AI Summary
This study addresses the limited effectiveness of generic secure coding examples, which often fail to connect with students' existing code and thus diminish learning outcomes. Grounded in constructivist theory, this work proposes the first approach to integrate large language model (LLM)-driven personalized vulnerability injection into secure programming education. Using a multi-agent framework, the method automatically injects Common Weakness Enumeration (CWE) vulnerabilities into students' assignment code to generate contextualized instructional materials, followed by automated assessment, prioritization, and learning outcome reporting. An empirical evaluation with 71 undergraduate students shows that students rated the personalized examples as more relevant, clearer, and more engaging than generic ones. Although the quantitative improvements did not reach statistical significance, the results demonstrate the feasibility and potential of personalized vulnerability injection and establish a foundation for future refinement.
Abstract
According to constructivist theory, students learn software security more effectively when examples are grounded in their own code. Generic examples often fail to connect with students' prior work, limiting engagement and understanding. Advances in LLMs are now making it possible to automatically generate personalized examples by embedding security vulnerabilities directly into student-authored code. This paper introduces a method that uses LLMs to inject instances of specific Common Weakness Enumerations (CWEs) into students' own assignment code, creating individualized instructional materials. We present an agentic AI framework, using autonomous LLM-based agents equipped with task-specific tools to orchestrate injection, evaluation, ranking, and learning outcome generation.
We report the experience of deploying this system in two undergraduate computer science courses (N=71), where students reviewed code samples containing LLM-injected vulnerabilities and completed a post-project survey. We compared responses with a baseline using a widely adopted set of generic security instructional materials. Students qualitatively reported finding CWE injections into their own code more relevant, clearer, and more engaging than the textbook-style examples. However, our quantitative findings revealed few statistically significant differences, suggesting that while students valued the personalization, further studies and refinement of the approach are needed to establish stronger empirical support.
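To make the injection-then-evaluation idea concrete, the following is an added illustration and not code from the paper or its framework. It assumes a student submitted a small, correctly parameterized user lookup (CWE-89 is chosen here as a representative weakness; the paper does not say which CWEs it injects), shows what an LLM-injected vulnerable variant of that same function could look like, and sketches the kind of automated check an "evaluation" step would need: confirming that the injected weakness is actually reachable with a concrete payload, so that the generated teaching example is not a dud. The function names, the in-memory table and the payload are all constructed for this example.

```python
import sqlite3


# Constructed example of a student's original (safe) assignment function:
# the query is parameterized, so user input cannot alter its structure.
def student_lookup_safe(conn, username):
    cur = conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    )
    return cur.fetchall()


# Hypothetical LLM-injected variant of the same function with CWE-89
# (SQL injection) introduced: the query is now built by string formatting,
# so a crafted username changes the WHERE clause.
def student_lookup_injected(conn, username):
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    cur = conn.execute(query)
    return cur.fetchall()


def make_db():
    """Build a throwaway in-memory database with three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob",), ("carol",)],
    )
    conn.commit()
    return conn


# Assumed role of an evaluation step: run the candidate function against a
# known SQL injection payload. A correct lookup for a nonexistent user
# returns no rows; leaking every row means the payload altered the query.
def injection_is_exploitable(lookup, payload="' OR '1'='1"):
    conn = make_db()
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error:
        # A syntax error is not a working injection; treat as not exploitable.
        return False
    finally:
        conn.close()
    return len(rows) == 3


def evaluate_pair():
    """Report whether the original and injected versions are exploitable.

    An injection that leaves the original exploitable, or whose output is
    not exploitable, would be rejected before being shown to a student.
    """
    return {
        "original_exploitable": injection_is_exploitable(student_lookup_safe),
        "injected_exploitable": injection_is_exploitable(student_lookup_injected),
    }


if __name__ == "__main__":
    print(evaluate_pair())
```

The check is deliberately dynamic rather than pattern-based: an LLM can easily produce code that merely looks vulnerable (for instance, string formatting over a value that is validated earlier), and an example that cannot be triggered teaches the wrong lesson. Any real pipeline would also need to confirm the injected function still behaves correctly on benign input, so the vulnerability is the only change the student is asked to find.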