{
  "module": "SDD-B01 — OWASP Agentic AI Top 10: Offensive Expansion",
  "course": "2B — Securing & Attacking Harnesses and LLMs",
  "version": "1.0.0",
  "duration_minutes": 30,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is the relationship between SDD-B01 and Module B9?",
      "options": [
        "SDD-B01 replaces B9 with a newer, more accurate version of the OWASP Top 10.",
        "SDD-B01 is the offensive companion to B9: B9 reads the OWASP ASI Top 10 as a builder (one risk, one control, one test); SDD-B01 reads the same ten rows as an attacker (one risk, one attack procedure, the evasion, the chain). Same numbering, different artifact.",
        "SDD-B01 covers a different set of risks than B9, complementing the OWASP list with Microsoft-specific threats.",
        "SDD-B01 is the lab manual for B9 and adds no conceptual content."
      ],
      "answer_index": 1,
      "rationale": "B9 reads the OWASP Agentic Top 10 (ASI01–ASI10) as a defense checklist — each row names a risk, a control, and a test, producing a scored report. SDD-B01 reads the SAME ten rows as an attacker — for each row it gives the attack in depth, the evasion that defeats the standard defense, and the chaining. Same canonical numbering, different artifact. The gap between 'the control passed its B9 test' and 'the system holds under the offensive procedure' is the entire engagement. SDD-B01 does not replace or re-scope B9; it reads it from the other side."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is the load-bearing evasion pattern that recurs across the OWASP ASI rows?",
      "options": [
        "Every OWASP defense can be defeated by sending a larger volume of attack payloads until one slips through.",
        "Every OWASP defense has a known evasion, and the evasion is almost always the indirect channel the defense's per-row test does not exercise — the test verifies the direct surface; the attacker arrives on the indirect surface (the class beneath the vector).",
        "Every OWASP defense fails because the underlying language model is susceptible to adversarial suffix attacks.",
        "Every OWASP defense fails because the controls are optional and most teams do not implement them."
      ],
      "answer_index": 1,
      "rationale": "The recurring pattern: the B9 test verifies the DIRECT surface (taint gate tested against direct injection; enumeration tested against extra tools; normalization tested against ../). The attacker arrives on the INDIRECT surface (injection inside a trusted tool output; over-scoped credential beneath enumeration; semantic confusion in the selection layer). The test closed the vector it names; the attacker arrives on the class beneath. This is why B9's per-row tests can all PASS while a real engagement still produces findings — the gap is between the test and the adversary."
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Which two OWASP ASI rows does B9 report as MEASURED (probabilistic), and what is the residual each admits?",
      "options": [
        "ASI03 (capability enumeration miss rate) and ASI08 (signature forgery rate).",
        "ASI01 (injection detector + model compliance bypass rate) and ASI06 (hallucination-detection miss rate).",
        "ASI02 (canary collision rate) and ASI10 (principal forgery rate).",
        "ASI05 (path normalization miss rate) and ASI09 (circuit breaker trip rate)."
      ],
      "answer_index": 1,
      "rationale": "B9 reports ASI01 Goal Hijacking and ASI06 Cascading Hallucination as MEASURED because their controls are semantic and open: ASI01's detector + model compliance have a bypass rate; ASI06's hallucination-detection has a miss rate. The other eight rows report PASS/FAIL because their controls are structural and enumerable. Critically (per SDD-B01), the two MEASURED rows are NOT the only probabilistic surfaces — they are the only rows where the standard ADMITS the residual. The eight PASS/FAIL rows each have a residual too; the PASS/FAIL result just cannot express it."
    },
    {
      "id": "Q04", "bloom": "application", "type": "multiple_choice",
      "prompt": "A deployed research agent has a taint gate that tags the user's goal as trusted and retrieved content as untrusted, plus goal-reaffirmation every 8 turns. Your red team reports a 'low ASI01 bypass rate' after testing direct 'Ignore previous instructions' payloads. What is wrong with this assessment?",
      "options": [
        "Nothing — a low direct-injection bypass rate is the correct measure of ASI01 resistance.",
        "You measured resistance to an attack no real adversary uses. Deployed agents resist single direct injections; the deployed attack is DRIFT — an indirect injection through a trusted tool output that shifts framing across turns. You should test multi-turn framing drift and score goal divergence against a baseline over 5–10 turns, not single-shot success rate.",
        "You should test with longer direct-injection payloads; length is the determinant of bypass.",
        "You should increase the goal-reaffirmation frequency and re-test; the control is the problem, not the test."
      ],
      "answer_index": 1,
      "rationale": "The single-shot anti-pattern. Deployed agents resist 'Ignore previous instructions.' The deployed ASI01 attack is drift: an indirect injection (via a trusted tool output that bypasses the taint gate) shifts framing across turns, reinforced by a subsequent document, until the sub-goal diverges — no single instruction hijacked. Goal-reaffirmation every 8 turns reconciles against the already-contaminated state if N exceeds the drift's timescale. The correct test is multi-turn framing drift scored against a baseline over 5–10 turns. Reporting a low direct-injection bypass rate measures the wrong surface."
    },
    {
      "id": "Q05", "bloom": "application", "type": "multiple_choice",
      "prompt": "An agent's capability enumeration PASSED its B9 ASI03 test — the toolset is minimal. Yet during a chain, the agent executed a billing:write call it should never have made. Which offensive evasion explains a write action despite a PASSing minimality test?",
      "options": [
        "The capability enumeration was run against the wrong agent and must be re-run.",
        "The load-bearing capability that survived minimization: the scoped credential granted for billing:read also grants billing:write against a different endpoint because the cloud provider scopes credentials at the service level, not the method level. Enumeration proved minimality at the tool-name/schema level; the over-privilege lives at the credential-scope level, which the test treated as a property of the tool, not an inspectable surface.",
        "The agent has a hidden tool the enumeration did not find — enumeration is unreliable.",
        "The billing:write call was made by a different principal than the one enumerated."
      ],
      "answer_index": 1,
      "rationale": "ASI03's offensive evasion is the load-bearing capability that survived minimization because a benign task required it. Capability enumeration proves minimality at the tool-name and schema level. The over-privilege lives at the credential-scope level — the credential the agent legitimately needs for billing:read also authorizes billing:write because the cloud provider scopes at the service level. The enumeration treated the credential's scope as a property of the tool rather than an inspectable surface. The test closed 'agent has too many tools'; it did not close 'agent's credential has too many permissions.' This is 'closed at the vector, open at the class.'"
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "An agent's tool layer PASSED B9's ASI05 test: paths are normalized and arguments are schema-validated. Yet during an engagement, a request to 'send a summary' routed to an attacker-controlled tool that forwarded the message externally. Which evasion defeated the ASI05 control?",
      "options": [
        "A path-traversal payload in the tool argument that normalization should have caught — the test was run incorrectly.",
        "Semantic path confusion in the selection layer: the attacker registered a tool whose description overlapped the privileged tool's, and the dispatch layer resolved the ambiguity in the attacker's favor. Path normalization and schema validation PASS, but the abuse happened in the selection logic — a semantic surface with no deterministic test.",
        "The schema validation was bypassed by a type-confusion attack on the JSON argument.",
        "The privileged tool's contract was malformed, allowing direct invocation."
      ],
      "answer_index": 1,
      "rationale": "ASI05's offensive evasion is semantic-path confusion. B9 tests path normalization (../ stripped) and schema validation (arguments type-check). Both PASS. The evasion is in the selection layer — the attacker registers a tool (e.g., send_email_safe) whose description overlaps the privileged tool's (send_email), and the dispatch layer, asked to 'send a summary,' resolves the ambiguity toward the colliding tool. The B9 test confirms paths normalize and schemas validate; it does not confirm that two tools with overlapping descriptions are disambiguated unambiguously, because that is a semantic property the deterministic test cannot express. The abuse is in selection, not in path or schema."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "An agent's ASI08 control PASSED: all registered tools have valid signatures from known publishers. During an engagement, a typosquatted 'pdf_summary' MCP server (registered by an attacker with a valid account) exfiltrated documents. Why did the ASI08 control not catch this?",
      "options": [
        "The signature verification was misconfigured and must be re-tested.",
        "Signature verification verifies the publisher's identity, not the package's benignity. The attacker's package was signed by the attacker's valid account, so it passed. The registry did not enforce name uniqueness, so the evil-twin 'pdf_summary' was trusted alongside the legitimate 'pdf-summarizer.' The signed-manifest test closed the 'unsigned package' vector; it did not close the 'signed-but-malicious' class.",
        "The agent SBOM was incomplete and missed the dependency.",
        "The MCP server exploited a zero-day in the registration protocol."
      ],
      "answer_index": 1,
      "rationale": "ASI08's offensive evasion is signed-but-malicious. The signed-manifest test verifies that the signature is valid and the publisher is known. Validity and known-publisher are not the same as benign. A malicious package signed by its malicious publisher passes signature verification. An evil-twin MCP server with a confusingly-similar name is registered and trusted because the registry does not enforce uniqueness. The agent SBOM enumerates dependencies but cannot certify each is benign. The deterministic test closed the 'unsigned package' vector; it did not close the 'signed-but-malicious' class — the residual signature verification cannot express."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "An agent's ASI04 control PASSED: the harness manages all memory writes and tags provenance at the write boundary. Yet a poisoned 'user preference' persisted in durable memory and was re-injected every turn. How did the poisoning survive the managed-write control?",
      "options": [
        "The harness-managed write layer has a bug that skipped provenance tagging for this entry.",
        "Taint-laundering through a trusted sink: the agent was tricked (via an indirect injection) into writing the poisoned entry through a LEGITIMATE, TRUSTED memory tool (save_preference). The entry inherited the tool's trust, not the injection's taint. The origin of the write (the injected instruction) was upstream of the write boundary, so the write looked legitimately user-preference-shaped and the taint that should have propagated from the retrieved document was laundered.",
        "The durable memory store was directly writable via an unauthenticated API.",
        "The provenance tag was overwritten by a race condition between two concurrent writes."
      ],
      "answer_index": 1,
      "rationale": "ASI04's offensive evasion is taint-laundering through a trusted sink. The harness blocks direct writes to durable memory and tags provenance at the write boundary. The evasion: the attacker does not write to memory through a forbidden path — the agent is tricked into writing via its OWN legitimate, trusted write tool (save_preference / remember_preference). The entry inherits the tool's trust level. The origin of the write (the injected instruction in a retrieved document) is upstream of the write boundary, so the write itself looks legitimately user-preference-shaped. Taint that should propagate from the retrieved document to the memory entry is laundered because the write went through the agent's reasoning, not the retrieval path the taint gate instrumented."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "Agent A emits sanitized JSON consumed by Agent B. Agent B interprets a 'summary' field as an instruction and acts on it. Agent A's output sanitizer PASSED its B9 ASI07 test. Why did the injection cross the agent boundary?",
      "options": [
        "The sanitizer has a bug that allowed the injection through for JSON specifically.",
        "Output-as-input: the sanitizer was tuned for a HUMAN consumer (HTML-escaped, schema-valid), but Agent B is a downstream AGENT whose rendering context is natural language. No escape syntax exists for 'this string is data, not an instruction' in a natural-language field. The B9 test confirmed the output is sanitized for its DECLARED consumer; the attack arrived because the consumer was an agent, not the consumer the sanitizer assumed.",
        "Agent B has a weaker taint gate than Agent A and should be upgraded.",
        "The JSON schema was invalid, which Agent B misinterpreted."
      ],
      "answer_index": 1,
      "rationale": "ASI07's offensive evasion is output-as-input to a downstream agent. The sanitizer escapes the output for its rendering context (HTML, shell, SQL). The downstream agent's rendering context is natural language, which no sanitizer escapes — there is no escape syntax for 'this string is data, not an instruction' in a natural-language field. The B9 test confirms the output is sanitized for its declared consumer. The attack arrives because the actual consumer was a downstream agent, a consumer the sanitizer did not assume. The sanitizer's PASS proves nothing about the agent-consumer threat model. This is why ASI07 is the entry point of the most common compound chain (07→01→05→03)."
    },
    {
      "id": "Q10", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does SDD-B01 claim that 'the offensive value of the Top 10 is the chaining across rows, not the exploitation of any single row'? What does a red team that tests rows in isolation miss?",
      "options": [
        "It misses nothing — each row is independently exploitable and the per-row result is the complete finding.",
        "B9 tests rows in isolation and reports eight PASS; the attacker reads the same eight PASS and CHAINS across the boundaries the isolation created. Each link individually passes its B9 control, but the compound is malicious. A team testing rows in isolation reports ten separate results and misses that the modes compose into chains (e.g., ASI07→01→05→03). The chain is the finding; the row is the entry point.",
        "It misses that OWASP under-counts the risks and there are actually more than ten.",
        "It misses that the rows should be tested in reverse order (ASI10 first) for maximum impact."
      ],
      "answer_index": 1,
      "rationale": "The central offensive claim. B9's methodology tests each row in isolation — necessary to prove each control is present and passing. But an attacker does not test rows in isolation; an attacker chains across rows, exploiting the gap between 'the control works on its test' and 'the controls compose under an adversary.' Each link in a chain like ASI07→ASI01→ASI05→ASI03 passes its B9 control individually, but the compound (unsanitized output drifts the goal, invokes the tool, exercises the over-scoped capability) exfiltrates data. A red team that reports ten separate row-results has missed the finding — the modes compose, and the compound is the finding."
    },
    {
      "id": "Q11", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does SDD-B01 argue that treating the eight PASS/FAIL rows as fully closed is the offense team's first opening? What is the distinction between 'the two MEASURED rows' and 'the eight PASS/FAIL rows'?",
      "options": [
        "The eight PASS/FAIL rows are genuinely closed; only the two MEASURED rows have residuals. The offense team's opening is the MEASURED rows.",
        "Every row has a residual. The two MEASURED rows (ASI01, ASI06) are where the standard ADMITS the residual; the eight PASS/FAIL rows are where it does not — they are closed at the VECTOR the test names but open at the CLASS beneath (ASI03's over-scoped credential, ASI05's selection ambiguity, ASI08's signed-but-malicious, ASI10's trust assumption). The PASS/FAIL result cannot express the class beneath, and that silence is the opening.",
        "The eight PASS/FAIL rows are probabilistic too, but B9 mislabeled them; the offense team should re-classify them as MEASURED.",
        "The distinction is administrative — PASS/FAIL and MEASURED are interchangeable labels for the same kind of residual."
      ],
      "answer_index": 1,
      "rationale": "This is not a criticism of B9 — B9's Result-type column is honest about what its tests CAN express. ASI01 and ASI06 are MEASURED because their controls are semantic and openly probabilistic (bypass rate, miss rate). The eight PASS/FAIL rows are PASS/FAIL because their deterministic tests closed one specific VECTOR — but each has a CLASS beneath that the deterministic test cannot express: ASI03's over-scoped credential, ASI05's selection-layer confusion, ASI08's signed-but-malicious package, ASI10's inter-agent trust assumption. The two MEASURED rows are where the standard is honest about the residual; the eight PASS/FAIL rows are where it is silent. That silence is the offense team's first opening — treating them as closed mistakes 'closed at the vector' for 'closed at the class.'"
    },
    {
      "id": "Q12", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A client says: 'Our agent PASSED all eight PASS/FAIL rows in B9, so the system is secure.' Using SDD-B01's reasoning, what is the error, and what is the correct reframing?",
      "options": [
        "The client is correct — eight PASS/FAIL rows passing means the system is secure by definition.",
        "The error is equating 'closed at the vector' with 'closed at the class.' Each PASS/FAIL row closed the specific vector its deterministic test names, but each has a residual class beneath (over-scoped credential, selection ambiguity, signed-but-malicious, trust assumption) the test cannot express. Correct reframing: read every PASS/FAIL row as 'closed at the vector, open at the class,' run the offensive procedure against the class, and design engagements as cross-row chains — because the compound, not the row, is the finding.",
        "The error is that B9 is outdated and the client should adopt SDD-B01 instead.",
        "The error is that PASS/FAIL rows should be re-tested as MEASURED rows to be honest."
      ],
      "answer_index": 1,
      "rationale": "The 'B9 PASSed all eight, so we are secure' anti-pattern. The error is mistaking 'closed at the vector the test names' for 'closed at the class beneath.' Each PASS/FAIL row's deterministic test closed a specific named vector, but each has a residual class the deterministic result cannot express. The correct reframing has two parts: (1) read every PASS/FAIL row as 'closed at the vector, open at the class,' and run the offensive procedure against the class; (2) design engagements as cross-row chains, because B9 tests rows in isolation while an attacker chains — the compound is the finding. A system can PASS all eight and still produce findings under the offensive expansion."
    },
    {
      "id": "Q13", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Construct the ASI07→ASI01→ASI05→ASI03 cross-row chain. Why does each link pass its B9 control, and why is the compound the finding?",
      "options": [
        "Each link fails its B9 control, and the compound is just the sum of four failures.",
        "ASI07: the output is sanitized for its declared (human) consumer, so it PASSES — but it is consumed by a downstream agent as an instruction (no NL escape). ASI01: the taint gate tags the user goal trusted — but the injection arrived in the (now-trusted) agent output, so it drifts the goal. ASI05: paths normalize and schemas validate — but the selection layer routes to the attacker's colliding tool. ASI03: the toolset is minimal — but the invoked tool exercises an over-scoped credential. Each control PASSES its test; the compound exfiltrates. The chain crosses four boundaries the isolation created.",
        "The chain only works if all four controls are absent; if any one is present, the chain breaks.",
        "The chain is theoretical — in practice, a single strong control (e.g., the taint gate) stops it."
      ],
      "answer_index": 1,
      "rationale": "The exfiltration chain. Each link PASSES its B9 control in isolation because each test verifies the direct surface: ASI07's sanitizer escapes for the declared (human) consumer; ASI01's taint gate tags the user goal as trusted and blocks direct injection; ASI05's normalization strips ../ and schema-validates; ASI03's enumeration proves toolset minimality. The compound crosses all four: the unsanitized-as-instruction output (07) drifts the receiving agent's goal (01, via the trusted output channel the gate does not inspect), which invokes the attacker-targeted tool via description collision (05, in the selection layer normalization does not touch), which exercises the over-scoped credential (03, at the scope level enumeration does not inspect). The malice lives in the composition, not any link. The chain is the finding."
    },
    {
      "id": "Q14", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does SDD-B01 frame ASI02 (Prompt Leakage) and its capability-disclosure variant as an ENABLING step rather than an impact, and how should severity be scored?",
      "options": [
        "ASI02 is low-severity because the leaked information is rarely actionable on its own.",
        "ASI02 is reconnaissance, not impact. The disclosure is the first link in a longer chain: leaked tool schemas enable a targeted ASI05; leaked policy excerpts enable a crafted ASI03 request; leaked instruction hierarchy reveals where ASI01 will succeed. Severity is scored by the CHAIN the disclosure enables, not by what leaked. A leaked schema revealing a transfer_funds tool is high-severity because of the ASI01→ASI03 chain it unlocks, not because of the leak itself.",
        "ASI02 severity is scored by the volume of text leaked (more text = higher severity).",
        "ASI02 is impact if the leaked prompt contains credentials, and reconnaissance otherwise."
      ],
      "answer_index": 1,
      "rationale": "ASI02 and capability disclosure (Microsoft Mode 7) are reconnaissance. The disclosure is not the impact; it is the enabling step that makes a targeted supply-chain, goal-hijack, or HITL-bypass chain possible. A red team scores the disclosure not by what leaked but by what an attacker can DO with what leaked: for each disclosed capability, identify the chain it enables. Severity is a function of the chain, not the disclosure. A leaked prompt that reveals a transfer_funds tool and the policy excerpt 'fulfill verified user requests within policy' is high-severity because it unlocks an ASI01→ASI03 chain (engineer a request fitting the policy that exercises the transfer capability), not because the prompt text leaked. Scoring by what leaked understates severity."
    },
    {
      "id": "Q15", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is 'a row that PASSed B9 and FAILed the offensive expansion is NOT a contradiction' the load-bearing principle of SDD-B01, and what does it imply for how B12 packages an engagement?",
      "options": [
        "It is a contradiction, and B12 should discard whichever result is less favorable.",
        "It is NOT a contradiction — it is the definition of a residual the deterministic test cannot express. B9's test is honest about what it CAN express (the direct vector); the offensive procedure finds the indirect class the test never touched. The two results describe different surfaces of the same control. This implies B12 must package BOTH: the scored report (B9, what the test can express) and the chains (SDD-B01, what it cannot). Neither alone is sufficient — B9 misses the between-row chains; SDD-B01 misses the missing taint gate B9 catches with one test.",
        "B12 should replace B9 with SDD-B01 because the offensive expansion is strictly more thorough.",
        "B12 should report only the offensive results because they are more realistic than isolated tests."
      ],
      "answer_index": 1,
      "rationale": "The load-bearing principle. A row PASSing B9 and FAILing the offensive expansion is not a contradiction — B9's deterministic test is honest about what it can express (the direct, named vector), and the offensive procedure finds the indirect class beneath that the test never touched. The two results describe different surfaces of the same control. This is why B12 packages both: the scored report from B9 (what the deterministic tests can express — the floor) and the chains from SDD-B01 (what they cannot — the residuals and compounds). Neither alone is sufficient: B9 alone misses every failure mode that lives between the rows; SDD-B01 alone misses the missing taint gate, the absent canary, the unscoped credential that B9 catches with a single test. B9 is the floor; SDD-B01 is the chains; B12 is the complete engagement."
    }
  ]
}
