{
  "module": "S04 — CTF Harness Engineering",
  "course": "2A — Building AI Harnesses for Cybersecurity",
  "version": "1.0.0",
  "duration_minutes": 35,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    { "id": "Q01", "bloom": "recall", "type": "multiple_choice", "prompt": "Name the six CTF domains.", "options": ["Scan, exploit, report, archive, bill, close", "Web, Pwn, Crypto, Forensics, Reversing, Misc", "OSINT, network, application, physical, social, wireless", "Recon, webapp, evidence, report, triage, scope"], "answer_index": 1, "rationale": "The six canonical CTF domains are Web, Pwn, Crypto, Forensics, Reversing, Misc. Each has distinct reasoning patterns, tool stacks, and context budgets." },
    { "id": "Q02", "bloom": "recall", "type": "multiple_choice", "prompt": "In the meta-agent-plus-specialists pattern, what is the meta-agent's ONLY job?", "options": ["Solve the challenge", "Route the challenge to the correct specialized agent (it does not solve)", "Run exploit tools", "Submit flags to the scoreboard"], "answer_index": 1, "rationale": "The meta-agent's only job is routing — it reads the description and artifacts, emits a domain label, and dispatches to a specialist. Specialists solve; the router routes." },
    { "id": "Q03", "bloom": "recall", "type": "multiple_choice", "prompt": "Name the three CTFd submission response states.", "options": ["pass, fail, error", "correct, incorrect, already_solved", "accepted, rejected, duplicate", "won, lost, pending"], "answer_index": 1, "rationale": "CTFd returns correct (mark solved, kill parallel, free slot), incorrect (log, continue), or already_solved (treat as correct, do not re-submit)." },
    { "id": "Q04", "bloom": "application", "type": "multiple_choice", "prompt": "A Pwn challenge arrives described as 'analyze this binary.' Text-only routing would misroute it to Reversing. What corrects the route?", "options": ["Running it through a stronger LLM", "File-type signal — ELF binary with checksec showing NX disabled and a win symbol indicates Pwn", "Asking the operator", "Trying both agents sequentially"], "answer_index": 1, "rationale": "The router uses BOTH text and file-type signals. An ELF with NX disabled and a win symbol is Pwn regardless of description wording. File-type corrects the textual ambiguity." },
    { "id": "Q05", "bloom": "application", "type": "multiple_choice", "prompt": "Your team is competing in a CTF running on a competition-provided sandboxed VM that the organizers own. Should HITL approval gates be on or off?", "options": ["On — always be cautious", "Off — target is sandboxed by the organizer, isolated, and worst-case action is bounded (VM restart). All three safe-removal criteria hold", "On for tool calls, off for flag submission", "Off for everything including credential reuse against other services"], "answer_index": 1, "rationale": "All three criteria hold: owned/sandboxed, isolated at network layer, worst-case is bounded. Gates add latency without safety. Note: credential-reuse gate stays even here — that answer would have been wrong for a different reason." },
    { "id": "Q06", "bloom": "application", "type": "multiple_choice", "prompt": "The meta-agent routes a challenge with low confidence. What happens next?", "options": ["It guesses anyway and hopes for the best", "The challenge goes to a TriageAgent that runs cheap probes (file, checksec, strings frequency, HTTP code) and re-routes with the added signal", "The operator is asked to manually route", "The challenge is skipped"], "answer_index": 1, "rationale": "Two-stage routing: when the meta-agent is uncertain, the TriageAgent runs cheap probes to gather disambiguating signal, then re-routes. The router is allowed to be uncertain; the agents are not." },
    { "id": "Q07", "bloom": "application", "type": "multiple_choice", "prompt": "The flag extractor finds the string 'flag{example}' in the challenge description text. What should happen?", "options": ["Submit it immediately to CTFd", "Drop it — the verifier should reject decoy/example text before submission. Auto-submitting burns attempts and trips rate limits", "Log it and submit at the end", "Submit it three times to be sure"], "answer_index": 1, "rationale": "Challenge descriptions, examples, and decoy output contain flag-shaped strings. The verifier confirms plausibility before submission. Submitting decoys burns attempts and trips rate limits." },
    { "id": "Q08", "bloom": "application", "type": "multiple_choice", "prompt": "Your CTFd submission client receives 'already_solved' for a challenge. What is the correct response?", "options": ["Re-submit to confirm", "Treat as correct — a parallel session or teammate got there first. Do NOT re-submit (burns attempts, trips rate limits). Mark solved, free the slot", "Log and try a different flag", "Kill the session and start over"], "answer_index": 1, "rationale": "already_solved means another session or teammate already solved it. Treat as correct; do not re-submit. Mark solved, kill parallel attempts, free the slot for the next challenge." },
    { "id": "Q09", "bloom": "application", "type": "multiple_choice", "prompt": "You are running 5 challenges concurrently. Two PwnAgents are pursuing the same challenge with different hypotheses. Should they share memory?", "options": ["Yes — sharing avoids duplicate work", "No — shared memory reintroduces the context pollution that domain routing was designed to eliminate. Sessions stay isolated; first flag wins, loser killed", "Yes — for performance", "Only the flag cache, nothing else"], "answer_index": 1, "rationale": "Shared memory across parallel attempts is forbidden. It reintroduces context pollution and lets two agents overwrite each other's intermediate state. Isolated sessions, isolated tool state, isolated flag sinks." },
    { "id": "Q10", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is loading all six domains' tools into a single CTF agent's manifest an anti-pattern?", "options": ["It costs too many tokens per call only", "Three compounding reasons: context pollution (Web doesn't need ROPgadget), reasoning drift (Pwn mode is opposite of Web mode), and token waste (six domains of schemas paid every turn)", "It is fine if the model is strong enough", "It only matters for small models"], "answer_index": 1, "rationale": "All three failures compound: context pollution dilutes tool selection, reasoning drift means the model is good at nothing, and token waste pays six domains of overhead every turn. Cure: meta-agent plus specialists with narrow per-domain manifests." },
    { "id": "Q11", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is the credential-reuse gate the one approval gate that stays even in fully autonomous CTF mode?", "options": ["For legal compliance", "Credential reuse against other services is the one unbounded-risk action in a CTF context — the service itself is fair game, but discovered creds tried against the competition's login endpoint is the CTF equivalent of a scope violation", "To slow the agent down", "Because creds are usually wrong"], "answer_index": 1, "rationale": "All other actions against the CTF target are bounded (target is owned/sandboxed, worst case is restart). Credential reuse against other services is the one action with unbounded blast radius — it leaves the CTF perimeter." },
    { "id": "Q12", "bloom": "analysis", "type": "multiple_choice", "prompt": "A Pwn agent skips checksec and starts building a ROP chain against an unknown binary. What is the likely failure mode?", "options": ["None — ROP is always the right approach", "The binary may have stack canaries or NX enabled, making the ROP approach wrong and wasting the engagement. checksec must run first to constrain the approach", "The agent will run out of tokens", "The submission client will reject the flag"], "answer_index": 1, "rationale": "Skipping checksec is the most common Pwn failure mode. Protections (NX, canaries, PIE, RELRO) dictate the entire exploit strategy. The cure is an ordered checklist in the prompt with checksec as the mandatory first step." },
    { "id": "Q13", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is flag detection implemented as middleware on every tool output rather than a step the agent calls explicitly?", "options": ["It's faster", "The agent would forget to call it. As middleware, every tool output is scanned automatically — the agent runs tools, the middleware notices flag patterns. Same pattern as S02.3 evidence logging", "To save tokens", "The agent cannot read its own output"], "answer_index": 1, "rationale": "Flag detection must be automatic and universal — if the agent has to remember to call it, it won't, on the critical turn. As middleware, every tool output is scanned. This mirrors S02.3's evidence logger pattern: automatic, not optional." },
    { "id": "Q14", "bloom": "analysis", "type": "multiple_choice", "prompt": "Your router accuracy is 60% on first dispatch (correct domain on first try). What is the operational consequence and the fix?", "options": ["Fine — 60% is acceptable", "40% of challenges go to the wrong specialist first, wasting time and context. Fix: add the TriageAgent two-stage path so uncertain routes run cheap probes before committing to a specialist", "Submit more flags to compensate", "Increase concurrency to 10"], "answer_index": 1, "rationale": "Low router accuracy wastes engagement time on the wrong specialist. The fix is the TriageAgent: when the meta-agent is uncertain, run cheap probes (file, checksec, strings, HTTP code) before committing. Two-stage routing recovers the misroutes." },
    { "id": "Q15", "bloom": "analysis", "type": "multiple_choice", "prompt": "Compare CTF harness optimization to pentest harness optimization (S02/S03). Why do they invert different constraints?", "options": ["They don't — both optimize the same way", "Pentest optimizes for thoroughness (coverage, evidence, client-ready reports) on owned-or-authorized real targets. CTF optimizes for speed to flag on owned/sandboxed/isolated targets. Different target ownership + different success metric = different safe inversions", "CTF is just faster pentest", "Pentest is CTF with reporting added"], "answer_index": 1, "rationale": "The inversion comes from two differences: target ownership (CTF targets are owned/sandboxed; pentest targets are authorized but not owned) and success metric (CTF = flags/hour; pentest = coverage + evidence). Together these determine which constraints can be safely inverted and which cannot." }
  ]
}
