45 minutes · The same benchmark, read from the offensive side
In 2A it was the quality gate that told you whether your harness was injectable. In 2B it becomes the measurement instrument for every defense in the rest of the course. The ~50% baseline is where un-defended agents start. The defended delta is what every module from here on produces.
Deep-Dives · SDD-B03
Course 2A — SDD-12 (builder)
Run InjecAgent against your own harness. Question: is my harness injectable? Unit: per-tool score. The number is the deliverable.
Course 2B — SDD-B03 (red-team)
Run it against a hardened target. Question: did this defense hold, and by how much? Unit: before/after delta. The triple is the finding.
What the ~50% is — and is not
| Read it as | Correct? |
|---|---|
| A population baseline for un-defended harnesses with no injection defenses | YES |
| A constant of nature that applies to every agent | NO |
| Your defended harness's expected rate | NO |
| A target to "get under" | NO — the target is the delta |
| Role | Course | Question | Unit |
|---|---|---|---|
| Quality gate | 2A | Is my harness injectable? | Per-tool score |
| Measurement instrument | 2B | Did this defense hold, and by how much? | Before/after delta |
| Regression gate | Both | Did this change open a surface? | Pass/fail at merge |
| Engagement scoper | B12 | Which chains do I run? | Transcript → chain |
The defended delta is the only honest metric
The anti-pattern: report 9% without the 48% baseline. If the baseline was 14%, the gate did nothing. You cannot tell from the 9% alone.
| Attack type | What it attempts | Defense that closes it |
|---|---|---|
| Credential exfil | Emit a secret in output/egress | Deterministic egress + credential quarantine |
| Disallowed-tool call | Invoke a tool outside task scope | Tool-call policy + dispatch resolution |
| Scope escape | Past the scope file boundary | Scope gate per action + valid_until |
| Policy override | Treat injection as new policy | Instruction hierarchy + goal checkpoints |
| Action redirection | Different benign-looking action | Session-level intent detection |
From measurement to control to finding
injected tool output arrived → ASI07 insecure output handling
agent followed it → ASI01 goal hijacking
off-task action executed → ASI05 tool abuse / ASI03 excessive agency
if compound passes per-step → ZERO-CLICK HITL BYPASS (SDD-B02)
Three routine changes open injection surfaces. The gate catches all three.
InjecAgent is the measurement layer for B2's injection defenses. SDD-B04 breaks CrabTrap's judge; SDD-B05 breaks IronCurtain's compilation; this benchmark is what says "the judge held at 41% before the attack and 11% after." Without that pair, "I broke the defense" is an opinion.
Lab (07): run InjecAgent against a hardened harness, measure baseline vs defended, compute the per-tool per-attack-type delta, read two transcripts as chain findings, wire the gate. No GPU; simulated harness and injections run offline.