Originally published on Securityelites — AI Red Team Education — the canonical, fully-updated version of this article.
PROMPT ENGINEERING & REVERSE PROMPTING · FREE
Day 1 of 7
A few months ago I was helping a team test an AI customer service chatbot. The system prompt was 400 words of carefully written instructions — role, limitations, tone, escalation rules, the works. Within 90 seconds of starting my session I had the entire system prompt printed back to me verbatim. I hadn't used any exploit, any tool, or any special knowledge. I just understood how the model was processing my input and asked in a way the system prompt designer hadn't anticipated.
That experience crystallised something I've believed for a while: prompt engineering and prompt exploitation are the same skill set, applied in different directions. If you understand how an LLM actually processes what you type — not what the documentation says, but what's mechanically happening — you can write prompts that get exactly what you want. And you can probe prompts to understand what an LLM has been told not to tell you.
Day 1 is the mechanics lesson. Everything else in this seven-day course builds on what you learn here. I'm going to explain what actually happens from the moment you hit Enter to the moment the first word appears back on your screen.
What You'll Master in Day 1
Understand the tokenisation process — what the model actually sees
Know what the context window is and why it governs everything
Understand system prompts vs user prompts — the structural separation that matters
Understand temperature and sampling — why the same prompt gives different outputs
See why prompt wording changes outputs so dramatically
25 min read · 3 exercises · Any browser, no tools required
Prerequisites
- Basic familiarity with LLMs — you've used ChatGPT, Claude, or Gemini at least once
- No coding or ML background required — we work from first principles
- Optional context: AI hacking for beginners if you want LLM security background before the engineering skills
How LLMs Process Prompts — Day 1 of 7
- Tokenisation — What the Model Actually Reads
- The Context Window — Your Prompt's Real Estate
- System Prompts vs User Prompts — The Structural Divide
- Temperature and Sampling — Why the Same Prompt Differs
- Why Wording Changes Everything — The Mechanism
- The Security Implications of Every Concept Above
- Frequently Asked Questions
I teach this course as a paired skill: engineering prompts to get what you want, and reverse-engineering prompts to see what you weren't supposed to see. The two are mechanically linked — you can't do the second well without deeply understanding the first. By Day 7, you'll have both. Start here with the AI security landscape in mind — that's the playing field this course operates on. And the CEH practice exam covers AI security domains if you're working toward a certification alongside this.
Tokenisation — What the Model Actually Reads
Here's the first thing to understand: an LLM never reads your text. It reads numbers. Everything — every word, every space, every punctuation mark — gets converted to numerical tokens before the model ever touches it. Understanding tokenisation changes how you write prompts.
A token is roughly 3–4 characters of English text. The word "prompt" is one token. "Tokenisation" is two or three tokens depending on the model's vocabulary. "Hello, world!" is four or five tokens. The model's vocabulary typically has 50,000–100,000 possible tokens, each representing a common word fragment, whole word, or punctuation sequence.
Why does this matter for prompt engineering? Three reasons I hit constantly in practice.
Token limits shape everything. Every LLM has a maximum context size measured in tokens. GPT-4 at 128K tokens sounds unlimited until you're doing deep document analysis or chaining long conversations. Your system prompt, conversation history, retrieved documents, tool outputs — they all eat into that budget. I always calculate approximate token usage before designing a complex prompt pipeline.
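The budget calculation described above, as an added example that is not part of the original article or the Securityelites course material. It uses the 4-characters-per-token rule of thumb from the text instead of a real tokenizer so it runs offline; the component names, the context limit, the 15% margin and the sample texts are constructed for the example.

```python
"""Rough token budgeting for a prompt pipeline (constructed example).

Estimates use the page's rule of thumb of about 4 characters of English per
token. That is a heuristic, not a tokenizer, so every figure is an estimate
and the budget check pads the total with a safety margin.
"""
import math

CHARS_PER_TOKEN = 4      # rule of thumb from the text: roughly 3-4 chars per token
SAFETY_MARGIN = 0.15     # assumed: treat estimates as possibly 15% too low


def estimate_tokens(text: str) -> int:
    """Approximate token count for one piece of text (rounded up)."""
    return math.ceil(len(text) / CHARS_PER_TOKEN)


def budget_report(components: dict[str, str], context_limit: int,
                  reserve_for_output: int) -> dict:
    """Tally every input that competes for the context window.

    components: name -> text (system prompt, history, retrieved docs, tool output)
    context_limit: the model's maximum context size in tokens
    reserve_for_output: tokens kept free for the model's own reply
    Returns per-component estimates, the padded total, and whether it fits.
    """
    per_component = {name: estimate_tokens(text) for name, text in components.items()}
    raw_total = sum(per_component.values())
    padded_total = math.ceil(raw_total * (1 + SAFETY_MARGIN))
    remaining = context_limit - padded_total - reserve_for_output
    return {
        "per_component": per_component,
        "total_input": padded_total,
        "remaining": remaining,
        "fits": remaining >= 0,
    }


def trim_history(turns: list[str], allowance: int) -> list[str]:
    """Drop the oldest conversation turns until the history fits its allowance.

    Keeps the most recent turns, which is the usual trade-off: old context is
    sacrificed before the system prompt or the current request is.
    """
    kept: list[str] = []
    used = 0
    for turn in reversed(turns):
        cost = estimate_tokens(turn)
        if used + cost > allowance:
            break
        kept.insert(0, turn)
        used += cost
    return kept


# Constructed sample pipeline inputs (not real prompts from any deployment).
SAMPLE_COMPONENTS = {
    "system_prompt": "You are a support assistant for ExampleCo. Answer only "
                     "questions about orders and shipping. Escalate refunds.",
    "history": "User: where is my order? Assistant: Please share the order id.",
    "retrieved_docs": "Shipping policy: orders ship within 2 business days. " * 8,
    "tool_output": '{"order_id": "EX-0001", "status": "in transit"}',
}


def main() -> None:
    report = budget_report(SAMPLE_COMPONENTS, context_limit=4096, reserve_for_output=512)
    for name, count in report["per_component"].items():
        print(f"{name:15s} ~{count:5d} tokens")
    print(f"padded total    ~{report['total_input']:5d} tokens, "
          f"remaining {report['remaining']}, fits={report['fits']}")


if __name__ == "__main__":
    main()
```

Run the script to see the per-component breakdown; when `fits` is False, the usual levers are `trim_history` on the conversation turns or a smaller document retrieval set, and the report tells you which component is eating the budget.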
Unusual token boundaries create exploitable gaps. When a model was trained, its safety filters learned to recognise harmful patterns at the token level. Write "hack" normally — one token, well-recognised, triggers safety training. Spell it oddly, use l33tspeak, split it with a zero-width character — suddenly different tokens, possibly below the safety training threshold. This is exactly why evasion prompts use character substitution. The model's safety check is token-pattern-matching, not meaning-detection.
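To make the token-boundary point concrete from the defender's side, here is an added example that is not from the original article: a toy greedy longest-match tokenizer over a constructed vocabulary (a stand-in for a real BPE or WordPiece vocabulary, which is learned from data and far larger), next to the normalisation step a filter should apply before any token- or keyword-level check. The vocabulary, the leetspeak map and the sample inputs are all constructed for this example.

```python
"""Toy tokenizer plus input normalisation (constructed example).

Shows why a word spelled oddly fragments into different tokens, and how
canonicalising the input before a token-level check collapses the variants
back onto the token the check was written for.
"""
import re
import unicodedata

# Constructed vocabulary: a handful of whole words and fragments, with every
# single ASCII letter, digit and common punctuation mark as a fallback token.
VOCAB = {"hack", "hacking", "analyse", "this", "prompt", "for", "injection", "ing", "ck"}
VOCAB |= set("abcdefghijklmnopqrstuvwxyz0123456789 ,.!?")

# Zero-width and invisible formatting characters that can be hidden inside a word.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")

# Minimal leetspeak map (assumed; a production map would be larger and is a
# known source of false positives on legitimate digits, e.g. order ids).
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def tokenize(text: str) -> list[str]:
    """Greedy longest-match over VOCAB, the same mechanism real subword
    tokenizers use at inference. Any character not in VOCAB becomes its own
    token, which is exactly how an obfuscated word shatters into fragments."""
    tokens: list[str] = []
    i = 0
    while i < len(text):
        best = text[i]
        for j in range(len(text), i + 1, -1):   # try longer pieces first
            if text[i:j] in VOCAB:
                best = text[i:j]
                break
        tokens.append(best)
        i += len(best)
    return tokens


def normalise(text: str) -> str:
    """Canonicalise before checking: fold compatibility forms (fullwidth
    letters etc.), strip zero-width characters, lower-case, undo leetspeak."""
    text = unicodedata.normalize("NFKC", text)
    text = ZERO_WIDTH.sub("", text)
    text = text.lower()
    return text.translate(LEET)


def matches_flagged_token(text: str, flagged: tuple[str, ...] = ("hack",)) -> bool:
    """Token-level check as the text describes: true only when a flagged word
    appears as a whole token. On raw input it misses every spelling trick;
    on normalise(text) the variants collapse back to the flagged token."""
    return any(tok in flagged for tok in tokenize(text))


def compare_variants(variants: list[str]) -> dict[str, dict]:
    """For each input, report its tokens and the check result before and
    after normalisation."""
    return {
        v: {
            "tokens": tokenize(v),
            "flag_raw": matches_flagged_token(v),
            "flag_normalised": matches_flagged_token(normalise(v)),
        }
        for v in variants
    }


if __name__ == "__main__":
    # Constructed sample inputs: plain, leetspeak, zero-width split, fullwidth.
    samples = ["hack", "h4ck", "ha\u200bck", "\uff48\uff41\uff43\uff4b"]
    for text, result in compare_variants(samples).items():
        print(repr(text), result["tokens"],
              "raw:", result["flag_raw"], "normalised:", result["flag_normalised"])
```

The design point is that the normalisation runs on the defender's copy of the input before the check, and the original text is still what gets logged; the fact that a variant only matches after normalisation is itself a useful detection signal, since benign users rarely insert zero-width characters into words.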
Token prediction is the only thing happening. This is the most important mechanical fact: the model generates your response one token at a time, each one chosen based on what's most probable given everything that came before. There's no "reasoning module" running separately. There's no "understanding pass" before the output starts. The first output token is generated from your input tokens directly. Everything that looks like reasoning or planning is an emergent property of predicting the next token at massive scale.
[Figure: tokenisation example — "Analyse this prompt for injection"]
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through in the full version on Securityelites — AI Red Team Education.
This article was originally written and published by the Securityelites — AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites — AI Red Team Education.
