InjecAgent
The indirect prompt injection benchmark as a quality gate: ~50% of agentic tasks vulnerable to injection via tool outputs, measured per-tool, regression-gated in CI.
Indirect injection via tool outputs is the defining agentic attack surface. The agent cannot structurally distinguish a tool's output (data) from its instructions (policy) — both arrive as text in the context window. Security harnesses read target data constantly; every read is an injection opportunity. This is the S01 inversion made measurable.
The ~50% is a population baseline, not your number. It describes un-defended, out-of-the-box agentic harnesses. A defended harness (structured tool outputs, deterministic egress) should be dramatically lower. The metric that justifies a defense's cost is the before/after defense-effectiveness delta, not the absolute rate.
The operational payoff is the per-tool scorecard and the CI gate. The 50% is a headline; the per-tool scorecard (which tools are injectable) plus the failure transcript (exactly how each injection steered the agent) is the defense-design surface. The CI gate catches any change that opens an injection surface — turning resistance from an opinion into an enforced build-pipeline property.
InjecAgent is the bridge to Course 2B. The defenses it implies (treat tool outputs as untrusted data, enforce structure, gate egress deterministically — DD-19 CrabTrap, DD-20 IronCurtain) are exactly what Course 2B's offensive techniques attack. A measured-but-indefended injection rate is a documented vulnerability — the starting point for 2B's red-teaming.