It seems like basically all marketing and advertising is human pen-testing. Thought is serialized into video or audio and then deserialized back into thought which is evaluated. Sometimes this evaluation causes downstream thoughts and actions (including propagating the vulnerability). The question is whether the resulting action is 'organic' or a RCE - overriding the agency of the actor.

I think a core class that should be taught is how to safety deserialize sensory input as to avoid causing RCEs. Or basically 'patching' these known vulnerabilities.