Course 2A — Security Harnesses
Security
Harnesses
Building AI harnesses for cybersecurity: bug bounty, pentest, CTF, code review, threat modeling, cloud security, and smart contract auditing. Thirteen modules, thirteen deep-dives, two capstones. The tau-security reference harness runs through every module.
~29
hours
13
modules
13
deep-dives
2
capstones
0 — Security Harness Foundations
2 modules
S00
Legal, Ethics, and Rules of Engagement
Non-optional. You are building attack tools. The authorization chain, the disclosure obligations, and the four legal risks unique to autonomous harnesses.
S01
Security Harness Architecture
The offensive state machine, scope enforcement as hard-wired middleware, and the adversarial tool output problem. Three architectural changes that make a general harness into a security harness.
1 — Offensive Harnesses
4 modules
S02
Bug Bounty Harness Engineering
Persistent engagement memory, the offensive tool suite, evidence chain engineering, and the signal/noise triage pipeline.
S03
Pentest and Red Team Harnesses
Kill chain state as an attack graph, plan correction when exploits fail, the sandbox inversion problem, and the report as the actual deliverable.
S04
CTF Harness Engineering
Speed, domain routing, and benchmark-validated performance.
S05
Meta-Harness Architecture for Offensive Operations
Routing between specialized offensive harnesses. The Alias Robotics CSI model.
2 — AppSec and SDLC
3 modules
S06
Secure Code Review Harnesses
Layered pipeline, false positive triage, semantic codebase memory, and approval-gated autofix.
S07
Threat Modeling Harnesses
Architecture ingestion, STRIDE analysis engine, and mitigation generation with issue tracking.
S08
SDLC Gate Harnesses
Control plane shift, multi-scanner orchestration, trend analysis and risk scoring, vulnerability triage at scale.
3 — Cloud Security
2 modules
S09
Cloud Posture Harnesses
Asset discovery, attack-path analysis, continuous posture monitoring, and approval-gated remediation across AWS, Azure, and GCP.
S10
Cloud Red Team Harnesses
API-first offensive architecture, IAM privilege escalation path-finding, and evidence-backed findings mapped to SOC 2, ISO 27001, and PCI DSS.
4 — Smart Contract Security
2 modules
S11
Smart Contract Audit Harnesses
The EVM audit architecture, business-logic vulnerability detection, exploit chain construction, and patch generation with cascaded verification.
S12
Advanced Smart Contract Harnesses
Benchmarking against EVMbench, Solana and cross-chain security, and the audit as a client-ready deliverable.
Capstones
2 capstones
C1
Build a Full Bug Bounty or AppSec Harness
Design, build, and benchmark a complete security harness — scope enforcement, persistent memory, five tools, evidence chain, and a publishable client report.
C2
Build a Smart Contract or Cloud Security Harness
Design, build, run, and benchmark a domain-specific harness — EVMbench-aligned smart contract audit or cloud posture + red team — with a publishable one-page results summary.
Deep-Dives
13 studies
SDD-01
CAI (Cybersecurity AI)
The primary offensive case study: autonomy levels, bug bounty architecture, CTF benchmarks, and the CSI meta-harness.
SDD-02
RedTeamLLM
Plan correction, memory management, and context-window constraints via the summarize-reason-act loop.
SDD-03
Bug Bounty Reference Stack
nmap, amass, httpx, nuclei, ffuf, Playwright, CVE enrichment — the canonical offensive tool registry, studied as schema-first harness wrappers.
SDD-04
Prowler
The canonical open-source multi-cloud CSPM: provider-agnostic check engine, attack-path correlation, three-tier layering, GitHub Action integration.
SDD-05
Scout Suite
The point-in-time multi-cloud auditing baseline: offline HTML reporting, full configuration collection, assessment-artifact delivery.
SDD-06
Cloud Attack-Path Tooling
Graph-based reasoning for IAM escalation, reachable assets, and lateral movement — pmapper, CloudFox/FoxMapper, BloodHound, Cartography.
SDD-07
Secure Code Review Stack
The layered AppSec pipeline: AST for structure, Semgrep for patterns, CodeQL for data-flow, LLM triage for false-positive suppression, autofix-with-approval for remediation.
SDD-08
Threat Modeling Harness Stack
The continuous, design-time threat-modeling pipeline: Terraform/OpenAPI/draw.io ingestion, ground-truth DFD generation in Mermaid, STRIDE automation with LLM enrichment.
SDD-09
Heimdallr
The reference agent harness for smart contract auditing: function-level reorganization, cascaded verification, 92.45% detection at $2.31/10K LOC, 17/20 real attack reconstructions.
SDD-10
EVMbench
The benchmark that makes smart contract audit harnesses measurable: 117 vulnerabilities across 40 repos, scored in three modes — Detect, Patch, Exploit.
SDD-11
Purpose-Built DeFi AI Systems
Domain-specific agents vs general LLMs: the 92% vs 34% detection gap on DeFi vulnerabilities, the three pillars of specificity, and the build-vs-buy decision.
SDD-12
InjecAgent
The indirect prompt injection benchmark as a quality gate: ~50% of agentic tasks vulnerable to injection via tool outputs, measured per-tool, regression-gated in CI.
SDD-13
tau — A Minimalist Coding Agent Harness
The base harness for Course 2A: how a three-layer coding agent architecture becomes a security agent.
Prerequisite: Course 1 or equivalent production harness experience. Status: complete.