Threat Model of Agentic Systems
Module B1 · Course 2B — Securing & Attacking Harnesses and LLMs
60 minutes · B0 gave you the scope file. This module turns it into the surface map every subsequent module attacks.
An agentic system is not one target — it is seven distinct surfaces, each with its own trust boundary, canonical attack, and defense. The model is 1.6%; the harness is 98.4%.
Pillar 0 — Foundations
The inversion from B0
B0 defined what you are allowed to test (the scope file, the provider/deployer split). B1 defines what there is to attack.
B0 — the legal boundary
Scope file, provider_authorization check, deployer vs provider surfaces. Tells you the legal cover. Does NOT enumerate the attack surface.
B1 — the surface map
Seven surfaces, seven trust boundaries, seven canonical attacks. Turns the scope file into the map every subsequent module (B2–B12) tests within.
The 1.6% / 98.4% framing
The model is 1.6% of the system; the harness is 98.4%. Of the OWASP ASI Top 10, only ASI02 (leakage) and the refusal-bypass flavor of ASI01 are purely model-layer. The other eight are harness-layer.
A red-team that tests only the model (jailbreaks, prompt leakage) has covered 1.6%. A defender who hardens only the model's refusal training has defended 1.6%. The other 98.4% — loop, tools, memory, identity, sandbox, inter-agent edges — is where every serious agentic compromise lands.
B1.1 — The seven surfaces
Each surface: trust boundary · canonical attack · defense · destination module
The seven attack surfaces
1 · LOOP
reasoning cycle
ASI01 goal hijack
2 · TOOLS
contracts + output
ASI05 · ASI01
3 · MEMORY
long-term + context
ASI04 · ASI06
4 · PROVIDER
model API boundary
ASI02 (the 1.6%)
5 · IDENTITY
non-human creds
ASI03 · ASI10
6 · SANDBOX
execution isolation
ASI07 · ASI09
7 · INTER-AGENT EDGES — mesh comms + cascade · ASI06 · ASI08 · blast radius = mesh-wide
Six are harness-layer (98.4%). One (the provider) is model-layer (1.6%). Each gets its own module from B2 onward.
Surface 1 — The loop & Surface 2 — Tools
1 · The loop (ASI01). The reasoning cycle crosses a boundary every iteration between consuming untrusted context and selecting an action. Attack: goal hijacking — injected content rewrites the objective mid-loop. Multi-step variant: the attack spans tool calls, each benign. Defense: instruction isolation, untrusted tagging, session-level intent tracking → B2.
2 · Tools (ASI05/ASI01). Two boundaries: the tool contract (does it do only what its schema claims?) and the tool output (return values flow into the context). Attack: indirect injection via tool output — fetch_url returns an attacker page, untagged, the model obeys it. InjecAgent: ~50% of tasks vulnerable. Defense: least-privilege schemas, output tagging, MCP identity verification → B4.
Surface 3 — Memory & Surface 4 — Provider
3 · Memory (ASI04/ASI06). Long-term store + context window. Boundary: what gets written, and is retrieved content trusted? Attack: the sleeper — poison memory in session 1, activates in session 2. Context contamination accumulates across turns. Defense: harness-managed writes, signed entries, retrieval-time tagging, TTL decay → B3.
4 · The provider (ASI02). The model API is a third party: opaque, shared, updated without your control. Attack: prompt leakage — the model emits its system prompt (the agent's full tool map). Provider logs hold your context data. Defense: treat as untrusted boundary, DLP on outbound context, pin model version, self-host for high-sensitivity → B2 / B11.
Surface 5 — Identity & Surface 6 — Sandbox
5 · Identity (ASI03/ASI10). The agent runs under a non-human identity with real credentials. Boundary: what the task needs vs what the credential permits — the gap is excessive agency. Attack: a compromised summarization agent, holding a broad S3 role, exfiltrates the bucket. Agent creds are long-lived, no MFA. Defense: least privilege, ephemeral/task-scoped creds, per-tool isolation, JIT elevation → B5.
6 · Sandbox (ASI07/ASI09). The isolation primitive (container, VM, V8 isolate). Attack: escape — agent code reaches the host, reads creds/memory/prompt, pivots. Resource exhaustion — induced to run indefinitely (cost/DoS). Defense: hardened isolation, syscall allowlist, CPU/mem/time/budget limits, egress filtering, kill switch → B7.
Surface 7 — Inter-agent edges (highest blast radius)
7 · Inter-agent edges (ASI06/ASI08). Every message channel between agents in a mesh. Boundary: agent A's trust domain vs agent B's. Attack: inter-agent trust escalation — forge a supervisor message, the worker complies (no authentication). Cascading hallucination — one bad output propagates as fact across the mesh. Blast radius: mesh-wide.
Defense: HMAC-signed messages per edge, replay protection (nonces), per-agent identity isolation, output verification at every edge, cascade-depth limits → B6. ZeroClaw's (DD-16) HMAC receipts are the precursor — open gap: ephemeral keys, not yet durable.
B1.2 — The unified surface map
STRIDE-for-agents + OWASP ASI mapping + blast-radius scoring
STRIDE-for-agents (the seventh category)
| Surface | STRIDE category | Agent-specific note |
| The loop | Goal Subversion (NEW) | Hijacked objective; loop runs correctly toward the wrong goal — no STRIDE analogue |
| Tools | Tampering + Info Disclosure | Output tampering injects; tool abuse discloses |
| Memory | Tampering | Persisted state modified by an attacker |
| Provider | Information Disclosure | Prompt/context leaked to or via the provider |
| Identity | Spoofing + Elevation of Privilege | Stolen or over-scoped credentials |
| Sandbox | EoP + Denial of Service | Escape = EoP; exhaustion = DoS |
| Inter-agent edges | Spoofing + Goal Subversion | Forged sender; cascaded bad goal |
The seventh category (Goal Subversion) is the agent-specific addition: a perfectly authenticated, untampered, auditable agent can still do the wrong thing because its objective was hijacked.
Blast-radius prioritization
| Surface | Worst-case blast radius |
| Inter-agent edges | Mesh-wide — cascade propagates to all peers |
| Sandbox | Host-wide — escape reaches creds, memory, pivot |
| Identity | Credential-scope-wide |
| Provider | Cross-tenant (if shared) |
| Memory | Cross-session, cross-user |
| Tools | Tool-scope-wide |
| The loop | Session-wide (lowest, if halted) |
Prioritize containment-failure surfaces (sandbox, identity, inter-agent edges) over single-session compromise (the loop). A contained compromise is a finding; an uncontained one is an incident.
B1.3 — Offense meets defense
Where CrabTrap and IronCurtain sit on the map — and where each fails
CrabTrap (DD-19) vs IronCurtain (DD-20)
CrabTrap — probabilistic. LLM-as-judge egress filter on the tools surface. Fails when: the judge is a model (injection fools it), the response-side gap (inbound tool returns unfiltered), latency budget (check skipped when busy).
IronCurtain — deterministic. Compiled policies + credential quarantine + V8 sandbox. Fails when: compilation fidelity (poisoned compile → wrong rule enforced), V8 isolate escape, escalation fatigue (flood approvals).
Neither is sufficient alone. A defense on one surface does not protect the others. The thesis: defense in depth across all seven surfaces, each with its own module, control, and red-team test.
The load-bearing principle
If you cannot enumerate the surfaces, you cannot defend the system. A red-team that treats "the agent" as one target misses six of seven surfaces. A defender who hardens one and leaves the rest open has secured 1.6% and left 98.4% exposed. The seven-surface map is the structure every subsequent module attacks and defends within.
The lab builds this map as a JSON threat model — every surface, trust boundary, untrusted-content entry point, and blast-radius score — plus a classify_untrusted_content() function. That JSON is the input to every B2–B12 module's scope and testing.
Lab & what's next
Lab (07): build the agent surface map as a JSON threat model (seven surfaces, trust boundaries, entry points, blast radius) and implement classify_untrusted_content(). No GPU required; ~60–75 min.
Next — B2: Prompt Injection Defense Engineering. The loop and the tools surface (ASI01) get the full treatment: instruction isolation, untrusted tagging, session-level intent tracking, and the offensive tests that break each. B2 attacks CrabTrap directly.