Training data poisoning

Training data poisoning is an AI-based attack where an adversary deliberately feeds false or manipulated information into the data an AI model learns from, so the model produces inaccurate, biased, or attacker-controlled outputs. It maps to CED Topic 1.4, AI-Based Cybersecurity Attacks.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is training data poisoning?

Training data poisoning is exactly what it sounds like: an attacker slips bad ingredients into the data an AI model eats while learning. AI models, including large language models (LLMs), learn patterns from huge piles of data scraped from the internet. If an adversary plants enough false information where the model will pick it up, the model learns the lie as if it were truth and then repeats it to everyone who asks.

Think of it like spiking the textbook a student studies from. The student isn't broken, the source is. Under [AP Cybersecurity 1.4.A], this is one way adversaries use AI-powered tools to augment attacks. Instead of breaking into a system, they corrupt the knowledge the AI relies on, which can spread misinformation, damage a company's reputation, or push people toward bad decisions at scale.

Why training data poisoning matters in AP Cybersecurity

This term lives in Unit 1: Introduction to Security, under Topic 1.4 (AI-Based Cybersecurity Attacks). It supports [AP Cybersecurity 1.4.A], which asks you to explain how adversaries use AI-powered tools to augment cyberattacks, and it connects to [AP Cybersecurity 1.4.B] on defending against AI-augmented attacks. The big idea: AI introduces new attack surfaces, and the data a model trains on is one of them. Knowing this helps you explain why an AI tool can confidently give wrong answers without anyone hacking it in the traditional sense.


How training data poisoning connects across the course

Large Language Models and Generative AI Attacks (Unit 1)

LLMs learn from massive training datasets, which is exactly what poisoning targets. If you understand how an LLM generates text, you understand why feeding it false sources makes it generate false answers.

Prompt Injection (Unit 1)

Both attack the AI, but at different moments. Poisoning corrupts the model during training, while prompt injection tricks the model live, at the moment you type a request. Same target, different timing.

OSINT and Fake Websites (Unit 1)

Attackers often poison models by planting false claims across many fake websites, knowing crawlers will scoop that content into training data. The poison rides in through open, public sources.

DNS Poisoning and ARP Poisoning (Unit 1)

All three share the word 'poisoning' because they all corrupt a source of truth. DNS poisoning corrupts where a name points, ARP poisoning corrupts address mapping, and training data poisoning corrupts what an AI believes.

Is training data poisoning on the AP Cybersecurity exam?

Expect this in multiple-choice scenarios about AI-based attacks under Topic 1.4. A classic stem describes an adversary who wants an LLM to spread false information, so they create multiple fake websites with false claims and make sure the model's training process picks them up. You'd identify that as training data poisoning, not a network attack. Be ready to explain how it works (corrupt the learning data) and how it differs from attacks that hit a model at runtime like prompt injection. No released FRQ has used this term verbatim, but it fits the kind of AI-attack explanation 1.4 expects.

Training data poisoning vs prompt injection

Training data poisoning happens during training, corrupting what the model learns. Prompt injection happens at use time, tricking the already-trained model with a sneaky input. Poisoning changes the model's knowledge; injection hijacks a single conversation.

Key things to remember about training data poisoning

  • Training data poisoning means an adversary feeds false or manipulated data into an AI model's learning set so the model outputs wrong information.

  • It maps to Topic 1.4 and supports [AP Cybersecurity 1.4.A] on how adversaries use AI tools to augment attacks.

  • A common method is planting false claims across many fake websites so the model absorbs them as training data.

  • Poisoning corrupts the model during training, while prompt injection manipulates the model live during use.

  • The danger is scale: one poisoned model can repeat the lie to everyone who asks, spreading misinformation or damaging reputations.

Frequently asked questions about training data poisoning

What is training data poisoning in AP Cybersecurity?

It's an AI-based attack where an adversary deliberately feeds false or manipulated data into the dataset an AI model learns from, causing the model to produce inaccurate or attacker-controlled outputs. It falls under Topic 1.4, AI-Based Cybersecurity Attacks.

Is training data poisoning the same as hacking the AI system?

No. The attacker doesn't break into the system or steal credentials. They corrupt the data the model learns from, so the model itself becomes unreliable while running exactly as designed.

How is training data poisoning different from prompt injection?

Timing is the key difference. Poisoning corrupts the model during training so its knowledge is permanently skewed, while prompt injection manipulates an already-trained model in real time with a crafted input. Poisoning changes what the model knows; injection hijacks one response.

How does an attacker actually poison an AI model?

A common approach is creating multiple fake websites filled with false claims and making sure the content gets crawled into the model's training data. When the model later answers questions, it repeats those planted falsehoods as fact.
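To make the fake-websites mechanism concrete, here is an added example that is not part of the study guide or of any real model. A tiny multinomial naive Bayes review classifier stands in for "the model", a constructed list of (domain, text, label) records stands in for a crawled training set, and twenty copies of one false claim about a made-up "acme" router, each hosted on its own throwaway domain, stand in for the fake websites. All domain names, documents and labels, the `dedupe_near_duplicates` check and its 0.8 similarity threshold are assumptions chosen for illustration.

```python
"""Toy demonstration of training data poisoning and one corpus-hygiene defence.

Constructed example for study purposes. A naive Bayes classifier plays the role
of the AI model; the lists below play the role of data scraped from the web.
"""
from collections import Counter, defaultdict
import math

# Constructed "crawled" corpus: (source domain, document text, label).
CLEAN_CORPUS = [
    ("reviews.example",  "the acme router is reliable and fast",      "positive"),
    ("reviews.example",  "acme support was helpful and quick",       "positive"),
    ("techblog.example", "the acme firmware update fixed my issues", "positive"),
    ("reviews.example",  "solid build and great signal",             "positive"),
    ("forum.example",    "the cheapo router is unreliable and slow", "negative"),
    ("forum.example",    "cheapo support was rude and useless",      "negative"),
    ("techblog.example", "the cheapo firmware update broke my wifi", "negative"),
    ("forum.example",    "terrible signal and constant dropouts",    "negative"),
]

# Constructed poison: the same false claim copied onto twenty throwaway domains,
# so a crawler that trusts every domain equally ingests twenty "independent" documents.
POISON = [
    (f"fake-site-{i:02d}.example", "acme router is unreliable and useless", "negative")
    for i in range(20)
]


def tokenize(text):
    return text.lower().split()


def train(corpus):
    """Multinomial naive Bayes with add-one smoothing; every document counts once."""
    label_docs = Counter()
    word_counts = defaultdict(Counter)
    vocab = set()
    for _domain, text, label in corpus:
        label_docs[label] += 1
        for tok in tokenize(text):
            word_counts[label][tok] += 1
            vocab.add(tok)
    return label_docs, word_counts, vocab


def predict(model, text):
    """Return the label with the highest log posterior for `text`."""
    label_docs, word_counts, vocab = model
    total_docs = sum(label_docs.values())
    scores = {}
    for label, n_docs in label_docs.items():
        logp = math.log(n_docs / total_docs)
        denom = sum(word_counts[label].values()) + len(vocab)
        for tok in tokenize(text):
            logp += math.log((word_counts[label][tok] + 1) / denom)
        scores[label] = logp
    return max(scores, key=scores.get)


def shingles(text, n=2):
    """Word n-grams used to compare documents for near-duplication."""
    toks = tokenize(text)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def dedupe_near_duplicates(corpus, threshold=0.8):
    """Keep a document only if its bigram Jaccard similarity to every already-kept
    document is below `threshold`. Copy-pasted claims then count as one document
    no matter how many domains host them (a standard pre-training cleanup step)."""
    kept, kept_shingles = [], []
    for record in corpus:
        sh = shingles(record[1])
        duplicate = any(
            (sh | k) and len(sh & k) / len(sh | k) >= threshold for k in kept_shingles
        )
        if duplicate:
            continue
        kept.append(record)
        kept_shingles.append(sh)
    return kept


def run_demo(query="acme router is reliable"):
    """Train three models from the same crawl and return what each answers."""
    clean = train(CLEAN_CORPUS)
    poisoned = train(CLEAN_CORPUS + POISON)
    curated = train(dedupe_near_duplicates(CLEAN_CORPUS + POISON))
    return {
        "clean": predict(clean, query),           # positive
        "poisoned": predict(poisoned, query),     # negative: the planted claim outvotes real reviews
        "deduplicated": predict(curated, query),  # positive: twenty copies count once
    }


if __name__ == "__main__":
    for name, answer in run_demo().items():
        print(f"{name:>12}: {answer}")
```

Running the demo shows the study guide's point from both sides: the poisoned model answers "negative" for a query it previously got right, and nothing a user types at query time changes that, because the falsehood is baked into the learned word counts (which is what separates poisoning from prompt injection). Collapsing near-duplicate documents before training restores the correct answer here; real pipelines combine this kind of deduplication with source-reputation weighting, since an adversary who varies the wording across sites will slip past an exact-copy check.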

Why is training data poisoning dangerous?

Because it scales. A single poisoned model can spread the same false information to every user who asks, which can damage a company's reputation, mislead decisions, or amplify misinformation widely.
