Module SDD-01 — CAI (Cybersecurity AI)

CAI (Cybersecurity AI)

The primary offensive case study: autonomy levels, bug bounty architecture, CTF benchmarks, and the CSI meta-harness.

90
minutes
8
artifacts
4
sub-sections
An MIT-licensed, open-source offensive harness that treats security work as a first-class harness problem. Alias Robotics' CAI orchestrates six CTF domains behind a CSI meta-harness, hard-wires scope enforcement, and produces bug-bounty-ready evidence. This is the baseline every other deep-dive compares against.
Key Claims
Load-Bearing Claims

CAI is the most complete open-source offensive harness available. CSI meta-harness routing, six domain specialists, hard-wired scope enforcement, autonomy levels, and an evidence buffer that produces submission-ready findings — no other public project covers this breadth.

Scope enforcement must be hard-wired, not prompt-level. The single highest-stakes decision. A bug in the scope validator is a legal exposure (CFAA / Computer Misuse Act). Prompt-level scope is a liability; code-level scope validation on every target-touching tool call is the control.

Autonomy levels are a graduated spectrum, not a binary HITL flag. The credential-reuse gate never comes off — even at full autonomy, reusing stolen credentials outside engagement scope is unbounded-risk. This is the one inversion that is never safe.

The evidence threshold stop is what makes this a security loop. The harness halts when the evidence buffer supports a submittable finding, not when the model runs out of ideas. This is the Course 2A inversion of verification: can I prove it to a client?

After This Module
01
Apply the 6-phase deep-dive methodology to CAI and produce a scored analysis card (46/60).
02
Map CAI's layered architecture: CSI meta-harness, domain specialists, tool registry, and the evidence subsystem (scope validator, buffer, report generator).
03
Distinguish CAI's autonomy levels and defend when each is correct, and identify the credential-reuse gate as the one that never comes off.
04
Score CAI on the 12-module rubric with evidence, noting the weak trio (context, memory, observability) common across the roster.
05
Use CAI as the offensive baseline for SDD-02 through SDD-06.
Artifacts