# Teaching Script — Module B1: Threat Model of Agentic Systems

**Course**: Course 2B — Securing & Attacking Harnesses and LLMs
**Module**: B1 — Threat Model of Agentic Systems
**Duration**: ~35 minutes (spoken at ~140 wpm)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

Welcome to Module B1. B0 gave you the legal control plane — the scope file, the provider-versus-deployer split, the authorization chain. That told you what you are allowed to test. This module tells you what there is to attack. An agentic system is not one target. It is seven distinct surfaces, each with its own trust boundary, its own canonical attack, and its own defense. By the end of this hour you will be able to enumerate all seven, and you will understand why the framing that runs through this course is: the model is one point six percent of the system; the harness is ninety-eight point four percent.

[SLIDE 2 — The inversion from B0]

If you came from B0, you have a scope file separating deployer-controlled surfaces from provider-controlled surfaces, and a provider-authorization-check gate. That is the legal boundary. It is necessary, but it is not sufficient, because it does not enumerate the attack surface. A scope file tells you you are allowed to test the agent. It does not tell you that the agent has a reasoning loop, a tool surface, a memory store, a provider boundary, an identity, a sandbox, and inter-agent edges — each of which is a distinct attack target. This module turns the scope file into a map.

[SLIDE 3 — The 1.6% / 98.4% framing]

Here is the framing that recurs. The model is one point six percent of the system. The harness is ninety-eight point four percent. Look at the OWASP Agentic AI Top Ten — ASI01 through ASI10. Only ASI02, prompt leakage, and the refusal-bypass flavor of ASI01 are purely model-layer. The other eight risks are harness-layer. A red-team that tests only the model — jailbreaks, prompt leakage — has covered one point six percent of the system. A defender who hardens only the model's refusal training has defended one point six percent. The other ninety-eight point four percent is where every serious agentic compromise actually lands. That is the harness, and that is what this course attacks.

[SLIDE 4 — B1.1 The seven surfaces]

Sub-section one. The seven surfaces and their trust boundaries. Loop, tools, memory, provider, identity, sandbox, inter-agent edges. For each: what it is, where untrusted content enters, the canonical attack, the defense, and the module that covers it in depth.

[SLIDE 5 — The seven attack surfaces]

Here are the seven. Surface one, the loop — the reasoning cycle itself. Surface two, tools — the contracts and the output. Surface three, memory — long-term and context-window. Surface four, the provider — the model API boundary, the one point six percent. Surface five, identity — non-human credentials. Surface six, the sandbox — execution isolation. Surface seven, inter-agent edges — mesh communication and cascade. Six of these are harness-layer. One, the provider, is model-layer. Each gets its own module from B2 onward. Memorize the seven; everything else in this course is variation on them.

[SLIDE 6 — Surface 1 the loop & Surface 2 tools]

Surface one, the loop. The agent's core control loop: observe, reason, decide an action, execute, observe the result, repeat. The trust boundary is crossed on every iteration, between consuming untrusted context and selecting an action. The canonical attack is goal hijacking — ASI01. Injected content in the context rewrites the objective mid-loop. The user asked to summarize a document; an instruction in the document redirects the loop to email the SSH key. The loop does not crash. It runs correctly toward the wrong goal. The more dangerous variant is multi-step injection: the attack spans multiple tool calls, each individually benign. Step one reads a file, step two reads another, step three combines and exfiltrates. No single turn looks malicious. This is the Microsoft failure-mode taxonomy's zero-click bypass chain finding — per-step approvals are insufficient. The defense is instruction isolation, untrusted-content tagging, and session-level intent tracking that compares the agent's current goal against the user's original goal and halts on divergence. Module B2 implements this.

Surface two, tools. The tool surface is every function the agent can call, its schema, and the dispatch layer. Two trust boundaries here. First, the tool contract: does the tool do what its schema claims, and only that? A tool documented as read-weather that also accepts an exec parameter is an excessive-agency bug. Second, the tool output boundary: return values flow back into the context window and the model consumes them as content. If the tool fetches attacker-controlled data — a web page, an email, an API response — the return value is an injection vector. This is indirect prompt injection, and per Course 1 Module 11 it is the most common and most dangerous vector. The InjecAgent benchmark measured that about fifty percent of agentic tasks are vulnerable to indirect injection via tool outputs. Not a theoretical risk. The defense is least-privilege schemas, output sanitization and untrusted-tagging on every tool return, path and host allowlists, and MCP server identity verification. Module B4 covers this.

[SLIDE 7 — Surface 3 memory & Surface 4 provider]

Surface three, memory. Two stores: long-term memory that persists across sessions, and context-window memory, the live token budget of the current turn. Both are state, and state is an attack target. The trust boundary is between the user's session and the persistent store. The canonical attack is memory poisoning — ASI04. In session one, the attacker injects a payload the agent persists to memory: a note that the user has authorized transferring funds. In session two, a different, legitimate user asks the agent to handle finances. The agent retrieves the poisoned memory, treats it as a fact about the world, and acts on it. This is the sleeper attack. The injection survives the session boundary because memory persists. The delay between write and activation defeats per-session detection. The defense is harness-managed memory writes — the agent proposes, the harness decides what to persist, never let the model write raw memory — plus signed entries with provenance, retrieval-time untrusted-tagging, and TTL decay so poisoned entries do not live forever. Module B3 implements this.

Surface four, the provider. The model API — OpenAI, Anthropic, a self-hosted deployment. The provider is a trust boundary because the model is a third party: opaque, shared, updated without your control, its outputs consumed as authoritative by the loop. The boundary is between the deployer's harness and the provider's model. The canonical attack is prompt leakage — ASI02. The model is induced to emit its system prompt, which often contains the full tool list and guardrail instructions. Leaking it hands the attacker the map. The provider also logs every prompt. If the agent sends customer data or credentials in its context, that data is in a third-party log store the deployer does not control. The defense is to treat the provider as an untrusted boundary: minimize what is sent, use a data-loss-prevention layer on outbound context, pin the model version — silent provider updates change the attack surface — and for high-sensitivity workloads, self-host.

[SLIDE 8 — Surface 5 identity & Surface 6 sandbox]

Surface five, identity. The agent runs under a non-human identity — a service account, a workload identity, an API key — and that identity has real credentials granting access to real systems. The trust boundary is between what the task needs and what the credential permits. The gap is excessive agency — ASI03. An agent that needs to read one table should not hold a database credential that can read every table and drop schemas. The canonical attack: a compromised agent, holding an over-privileged credential, uses it to do things the task never required. A compromised summarization agent, holding a broad S3 role, exfiltrates the bucket. Agent credentials are often long-lived, embedded in config, rotated rarely, and have no MFA. The defense is least privilege — scope every credential to the minimum, use ephemeral task-scoped credentials, per-tool credential isolation, and just-in-time elevation with human approval for high-impact actions. Module B5 implements this. IronCurtain's credential quarantine is the reference architecture.

Surface six, the sandbox. The execution environment for any tool that runs code — the code-interpreter sandbox, the shell sandbox, the browser-use environment. The trust boundary is the isolation primitive itself: the container, the VM, the V8 isolate, the seccomp filter. If the boundary holds, a malicious code-execution tool is contained. If it fails, the agent escapes onto the host. The canonical attack is sandbox escape — ASI07. Agent-executed code exploits a sandbox vulnerability and reaches the host, where it can read credentials, memory, the system prompt, and pivot. The variant is resource exhaustion — ASI09 — the agent induced to run indefinitely, a denial of service on the agent's own infrastructure or a cost-exhaustion attack against the API budget. The defense is defense in depth: a hardened isolation primitive, a syscall allowlist, CPU, memory, time, and budget limits, network egress filtering, and a kill switch. Module B7 implements this. NemoClaw's OpenShell is the sandbox under test.

[SLIDE 9 — Surface 7 inter-agent edges]

Surface seven, inter-agent edges. When the system is a mesh of agents — a planner delegating to executors, a supervisor reviewing sub-agents, peers exchanging messages — each communication channel is a surface. The trust boundary is between agent A's trust domain and agent B's. The canonical attack is inter-agent trust escalation. An attacker forges a message from a high-privilege agent to a low-privilege one to escalate privileges or redirect work. Because messages are unauthenticated, the recipient cannot verify the sender. The second attack is cascading hallucination — ASI06. One agent produces a hallucinated or poisoned result; downstream agents consume it as fact and act on it. The cascade amplifies: one bad output becomes ten decisions across five agents. The blast radius here is mesh-wide — the worst case on the surface map. The defense is signed, authenticated inter-agent messages — HMAC per edge — replay protection with nonces and timestamps, per-agent identity isolation, output verification at every edge, and cascade-depth limits. Module B6 implements this. ZeroClaw's HMAC tool receipts are the precursor, though Course 1 flags its keys as ephemeral and not yet durable — an open gap this course must close.

[SLIDE 10 — B1.2 The unified surface map]

Sub-section two. The unified surface map. STRIDE-for-agents, the OWASP ASI mapping, and blast-radius scoring.

[SLIDE 11 — STRIDE-for-agents]

Microsoft's STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — was built for client-server systems. Agents stretch it, but the categories still map. The adaptation: add a seventh, agent-specific category — Goal Subversion. Because an agent can be perfectly authenticated, untampered, and auditable, and still do the wrong thing because its objective was hijacked. Goal subversion has no STRIDE analogue. The loop maps to Goal Subversion. Tools map to Tampering and Information Disclosure. Memory to Tampering. The provider to Information Disclosure. Identity to Spoofing and Elevation of Privilege. The sandbox to Elevation of Privilege and Denial of Service. Inter-agent edges to Spoofing and Goal Subversion. The value is not academic. STRIDE gives a defender a checklist: for each surface, ask the six-plus-one questions. If the answer is we did not consider it, that is a finding.

[SLIDE 12 — Blast-radius prioritization]

Not all surfaces are equal. Score each surface's worst case to prioritize remediation. Inter-agent edges — mesh-wide, cascade propagates to all peers. Sandbox — host-wide, escape reaches credentials, memory, pivot. Identity — credential-scope-wide. Provider — cross-tenant if shared. Memory — cross-session, cross-user. Tools — tool-scope-wide. The loop — session-wide, lowest, if halted. The principle: prioritize the surfaces whose worst case is containment failure — sandbox, identity, inter-agent edges — over those whose worst case is single-session compromise. A contained compromise is a finding. An uncontained one is an incident.

[SLIDE 13 — B1.3 Offense meets defense]

Sub-section three. Offense meets defense. Where CrabTrap and IronCurtain sit on this map, and where each fails under offensive pressure.

[SLIDE 14 — CrabTrap vs IronCurtain]

CrabTrap is Course 1's LLM-as-judge egress governance layer. It is probabilistic defense. It sits on the tools surface as an output filter. Where it fails: the judge is a model — the same indirect-injection techniques that hijack the agent can fool the judge. The response-side gap — inbound tool returns historically entered the context unfiltered. And the latency budget — under load, the check gets skipped or runs on a weaker model. IronCurtain is Course 1's deterministic-enforcement layer. Compiled policies, credential quarantine, a V8 sandbox. It is deterministic defense. Where it fails: compilation fidelity — if an attacker influences the policy text or the build-time LLM's context, the compiled rule may not match the intended rule, and the deterministic enforcer faithfully enforces the wrong thing. V8 isolate escape — a direct sandbox-escape path. And escalation fatigue — flood the human approval queue until a malicious request slips through. Here is the synthesis. CrabTrap is probabilistic. IronCurtain is deterministic. Neither is sufficient alone. The seven-surface map shows why: a defense on one surface does not protect the others. CrabTrap on the tools surface does not stop a sandbox escape. IronCurtain on the identity surface does not stop an indirect injection via tool output if the inbound response is not filtered. The course's thesis, developed across B2 through B12, is defense in depth across all seven surfaces, with each surface getting its own module, its own controls, and its own red-team tests.

[SLIDE 15 — The load-bearing principle]

The load-bearing principle, restated. If you cannot enumerate the surfaces, you cannot defend the system. A red-team that treats the agent as one target misses six of seven surfaces. A defender who hardens one and leaves the rest open has secured one point six percent and left ninety-eight point four percent exposed. The seven-surface map is the structure every subsequent module attacks and defends within. The lab builds this map as a JSON threat model — every surface, trust boundary, untrusted-content entry point, and blast-radius score — plus a classify-untrusted-content function that the harness uses to tag content crossing any boundary. That JSON is the input to every B2 through B12 module's scope and testing.

[SLIDE 16 — Lab and what's next]

The lab has you build the agent surface map as a JSON threat model — the seven surfaces, the trust boundaries, the untrusted-content entry points, and a blast-radius score per surface — and implement a classify-untrusted-content function. No GPU required, about sixty to seventy-five minutes. Next: B2, Prompt Injection Defense Engineering. The loop and the tools surface — ASI01 — get the full treatment: instruction isolation, untrusted tagging, session-level intent tracking, and the offensive tests that break each. B2 attacks CrabTrap directly. Let's build the map.
