# Teaching Script — Module B12: Harness Security Assessments as a Service

**Course**: Course 2B — Securing & Attacking Harnesses and LLMs
**Module**: B12 — Harness Security Assessments as a Service
**Duration**: ~35 minutes (spoken at ~140 wpm)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

Welcome to the capstone methodology module. B twelve. Harness Security Assessments as a Service. This is the module where everything from B zero through B eleven stops being a collection of techniques and becomes a profession. The legal control plane, the threat model, the defenses, the checklist, the chains, the governance layer — none of that is a service until you can scope it, price it, deliver it, and retest it. This module turns the techniques into that engagement. And the buyer matters. From the course spec: the buyer is the CISO or the AI security lead. They will measure you on the artifact you hand them, not on the techniques you ran.

[SLIDE 2 — From techniques to a service]

Every prior module gave you a technique, a control, or a framework. None of them gave you an engagement. Look at the table. B zero's legal control plane becomes the statement of work. B one's threat model becomes the reconnaissance phase. B two through B eight's defenses become the controls the report assesses. B nine's OWASP checklist becomes the discovery-phase backbone and the findings table. B ten's Microsoft taxonomy becomes the chain track that finds what the checklist misses. B eleven's governance layer becomes the framework the report maps to. B twelve introduces no new technique. It introduces the operational layer that makes B zero through B eleven a profession.

[SLIDE 3 — The six-phase methodology]

The methodology adapts the pentest standards — PTES and NIST Special Publication 800-115 — to the agentic surface. Six phases. Scoping. Reconnaissance. Discovery. Exploitation and validation. Reporting. Retesting. And here is the load-bearing point: only two of those six phases are the testing that B nine and B ten supply. Discovery and validation. Scoping is where the legal plane gets written into the contract. Reporting is where the output becomes a deliverable a board can read. Retesting is where the residual risk gets measured. An engagement that runs only the testing phases is the anti-pattern: run B nine's checklist and hand over the output. That is half an engagement. And note the dashed arrow at the bottom — a retest feeds back into scoping for the next engagement. The methodology is a loop, not a pipeline. That loop is the recurring value.

[SLIDE 4 — B12.1 section divider]

Sub-section one. The six-phase methodology, scoping, and pricing. The backbone, the four-point enumeration, and the seven-clause SOW.

[SLIDE 5 — Scoping: the four-point enumeration]

Scoping an agent assessment is harder than scoping a network pentest, because the surface is less legible. A network has IP addresses and ports. An agent has tools, memory, prompts, model versions, and inter-agent edges — most of which the client cannot point you to. The scoping conversation must enumerate four things. One: the surfaces, using B one's threat model as the template. Every input boundary, every tool, every persisted state, every external call, every identity, every sandbox, every inter-agent edge. The client will under-report; B one's template is how nothing stays silent. Two: the model versions, pinned. A finding against version three is meaningless if the client ships version four next week. Pin the checkpoints. Three: the provider authorizations. B zero's load-bearing point — the deployer cannot authorize what the provider forbids. For each provider-controlled surface, verify one of B zero's three conditions: the provider's terms permit it, a waiver is on file, or the model is self-hosted. Fail all three and the surface is out of scope until the gap closes. Four: the exclusions. Production PII, shared infrastructure, forbidden techniques. Written into the SOW so scope drift has a documented boundary. And the most common scoping mistake is right there at point three — a client who says jailbreak everything without checking their provider's terms.

[SLIDE 6 — Pricing: three cost drivers]

Pricing is driven by three factors. One: the number of agents. Each agent is a separate surface. Multi-agent systems add a chain-complexity premium, because B ten's inter-agent trust attacks only exist in multi-agent systems. Two: surface complexity. Count B one's elements — tools, persistent memory, retrieval, code execution, integrations, inter-agent edges. A retrieval-augmented agent with code execution and MCP integrations is an order of magnitude more surface than a stateless chatbot. Three: depth of testing. Two depths are sellable. Checklist depth runs B nine's ten rows against each agent. Chain depth constructs B ten's compound-intent chains against the highest-value surfaces. Checklist depth is the baseline. Chain depth is the premium engagement for high-stakes agents — financial, healthcare, autonomous. And the honest pricing rule: never sell a depth you cannot deliver with rigor. A chain-depth engagement priced at checklist-depth hours will ship a B ten chain that has not been validated end-to-end. Underpriced assessments produce under-rigored reports.

[SLIDE 7 — The SOW: seven clauses]

The statement of work is where B zero's clauses get written into the engagement contract. A traditional pentest SOW covers scope, duration, and deliverables. An AI red-team SOW must additionally carry seven clauses — and three of them are AI-specific. Clause two: provider authorization and terms-of-service compliance. Clause four: dual-use and disclosure — one hundred eighty days for model-level findings, ninety for harness-level, recipe suppressed by default. Clause five: the DMCA section 1201 waiver, if the test bypasses a model access control. Those three red clauses are the AI-specific additions. An SOW without them fails at the moment a serious finding appears — there is no agreed rule for whether to publish, share with the provider, or suppress. The decision is made in the contract before testing begins, not in the moment.

[SLIDE 8 — B12.2 section divider]

Sub-section two. The engagement report. The scored artifact B nine produces, packaged for a CISO.

[SLIDE 9 — The report: five sections]

The report has five sections. One: the executive summary — the residual posture in plain language, findings count, and a ship recommendation that is never the word secure. It is ship with characterized residuals at X and Y percent, conditional on remediating the two Critical findings, or do not ship. Two: the findings. One entry per finding, each with the same field set. Three: the control matrix — the controls that exist against the surfaces they cover, each cell marked Present, Absent, Partial, or Mismeasured. This is the gap analysis a regulator reads. Four: the remediation roadmap — findings prioritized and routed to the module that builds the control. Five: the appendix — methodology, scope, evidence index. The reproducibility layer. And here is the structural connection: B nine's checklist executor output is the findings section's backbone. B twelve does not re-test. It packages. B nine rows become findings F-01 through F-10. B ten chains become the additional findings the checklist alone misses. The B nine risk-to-module mapping becomes the control matrix.

[SLIDE 10 — The finding field set]

Every finding carries the same field set, and the report generator enforces it. Look at the example. Finding F-04. Indirect injection leading to file exfiltration via send email. Severity Critical. Taxonomy reference: OWASP ASI-01, Microsoft Mode 2. The attack procedure. The pinned model version — claude-opus-4-1-20260605. The success rate — sixty percent over one hundred attempts. The sampling parameters. The scope reference. The result — MEASURED. The residual risk — four percent after the L4 taint gate was enabled mid-engagement. The remediation module — B two. The timestamp. And the report generator rejects three things: a finding with no taxonomy reference, a MEASURED finding without a success rate, a Critical finding without a remediation route. The strictness is the honesty. A report generator that emits whatever it is given produces the ten-out-of-ten PASS lie that B nine refuses.

[SLIDE 11 — B12.3 section divider]

Sub-section three. Retesting and packaging the service. Residual risk, not binary fixed; a repeatable practice.

[SLIDE 12 — Retesting: residual, not fixed]

This is the B zero point-two principle made operational, and it is the single most common point of failure in AI assessment engagements. The client who has remediated a finding will ask: is it fixed? The answer is never yes. The answer is: the injection success rate moved from sixty percent to four percent over one hundred attempts, under the same harness, the same sampling parameters, the same pinned model version. The residual is characterized at four percent. The retest protocol is a strict before-and-after comparison. Pin the test harness. Pin the model version. Re-run discovery — because a remediation that closes the original finding may open a new one, and B ten's chains are especially prone to rerouting. Measure the residual. And produce the verdict: Resolved, Improved, Unchanged, or Regressed. Never the word fixed. The Regressed verdict at the bottom is why the retest re-runs the full B nine checklist and re-attempts the B ten chains — patching one step of a chain can reroute it through a different gap. A retest that checks only the original finding misses regressions.

[SLIDE 13 — Packaging the service: four layers]

The difference between a one-off assessment and a repeatable assessment practice is packaging. Four layers. The methodology layer — the six-phase playbook with the phase-to-module mapping. A new assessor reads it and runs an engagement the same way the senior assessor does. The tooling layer — B nine's checklist executor, B ten's chain harness, the report generator from this module's lab, the scope-file validator from B zero's lab. The templates layer — the SOW with seven clauses, the scope file, the report with five sections, the retest delta, the CVD timeline. And the evidence layer — B zero's store with four retention classes, B eleven's audit trail, B eleven's AI BOM. The evidence layer is the foundation. It is what makes every finding trace to scoped, authorized, minimum-proof evidence that survives a regulator's review. And the long-term value a CISO buys is comparable artifacts across releases — the injection-success-rate trend line over six releases. Drift in any layer breaks the comparability, and comparability is the long-term value.

[SLIDE 14 — The capstone synthesis]

Here is the synthesis. B zero becomes the SOW. B one becomes reconnaissance. B two through B eight become the controls the report assesses. B nine and B ten become discovery. B eleven becomes the framework and the audit trail. B zero point two becomes the retest. None of it is new. All of it is synthesized. At the end of B zero through B twelve, you can do four things: build a hardened agent harness, attack it with the full methodology, defend it with the full control set, and — the contribution of this module — deliver the assessment of it as a scoped, priced, reported, retestable service. That last capability is what turns the course's techniques into a practice a CISO will buy.

[SLIDE 15 — Lab and what's next]

The lab has you build the assessment report generator — ingest B nine's checklist-executor JSON and emit the five-section engagement report with strict validation. No unclassified findings. No MEASURED without a rate. No Critical without a remediation route. And you write a sample SOW with all seven clauses for a realistic client. Next: Capstone B one, Build a Hardened Agent Harness. The synthesis module you have earned. B twelve's methodology is the lens. Capstone B one is the system you assess. The report generator you build here is the artifact you would run against it. Let's build it.
