S6: Security
Members only — Requires Practitioner credential. ~60 minutes with Addie. Combines hands-on lab and adaptive exam.
This module covers AdCP-specific controls — the threat model, layered defenses, and operational response patterns specific to agentic advertising systems. It is not a replacement for a general security program. Certified specialists can reason about how AdCP’s controls compose; for OWASP Top 10 or general security engineering, see your organization’s security training.
Specialisms this track prepares you to validate
The followingspecialisms fall under the security domain. Each has its own compliance storyboard — see the Compliance Catalog for the full taxonomy.
| Specialism | Status | What it covers |
|---|---|---|
security | stable | Authentication baseline — unauth rejection, static-credential enforcement, OAuth discovery + RFC 9728 audience binding |
signed-requests | stable | RFC 9421 transport-layer request-signing verification |
What you’ll demonstrate
- Explain the agentic advertising threat model: credential theft, replay attacks, cross-tenant data leakage, SSRF on outbound fetches, spoofed agent identity, unauthorized governance token use, and audit log tampering
- Walk through AdCP’s five-layer defense model — identity, isolation, idempotency, signed governance, auditability — and name the specific attack each layer closes
- Mint an idempotency key and produce the three observable outcomes against a sandbox — successful first call, idempotent replay (
replayed: true, unchanged resource), and conflict on payload change — and reason about the fourth: TTL expiry (the sandbox replay window is 24h, so expiry is reasoned about rather than observed in a session) and what a missing key removes from the seller’s safety guarantees - Obtain and decode a signed governance token, then use the sandbox verifier to watch the checklist accept a valid token and reject a tampered one (signature), a misaddressed one (
aud/ confused-deputy), and one signed under a revoked key — explaining the attack each failing step closes and why revocation is checked before expiry - Specify the 6-point SSRF check on an outbound fetch (HTTPS-only enforcement, reserved-IP deny list including cloud metadata endpoints, IP-pin validation, redirect suppression, size and timeout caps, and suppressed error detail) and demonstrate the agent refusing a metadata-IP webhook target
- Design an operational runbook covering credential compromise, webhook secret rotation, governance key revocation, and cross-party incident communication
- Given an incident description, identify which defense layer failed and what specific control to harden
S4 (Governance) covers the 15-step JWS seller verification from the seller’s perspective — how a seller validates a governance token issued by a buyer’s governance agent. S6 covers it from the security operator’s perspective — verifying your own token issuance implementation is correct and reasoning about what each step closes. Overlap is intentional; the framing is different.
Prerequisite reading
Security model
AdCP’s five-layer defense model: identity, isolation, idempotency, signed governance, and auditability.
Security implementation
Implementation reference: idempotency enforcement, webhook HMAC verification, SSRF discipline, signed governance, principal isolation, and insert-rate ceiling.
Campaign governance specification
Governance token structure, the JWS verification model, and the correlation model for multi-party lifecycle tracking.
Operating an agent
Security as an operating concern: credential management, rotation cadences, and incident response.
Accounts and security
Principal isolation, account-scoped access, and multi-tenant separation.
Authentication
static-credential enforcement, OAuth discovery, RFC 9728 audience binding, and the authentication baseline specialism.
Connecting to the test agent
Lab exercises run against the public test agent. Use the shared token — no signup required:Lab exercises
- Threat model walkthrough — Map each threat (credential theft, replay, cross-tenant leakage, SSRF, spoofed identity, unauthorized governance, audit tampering) to the specific AdCP control that closes it. Explain why no single layer is sufficient alone.
- Idempotency lifecycle — Using one idempotency key on a mutating call (e.g.
create_property_list): (a) first call — observe success; (b) identical replay — observereplayed: truewith an unchanged resource id, confirming no new side effect; (c) same key, different payload — observe theIDEMPOTENCY_CONFLICTerror. Then reason about the fourth outcome — expiry after the replay window lapses (24h, so not reproducible in a session) — and explain what a missing idempotency key means for the seller’s at-most-once safety guarantee. - Governance token verification — Obtain a signed governance token from the sandbox governance agent (
sync_plans, then an intent-phasecheck_governance) and decode its header (alg,typ,kid) and claims (aud,sub,phase,jti,exp). Then run the sandbox verifier (comply_test_controllerscenarioverify_governance_token) and watch the JWS checklist accept and reject tokens: a valid token passes every step; a tampered claim fails at the signature step (governance_token_invalid); a token bound to a different seller fails theaudbyte-match (governance_token_not_applicable— confused deputy, viamode: wrong_aud_demo); and a token signed under a revoked key fails the revocation step (governance_token_revoked, viamode: revoked_demo). For each, explain the attack the failing step closes — and note that revocation is checked before expiry, so a revoked token is rejected even if it has also lapsed. (jtiseen-before dedup — distinct fromaud— is the step that stops replay of the same token.) - SSRF defense — Register a webhook
notification_configviasync_accountswhose URL targets the cloud-metadata address (https://169.254.169.254/latest/meta-data/); observe that the agent refuses it synchronously with aVALIDATION_ERRORonnotification_configs[].url, and contrast with an accepted public host. Specify the 6-point SSRF check and explain what each point closes — the reserved-IP/metadata deny list, IP-pin-at-connect (DNS rebinding), redirect suppression, and suppressed error detail. - Principal isolation — Scope a read to a different account than the one that created a resource and interpret the result correctly: distinguish an account-scoped not-found from an authorization denial. Explain the separation model — account-scoped access — and what would break (cross-tenant read/write on a leaked token) if account-scoped tokens were not enforced.
- Incident runbook design — Given a credential compromise scenario (API key leaked in a public repo), design the response: which keys to rotate and in what order, how to notify counterparties, what audit events to review, and how to verify the compromise window.
- Defense layer diagnosis — Given three incident descriptions (replay attack succeeded, cross-tenant data returned, governance token accepted after key revocation), identify which layer failed in each case and what specific control to harden.
Assessment
| Dimension | Weight | What Addie evaluates |
|---|---|---|
| Threat model fluency | 20% | Can you name an attack and the specific layer that closes it? |
| Hands-on idempotency | 20% | Can you produce the observable idempotency outcomes (success, replay, conflict) on demand and reason about expiry and a missing key? |
| Governance verification | 25% | Can you walk the 15-step checklist and explain what each step prevents? |
| SSRF discipline | 15% | Can you specify the 6-point check and demonstrate the agent refusing a metadata-IP webhook target? |
| Operational design | 20% | Can you design a runbook for credential compromise, including rotation order and cross-party communication? |