Use a strict secure‑boot chain so only signed images run, keep the firmware in an encrypted flash that can’t be read or patched in‑flight. Add a watchdog that forces the exo to a safe posture if the loop hangs or receives unexpected data. Make the control code run in an isolated sandbox or on a separate microcontroller with no network access. Store cryptographic keys in a tamper‑evident secure element. And don’t forget to verify the firmware’s integrity on every boot; if the hash check fails, wipe or reset. That keeps a hijacker out and gives you a quick escape route.