Academic Offensive Harnesses
SDD-B10 · Course 2B — Securing & Attacking Harnesses and LLMs
45 minutes · The course-closing offensive frontier deep-dive
In 2A, PentestGPT, HPTSA, VulnBot, APT-Agent, CAI were tools FOR security work. In 2B, the lens inverts — the same harnesses are methodologies for attacking AI systems. HPTSA's hierarchy is the zero-click chain blueprint.
Deep-Dives
The 2A-to-2B inversion
2A — tools FOR security work
Target: network / web app. Architecture: reasoning loop, hierarchy, multi-agent, rectification, scale. Result: find vulns faster. The LLM is the defender's assistant.
2B — methodologies for ATTACKING AI
Target: the agent / model / harness. Architecture: identical. Result: automated multi-step injection chains. The LLM is the attacker.
The transfer is structural, not analogical. Swap the target from "web server with a zero-day" to "agent with an injection surface" and the same machinery runs. The architecture is target-agnostic.
B10.1 — The academic landscape
Five papers, five contributions, arXiv IDs
Five papers, five contributions
| Paper | Contribution | AI-target transfer |
| PentestGPT (USENIX '24) | Three-module reasoning loop (parse · reason · generate) | Injection-chain planning: reason over agent state, decide next step |
| HPTSA (arXiv:2406.01637) | Hierarchical planning: planner → specialized sub-agents | The zero-click chain blueprint |
| VulnBot (arXiv:2501.13411) | Multi-agent collaboration (recon · vuln · exploit) | Distributed multi-surface probing (retrieval · tool · guardrail) |
| APT-Agent (arXiv:2605.24949) | Rectification: read failure → refine | Adaptive detector evasion (SDD-B09 cat-and-mouse, automated) |
| CAI (arXiv:2504.06017) | Speed: 156x faster than traditional | High-volume attack + measurement; sweep the residual fast |
No single paper is an integrated AI-target harness. But each contributed a component, the components are open-source, and the barrier to composing them is falling.
B10.2 — Technique transfer to AI-target attacks
HPTSA's hierarchy → the zero-click chain
HPTSA's hierarchy is the zero-click chain
HPTSA PLANNER (orchestrator)
global strategy: exfiltration via the tool surface
│ dispatch
▼
┌ SUB-AGENT 1: plant indirect injection in a doc
│ (SDD-B03 retrieval poisoning)
├ SUB-AGENT 2: trigger retrieval (benign-seeming query)
├ SUB-AGENT 3: payload manipulates tool call
│ (SDD-B04 function-call manipulation)
└ SUB-AGENT 4: exfiltrate (tool call executes)
Each step informed by the prior's result.
The hierarchy is what makes the chain NAVIGABLE —
a single agent holding the whole chain gets lost.
DEFENSE: harness scope gate blocks the final action —
no evasion surface for the planner to adapt against.
This is why the zero-click chain is no longer hypothetical. The planning machinery exists (HPTSA, 2024); the injection techniques exist (SDD-B03–B06); the combination is an automated, multi-step attack.
APT-Agent's rectification → adaptive evasion
The bridge to SDD-B09. APT-Agent reads a failure mode and generates a corrected approach. Retargeted: probe the detector, observe it flagged the payload, craft a variant that sits in the detector's false-negative region while still compromising the primary. The dual-injection problem, automated.
This is the engine of the cat-and-mouse dynamic. A static injection is defeated by a static defense; an adaptive injection that reads the defense's response and refines is the threat that makes model-based defenses have a residual. The defender who measures only against static traffic is measuring against an adversary who no longer exists.
B10.3 — The offensive frontier & defense
Convergence, forecast, and the course's defense thesis as the response
The offensive frontier is converging
The components are commoditized; the architectures are published; the barrier to composition is falling. HPTSA code is on GitHub. VulnBot is public. CAI is open-source. An attacker need not invent the multi-step planning architecture — they retarget it.
Forecast: automated multi-step injection chains become the default attack against deployed agents. LLM-driven evasion of detection models (SDD-B09) becomes standard. The barrier drops from "research lab" to "script kiddie with a GitHub repo."
The defense thesis as the response
| Layer | Property | Surface |
| B0 scope gate + provider-auth | Legal/engineering control plane | Deterministic |
| B2 defense-in-depth | Composition bounds the residual | Architecture |
| SDD-B05 IronCurtain | The deterministic boundary | No evasion surface |
| SDD-B08 NeMo guardrails | External evaluation (stops DISABLE) | Model — residual: EVADE |
| SDD-B09 detection model | Catches bulk · residual measured | Model — decays under adaptation |
| Harness scope gate | The floor | Deterministic — adversary finds nothing to adapt against |
The adversary can plan, dispatch, rectify, and scale — and the final action is still gated by a rule the model cannot reach. The deterministic layers are what hold when every model-based residual is exploited.
The course closes here
The offensive frontier is automating: hierarchical planning, multi-agent collaboration, adaptive rectification, and scale are now the adversary's toolkit. The defense is deterministic boundaries, composed with model-based layers whose residuals are measured, enforced externally, and floored by a scope gate the adversary cannot disable.
B0 built the legal control plane. B2 built the defense-in-depth thesis. SDD-B03–B06 built the attack surface. SDD-B05 built the deterministic boundary. SDD-B08–B09 built the guardrail and detector layers. This deep-dive closed the offensive material. The architecture that holds is the one this course built.
Next: the Course 2B index. The deep-dives are complete. The reference deployments, the governance, and the measurement methodology are the deliverables you carry forward.