Module C1 — Build a Full Bug Bounty or AppSec Harness

Build a Full Bug Bounty or AppSec Harness

Design, build, and benchmark a complete security harness — scope enforcement, persistent memory, five tools, evidence chain, and a publishable client report.

120
minutes
8
artifacts
3
sub-sections
Capstone one integrates the offensive (Pillar 1), AppSec (Pillar 2), and design/security (Pillar 0) modules into one working harness. Three sub-sections: the design document (domain choice, scope architecture, memory schema, tool suite, evidence schema, autonomy level, and an OWASP Agentic threat model for the harness itself); the build (scope middleware, persistent target-state memory, five tools with Pydantic schemas and scope-check wrappers, evidence logger, signal/noise triage, report generator, structured logging with trace IDs); and evaluate/harden/benchmark (run against a known-vuln lab, attempt out-of-scope calls, serve an injection payload, run InjecAgent, produce a client report, publish the benchmark).
Key Claims
Load-Bearing Claims

The harness is the deliverable. A bug bounty submission or an AppSec gate is only as trustworthy as the harness that produced it. Scope enforcement, evidence chains, and adversarial-output defense are the three properties that separate a real harness from a prompt wrapper.

Scope enforcement is a middleware, not a prompt. Out-of-scope tool calls must be blocked by code, not by asking the LLM nicely. The scope middleware intercepts every tool invocation and rejects any that fall outside the engagement boundary — and you prove it by trying to break it.

Persistent memory is what makes a harness cumulative. Each finding enriches the target-state model; the next tool call reasons over what was already found, not just raw input. Without persistence, every scan is a cold start.

An unscored harness is a hypothesis. InjecAgent and the OOS-call and injection-payload tests convert the claim 'my harness is safe and effective' into falsifiable, publishable evidence. The benchmark is the portfolio asset.

After This Module
01
Produce a design document covering domain choice, scope architecture, memory schema, tool suite (minimum five tools), evidence schema, autonomy level, and an OWASP Agentic Top 10 threat model for the harness itself.
02
Implement scope enforcement middleware that blocks every out-of-scope tool call and verify it by attempting OOS calls during evaluation.
03
Implement persistent target-state memory so each tool call reasons over accumulated findings rather than cold-starting.
04
Register five tools with Pydantic schemas, scope-check wrappers, and rate limiting; implement evidence logger middleware and a signal/noise triage filter.
05
Implement a report generator that emits HTML and JSON client-ready output with full evidence-chain linkage and trace IDs.
06
Benchmark the harness: run against a known-vulnerability lab, serve a prompt injection payload from the target, run the InjecAgent test suite, and publish the scored results.
Artifacts