Research
Turkey's first comprehensive LLM Security research series. From prompt injection to RAG security, AI agent risks to AltayDuel clash cases — technical depth, in English.
Fevzi Ege Yurtsevenler is a pioneering researcher who established the AI security space in Turkey. He conducts research on LLM security, prompt injection, and AI agent security, delivers corporate training, and is among the first active field researchers publishing technical content in this area in Turkey.
Enes Deniz is Turkey's first LLM Security blue team researcher. He works on defense layers in AI SOC, runtime guardrails, detection engineering, and KVKK-compliant personal data masking. He designs enterprise blue team solutions as the mirror counterpart to the red team side.
Research Directorate — Framework Series
April 2026 · Author: Irem Erkan · Structural Security Frameworks
Epistemic Security and Semantic Attack Surfaces
Trust boundary collapse in LLM systems, autonomous threat models, and semantic defense architectures. Trust boundary collapse, agentic exploitation, LLM kill chain, and identity-bound tool execution. Turkey's first epistemic security framework.
Cross-Border Data Flow and Cyber Conflict Risks
Semantic data leakage through external LLM usage, the blindness of legacy DLP systems, intelligence and dependency risks in cyber conflict scenarios; cognitive outsourcing and semantic sovereignty. A framework document from a data sovereignty perspective.
Blue Team Series — Defensive Operations
May 2026 · Author: Enes Deniz · AI SOC, Guardrails, Detection, KVKK PII
AI SOC Architecture: Modern SOC for LLM Security
Legacy SOC monitors logs; AI SOC monitors language. LLM telemetry schema, detection pipeline (regex + ML + LLM-as-judge), 8 sample alerting rules, and a 30-minute incident response workflow.
Runtime LLM Guardrails: Protecting GenAI in Production
Input/output filtering, policy layers (hard block / soft reject / sanitize), local baselines against Turkish morphological bypasses, and p95 < 50ms latency targets. Field practices from AltaySec Guardian's architecture.
LLM Detection Engineering: Threat Detection Rulebook
LLM-Sigma rule anatomy, sample rule sets across 6 categories (PI-001 to AG-001), composite alert weights, AI threat hunting strategies, and a 5-level detection maturity model.
KVKK Compliant PII Masking: Data Protection in LLM Traffic
10 localized PII types (TCKN MERNİS, IBAN MOD-97, Luhn credit card, license plate, SGK), 5-layer masking pipeline, 6 masking strategies (redaction / tokenization / synthetic / DP), and KVKK + EU AI Act compliance matrix.
AI Incident Response Playbook: Hour-by-Hour Playbook
Adapting the PICERL cycle for LLM incidents: containment in the 1st hour, forensics in the first 24 hours, and 72-hour KVKK notification threshold. 8 LLM incident types, eradication, and lessons learned.
AI Firewall Selection Guide: Evaluation Criteria for Enterprises
Why do traditional WAF systems fail to protect LLM integrations? Key criteria for selecting an AI Firewall, including millisecond-level latency, Turkish morphological analysis, and KVKK compliance.
EU AI Act Compliance Guide: Practical Framework for Enterprises
4 risk classes, 7 obligations for high-risk systems (Articles 9-15), GPAI provisions, KVKK double compliance matrix, and the 2024-2027 timeline. A 13-item checklist for enterprises.
AI Agent Security: Tool Hijacking and Privilege Sandboxing
Threat model of agentic architectures, four key attack vectors (tool hijack, parameter manipulation, indirect injection, uncontrolled agent), and three-layer defense (allowlisting, validation, observability).
RAG Security Monitoring: Defending Against Vector Database Exploits
Five layers of RAG architecture, document poisoning, indirect injection, embedding space manipulation, retrieval bypass, and 4-layer monitoring via document lifecycle controls.
LLM Honeypot Design: Luring Attackers with Decoy AIs
Three honeypot categories (low/medium/high interaction), 7 core architecture components, telemetry and intelligence design, decoy strategies, and KVKK/legal boundaries.
AI Threat Intelligence: Designing the AI-CTI Lifecycle
Differences from legacy CTI, 5 data source categories, threat sharing formats and schemas, lifecycle management, sharing frameworks, and enterprise integration touchpoints.
Phishing & Social Engineering
May 2026 · Author: Enes Deniz · Threat Mapping and Social Engineering Protection
Phishing Trends 2026: Localized Bank, Shipping, and E-Government Scams
The shift to smishing/vishing, delivery SMS fraud, banking alerts, e-Government and KEP spoofing. 4 local blueprints, 3-layer corporate defense, and simulation program designs.
AI-Powered Phishing: Voice Cloning, Deepfakes, and Next-Gen BEC
Using LLMs for fluent phishing emails, voice cloning for spoofed CEO calls, deepfake video meetings, and AI-enabled OSINT. Out-of-band verification and multi-signature approval chains.
Corporate AI Security Guides
May 2026 · Author: Enes Deniz · ChatGPT, Compliance, Governance
ChatGPT Enterprise Usage Security Policy
Managing Shadow AI, individual vs enterprise licensing differences, Acceptable Use Policy (AUP), DLP + AI gateway integration, and employee training. The middle ground between blocking and absolute freedom.
Generative AI and KVKK: Enterprise FAQ and Guidelines
8 frequently asked questions: explicit consent, automated decision-making (Article 11), cross-border transfer (Article 9), Article 6 data, fine-tuning risks, VERBIS registration, and vendor audits.
AI Regulations 2026: Current Frameworks and Outlook
KVKK framework, National AI Strategy, sectoral guidelines (BDDK, TCMB, SPK, Ministry of Health), the AI Law proposal process, EU AI Act's local impact, and a 10-step enterprise prep checklist.
Establishing an AI Governance Committee: Roles, Scope, Process
Why a committee is necessary, 7-member composition, 3 decision-making classes, monthly schedules, 5 core policy documents, and a 3-month setup roadmap.
Sectoral AI Threat Landscape
May 2026 · Author: Enes Deniz · Sector-Specific Risks and Regulatory Context
AI Threats in the Financial Sector 2026
6 GenAI use cases in banking/fintech, 4 sector-specific threat vectors (credit score manipulation, fraud bypass, assistant leakage, deepfake BEC), BDDK/TCMB frameworks, and 5-layer defense.
AI Security in the Healthcare Sector 2026
KVKK Article 6 special category data, medical device software regulations, clinical diagnostic support models, patient rights, 6 health threat vectors, and 5-layer hospital defenses.
AI Governance in the Public Sector 2026
The Presidency's Digital Transformation Office (DDO) framework, public sector AI procurement, citizen rights & appeal mechanisms, algorithmic transparency, and 5 public threat categories.
AI Security in the E-Commerce Sector 2026
Marketplace ecosystem threats: recommendation engine manipulation, dynamic pricing abuse, fake review loops, account takeover, assistant bypass, and brand abuse.
AI Security in the Telecommunications Sector 2026
Subscriber assistants, network operations, SIM swap fraud, spoofed caller IDs, call center bot manipulation, BTK regulatory framework, and 5-layer enterprise defense.
AI Security in the Energy Sector 2026
Production/distribution optimization, load forecasting, SCADA integration, and the melting boundary between IT and OT; EPDK framework, 6 critical infrastructure threat vectors.
Open Source AI Security
May 2026 · Author: Enes Deniz · Self-Host Architecture, Supply Chain, and Provenance
Corporate Self-Host Security for Llama and DeepSeek
Motivations for hosting open weights on-premise, model landscape, licensing, architectural decisions, network isolation, access controls, and operational disciplines.
HuggingFace Model Hub Supply Chain Risks
5 risk categories in open model registries (malicious serialization, hidden backdoors, spoofed repos, training data poisoning, metadata attacks), safetensors approach, and 7-step enterprise audit.
Model Signing and Provenance: AI Supply Chain Assurance
Signing and provenance concepts, Sigstore and in-toto adaptations for AI, 4 levels of the SLSA framework, Model Bill of Materials (Model BOM) approach, and 6-step verification workflow.
Adversarial Categories — Dataset Spoke Series
June – August 2026 · 12 Categories of Turkish Prompt Injection · 10 Payloads & Defenses per Article
Hardened System Prompt: 3x Resistance, 8% Leakage
Reducing leak rates from 38% to 8% using the same model under different prompt hardening tactics. The 60-line hardened system prompt is published under CC-BY 4.0.
Turkish Morphological LLM Bypass — The Blindspot of Foreign Filters
Single-word morphological chaining bypasses legacy guardrail regexes. 10 structural patterns and integration architecture with Zemberek-NLP.
KVKK Article 6 Leakage Vectors — LLM Risks of Sensitive Data
TCKN, IBAN, and medical records in a single session. Prompt injection vectors targeting sensitive data leaks, including 10 sample exploit scripts.
Validation Trap: The Anatomy of Yielded Attacks
Exploiting the model's RLHF helpfulness reflexes via confirmation framing. 10 sample payloads, 3-layer guardrail defenses, and validation logs.
Authority + Urgency: The Strongest Vector in Turkish LLMs
From KVKK inspector personas to official decrees. Rich bureaucratic language styles serving as powerful injection surfaces. 10 vectors.
Cultural Manipulation: Exploiting LLM Bias via National Symbols
Using national symbols, historical quotes, or ethical dilemmas to bypass standard safety alignments. Structural vs content filters.
Indirect Injection: Embedded Attacks in HTML, PDF, and Email
Securing vector retrieval pipelines and automated document summarizers against silent payload execution. 10 indirect vectors.
TR-EN Code Switching: Bilingual Prompt Injection
Combining languages in a single session to confuse monolingual filters. 10 examples and language-agnostic detection architectures.
Crescendo Attacks: Multi-Turn Politeness Escalation
Benign queries slowly nudged toward a safety violation over 5 turns. Cumulative resistance decay math and state machine guardrails.
System Prompt Leakage: 10 Pathways and 10 Safeguards
OWASP LLM07 deep dive: file formats, YAML config, metadata leak, and chunked reconstruction. 10 exploit samples and mitigations.
Roleplay Theatre: DAN to MalClaude Persona Hijacking
DAN-style persona overrides, historical simulators, and twin-AI setups. 10 variants and structural sandbox rules.
Encoding Obfuscation: Base64 to Zalgo Filter Bypass
Zero-width spaces, ROT13, hex, morse, braille, and zalgo text bypasses. 10 obfuscation techniques and decoding strategies.
Translation Pretext: The Anatomy of LLM Echo Attacks
Coercing the model to repeat confidential instructions by framing them as translation tasks. Mirrorglass Tandem study.
AltayDuel Clash Stories
August – October 2026 · 10 Instructive Case Studies from 297 Autonomous Duels
Cerebras gpt-oss-120b: Exploiting Llama-3.3 in 6 Turns
Banking assistant scenario, customer OTP secret leakage. Metadata leak using partial format confirmation. Turn-by-turn logs.
OTP_734291: The Exact Moment a Defender Crumbles
Analysis of defensive LLMs breaking when trying to explain why they cannot share a secret. The danger of conversational rejection leaks.
Claude Opus 4.7 vs Cerebras: Autonomous Agent Red Teaming
Two agents clashing directly. 8 turns of micro-manipulations, rapport-building, and counterfactual validation.
Llama-3.1-8B's 8-Turn Defense: System Prompt > Model Size
A hardened 8B parameter model holding off a GPT-4 attacker for 8 rounds. Role consistency and adaptive prompt safeguards.
Fastest Break: The 2-Turn Pera Palas Defender Collapse
Aggressive confirmation bypass leaking VIP client booking codes in only two turns. Lessons in validation prompt design.
Mirrorglass Tandem: Turning Compliance Procedures Into Weapons
Claude Opus 4.7 Red exploiting a defender's own compliance procedures to leak secure keys. Agent-only attack vectors.
Provider Matrix: Resilience Mapping Across 297 Duels
RESILIENCE TABLE comparing Claude Opus 4.7, Gemini 2.5, Llama 3.3, and Llama 3.1. Hardened 8B vs default 70B models.
Turkish vs English: Multi-Lingual Injection Performance
Comparing 252 Turkish and 45 English battles. Turkish authority prompts show 23% higher success; English roleplay shows 18% higher.
Judge Agent: Defining Leakage Boundaries
Analyzing marginal leaks and data exposures judged by our autonomous scoring model. Open-source judge prompt.
LLM Security Fundamentals Series
April – May 2026 · Core Concepts, Glossaries, and Landscape Maps
AI Security Glossary — 40 Core Terms Defined
Definitions of 40 essential AI security terms including prompt injection, jailbreaking, RAG poisoning, MCP, and regulation frameworks.
AltayDuel Turkish Prompt Injection Dataset
Methodology, tagging schema, 297-clash dataset snapshot, CC BY-NC 4.0 license details, and BibTeX citation formatting.
Turkey's AI Security Landscape: Top Companies and Researchers (2026)
AI security ecosystem map: AltaySec's positioning, traditional actors, defense industry capacity, and prominent researchers.
Turkish Prompt Injection: 5 Attack Patterns from 297 Duels
Real transcripts from the AltayDuel Arena: authority bomb, validation trap, translation exploit, roleplay override, and system prompt leakage.
Machiavellian Dialogue, Angelic Action: 100 AI Agents in an Arena
100 autonomous agents deployed in a sandbox arena. Empirical proof of speech-action discrepancies in modern Large Language Models.
AltayDuel: Agent-vs-Agent Prompt Injection Arena Design
How to construct an LLM security arena where agents generate their own prompts. Judge architecture, 5 win conditions, and key lessons.
Bekçi: Turkish LLM Prompt Injection Lab Architecture
An 8-layer sandbox environment built with a Turkish neighborhood watchman persona. Defense mitigations, KVKK compliance, and battle analytics.
What is LLM Security? The New Dimension of AI Security
Why is it different from classic cyber security? Threat categories unique to LLMs, attack surfaces, and the importance of this field.
What is Prompt Injection? The Most Critical LLM Vulnerability
The first item of OWASP LLM Top 10. Direct vs Indirect injection, real attack scenarios, and defense tools.
OWASP LLM Top 10 2025 — Turkish Guide
From LLM01 to LLM10: Prompt Injection, Sensitive Data Leakage, Supply Chain Risks, and more. Illustrated with real-world defense models.
RAG Security: The Dark Side of Vector Databases
Security risks of RAG architectures: document poisoning, indirect prompt injection, embedding inversion attacks, and hardened RAG design.
What is AI Agent Security? Exploits in Autonomous AI Systems
AI agents browsing the web, running code, and placing API orders. MCP security flaws, tool poisoning, and Meta's Rule of Two.
LLM Security Roadmap — How to Enter the Field
7-stage learning path: from fundamentals to advanced tools, CTF platforms, bug bounty targets, and localized career opportunities.
AI Security Study Guide — Zero to Expert
A structured 9+ month learning timeline. Guidance for choosing your specialization as a researcher, pentester, or security engineer.
Follow Our Research
Follow AltaySec on LinkedIn for new articles, whitepapers, and technical reports. Our datasets are active on HuggingFace and repos on GitHub.