Academic Offensive Harnesses

SDD-B10 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · The course-closing offensive frontier deep-dive

In 2A, PentestGPT, HPTSA, VulnBot, APT-Agent, CAI were tools FOR security work. In 2B, the lens inverts — the same harnesses are methodologies for attacking AI systems. HPTSA's hierarchy is the zero-click chain blueprint.

Deep-Dives

The 2A-to-2B inversion

2A — tools FOR security work
Target: network / web app. Architecture: reasoning loop, hierarchy, multi-agent, rectification, scale. Result: find vulns faster. The LLM is the defender's assistant.
2B — methodologies for ATTACKING AI
Target: the agent / model / harness. Architecture: identical. Result: automated multi-step injection chains. The LLM is the attacker.
The transfer is structural, not analogical. Swap the target from "web server with a zero-day" to "agent with an injection surface" and the same machinery runs. The architecture is target-agnostic.

B10.1 — The academic landscape

Five papers, five contributions, arXiv IDs

Five papers, five contributions

PaperContributionAI-target transfer
PentestGPT (USENIX '24)Three-module reasoning loop (parse · reason · generate)Injection-chain planning: reason over agent state, decide next step
HPTSA (arXiv:2406.01637)Hierarchical planning: planner → specialized sub-agentsThe zero-click chain blueprint
VulnBot (arXiv:2501.13411)Multi-agent collaboration (recon · vuln · exploit)Distributed multi-surface probing (retrieval · tool · guardrail)
APT-Agent (arXiv:2605.24949)Rectification: read failure → refineAdaptive detector evasion (SDD-B09 cat-and-mouse, automated)
CAI (arXiv:2504.06017)Speed: 156x faster than traditionalHigh-volume attack + measurement; sweep the residual fast
No single paper is an integrated AI-target harness. But each contributed a component, the components are open-source, and the barrier to composing them is falling.

B10.2 — Technique transfer to AI-target attacks

HPTSA's hierarchy → the zero-click chain

HPTSA's hierarchy is the zero-click chain

HPTSA PLANNER (orchestrator)
  global strategy: exfiltration via the tool surface
        │ dispatch
        ▼
  ┌ SUB-AGENT 1: plant indirect injection in a doc
  │   (SDD-B03 retrieval poisoning)
  ├ SUB-AGENT 2: trigger retrieval (benign-seeming query)
  ├ SUB-AGENT 3: payload manipulates tool call
  │   (SDD-B04 function-call manipulation)
  └ SUB-AGENT 4: exfiltrate (tool call executes)

  Each step informed by the prior's result.
  The hierarchy is what makes the chain NAVIGABLE —
  a single agent holding the whole chain gets lost.

  DEFENSE: harness scope gate blocks the final action —
  no evasion surface for the planner to adapt against.
This is why the zero-click chain is no longer hypothetical. The planning machinery exists (HPTSA, 2024); the injection techniques exist (SDD-B03–B06); the combination is an automated, multi-step attack.

APT-Agent's rectification → adaptive evasion

The bridge to SDD-B09. APT-Agent reads a failure mode and generates a corrected approach. Retargeted: probe the detector, observe it flagged the payload, craft a variant that sits in the detector's false-negative region while still compromising the primary. The dual-injection problem, automated.
This is the engine of the cat-and-mouse dynamic. A static injection is defeated by a static defense; an adaptive injection that reads the defense's response and refines is the threat that makes model-based defenses have a residual. The defender who measures only against static traffic is measuring against an adversary who no longer exists.

B10.3 — The offensive frontier & defense

Convergence, forecast, and the course's defense thesis as the response

The offensive frontier is converging

The components are commoditized; the architectures are published; the barrier to composition is falling. HPTSA code is on GitHub. VulnBot is public. CAI is open-source. An attacker need not invent the multi-step planning architecture — they retarget it.
Forecast: automated multi-step injection chains become the default attack against deployed agents. LLM-driven evasion of detection models (SDD-B09) becomes standard. The barrier drops from "research lab" to "script kiddie with a GitHub repo."

The defense thesis as the response

LayerPropertySurface
B0 scope gate + provider-authLegal/engineering control planeDeterministic
B2 defense-in-depthComposition bounds the residualArchitecture
SDD-B05 IronCurtainThe deterministic boundaryNo evasion surface
SDD-B08 NeMo guardrailsExternal evaluation (stops DISABLE)Model — residual: EVADE
SDD-B09 detection modelCatches bulk · residual measuredModel — decays under adaptation
Harness scope gateThe floorDeterministic — adversary finds nothing to adapt against
The adversary can plan, dispatch, rectify, and scale — and the final action is still gated by a rule the model cannot reach. The deterministic layers are what hold when every model-based residual is exploited.

The course closes here

The offensive frontier is automating: hierarchical planning, multi-agent collaboration, adaptive rectification, and scale are now the adversary's toolkit. The defense is deterministic boundaries, composed with model-based layers whose residuals are measured, enforced externally, and floored by a scope gate the adversary cannot disable.

B0 built the legal control plane. B2 built the defense-in-depth thesis. SDD-B03–B06 built the attack surface. SDD-B05 built the deterministic boundary. SDD-B08–B09 built the guardrail and detector layers. This deep-dive closed the offensive material. The architecture that holds is the one this course built.

Next: the Course 2B index. The deep-dives are complete. The reference deployments, the governance, and the measurement methodology are the deliverables you carry forward.