# Teaching Script — SDD-B10: Academic Offensive Harnesses

**Course**: Course 2B — Securing & Attacking Harnesses and LLMs
**Module**: SDD-B10 — Academic Offensive Harnesses (Adapted for AI-Target Attacks)
**Duration**: ~30 minutes (spoken at ~140 wpm)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

Welcome to SDD-B10. Academic Offensive Harnesses, adapted for AI-target attacks. This is the course-closing offensive deep-dive. In Course 2A, you met the academic offensive harnesses — PentestGPT, HPTSA, VulnBot, APT-Agent, CAI — as tools you USE for security work. LLM-driven agents that automate the tedious, multi-step reasoning of penetration testing. In 2B, we invert the lens. The same harnesses are methodologies for attacking AI systems. The techniques they pioneered — hierarchical planning, multi-agent task decomposition, automated reasoning over an attack surface — transfer directly to the AI-target attack surface. HPTSA's hierarchical planning is the blueprint for the zero-click chain. This deep-dive surveys the academic landscape, maps the technique transfer, and closes the course's offensive material with a forecast of where the offensive frontier is heading.

[SLIDE 2 — The 2A-to-2B inversion]

The inversion. In 2A, the target is traditional infrastructure — a network, a web app, a contract. The architecture is a reasoning loop, hierarchy, multi-agent collaboration, rectification, scale. The result: you find vulnerabilities faster. The LLM is the defender's assistant.

In 2B, the target is the AI system itself — the agent, the model, the harness. The architecture is identical. The result: automated multi-step injection chains. The LLM is the attacker.

Here is the load-bearing point. The transfer is structural, not analogical. These harnesses solve a general problem: automated, multi-step, reasoning-heavy exploration of an attack surface. The AI-system attack surface is one such surface. Swap the target from "web server with a zero-day" to "agent with an injection surface," and the same machinery runs. The code is target-agnostic; the architecture is target-agnostic. This is why the academic offensive literature matters to an AI red-team: it is the blueprint for the attacks you must defend against.

[SLIDE 3 — B10.1 section title]

Sub-section one. The academic landscape. Five papers, five contributions, with arXiv identifiers for the primary sources.

[SLIDE 4 — Five papers, five contributions]

PentestGPT, USENIX Security twenty-twenty-four. The foundational reference. Its contribution is a three-module architecture that automates the penetration-testing reasoning loop: a parsing module that interprets the target's state, a reasoning module that generates the next attack step, and a generation module that produces the concrete command. The modules self-interact — the loop continues until the objective is met. The architectural contribution is the reasoning loop externalized. A human pentester holds the attack state in their head and decides the next step; PentestGPT holds it in the LLM's context and prompts the LLM to decide. Retargeted, this is the loop that drives an automated injection chain: parse the agent's state, reason about the next injection step, generate the payload.

HPTSA, arXiv twenty-four-zero-six-point-zero-one-six-three-seven. "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities." This is the paper most directly relevant to the zero-click chain. Its contribution is hierarchical planning and task-specific agents: a planner agent explores the target and decomposes the objective into sub-tasks, then dispatches each to a specialized sub-agent that performs the exploit. The key finding: teams of LLM agents can exploit real-world zero-day vulnerabilities, outperforming single-agent approaches. The reason is the hierarchy. A single agent asked to "exploit this target" gets lost in the state space; a planner that breaks the objective into reconnaissance, identification, exploitation, post-exploitation, and dispatches each to a focused agent, navigates efficiently.

VulnBot, arXiv twenty-five-zero-one-point-one-three-four-one-one. Extends the multi-agent theme. A collaborative framework that simulates a human pentest team: separate LLM agents handle reconnaissance, vulnerability analysis, and exploitation, coordinating through shared state. The contribution over single-agent is specialization — each agent is prompted for a specific phase, reducing context burden and improving per-phase quality.

APT-Agent, arXiv twenty-six-zero-five-point-two-four-nine-four-nine. Adds a rectification mechanism: when an attack step fails, the agent reasons about the failure and generates a corrected approach, rather than retrying blindly. This is the automated analogue of a human pentester who reads an error message and adjusts.

CAI, arXiv twenty-five-zero-four-point-zero-six-zero-one-seven. "CAI: An Open, Bug Bounty-Ready Cybersecurity AI." Pushes the speed frontier — one hundred fifty-six times faster than traditional approaches at expert-human-level quality. An agent-centric, lightweight architecture optimized for throughput.

No single paper is an integrated AI-target offensive harness. But each contributed a component, the components are open-source, and the barrier to composing them is falling. That is the trajectory.

[SLIDE 5 — B10.2 section title]

Sub-section two. Technique transfer to AI-target attacks. How each academic contribution maps to a specific AI-target vector.

[SLIDE 6 — HPTSA's hierarchy is the zero-click chain]

This is the most important transfer in the deep-dive. HPTSA's planner-dispatches-to-sub-agents architecture is the blueprint for the zero-click injection chain. The chain is a multi-step attack where no single step is sufficient: poison the retrieval store, wait for the agent to retrieve the payload, manipulate the tool call, exfiltrate. Each step's success is conditioned on the prior. A human scripting this by hand is slow and brittle. An HPTSA-style planner that decomposes the objective and dispatches each step to a focused sub-agent automates it.

Here is how it maps. The planner maintains the global strategy: achieve exfiltration via the agent's tool surface. It decomposes into sub-goals. Sub-agent one: plant an indirect-injection payload in a document the agent will retrieve — SDD-B03, retrieval poisoning. Sub-agent two: trigger the retrieval via a benign-seeming query. Sub-agent three: the retrieved payload manipulates the agent into calling the exfiltration tool with the sensitive path — SDD-B04, function-call manipulation. Sub-agent four: the tool call executes, sensitive data leaves. Each sub-agent is informed by the prior step's result. The hierarchy is what makes the chain navigable — a single agent trying to hold the entire chain in context gets lost; the planner-sub-agent decomposition keeps each step focused.

This is why the zero-click chain is no longer a hypothetical that requires a human to script each step. The planning machinery exists — HPTSA, twenty-twenty-four. The injection techniques exist — SDD-B03 through SDD-B06. The combination is an automated, multi-step attack on an AI system. And the defense, which we will reach, is the harness scope gate — the deterministic floor that blocks the final action even when every model-based layer has been evaded.

[SLIDE 7 — APT-Agent's rectification → adaptive evasion]

APT-Agent's rectification is the bridge to SDD-B09. APT-Agent reads a failure mode and generates a corrected approach. Retargeted to the AI-target surface: probe the detector, observe that it flagged the payload, craft a variant that sits in the detector's false-negative region while still compromising the primary model. The dual-injection problem, automated.

This is the engine of the cat-and-mouse dynamic from SDD-B09. A static injection is defeated by a static defense. An adaptive injection that reads the defense's response and refines is the threat that makes model-based defenses — guardrails, detectors, refusal layers — have a residual. The defender who measures only against static, in-distribution traffic is measuring against an adversary who no longer exists. The adversary has rectification machinery; the detector's out-of-distribution accuracy decays under adaptive pressure. This is why SDD-B09's measurement thesis — measure the out-of-distribution, false-positive-constrained, adversarially-adapted rate — is not academic rigor for its own sake. It is the only measurement that reflects the adversary the academic literature has built.

[SLIDE 8 — B10.3 section title]

Sub-section three. The offensive frontier and what it means for defense. The convergence, the forecast, and the course's defense thesis as the response.

[SLIDE 9 — The offensive frontier is converging]

The offensive frontier is converging. The academic offensive harnesses were built for traditional targets, but their architectures are target-agnostic. As AI systems become a larger share of the attack surface — every enterprise now deploys agents — the offensive tooling retargets. The same PentestGPT-style reasoning loop that automates attacking a web server automates attacking the agent behind it. The same HPTSA-style hierarchy that exploits a web zero-day exploits an injection chain.

This convergence means the defender of an AI system faces an adversary with mature, published, open-source offensive machinery. The HPTSA code is on GitHub — uiuc-kang-lab/HPTSA. VulnBot is public. CAI is open-source. An attacker does not need to invent the multi-step planning architecture. They need to retarget it. The barrier to a sophisticated, automated, multi-step AI attack is dropping from "research lab" to "script kiddie with a GitHub repo."

The forecast. Automated, multi-step injection chains become the default attack against deployed agents. The components exist: HPTSA for planning, InjecAgent-style techniques for the injection steps, APT-Agent-style rectification for adaptation, CAI-style speed for volume. The composition is an attacker that plans a zero-click chain, dispatches the steps to specialized crafters, refines on failure, and runs at scale. And LLM-driven evasion of detection models — SDD-B09 — becomes a standard attack, not a research curiosity. The rectification machinery applied to the detector's surface is the automated evasion engine.

[SLIDE 10 — The defense thesis as the response]

The adversary now has: hierarchical planning from HPTSA, multi-agent collaboration from VulnBot, adaptive rectification from APT-Agent, and scale from CAI. The defenses that hold against this adversary are the ones this course built.

B0 — the scope file and the provider-authorization gate. The legal and engineering control plane that bounds what the agent is permitted to do. The scope gate is deterministic; the adversary's planning cannot talk it out of a rule. B2 — defense-in-depth. No single layer suffices; every model-based layer has a residual; the composition bounds the residual. SDD-B05 — IronCurtain, the deterministic boundary. The layer with no evasion surface. The adversary's adaptive machinery finds nothing to adapt against, because there is no decision boundary to probe. SDD-B08 — NeMo Guardrails, externally evaluated. The rails run regardless of agent state; external enforcement stops DISABLE. The residual — EVADE — is bounded by the deterministic layers behind it. SDD-B09 — the detection model, measured. The detector catches the bulk of unsophisticated traffic; its out-of-distribution residual is measured, not assumed; and it is composed with deterministic layers that bound the worst case.

And the harness scope gate — the floor. Even when the chain succeeds, the disallowed action is blocked. This is the layer that makes the architecture hold. The adversary can plan, dispatch, rectify, and scale, and the final action is still gated by a rule the model cannot reach. The deterministic layers — the boundary and the scope gate — are what hold when every model-based layer's residual is exploited, because they have no evasion surface for the adversary's adaptive machinery to find.

[SLIDE 11 — The course closes here]

This is where the course's offensive material closes. The offensive frontier is automating: hierarchical planning, multi-agent collaboration, adaptive rectification, and scale are now the adversary's toolkit. The defense is deterministic boundaries, composed with model-based layers whose residuals are measured, enforced externally, and floored by a scope gate the adversary cannot disable.

B0 built the legal control plane. B2 built the defense-in-depth thesis. SDD-B03 through B06 built the attack surface. SDD-B05 built the deterministic boundary. SDD-B08 and B09 built the guardrail and detector layers. This deep-dive closed the offensive material. The architecture that holds is the one this course built. The deep-dives are complete. Next is the Course 2B index. The reference deployments, the governance, and the measurement methodology are the deliverables you carry forward. Let's close it out.
