Skip to content
All articles
June 30, 2026 10 min read

How Large Language Models Actually Work — A Security Professional's Primer

By Chris Rees

Large language models can feel like magic — and magic is impossible to secure. This is a working security professional's mental model of how LLMs really work: enough detail to reason about how they break, no math required. It's also the exact foundation CompTIA SecAI+ Domain 1 expects you to have.

First, where do LLMs sit?

People use "AI," "machine learning," and "LLM" interchangeably, but they're nested ideas. Getting the hierarchy straight is the first thing the exam checks — and it makes every later attack easier to place.

Nested hierarchy showing artificial intelligence containing machine learning, containing deep learning, containing large language models Artificial Intelligence — any system that mimics human reasoning Machine Learning — learns patterns from data Deep Learning — many-layered neural networks Large Language Models (transformers) GPT, Claude, Llama — the systems SecAI+ focuses on
Every LLM is a deep-learning model, every deep-learning model is machine learning, and all of it is AI — but not the other way around.

An LLM is a specific kind of deep-learning model built on an architecture called the transformer. That one architecture is behind nearly every model you've heard of, which is why understanding it generalizes so well.

Everything is tokens

An LLM never sees words the way you do. The first thing it does is tokenize: chop text into small pieces (a token is roughly ¾ of a word) and convert each into a number. Those numbers become embeddings — long lists of values that place each token in a "meaning space," where related concepts sit near each other.

From there, the model does exactly one thing, over and over: predict the next token. Given everything so far, what token is most likely to come next? Append it, then repeat. A paragraph of fluent text is just that loop run hundreds of times.

Why this matters for security: to the model, your trusted system instructions and a random sentence pasted from a malicious web page are the same kind of thing — tokens. The model has no built-in notion of "this part is a command I must obey" versus "this part is untrusted data." That single fact is the root of prompt injection.

Attention: how the model decides what matters

The transformer's key trick is self-attention. As it processes each token, the model weighs how much every other token should influence it. In "the trophy didn't fit in the suitcase because it was too big," attention is what lets the model connect "it" to "trophy" rather than "suitcase."

You don't need the linear algebra for the exam. You need the intuition: attention is the mechanism that lets a model use context — and context is attacker-reachable. If an attacker controls part of the context (a document you asked the model to summarize), they're influencing the same machinery your legitimate instructions use.

Training vs. inference: two very different phases

This is the distinction that organizes almost all of AI security. A model has two lives, and they're attacked in completely different ways.

Two phases: training, which produces model weights from a large corpus, and inference, which produces a response from a prompt TRAINING — happens once, extremely expensive Massive text corpus Learning (adjusts weights) Trained model (frozen weights) INFERENCE — happens on every single request Prompt + any retrieved data Model runs (weights unchanged) Generated response
Training builds the model's "knowledge" once. Inference uses that frozen model to answer each request. Different phase, different attacks.

Training is where the model learns. It ingests an enormous corpus and slowly adjusts billions of internal weights until it predicts text well. This is rare, costly, and — crucially — it's where the model's behavior is baked in. Tamper with the training data and you tamper with the model itself. That's the home of data poisoning and backdoor attacks.

Inference is every time you actually use the model. The weights are frozen; the model just runs the prediction loop on your input. Nothing it sees here changes what it "knows." This is the home of prompt injection, jailbreaks, and sensitive-information disclosure — attacks that manipulate the input rather than the model.

Putting it together: the security view

Once the mental model clicks, the whole SecAI+ threat landscape lines up neatly:

Phase What an attacker controls Representative attacks
Training The data the model learns from Data poisoning, backdoors, model theft
Inference The input the model reads Prompt injection, jailbreaks, data leakage

The single most important takeaway is the one that trips up newcomers: the model cannot reliably separate instructions from data. Everything is tokens, attention blends them together, and a frozen model has no privilege boundary inside its context window. Defenses don't come from asking the model nicely — they come from controlling what reaches it and constraining what it can do.

Key takeaways

  • AI ⊃ ML ⊃ deep learning ⊃ LLMs. Every LLM is a transformer-based deep-learning model.
  • Everything is tokens. Text becomes numbers; the model just predicts the next token, over and over.
  • Self-attention lets the model use context — and context is often attacker-reachable.
  • Training vs. inference is the master distinction: poisoning attacks training, prompt injection attacks inference.
  • There is no built-in instruction/data boundary. That's why secure design controls inputs and limits actions instead of trusting the model.

This is the ground floor of CompTIA SecAI+. Our SecAI+ Domain 1 study guide walks all 18 topics — tokenization, transformers, the training lifecycle, and the attack surfaces above — with exam-style questions and a downloadable PDF.

Share this article

Ready to study?

Get the interactive SecAI+ Domain 1 guide — practice questions and a PDF.

Browse study guides