{
  "module": "SDD-B10 — Academic Offensive Harnesses (Adapted for AI-Target Attacks)",
  "course": "2B — Securing & Attacking Harnesses and LLMs",
  "version": "1.0.0",
  "duration_minutes": 35,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is the 2A-to-2B inversion for the academic offensive harnesses (PentestGPT, HPTSA, VulnBot, APT-Agent, CAI)?",
      "options": [
        "In 2A they attack AI systems; in 2B they defend them.",
        "In 2A they were tools FOR security work (LLM-driven agents automating pentests against traditional targets, the LLM as defender's assistant). In 2B the lens inverts: the same harnesses are methodologies for ATTACKING AI systems (the LLM as attacker). The transfer is structural — the architectures are target-agnostic; swap the target and the machinery runs.",
        "In 2A they were theoretical; in 2B they are production-deployed.",
        "In 2A they were open-source; in 2B they are proprietary."
      ],
      "answer_index": 1,
      "rationale": "The inversion is the foundational framing. In 2A, the harnesses automate attacking networks/apps — the LLM is the defender's assistant. In 2B, the target becomes the AI system itself, and the same architectures (planning, decomposition, rectification, scale) are methodologies for attacking it. The transfer is structural, not analogical: the architectures solve a general problem (automated, multi-step, reasoning-heavy exploration of an attack surface) and the AI-system surface is one such surface."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Which paper is the blueprint for the zero-click injection chain, and what is its core architectural contribution?",
      "options": [
        "PentestGPT — the three-module reasoning loop.",
        "HPTSA (arXiv:2406.01637) — hierarchical planning and task-specific agents: a planner explores the target, decomposes the objective into sub-tasks, and dispatches each to a specialized sub-agent that performs the exploit.",
        "VulnBot — multi-agent collaboration.",
        "CAI — speed and scale."
      ],
      "answer_index": 1,
      "rationale": "HPTSA's planner-dispatches-to-specialized-sub-agents architecture is the blueprint for the zero-click chain. The chain is a multi-step attack where no single step suffices (poison retrieval, trigger retrieval, manipulate tool call, exfiltrate). The planner maintains the global strategy; the sub-agents are the per-step payload crafters. The hierarchy is what makes the chain navigable — a single agent holding the whole chain gets lost; the decomposition keeps each step focused. HPTSA proved the architecture works for web zero-days; retargeted, it automates the injection chain."
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is APT-Agent's rectification mechanism, and what is its AI-target transfer?",
      "options": [
        "It restarts the attack from scratch on failure; transfer: brute-force injection.",
        "It reasons about a failure mode and generates a corrected approach (not blind retry). AI-target transfer: adaptive injection refinement — an injection that fails (agent deflects, detector flags, gate blocks) is a signal; read the failure mode, craft a refined payload. This is the machinery behind the SDD-B09 cat-and-mouse dynamic.",
        "It increases the LLM's temperature on failure; transfer: more creative injections.",
        "It reports the failure to a human; transfer: human-in-the-loop attacks."
      ],
      "answer_index": 1,
      "rationale": "APT-Agent's rectification reads a failure and generates a corrected approach — the automated analogue of a human pentester reading an error and adjusting. Retargeted to AI targets: an injection that fails is a signal, and the attacker reads the defense's response (the agent deflected, the detector flagged it, the scope gate blocked the action) and crafts a refined payload. This is the engine of the SDD-B09 cat-and-mouse dynamic: the attacker probes the detector, maps its false-negative region, and refines the payload to sit there — the dual-injection problem, automated."
    },
    {
      "id": "Q04", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are defending a RAG agent with a retrieval store, a tool surface, and a NeMo guardrail layer. An adversary uses a VulnBot-style multi-agent framework against it. What is the attack pattern, and how does the collaboration surface compound vulnerabilities?",
      "options": [
        "A single agent attacks the retrieval store; no collaboration occurs.",
        "The framework assigns one agent per surface: one probes retrieval (indirect injection), one probes tools (function-call manipulation), one probes the guardrail (detector evasion), coordinating via shared state. The collaboration surfaces compound vulnerabilities: the retrieval-surface finding (untrusted content accepted) feeds the tool-surface attacker, who crafts an injection triggering a disallowed tool call; the guardrail agent feeds detector blind spots to the injection-crafter. The distributed framework finds the composition — the path no single-surface analysis reveals.",
        "The framework attacks only the primary model's refusal training.",
        "The framework is too slow to be effective against a multi-surface system."
      ],
      "answer_index": 1,
      "rationale": "VulnBot's collaborative framework maps to distributed multi-surface probing. A deployed agent system is multi-surface (primary, tools, retrieval, guardrail), and attacking it is a multi-surface problem. Assigning one agent per surface and coordinating via shared state surfaces compound vulnerabilities — findings from one surface feed attacks on another, revealing composition paths (e.g., retrieval poisoning enabling a tool-call exploit) that no single-surface analysis would find. The collaboration is the attack."
    },
    {
      "id": "Q05", "bloom": "application", "type": "multiple_choice",
      "prompt": "An adversary uses HPTSA-style hierarchical planning to construct a zero-click chain against your agent: plant an indirect injection in a retrieved doc, trigger retrieval, manipulate the tool call to exfiltrate /etc/shadow. Your defenses are a detection model (Layer 4) and the primary model's refusal training. No deterministic boundary or scope gate. What happens?",
      "options": [
        "The detection model catches the chain at Layer 4; the agent is safe.",
        "The chain likely succeeds. The detection model has an out-of-distribution residual (SDD-B09) the rectification-augmented planner can probe and evade; if the primary model complies (refusal is a model-based layer with a residual), the tool call executes the exfiltration. With NO deterministic boundary or scope gate, there is no floor — nothing blocks the disallowed action once the model-based layers are evaded. The architecture fails because it lacks the deterministic layer.",
        "The primary model's refusal training stops the chain with 100% reliability.",
        "The chain cannot be automated, so it is not a realistic threat."
      ],
      "answer_index": 1,
      "rationale": "Without a deterministic boundary or scope gate, the architecture has no floor. The detection model (Layer 4) has an out-of-distribution residual that an HPTSA-planner with APT-Agent rectification can probe and evade. The primary model's refusal is a model-based layer with its own residual. Once both are evaded, the disallowed tool call (exfiltration) executes with nothing to block it. The deterministic boundary (IronCurtain, SDD-B05) and the harness scope gate (B0) are the layers with no evasion surface — they are what bound the worst case when model-based layers fail. Their absence is the failure."
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your detection model (SDD-B09) reports 96% in-distribution detection. An adversary deploys APT-Agent-style rectification against it. What happens to the effective detection rate over time, and what is the control?",
      "options": [
        "The rate stays at 96% — rectification cannot affect a trained model.",
        "The effective rate DECAYS. The adversary probes the detector's decision boundary, observes which payloads are flagged, and crafts variants in the false-negative region (rectification). The detector's out-of-distribution, adversarially-adapted accuracy is lower than the benchmark and decays further as the adversary learns the surface. Control: re-measure the out-of-distribution bypass rate on a cadence (quarterly or after new public evasion techniques); retrain/re-prompt/swap/ensemble the detector when the rate exceeds tolerance. Compose with deterministic layers that do not decay.",
        "The rate increases because the adversary's probing trains the detector.",
        "Replace the detector with a regex filter, which does not decay."
      ],
      "answer_index": 1,
      "rationale": "APT-Agent-style rectification is the engine of the cat-and-mouse dynamic. The adversary probes the detector, maps its false-negative region, and refines payloads — the detector's effective accuracy decays under adaptive pressure. The benchmark (96% in-distribution) is the ceiling, not the floor. The control is cadenced re-measurement of the out-of-distribution rate and updating the detector when the rate exceeds tolerance, composed with deterministic layers (IronCurtain, scope gate) that have no evasion surface and do not decay. A static detector's real bypass rate months post-deployment is materially higher than at deployment."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "An adversary has CAI-style speed (156x faster than traditional). Your model-based defenses (detector, rails, refusal) require retraining cycles measured in months. What is the operational pressure, and which defense addresses it?",
      "options": [
        "No pressure — model-based defenses keep up with any attack speed.",
        "Speed asymmetry: the adversary probes your model-based defenses 156x faster than you can retrain/patch. A model-based defense with a residual that is found and exploited faster than it is closed has a SHRINKING half-life. The defense that addresses it is the DETERMINISTIC boundary (IronCurtain, SDD-B05) and the harness scope gate — they have NO evasion surface, so they do not decay under high-speed probing. They are the load-bearing defense against a high-speed adversary.",
        "Increase retraining frequency to weekly to match the adversary's speed.",
        "Disable the model-based defenses entirely and rely only on rate limiting."
      ],
      "answer_index": 1,
      "rationale": "CAI's speed creates an asymmetry: automated attackers probe faster than humans can retrain. A model-based defense (detector, rail, refusal) whose residual is found at 156x speed and closed at human-retraining speed has a shrinking half-life — the adversary exploits it before it is patched. The deterministic boundary and the scope gate are the defenses that do not decay, because they have no decision boundary to probe — there is nothing for the high-speed adversary to find. This is why deterministic layers are non-optional against a CAI-speed adversary; they are the only defense that holds regardless of attack speed."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "A team argues the integrated AI-target offensive harness does not exist as a single product, so they can defer investing in deterministic boundaries. How do you refute this?",
      "options": [
        "Agree — wait for the threat to mature before investing.",
        "The components are commoditized and the architectures are published; the barrier to COMPOSITION is falling, not the barrier to invention. HPTSA code is on GitHub, VulnBot is public, CAI is open-source. An attacker retargets, not invents. The threat is the convergence of open components, not a single product. Meanwhile, deterministic boundaries do not decay during the integration window — their value is HIGHEST now, because they are the only defense that holds against whatever composition emerges. Deferring means building model-based defenses with no deterministic floor beneath them.",
        "Refute by claiming the academic papers are flawed and the techniques do not work.",
        "Refute by deploying more model-based layers instead of deterministic ones."
      ],
      "answer_index": 1,
      "rationale": "The threat is not a single packaged product; it is the convergence of open components whose barrier to composition is falling. HPTSA, VulnBot, and CAI are open-source; an attacker retargets rather than invents. The deterministic boundary's value is highest during the integration window because it does not decay while the adversary's tooling integrates — it is the only defense that holds against whatever composition emerges. Deferring means building model-based defenses (with residuals) and no deterministic floor, leaving the architecture exposed when the composition arrives."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are scoping a red-team engagement against a deployed agent. The client wants you to demonstrate the zero-click chain threat using HPTSA-style planning. Which course modules' techniques do you compose into the chain, and in what order?",
      "options": [
        "B0 legal scope only; no attack techniques needed.",
        "Compose: (1) SDD-B03 InjecAgent — plant an indirect injection in a retrieved document (retrieval poisoning). (2) Trigger retrieval via a benign-seeming query. (3) SDD-B04 CrabTrap — the retrieved payload manipulates the agent into a disallowed tool call (function-call manipulation). (4) The tool call executes the exfiltration. The HPTSA planner orchestrates: it decomposes the objective, dispatches each step to a specialized payload crafter, and refines on failure (APT-Agent rectification). The harness scope gate (B0/SDD-B05) is what the red-team demonstrates stopping the final action.",
        "Only SDD-B06 RedAgent; no composition needed.",
        "Only the detection model from SDD-B09; the chain is a single step."
      ],
      "answer_index": 1,
      "rationale": "The zero-click chain composes techniques from across the course: SDD-B03 (indirect injection / retrieval poisoning) for step 1, SDD-B04 (function-call manipulation) for step 3, with the HPTSA planner orchestrating and APT-Agent rectification refining on failure. The chain is multi-step and conditioned — each step's success depends on the prior. The red-team demonstrates both the chain (the threat) and the deterministic scope gate (B0/SDD-B05) that blocks the final disallowed action even when the chain succeeds against model-based layers. This is the course's thesis in a single engagement."
    },
    {
      "id": "Q10", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is the 2A-to-2B technique transfer structural rather than analogical, and what is the practical consequence for threat assessment?",
      "options": [
        "It is analogical — the techniques are metaphors that may or may not apply.",
        "It is structural because the academic harnesses solve a general problem (automated, multi-step, reasoning-heavy exploration of an attack surface) and the architecture is target-agnostic. The same code, retargeted, attacks the AI surface. Practical consequence: AI-target defenses must be assessed against the academic offensive state of the art (HPTSA, VulnBot, APT-Agent, CAI), not against a hypothetical static adversary. The adversary's toolkit is the published, open-source offensive literature, retargeted.",
        "It is structural only for web targets, not AI targets.",
        "The distinction does not matter for practical defense."
      ],
      "answer_index": 1,
      "rationale": "The transfer is structural because the architectures (planning, decomposition, specialization, rectification, scale) are general solutions to a target-agnostic problem. The AI-system attack surface is one instance of 'an attack surface to explore.' The same code, with the target swapped, runs. The practical consequence is decisive: the adversary's toolkit is the published offensive literature, retargeted. A defender who assesses AI-target defenses against a static, naive adversary is assessing against a threat that does not exist — the real adversary has HPTSA planning, VulnBot collaboration, APT-Agent rectification, and CAI speed."
    },
    {
      "id": "Q11", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does the harness scope gate remain the decisive defense even when the adversary has HPTSA hierarchy, VulnBot collaboration, APT-Agent rectification, and CAI scale?",
      "options": [
        "Because the scope gate is the fastest layer and outpaces the adversary.",
        "Because the scope gate is DETERMINISTIC — it enforces a rule via code/logic, not model classification. There is no decision boundary to probe, no surface to evade, and no adaptation the rectification machinery can perform (it finds nothing to refine against). The adversary can plan, coordinate, rectify, and scale — and the final disallowed action is still blocked by a rule the model cannot reach. Every model-based layer has a residual; the scope gate is the floor beneath all of them.",
        "Because the scope gate uses the same LLM as the adversary, so it understands the attacks.",
        "Because the scope gate is kept secret from the adversary."
      ],
      "answer_index": 1,
      "rationale": "The scope gate is decisive because it is deterministic — a rule enforced via code/logic with no model classification and therefore no decision boundary. The adversary's adaptive machinery (APT-Agent rectification) finds nothing to adapt against, because there is no surface to probe. The adversary's full toolkit — planning, collaboration, rectification, scale — meets a rule with no evasion surface. Every model-based layer (detector, rails, refusal) has a residual the adversary can exploit; the scope gate is the floor beneath all of them, the layer that makes the architecture hold."
    },
    {
      "id": "Q12", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Analyze the forecast: what are the two specific attack types the offensive frontier produces, and why do they make deterministic boundaries non-optional?",
      "options": [
        "(1) Phishing emails and (2) password spraying — neither is AI-specific.",
        "(1) AUTOMATED MULTI-STEP INJECTION CHAINS — HPTSA for planning, InjecAgent techniques for injection steps, APT-Agent rectification for adaptation, CAI speed for volume; an attacker that plans a zero-click chain, dispatches steps, refines on failure, runs at scale. (2) LLM-DRIVEN EVASION OF DETECTION MODELS (SDD-B09) — rectification applied to the detector surface is the automated evasion engine; the dual-injection problem becomes a solvable optimization. Both exploit model-based layers' residuals; deterministic boundaries (IronCurtain, scope gate) have no evasion surface and are the only defense that holds against both.",
        "(1) SQL injection and (2) XSS — traditional web attacks, no AI relevance.",
        "(1) Model weight theft and (2) training data poisoning — neither involves multi-step planning."
      ],
      "answer_index": 1,
      "rationale": "The two forecast attack types are automated multi-step injection chains and LLM-driven detection-model evasion. The first composes HPTSA planning with InjecAgent techniques and APT-Agent rectification at CAI speed — an automated zero-click chain attacker. The second applies rectification to the detector surface, automating the SDD-B09 cat-and-mouse dynamic. Both exploit model-based layers' residuals (detector, rails, refusal have evasion surfaces). Deterministic boundaries (IronCurtain, scope gate) are non-optional because they have no evasion surface — they are the only layers that hold against both attack types, bounding the worst case when every model-based residual is exploited."
    },
    {
      "id": "Q13", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Map the course's defense layers to their properties against the automated offensive frontier. Which layers hold (no residual), and which have residuals the adversary exploits?",
      "options": [
        "All layers hold equally — defense-in-depth means all are strong.",
        "HOLD (no residual, deterministic, no evasion surface): B0 scope gate + provider-auth; SDD-B05 IronCurtain (deterministic boundary); harness scope gate (the floor). HAVE RESIDUALS (model-based, evadable): SDD-B08 NeMo guardrails (external evaluation stops DISABLE, but EVADE is a residual); SDD-B09 detection model (catches bulk, OOD accuracy decays under adaptive pressure); primary model refusal (a model-based layer with an evasion surface). The architecture holds because deterministic layers bound the worst case and floor the composition of model-based residuals.",
        "Only the detection model holds; all others have residuals.",
        "Only the primary model refusal holds; deterministic layers are irrelevant."
      ],
      "answer_index": 1,
      "rationale": "The deterministic layers (B0 scope gate, IronCurtain, harness scope gate) hold — they have no evasion surface, so the adversary's adaptive machinery finds nothing to exploit. The model-based layers (NeMo guardrails, detection model, primary refusal) have residuals: guardrails stop DISABLE but not EVADE; the detector's OOD accuracy decays under rectification; refusal is a model-based layer with an evasion surface. The architecture holds because the deterministic layers bound the worst case (the disallowed action is blocked regardless of model-based evasion) and floor the composition — the product of model-layer residuals is bounded beneath by a rule the adversary cannot reach."
    },
    {
      "id": "Q14", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Design the defense architecture for a deployed agent facing an adversary with HPTSA hierarchy, VulnBot multi-agent probing, APT-Agent rectification, and CAI speed. Specify each layer and why it holds or has a residual.",
      "options": [
        "Detection model only — it is sufficient against all attacks.",
        "B0 scope file + provider-auth gate (deterministic — adversary's planning cannot talk it out of a rule). B2 defense-in-depth composition (architecture — bounds the residual). SDD-B05 IronCurtain deterministic boundary (NO evasion surface — adaptive machinery finds nothing; the load-bearing layer). SDD-B08 NeMo guardrails, externally evaluated (model-based — stops DISABLE, residual: EVADE, bounded by IronCurtain behind it). SDD-B09 detection model as Layer 4 (model-based — catches bulk, OOD residual measured and re-measured on cadence, decays under rectification but composed with deterministic layers). Harness scope gate (deterministic — the FLOOR; even when the chain succeeds at every model-based layer, the disallowed action is blocked). The deterministic layers hold; the model-based layers have residuals bounded by them.",
        "Primary model refusal only — the model's safety training is the sole defense.",
        "Rate limiting only — slow the adversary down to human speed."
      ],
      "answer_index": 1,
      "rationale": "The architecture composes deterministic layers (B0 scope gate, IronCurtain, harness scope gate — no evasion surface, hold against the full adversary toolkit) with model-based layers (NeMo guardrails, detection model, primary refusal — each with a residual the adversary exploits). The deterministic layers bound the worst case and floor the composition: the adversary can plan (HPTSA), coordinate (VulnBot), rectify (APT-Agent), and scale (CAI), exploiting every model-based residual, and the final disallowed action is still blocked by the scope gate. IronCurtain is the load-bearing layer — the deterministic boundary with no evasion surface that the adaptive machinery cannot touch. This is the course's thesis realized as a deployment architecture."
    },
    {
      "id": "Q15", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Synthesize the course's closing thesis from SDD-B10. What is the architecture that holds against the converging offensive frontier, and what are the deliverables carried forward?",
      "options": [
        "The architecture is a single detection model; the deliverable is its model card.",
        "The architecture is DETERMINISTIC BOUNDARIES COMPOSED WITH MODEL-BASED LAYERS WHOSE RESIDUALS ARE MEASURED, ENFORCED EXTERNALLY, AND FLOORED BY A SCOPE GATE THE ADVERSARY CANNOT DISABLE. Deliverables: B0 scope file + provider-auth check (legal control plane); B2 defense-in-depth composition; SDD-B05 IronCurtain (deterministic boundary); SDD-B08 NeMo guardrail configuration (external evaluation); SDD-B09 detection-model measurement methodology (five steps, cadenced re-measurement); and the SDD-B10 forecast that deterministic layers are non-optional against the converging offensive frontier (hierarchy, collaboration, rectification, scale).",
        "The architecture is the primary model's refusal training; the deliverable is the model version.",
        "The architecture is rate limiting and logging; the deliverable is the log format."
      ],
      "answer_index": 1,
      "rationale": "The course's closing thesis: the offensive frontier is automating (HPTSA hierarchy, VulnBot collaboration, APT-Agent rectification, CAI scale), and the defense is deterministic boundaries composed with model-based layers whose residuals are measured, enforced externally, and floored by a scope gate the adversary cannot disable. The deliverables carried forward are the concrete artifacts from each module: the scope file and provider-auth check (B0), the defense-in-depth composition (B2), IronCurtain (SDD-B05), the NeMo guardrail configuration (SDD-B08), the detection-model measurement methodology (SDD-B09), and the forecast that deterministic layers are non-optional (SDD-B10). This is the architecture that holds, and it is the course's deliverable to the practitioner."
    }
  ]
}
