day 2: Guest lecture on Zero-Knowledge Proofs for model correctness; attacks on agents, and AI control.
  - More detail: please see my own writeup of Day 2 and Shiau Huei’s writeup of Day 2.
- Day 3: Guest lecture on quantifying misuse uplift from LMs; guardrails (including training linear probes); guest talk on how models are jailbroken in the wild (with particular discussion of prefills).
  - More detail: please see Shiau Huei’s writeup of Day 3.
- Day 4: Model editing and backdoors (poisoning a model with ROME, training LoRA to disable refusal); guest lecture on how we can securely evaluate models on agentic workloads; followed by an AI safety x cybersecurity mixer.
  - The mixer was excellent: I really enjoyed the perspectives on Chinese models that are otherwise outside my very Western exposure.
  - More detail: please see Shiau Huei’s writeup of Day 4.
- Day 5: Adversarial attacks on image models; Greedy Coordinate Gradient to automatically generate jailbreaks for LMs; attacks in latent space; generating and attacking image watermarks; fireside talk about AI for incident response and defensive security.
  - I really enjoyed the hands-on PyTorch training loops and direct tweaking of the experimental setup here (e.g. tweaking the loss function to minimise perturbation to the image and seeing artifacting decrease directly); it tied directly to the prework and (imo) was particularly satisfying to do the exact same backpropagation on the input while keeping the model fixed.
  - More detail: please see Shiau Huei’s writeup of Day 5.
- Day 6: Guest lecture on exfiltrating model weights; attacks on the infrastructure on which ML runs (containers, GPUs, datacentres) and securing those environments.
- Day 7: “Next steps”. Guest lecture on the areas of most opportunity and putting together an action plan for what we’ll do next.
  - I still had the eval project I’d planned at the end of my BlueDot course, so I refined that for a post-Mythos era (not least because it turns out someone else had done a very similar project to what I’d initially planned!)
  - The guest lecture on this day was truly exceptional: highlighting specific areas for impact, signposting to resources, and exploring the gaps between existing work and what we’re likely to need. A surprising takeaway for me was an overview of safety-critical areas where the private sector is well-placed to tackle them!
  - This guest lecture, on its own, I believe would make the bootcamp worthwhile for people looking to pivot into the area.
Advice to future attendees
- Really take advantage of the social aspect rather than trying to get detailed posts out as I did! The curriculum is content-dense – going from existing security background to cutting edge work in AI Safety over the course of the week (building on the foundations covered in the prework) – but you can consolidate that knowledge just as easily together as doing it alone, and the opportunity cost of writing up while in an unfamiliar place at the same time as so much other talent is huge. You can always refer back to your rough notes later (as I am now writing this post), but you can’t go back and explore a tourist site later.
- Make the most of the guest lectures: they went far beyond the surface into details you’d struggle to get in the public domain otherwise (presenting cutting edge research tailored to the audience of security professionals who don’t necessarily have ML background; presenting topics that you might see in conference talks in a more interactive venue tailored to the audience). They also provided plenty of opportunity for questions to dig deeper. The room was, as expected of cybersecurity practitioners, productively adversarial: really challenging speakers, asking questions at the edge of understanding. My own knowledge developed a lot as a result. These were the most valuable parts of the week for pure knowledge gained, with particular highlights being the Zero-Knowledge Proof talk on day 2, and Impact Areas talk on day 7.
- The exercises were largely – for the reasons outlined previously – more of a starting point than the focus of the course. I’d recommend exploring in detail the parts that you see value in, but if you hit a wall – for example, the exercise testing a corner-case detail rather than the core of the content – I wouldn’t take any shame in looking at the prewritten answers rather than doing the tedious work yourself. I personally spent too much time trying to tidy things up to use best practice (transferring to .ipynb notebooks, leaning more on libraries than our own code) which refined my actual execution, but meant I didn’t cover as much of the content compared to other attendees who were themselves using Claude to fill in the gaps but getting to cover a greater breadth of content.
- Please do spend your time on the feedback forms: they’re both the main mechanism you have to influence the direction of the course, and an opportunity for you to reflect and consolidate on the day’s knowledge. The organisers clearly cared a lot about how the week was going, and were responsive to feedback across the week: I happened to walk past their debrief meetings a couple of times and the care that went into it was palpable. The dodgy AI-generated exercises do not undermine the many positive aspects of the week.
Summary
Overall, I feel like I got good value out of the week: I don’t regret having spent 6 days of annual leave on it. Ultimately, I learned useful content, got hands on with ML libraries I might not have done otherwise, and met some really talented people I hope to stay in contact with for the foreseeable future – and I couldn’t’ve asked for any more than that.
If, after reading all of the above, you’re interested in the same experience: I do encourage you to apply for the Vegas iteration of AISB before the deadline on June 21st.
And as in my previous posts: if you’d like to discuss any part of AISB in more detail (broader questions on vibe, more specifics on content…), please reach out and let me know! I took ~75k words of detailed notes across the week: I can’t circulate them verbatim due to the Chatham House Rule, but I’d be very happy if you reached out to discuss, and I can write those insights up afterwards.