Threat Model of Agentic Systems
An agentic system is not one target — it is seven distinct surfaces (loop, tools, memory, provider, identity, sandbox, inter-agent edges), each with its own trust boundary, canonical attack, and defense. The model is 1.6%; the harness is 98.4%. This module turns B0's scope file into the surface map every subsequent module (B2–B12) attacks and defends within.
An agentic system exposes seven distinct attack surfaces, not one. The loop (goal hijacking), tools (indirect injection via output), memory (the sleeper), the provider (leakage), identity (excessive agency), the sandbox (escape), and inter-agent edges (cascade). Six are harness-layer (98.4%); only the provider is model-layer (1.6%). A red-team that tests only the model has covered 1.6% and left 98.4% exposed. Every surface gets its own module from B2 onward.
Indirect prompt injection via tool output is the most common and most dangerous vector, and it is a harness failure, not a model failure. The tool faithfully returns attacker-controlled content; the harness inserts it into the context window without an untrusted tag; the model treats it as instruction. InjecAgent measured ~50% of agentic tasks vulnerable to exactly this. The fix is output tagging and instruction isolation (B2, B4) — the 98.4%, not the model's refusal training (the 1.6%).
Blast radius is what prioritizes remediation, and containment-failure surfaces come first. The sandbox (host-wide), identity (credential-scope-wide), and inter-agent edges (mesh-wide) have containment-failure worst cases — an uncontained compromise is an incident, not a finding. The loop (session-wide, if halted) is contained. Prioritize the surfaces whose compromise escapes the boundary over those whose compromise stays within a session.
CrabTrap (probabilistic, DD-19) and IronCurtain (deterministic, DD-20) each defend a subset of surfaces, and neither is sufficient alone. A defense on one surface does not protect the others: CrabTrap on the tools surface does not stop a sandbox escape; IronCurtain on identity does not stop an unfiltered inbound tool return. The thesis across B2–B12 is defense in depth across all seven surfaces, each with its own module, control, and red-team test.