Course: 2B — Securing & Attacking Harnesses and LLMs Deep-Dive: SDD-B10 · Duration: 45 minutes · Level: Senior Engineer and above Prerequisites: Course 2A (offensive harnesses as tools FOR security work); Course 2B B0–B2; SDD-B01–SDD-B09
In Course 2A, the academic offensive harnesses — PentestGPT, APT-Agent, HPTSA, VulnBot, CAI — were tools you USE for security work: LLM-driven agents that automate penetration testing against traditional targets. In 2B, we invert the lens. These same harnesses are methodologies for ATTACKING AI systems. The techniques they pioneered — hierarchical planning, multi-agent task decomposition, automated reasoning over an attack surface — transfer directly to AI-target red-teaming. HPTSA's planner-dispatches-to-specialized-sub-agents architecture is the blueprint for the zero-click chain. This deep-dive surveys the academic landscape, maps the technique transfer, and closes the course's offensive material with a forecast of where the offensive frontier is heading.
After completing this deep-dive, you will be able to:
Course 2A introduced the academic offensive harnesses as a category: LLM-driven agents that automate the tedious, multi-step reasoning of penetration testing. PentestGPT (USENIX Security 2024) demonstrated that an LLM with the right scaffolding could automate the identify-assess-mitigate loop at a level approaching a human pentester. VulnBot (arXiv:2501.13411) extended this to multi-agent collaboration — separate LLM agents handling reconnaissance, vulnerability analysis, and exploitation the way a human team divides the work. CAI (arXiv:2504.06017) pushed the speed frontier, reporting results 156x faster than traditional approaches at expert-human-level quality.
These were tools FOR the defender. In 2A, you used them to find vulnerabilities in networks and applications faster. The target was traditional infrastructure; the LLM was the assistant.
Course 2B inverts the lens. The target is now an AI system — an agent, a model, a harness. And the same techniques that automate attacking a network automate attacking an AI system, because the structural problem is identical: a multi-step, reasoning-heavy exploration of an attack surface where each step's output informs the next. An indirect-injection chain (SDD-B03) is a multi-step plan: poison the retrieval store, wait for the agent to retrieve the payload, manipulate the tool call. A zero-click chain is a hierarchical plan: an orchestrator composes sub-goals (get the agent to read untrusted content, get it to call a tool, get the tool to reach the sensitive data) and dispatches them. The academic offensive harnesses are the blueprints for automating exactly this kind of attack.
This deep-dive exists because the offensive frontier is converging. The same research that gave defenders automated pentest tools is giving attackers automated AI-target exploitation. HPTSA's hierarchical planning — a planner agent explores a target website and dispatches tasks to specialized sub-agents that perform the exploit — is, with the target swapped from "website with a zero-day" to "agent with an injection surface," the architecture of an automated injection chain. The red-team that understands this convergence can anticipate the attacks; the defender who understands it knows why deterministic boundaries (SDD-B05) are no longer optional — the adversary now has the machinery to find and exploit every model-based layer's residual.
This is the course's final offensive deep-dive. It closes the loop: the techniques you studied as tools in 2A return as the threat model in 2B, and the defenses you built across B2–SDD-B09 are what stand against them.
Three sub-sections, fifteen minutes each:
The papers, the architectures, the arXiv IDs. What each one contributed.
PentestGPT (Deng et al., "PentestGPT: An LLM-empowered Automatic Penetration Testing Tool," USENIX Security 2024) is the foundational reference for LLM-driven offensive agents. Its contribution is a three-module architecture that automates the penetration-testing reasoning loop: a parsing module that interprets the target's state, a reasoning module that generates the next attack step, and a generation module that produces the concrete command. The modules self-interact — the reasoning module's output feeds the generation module, the execution result feeds back to the parsing module, and the loop continues until the objective is met.
The architectural contribution is the reasoning loop externalized. A human pentester holds the attack state in their head and decides the next step; PentestGPT holds it in the LLM's context and prompts the LLM to decide. This is the same loop that, retargeted, drives an automated injection chain: parse the agent's current state (what tools it has, what context it holds), reason about the next injection step, generate the payload. PentestGPT proved the loop works at human-adjacent quality on traditional targets; the transfer to AI targets is structural, not conceptual.
HPTSA (Fang et al., "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities," arXiv:2406.01637) is the paper most directly relevant to the zero-click chain. Its contribution is hierarchical planning and task-specific agents: a planner agent explores the target (a website, in the paper's case) and decomposes the objective into sub-tasks, then dispatches each sub-task to a specialized sub-agent that performs the actual exploit. The planner maintains the global strategy; the sub-agents execute the local tactics.
The key finding: teams of LLM agents can exploit real-world zero-day vulnerabilities, outperforming prior single-agent approaches that struggled with complex, multi-step exploration. The reason is the hierarchy. A single agent asked to "exploit this target" gets lost in the state space; a planner that breaks the objective into "reconnaissance, vulnerability identification, exploitation, post-exploitation" and dispatches each to a focused agent navigates the space efficiently.
This is the architecture of the zero-click injection chain. The orchestrator is the planner; the chain steps (poison retrieval, trigger retrieval, manipulate tool call, exfiltrate) are the sub-tasks; the specialized sub-agents are the per-step payload crafters. HPTSA proved the architecture works for web zero-days; the same architecture, retargeted to an agent's injection surface, is how multi-step AI attacks become automatable. This is why the zero-click chain is no longer a hypothetical that requires a human to script each step — the planning machinery exists.
VulnBot (arXiv:2501.13411) extends the multi-agent theme. Its contribution is a collaborative multi-agent framework that simulates the workflow of a human penetration-testing team: separate LLM agents handle reconnaissance, vulnerability analysis, and exploitation, coordinating through a shared state. The contribution over single-agent approaches is specialization — each agent is prompted for a specific phase, reducing the context burden and improving per-phase quality.
For AI-target attacks, VulnBot's contribution maps to distributed agent-system probing. A modern deployed agent system is not one model — it is a primary agent, a set of tool surfaces, a retrieval store, possibly sub-agents, and a guardrail layer (SDD-B08). Attacking it is a multi-surface problem. A VulnBot-style framework assigns one agent to probe the retrieval surface (indirect injection, SDD-B03), one to probe the tool surface (function-call manipulation, SDD-B04), one to probe the guardrail layer (detector evasion, SDD-B09), and coordinates the findings. The collaboration is the attack.
APT-Agent (arXiv:2605.24949, "APT-Agent: Automated Penetration Testing using Large Language Models") adds a rectification mechanism: when an attack step fails, the agent reasons about the failure and generates a corrected approach, rather than retrying blindly. This is the automated analogue of a human pentester who reads an error message and adjusts.
For AI-target attacks, rectification is adaptive injection refinement. An injection that fails (the agent doesn't comply, the detector catches it, the tool call is blocked) is not a dead end — it is a signal. A rectifying agent reads the failure mode (the agent deflected, the detector flagged it, the scope gate blocked the action) and crafts a refined injection that accounts for the observed defense. This is the machinery behind the cat-and-mouse dynamic from SDD-B09: an automated attacker that probes the detector's response and refines the payload to sit in its false-negative region. Rectification is what makes the evasion adaptive rather than static.
CAI (arXiv:2504.06017, "CAI: An Open, Bug Bounty-Ready Cybersecurity AI") pushes the speed frontier, reporting results 156x faster than traditional approaches at expert-human-level penetration-testing performance. Its contribution is an agent-centric, lightweight architecture optimized for throughput — the offensive equivalent of high-volume measurement.
For AI-target red-teaming, CAI's contribution is high-volume red-team measurement. The InjecAgent methodology (SDD-B03) requires running N attempts to measure a success rate; CAI-style speed makes large-N measurement cheap. This matters for both sides: the defender measures bypass rates over statistically meaningful N (SDD-B09's methodology); the attacker sweeps the attack surface at scale to find the residual. The speed asymmetry — automated attackers can probe faster than humans can defend — is the operational pressure that makes deterministic boundaries (SDD-B05) non-optional.
How each academic technique maps to a specific AI-target attack vector.
The transfer from 2A to 2B is not analogical; it is structural. The academic offensive harnesses solve a general problem: automated, multi-step, reasoning-heavy exploration of an attack surface. In 2A, the surface is a network or application; in 2B, the surface is an AI system. The architecture — planning, decomposition, specialization, rectification, scale — is target-agnostic. Swap the target from "web server with a zero-day" to "agent with an injection surface," and the same machinery runs.
The mapping, technique by technique:
This is the most important transfer in the deep-dive. HPTSA's planner-dispatches-to-sub-agents architecture is the blueprint for the zero-click injection chain. The chain (SDD-B03, expanded in B2) is a multi-step attack where no single step is sufficient: the attacker must poison the retrieval store, wait for the agent to retrieve the payload, manipulate the tool call, and exfiltrate — each step's success conditioned on the prior. A human scripting this chain by hand is slow and brittle; an HPTSA-style planner that decomposes the objective and dispatches each step to a focused sub-agent automates it.
The planner maintains the global strategy: "achieve exfiltration via the agent's tool surface." It decomposes into sub-goals: (1) plant an indirect-injection payload in a document the agent will retrieve; (2) trigger the retrieval (via a benign-seeming query); (3) the injected payload manipulates the agent into calling the exfiltration tool with the sensitive path; (4) the tool call executes. Each sub-goal is dispatched to a sub-agent that crafts the specific payload for its step, informed by the prior step's result. The hierarchy is what makes the chain navigable — a single agent trying to hold the entire chain in context gets lost; the planner-sub-agent decomposition keeps each step focused.
This is why the zero-click chain is now a realistic threat rather than a research curiosity. The planning machinery exists (HPTSA, 2024); the injection techniques exist (SDD-B03 through SDD-B06); the combination is an automated, multi-step attack on an AI system.
A deployed agent system is multi-surface: primary model, tool surface, retrieval store, guardrail layer, possibly sub-agents. Attacking it is a multi-surface problem, and VulnBot's collaborative framework maps directly. One agent probes the retrieval surface (indirect injection); one probes the tool surface (function-call manipulation); one probes the guardrail layer (detector evasion); they coordinate through shared state.
The collaboration surfaces compound vulnerabilities. An agent that finds the retrieval surface accepts untrusted content (SDD-B03) feeds that to the agent probing the tool surface, which crafts an injection that triggers a disallowed tool call. The agent probing the guardrail (SDD-B09) feeds the detector's blind spots to the injection-crafter, which refines the payload to evade detection. The distributed framework finds the composition — the path through the system that no single-surface analysis would reveal.
Rectification is the engine of the cat-and-mouse dynamic. A static injection is defeated by a static defense; an adaptive injection that reads the defense's response and refines is the threat that makes model-based defenses (SDD-B08, SDD-B09) have a residual. APT-Agent's rectification mechanism, retargeted, is the automated attacker that probes the detector (SDD-B09), observes that the payload was flagged, and crafts a variant that sits in the detector's false-negative region while still compromising the primary model — the dual-injection problem, automated.
This is the connection between the academic offensive frontier and SDD-B09's measurement thesis. SDD-B09 argued that out-of-distribution, adversarially-adapted accuracy is the number that matters. APT-Agent-style rectification is the machinery that drives the adaptation: the attacker is not static, the detector's surface is probed, and the effective accuracy decays. The defender who measures only against static, in-distribution traffic is measuring against an adversary who no longer exists.
CAI's 156x speedup applies to both offense and defense. For the attacker, it means high-volume probing: sweep the agent's surface at scale, find the residual, exploit it before the defender notices. For the defender, it means high-volume measurement: run the InjecAgent methodology (SDD-B03) over statistically meaningful N, measure the bypass rate, and do it fast enough to keep up with the adversarial adaptation. The speed asymmetry is the operational reality — automated attackers probe faster than humans can patch — and it is the reason deterministic boundaries (SDD-B05) are the load-bearing defense. A model-based defense that a CAI-speed attacker can probe 156x faster than a human can retrain is a defense with a shrinking half-life. A deterministic boundary that has no evasion surface is a defense that does not decay.
The convergence, the forecast, and why the course's defense thesis is the response.
The offensive frontier is converging. The academic offensive harnesses were built for traditional targets (networks, web apps), but their architectures — hierarchical planning, multi-agent collaboration, rectification, scale — are target-agnostic. As AI systems become a larger share of the attack surface (every enterprise now deploys agents), the offensive tooling retargets. The same PentestGPT-style reasoning loop that automates attacking a web server automates attacking the agent behind it. The same HPTSA-style hierarchy that exploits a web zero-day exploits an injection chain.
This convergence means the defender of an AI system faces an adversary with mature, published, open-source offensive machinery. The HPTSA code is on GitHub (uiuc-kang-lab/HPTSA). The VulnBot code is public. CAI is open-source. An attacker does not need to invent the multi-step planning architecture — they need to retarget it. The barrier to a sophisticated, automated, multi-step AI attack is dropping from "research lab" to "script kiddie with a GitHub repo."
The specific forecast: automated, multi-step injection chains become the default attack against deployed agents. The components exist: HPTSA for planning, InjecAgent-style techniques for the injection steps, APT-Agent-style rectification for adaptation, CAI-style speed for volume. The composition is an attacker that plans a zero-click chain, dispatches the steps to specialized crafters, refines on failure, and runs at scale.
The defender's implication: a single-step defense (a detector, a rail, a refusal layer) is insufficient against an adversary who composes. The defense must be layered (B2), the layers must be composed with deterministic boundaries (SDD-B05), and the residual must be measured end-to-end (SDD-B09). The harness scope gate — the deterministic floor — is what prevents the chain's final step (the disallowed action) even when every model-based layer has been evaded. This is why the course has returned, repeatedly, to the deterministic boundary: it is the only layer that holds against an adversary with automated, hierarchical, multi-step capability.
The second forecast: detection models (SDD-B09) face LLM-driven evasion as a standard attack, not a research curiosity. The rectification machinery (APT-Agent) applied to the detector's surface is the automated evasion engine: probe the detector, map its decision boundary, synthesize evasions at scale. The dual-injection problem (evade the detector AND compromise the primary) becomes a solvable optimization, not a constraint that deters.
The defender's implication: the detector's out-of-distribution accuracy is the live battleground, and it decays under adaptive pressure. The detector remains a high-value layer (it catches the bulk of unsophisticated traffic), but it cannot be the boundary. The deterministic layers — the boundary and the scope gate — are what hold when the detector's residual is exploited.
The academic literature, read as a trajectory, points in one direction: automated, multi-agent, hierarchical, adaptive, high-volume offensive capability against AI systems. Each paper added a capability — PentestGPT the reasoning loop, HPTSA the hierarchy, VulnBot the collaboration, APT-Agent the rectification, CAI the speed. The composition is an offensive harness for AI targets that did not exist as an integrated system when the individual papers were published, and that is now assembleable from open components.
The forecast is not that attackers will have a single super-tool. It is that the components are commoditized, the architectures are published, and the barrier to composing them is falling. The defender who waits for "the threat to mature" is waiting for a threat that is already mature in its components and converging in its integration.
This is where the course's offensive material closes, and the defense thesis stands as the response. The adversary now has: hierarchical planning (HPTSA), multi-agent collaboration (VulnBot), adaptive rectification (APT-Agent), and scale (CAI). The defenses that hold against this adversary are the ones the course built:
The offensive frontier is automating. The defense is deterministic boundaries, composed with model-based layers whose residuals are measured, enforced externally, and floored by a scope gate the adversary cannot disable. That is the architecture this course has built, and it is the architecture that holds.
Treating the technique transfer as analogical rather than structural. Cure: the architectures (planning, decomposition, rectification, scale) are target-agnostic. Swap the target and the machinery runs. Assess AI-target defenses against the academic offensive state of the art, not against a hypothetical static adversary.
A defense composed only of detectors, rails, and refusal — no IronCurtain, no scope gate. An HPTSA-style planner with APT-Agent-style rectification finds and exploits every model-based layer's residual. Cure: compose with the deterministic boundary (SDD-B05) and the harness scope gate (B0) — the layers with no evasion surface.
Running the InjecAgent methodology on a fixed corpus and treating the result as the deployment's residual. Cure: measure against out-of-distribution, adaptive traffic (SDD-B09) — the adversary has rectification machinery and will adapt. Re-measure on a cadence; the residual decays.
Treating multi-step injection chains as hypothetical because they seem to require human craft. Cure: HPTSA's hierarchical planning automates the decomposition and dispatch. The chain is automatable; assess defenses against the automated version.
Delaying defense investment because the integrated offensive tooling is not yet a single packaged product. Cure: the components are commoditized and the architectures are published. The barrier to composition is falling. Build the deterministic boundaries now; they are the layers that do not decay while the adversary's tooling integrates.
| Term | Definition |
|---|---|
| PentestGPT | USENIX Security 2024; three-module reasoning loop (parse, reason, generate) for automated penetration testing; the foundational LLM offensive agent |
| HPTSA | arXiv:2406.01637; hierarchical planning and task-specific agents; a planner explores and dispatches to specialized sub-agents; the blueprint for the zero-click chain |
| VulnBot | arXiv:2501.13411; multi-agent collaborative framework simulating a human pentest team; maps to distributed agent-system probing |
| APT-Agent | arXiv:2605.24949; rectification mechanism — reasons about failure and generates a corrected approach; maps to adaptive injection refinement |
| CAI | arXiv:2504.06017; agent-centric, lightweight, 156x faster than traditional approaches; maps to high-volume red-team measurement and attack |
| The 2A-to-2B inversion | Academic offensive harnesses were tools FOR security work (2A); in 2B they are methodologies for attacking AI systems — the architecture is target-agnostic |
| Hierarchical planning | Planner maintains global strategy, dispatches sub-tasks to specialized sub-agents; the architecture that makes multi-step attacks navigable and automatable |
| Rectification | Reading a failure mode and generating a corrected approach; the engine of adaptive evasion (the SDD-B09 cat-and-mouse dynamic, automated) |
| Zero-click chain | A multi-step injection attack where no single step suffices; HPTSA's hierarchy is its blueprint |
| Offensive convergence | Traditional-pentest automation and AI-target automation converging on the same architectures; components commoditized, barrier to composition falling |
| Deterministic boundary as the response | The layer with no evasion surface; the defense that holds against automated, hierarchical, adaptive, high-volume offense |
See 07-lab-spec.md. Build a simulated HPTSA-style hierarchical planner that decomposes an AI-target attack objective (exfiltration via the tool surface) into sub-tasks, dispatches each to a specialized sub-agent proxy, and executes the zero-click chain against a simulated agent system (retrieval store, primary model, tool surface, scope gate). Observe how the chain succeeds against model-based defenses and is stopped by the deterministic scope gate. No GPU required; the lab proxies the model surfaces with deterministic components so the planning architecture is the lesson.
# Deep-Dive SDD-B10 — Academic Offensive Harnesses (Adapted for AI-Target Attacks) **Course**: 2B — Securing & Attacking Harnesses and LLMs **Deep-Dive**: SDD-B10 · **Duration**: 45 minutes · **Level**: Senior Engineer and above **Prerequisites**: Course 2A (offensive harnesses as tools FOR security work); Course 2B B0–B2; SDD-B01–SDD-B09 > *In Course 2A, the academic offensive harnesses — PentestGPT, APT-Agent, HPTSA, VulnBot, CAI — were tools you USE for security work: LLM-driven agents that automate penetration testing against traditional targets. In 2B, we invert the lens. These same harnesses are methodologies for ATTACKING AI systems. The techniques they pioneered — hierarchical planning, multi-agent task decomposition, automated reasoning over an attack surface — transfer directly to AI-target red-teaming. HPTSA's planner-dispatches-to-specialized-sub-agents architecture is the blueprint for the zero-click chain. This deep-dive surveys the academic landscape, maps the technique transfer, and closes the course's offensive material with a forecast of where the offensive frontier is heading.* --- ## Learning Objectives After completing this deep-dive, you will be able to: 1. Survey the academic landscape of LLM-driven offensive agents — PentestGPT, APT-Agent, HPTSA, VulnBot, CAI — and articulate each paper's core architectural contribution, with arXiv identifiers for the primary sources. 2. Explain the inversion from 2A to 2B: the same harnesses that were tools FOR security work (automating pentests of networks/apps) become methodologies for attacking AI systems, because the multi-step planning and task-decomposition techniques transfer directly to the AI-target attack surface. 3. Map HPTSA's hierarchical planning (a planner agent explores the target and dispatches to specialized sub-agents) to the zero-click chain: the planner is the orchestrator, the sub-agents are the chain steps (retrieval poisoning, indirect injection, tool-call manipulation), and the architecture is why multi-step AI attacks are now automatable. 4. Analyze how each academic technique transfers to a specific AI-target attack vector: PentestGPT's reasoning loop to injection-chain planning, APT-Agent's rectification to adaptive injection refinement, VulnBot's multi-agent collaboration to distributed agent-system probing, CAI's speed to high-volume red-team measurement. 5. Synthesize the academic state of the art into a forecast of the offensive frontier: automated multi-step injection chains, LLM-driven evasion of detection models (SDD-B09), the convergence of traditional-pentest automation and AI-target automation, and what this means for defense (deterministic boundaries become non-optional). 6. Connect the offensive frontier to the course's defense thesis: the harness scope gate (B0), the deterministic boundary (SDD-B05), and defense-in-depth composition (B2, SDD-B08, SDD-B09) are the controls that hold against an adversary who now has automated, hierarchical, multi-agent offensive capability. --- ## Why this deep-dive exists Course 2A introduced the academic offensive harnesses as a category: LLM-driven agents that automate the tedious, multi-step reasoning of penetration testing. PentestGPT (USENIX Security 2024) demonstrated that an LLM with the right scaffolding could automate the identify-assess-mitigate loop at a level approaching a human pentester. VulnBot (arXiv:2501.13411) extended this to multi-agent collaboration — separate LLM agents handling reconnaissance, vulnerability analysis, and exploitation the way a human team divides the work. CAI (arXiv:2504.06017) pushed the speed frontier, reporting results 156x faster than traditional approaches at expert-human-level quality. These were tools FOR the defender. In 2A, you used them to find vulnerabilities in networks and applications faster. The target was traditional infrastructure; the LLM was the assistant. Course 2B inverts the lens. The target is now an AI system — an agent, a model, a harness. And the same techniques that automate attacking a network automate attacking an AI system, because the structural problem is identical: a multi-step, reasoning-heavy exploration of an attack surface where each step's output informs the next. An indirect-injection chain (SDD-B03) is a multi-step plan: poison the retrieval store, wait for the agent to retrieve the payload, manipulate the tool call. A zero-click chain is a hierarchical plan: an orchestrator composes sub-goals (get the agent to read untrusted content, get it to call a tool, get the tool to reach the sensitive data) and dispatches them. The academic offensive harnesses are the blueprints for automating exactly this kind of attack. This deep-dive exists because the offensive frontier is converging. The same research that gave defenders automated pentest tools is giving attackers automated AI-target exploitation. HPTSA's hierarchical planning — a planner agent explores a target website and dispatches tasks to specialized sub-agents that perform the exploit — is, with the target swapped from "website with a zero-day" to "agent with an injection surface," the architecture of an automated injection chain. The red-team that understands this convergence can anticipate the attacks; the defender who understands it knows why deterministic boundaries (SDD-B05) are no longer optional — the adversary now has the machinery to find and exploit every model-based layer's residual. This is the course's final offensive deep-dive. It closes the loop: the techniques you studied as tools in 2A return as the threat model in 2B, and the defenses you built across B2–SDD-B09 are what stand against them. Three sub-sections, fifteen minutes each: - **B10.1 — The Academic Landscape.** The papers, the architectures, the arXiv IDs. PentestGPT, APT-Agent, HPTSA, VulnBot, CAI — each one's core contribution and why it matters. - **B10.2 — Technique Transfer to AI-Target Attacks.** How each academic technique maps to an AI-target attack vector. HPTSA's hierarchical planning to the zero-click chain; the multi-agent decomposition to distributed agent-system probing. - **B10.3 — The Offensive Frontier and What It Means for Defense.** Automated multi-step injection chains, LLM-driven evasion of detection models, the convergence of traditional and AI-target automation, and why the course's defense thesis is the response. --- # B10.1 — The Academic Landscape *The papers, the architectures, the arXiv IDs. What each one contributed.* ## PentestGPT — the reasoning loop (USENIX Security 2024) PentestGPT (Deng et al., "PentestGPT: An LLM-empowered Automatic Penetration Testing Tool," USENIX Security 2024) is the foundational reference for LLM-driven offensive agents. Its contribution is a three-module architecture that automates the penetration-testing reasoning loop: a parsing module that interprets the target's state, a reasoning module that generates the next attack step, and a generation module that produces the concrete command. The modules self-interact — the reasoning module's output feeds the generation module, the execution result feeds back to the parsing module, and the loop continues until the objective is met. The architectural contribution is the **reasoning loop externalized**. A human pentester holds the attack state in their head and decides the next step; PentestGPT holds it in the LLM's context and prompts the LLM to decide. This is the same loop that, retargeted, drives an automated injection chain: parse the agent's current state (what tools it has, what context it holds), reason about the next injection step, generate the payload. PentestGPT proved the loop works at human-adjacent quality on traditional targets; the transfer to AI targets is structural, not conceptual. ## HPTSA — hierarchical planning (arXiv:2406.01637) HPTSA (Fang et al., "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities," arXiv:2406.01637) is the paper most directly relevant to the zero-click chain. Its contribution is **hierarchical planning and task-specific agents**: a planner agent explores the target (a website, in the paper's case) and decomposes the objective into sub-tasks, then dispatches each sub-task to a specialized sub-agent that performs the actual exploit. The planner maintains the global strategy; the sub-agents execute the local tactics. The key finding: teams of LLM agents can exploit real-world zero-day vulnerabilities, outperforming prior single-agent approaches that struggled with complex, multi-step exploration. The reason is the hierarchy. A single agent asked to "exploit this target" gets lost in the state space; a planner that breaks the objective into "reconnaissance, vulnerability identification, exploitation, post-exploitation" and dispatches each to a focused agent navigates the space efficiently. This is the architecture of the zero-click injection chain. The orchestrator is the planner; the chain steps (poison retrieval, trigger retrieval, manipulate tool call, exfiltrate) are the sub-tasks; the specialized sub-agents are the per-step payload crafters. HPTSA proved the architecture works for web zero-days; the same architecture, retargeted to an agent's injection surface, is how multi-step AI attacks become automatable. This is why the zero-click chain is no longer a hypothetical that requires a human to script each step — the planning machinery exists. ## VulnBot — multi-agent collaboration (arXiv:2501.13411) VulnBot (arXiv:2501.13411) extends the multi-agent theme. Its contribution is a **collaborative multi-agent framework** that simulates the workflow of a human penetration-testing team: separate LLM agents handle reconnaissance, vulnerability analysis, and exploitation, coordinating through a shared state. The contribution over single-agent approaches is specialization — each agent is prompted for a specific phase, reducing the context burden and improving per-phase quality. For AI-target attacks, VulnBot's contribution maps to **distributed agent-system probing**. A modern deployed agent system is not one model — it is a primary agent, a set of tool surfaces, a retrieval store, possibly sub-agents, and a guardrail layer (SDD-B08). Attacking it is a multi-surface problem. A VulnBot-style framework assigns one agent to probe the retrieval surface (indirect injection, SDD-B03), one to probe the tool surface (function-call manipulation, SDD-B04), one to probe the guardrail layer (detector evasion, SDD-B09), and coordinates the findings. The collaboration is the attack. ## APT-Agent — rectification (arXiv:2605.24949) APT-Agent (arXiv:2605.24949, "APT-Agent: Automated Penetration Testing using Large Language Models") adds a **rectification mechanism**: when an attack step fails, the agent reasons about the failure and generates a corrected approach, rather than retrying blindly. This is the automated analogue of a human pentester who reads an error message and adjusts. For AI-target attacks, rectification is **adaptive injection refinement**. An injection that fails (the agent doesn't comply, the detector catches it, the tool call is blocked) is not a dead end — it is a signal. A rectifying agent reads the failure mode (the agent deflected, the detector flagged it, the scope gate blocked the action) and crafts a refined injection that accounts for the observed defense. This is the machinery behind the cat-and-mouse dynamic from SDD-B09: an automated attacker that probes the detector's response and refines the payload to sit in its false-negative region. Rectification is what makes the evasion adaptive rather than static. ## CAI — speed and scale (arXiv:2504.06017) CAI (arXiv:2504.06017, "CAI: An Open, Bug Bounty-Ready Cybersecurity AI") pushes the speed frontier, reporting results 156x faster than traditional approaches at expert-human-level penetration-testing performance. Its contribution is an agent-centric, lightweight architecture optimized for throughput — the offensive equivalent of high-volume measurement. For AI-target red-teaming, CAI's contribution is **high-volume red-team measurement**. The InjecAgent methodology (SDD-B03) requires running N attempts to measure a success rate; CAI-style speed makes large-N measurement cheap. This matters for both sides: the defender measures bypass rates over statistically meaningful N (SDD-B09's methodology); the attacker sweeps the attack surface at scale to find the residual. The speed asymmetry — automated attackers can probe faster than humans can defend — is the operational pressure that makes deterministic boundaries (SDD-B05) non-optional. --- # B10.2 — Technique Transfer to AI-Target Attacks *How each academic technique maps to a specific AI-target attack vector.* ## The inversion: same architecture, different target The transfer from 2A to 2B is not analogical; it is structural. The academic offensive harnesses solve a general problem: automated, multi-step, reasoning-heavy exploration of an attack surface. In 2A, the surface is a network or application; in 2B, the surface is an AI system. The architecture — planning, decomposition, specialization, rectification, scale — is target-agnostic. Swap the target from "web server with a zero-day" to "agent with an injection surface," and the same machinery runs. The mapping, technique by technique: ## HPTSA's hierarchical planning → the zero-click chain This is the most important transfer in the deep-dive. HPTSA's planner-dispatches-to-sub-agents architecture is the blueprint for the zero-click injection chain. The chain (SDD-B03, expanded in B2) is a multi-step attack where no single step is sufficient: the attacker must poison the retrieval store, wait for the agent to retrieve the payload, manipulate the tool call, and exfiltrate — each step's success conditioned on the prior. A human scripting this chain by hand is slow and brittle; an HPTSA-style planner that decomposes the objective and dispatches each step to a focused sub-agent automates it. The planner maintains the global strategy: "achieve exfiltration via the agent's tool surface." It decomposes into sub-goals: (1) plant an indirect-injection payload in a document the agent will retrieve; (2) trigger the retrieval (via a benign-seeming query); (3) the injected payload manipulates the agent into calling the exfiltration tool with the sensitive path; (4) the tool call executes. Each sub-goal is dispatched to a sub-agent that crafts the specific payload for its step, informed by the prior step's result. The hierarchy is what makes the chain navigable — a single agent trying to hold the entire chain in context gets lost; the planner-sub-agent decomposition keeps each step focused. This is why the zero-click chain is now a realistic threat rather than a research curiosity. The planning machinery exists (HPTSA, 2024); the injection techniques exist (SDD-B03 through SDD-B06); the combination is an automated, multi-step attack on an AI system. ## VulnBot's multi-agent collaboration → distributed agent-system probing A deployed agent system is multi-surface: primary model, tool surface, retrieval store, guardrail layer, possibly sub-agents. Attacking it is a multi-surface problem, and VulnBot's collaborative framework maps directly. One agent probes the retrieval surface (indirect injection); one probes the tool surface (function-call manipulation); one probes the guardrail layer (detector evasion); they coordinate through shared state. The collaboration surfaces compound vulnerabilities. An agent that finds the retrieval surface accepts untrusted content (SDD-B03) feeds that to the agent probing the tool surface, which crafts an injection that triggers a disallowed tool call. The agent probing the guardrail (SDD-B09) feeds the detector's blind spots to the injection-crafter, which refines the payload to evade detection. The distributed framework finds the composition — the path through the system that no single-surface analysis would reveal. ## APT-Agent's rectification → adaptive injection refinement Rectification is the engine of the cat-and-mouse dynamic. A static injection is defeated by a static defense; an adaptive injection that reads the defense's response and refines is the threat that makes model-based defenses (SDD-B08, SDD-B09) have a residual. APT-Agent's rectification mechanism, retargeted, is the automated attacker that probes the detector (SDD-B09), observes that the payload was flagged, and crafts a variant that sits in the detector's false-negative region while still compromising the primary model — the dual-injection problem, automated. This is the connection between the academic offensive frontier and SDD-B09's measurement thesis. SDD-B09 argued that out-of-distribution, adversarially-adapted accuracy is the number that matters. APT-Agent-style rectification is the machinery that drives the adaptation: the attacker is not static, the detector's surface is probed, and the effective accuracy decays. The defender who measures only against static, in-distribution traffic is measuring against an adversary who no longer exists. ## CAI's speed → high-volume attack and measurement CAI's 156x speedup applies to both offense and defense. For the attacker, it means high-volume probing: sweep the agent's surface at scale, find the residual, exploit it before the defender notices. For the defender, it means high-volume measurement: run the InjecAgent methodology (SDD-B03) over statistically meaningful N, measure the bypass rate, and do it fast enough to keep up with the adversarial adaptation. The speed asymmetry is the operational reality — automated attackers probe faster than humans can patch — and it is the reason deterministic boundaries (SDD-B05) are the load-bearing defense. A model-based defense that a CAI-speed attacker can probe 156x faster than a human can retrain is a defense with a shrinking half-life. A deterministic boundary that has no evasion surface is a defense that does not decay. --- # B10.3 — The Offensive Frontier and What It Means for Defense *The convergence, the forecast, and why the course's defense thesis is the response.* ## The convergence of traditional and AI-target automation The offensive frontier is converging. The academic offensive harnesses were built for traditional targets (networks, web apps), but their architectures — hierarchical planning, multi-agent collaboration, rectification, scale — are target-agnostic. As AI systems become a larger share of the attack surface (every enterprise now deploys agents), the offensive tooling retargets. The same PentestGPT-style reasoning loop that automates attacking a web server automates attacking the agent behind it. The same HPTSA-style hierarchy that exploits a web zero-day exploits an injection chain. This convergence means the defender of an AI system faces an adversary with mature, published, open-source offensive machinery. The HPTSA code is on GitHub (uiuc-kang-lab/HPTSA). The VulnBot code is public. CAI is open-source. An attacker does not need to invent the multi-step planning architecture — they need to retarget it. The barrier to a sophisticated, automated, multi-step AI attack is dropping from "research lab" to "script kiddie with a GitHub repo." ## Automated multi-step injection chains The specific forecast: automated, multi-step injection chains become the default attack against deployed agents. The components exist: HPTSA for planning, InjecAgent-style techniques for the injection steps, APT-Agent-style rectification for adaptation, CAI-style speed for volume. The composition is an attacker that plans a zero-click chain, dispatches the steps to specialized crafters, refines on failure, and runs at scale. The defender's implication: a single-step defense (a detector, a rail, a refusal layer) is insufficient against an adversary who composes. The defense must be layered (B2), the layers must be composed with deterministic boundaries (SDD-B05), and the residual must be measured end-to-end (SDD-B09). The harness scope gate — the deterministic floor — is what prevents the chain's final step (the disallowed action) even when every model-based layer has been evaded. This is why the course has returned, repeatedly, to the deterministic boundary: it is the only layer that holds against an adversary with automated, hierarchical, multi-step capability. ## LLM-driven evasion of detection models The second forecast: detection models (SDD-B09) face LLM-driven evasion as a standard attack, not a research curiosity. The rectification machinery (APT-Agent) applied to the detector's surface is the automated evasion engine: probe the detector, map its decision boundary, synthesize evasions at scale. The dual-injection problem (evade the detector AND compromise the primary) becomes a solvable optimization, not a constraint that deters. The defender's implication: the detector's out-of-distribution accuracy is the live battleground, and it decays under adaptive pressure. The detector remains a high-value layer (it catches the bulk of unsophisticated traffic), but it cannot be the boundary. The deterministic layers — the boundary and the scope gate — are what hold when the detector's residual is exploited. ## What the academic state of the art tells us about the offensive frontier The academic literature, read as a trajectory, points in one direction: automated, multi-agent, hierarchical, adaptive, high-volume offensive capability against AI systems. Each paper added a capability — PentestGPT the reasoning loop, HPTSA the hierarchy, VulnBot the collaboration, APT-Agent the rectification, CAI the speed. The composition is an offensive harness for AI targets that did not exist as an integrated system when the individual papers were published, and that is now assembleable from open components. The forecast is not that attackers will have a single super-tool. It is that the components are commoditized, the architectures are published, and the barrier to composing them is falling. The defender who waits for "the threat to mature" is waiting for a threat that is already mature in its components and converging in its integration. ## The defense thesis, restated as the response This is where the course's offensive material closes, and the defense thesis stands as the response. The adversary now has: hierarchical planning (HPTSA), multi-agent collaboration (VulnBot), adaptive rectification (APT-Agent), and scale (CAI). The defenses that hold against this adversary are the ones the course built: - **B0 — the scope file and the provider-authorization gate.** The legal and engineering control plane that bounds what the agent is permitted to do, enforced before any technique is pointed at a target. The scope gate is deterministic; the adversary's planning cannot talk it out of a rule. - **B2 — defense-in-depth.** No single layer suffices; every model-based layer has a residual. The composition bounds the residual. - **SDD-B05 — IronCurtain, the deterministic boundary.** The layer with no evasion surface. The adversary's adaptive machinery finds nothing to adapt against, because there is no decision boundary to probe. - **SDD-B08 — NeMo Guardrails, externally evaluated.** The rails run regardless of agent state; external enforcement stops DISABLE. The residual (EVADE) is bounded by the deterministic layers behind it. - **SDD-B09 — the detection model, measured.** The detector catches the bulk of unsophisticated traffic; its out-of-distribution residual is measured, not assumed; and it is composed with deterministic layers that bound the worst case. - **The harness scope gate — the floor.** Even when the chain succeeds, the disallowed action is blocked. This is the layer that makes the architecture hold: the adversary can plan, dispatch, rectify, and scale, and the final action is still gated by a rule the model cannot reach. The offensive frontier is automating. The defense is deterministic boundaries, composed with model-based layers whose residuals are measured, enforced externally, and floored by a scope gate the adversary cannot disable. That is the architecture this course has built, and it is the architecture that holds. --- ## Anti-Patterns ### "The academic harnesses only attack traditional targets — AI targets are different" Treating the technique transfer as analogical rather than structural. Cure: the architectures (planning, decomposition, rectification, scale) are target-agnostic. Swap the target and the machinery runs. Assess AI-target defenses against the academic offensive state of the art, not against a hypothetical static adversary. ### Defending with model-based layers and no deterministic boundary A defense composed only of detectors, rails, and refusal — no IronCurtain, no scope gate. An HPTSA-style planner with APT-Agent-style rectification finds and exploits every model-based layer's residual. Cure: compose with the deterministic boundary (SDD-B05) and the harness scope gate (B0) — the layers with no evasion surface. ### Measuring defenses against static, in-distribution traffic Running the InjecAgent methodology on a fixed corpus and treating the result as the deployment's residual. Cure: measure against out-of-distribution, adaptive traffic (SDD-B09) — the adversary has rectification machinery and will adapt. Re-measure on a cadence; the residual decays. ### Assuming the zero-click chain requires a human to script each step Treating multi-step injection chains as hypothetical because they seem to require human craft. Cure: HPTSA's hierarchical planning automates the decomposition and dispatch. The chain is automatable; assess defenses against the automated version. ### Waiting for "the threat to mature" Delaying defense investment because the integrated offensive tooling is not yet a single packaged product. Cure: the components are commoditized and the architectures are published. The barrier to composition is falling. Build the deterministic boundaries now; they are the layers that do not decay while the adversary's tooling integrates. --- ## Key Terms | Term | Definition | | --- | --- | | **PentestGPT** | USENIX Security 2024; three-module reasoning loop (parse, reason, generate) for automated penetration testing; the foundational LLM offensive agent | | **HPTSA** | arXiv:2406.01637; hierarchical planning and task-specific agents; a planner explores and dispatches to specialized sub-agents; the blueprint for the zero-click chain | | **VulnBot** | arXiv:2501.13411; multi-agent collaborative framework simulating a human pentest team; maps to distributed agent-system probing | | **APT-Agent** | arXiv:2605.24949; rectification mechanism — reasons about failure and generates a corrected approach; maps to adaptive injection refinement | | **CAI** | arXiv:2504.06017; agent-centric, lightweight, 156x faster than traditional approaches; maps to high-volume red-team measurement and attack | | **The 2A-to-2B inversion** | Academic offensive harnesses were tools FOR security work (2A); in 2B they are methodologies for attacking AI systems — the architecture is target-agnostic | | **Hierarchical planning** | Planner maintains global strategy, dispatches sub-tasks to specialized sub-agents; the architecture that makes multi-step attacks navigable and automatable | | **Rectification** | Reading a failure mode and generating a corrected approach; the engine of adaptive evasion (the SDD-B09 cat-and-mouse dynamic, automated) | | **Zero-click chain** | A multi-step injection attack where no single step suffices; HPTSA's hierarchy is its blueprint | | **Offensive convergence** | Traditional-pentest automation and AI-target automation converging on the same architectures; components commoditized, barrier to composition falling | | **Deterministic boundary as the response** | The layer with no evasion surface; the defense that holds against automated, hierarchical, adaptive, high-volume offense | --- ## Lab Exercise See `07-lab-spec.md`. Build a simulated HPTSA-style hierarchical planner that decomposes an AI-target attack objective (exfiltration via the tool surface) into sub-tasks, dispatches each to a specialized sub-agent proxy, and executes the zero-click chain against a simulated agent system (retrieval store, primary model, tool surface, scope gate). Observe how the chain succeeds against model-based defenses and is stopped by the deterministic scope gate. No GPU required; the lab proxies the model surfaces with deterministic components so the planning architecture is the lesson. --- ## References 1. **Deng et al., "PentestGPT: An LLM-empowered Automatic Penetration Testing Tool"** — USENIX Security 2024. Three-module reasoning loop; the foundational LLM offensive agent. 2. **Fang et al., "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities"** — arXiv:2406.01637. HPTSA: hierarchical planning and task-specific agents. Code: github.com/uiuc-kang-lab/HPTSA. 3. **"VulnBot: Autonomous Penetration Testing for A Multi-Agent Collaborative Framework"** — arXiv:2501.13411. Multi-agent collaboration simulating a human pentest team. 4. **"APT-Agent: Automated Penetration Testing using Large Language Models"** — arXiv:2605.24949. Rectification mechanism for adaptive attack refinement. 5. **"CAI: An Open, Bug Bounty-Ready Cybersecurity AI"** — arXiv:2504.06017. Agent-centric, lightweight, 156x faster than traditional approaches. 6. **Course 2A** — the academic offensive harnesses as tools FOR security work (the 2A side of the inversion). 7. **Course 2B B0** — the scope file and provider-authorization gate (the deterministic legal/engineering control plane). 8. **Course 2B B2** — the injection-defense layer stack (defense-in-depth thesis). 9. **Course 2B SDD-B03** — InjecAgent (indirect injection, the measurement methodology, the zero-click chain components). 10. **Course 2B SDD-B05** — IronCurtain (the deterministic boundary, the layer with no evasion surface). 11. **Course 2B SDD-B06** — RedAgent (context-specific attacks, automated adversarial generation). 12. **Course 2B SDD-B08** — NeMo Guardrails (external evaluation, DISABLE vs EVADE). 13. **Course 2B SDD-B09** — Prompt Injection Detection Models (the cat-and-mouse dynamic, the detector's adversarial residual).