Module B1 — Threat Model of Agentic Systems

Threat Model of Agentic Systems

An agentic system is not one target — it is seven distinct surfaces (loop, tools, memory, provider, identity, sandbox, inter-agent edges), each with its own trust boundary, canonical attack, and defense. The model is 1.6%; the harness is 98.4%. This module turns B0's scope file into the surface map every subsequent module (B2–B12) attacks and defends within.

60
minutes
8
artifacts
3
sub-sections
B0 gave you the legal control plane and the scope file. This module turns that scope file into a map. Every surface an agentic system exposes is an attack target. The seven surfaces — the loop, tools, memory, the provider, identity, the sandbox, and inter-agent edges — are the structure every subsequent module attacks and defends within. If you cannot enumerate the surfaces, you cannot defend the system. A red-team that treats 'the agent' as one target misses six of seven.
Key Claims
Load-Bearing Claims

An agentic system exposes seven distinct attack surfaces, not one. The loop (goal hijacking), tools (indirect injection via output), memory (the sleeper), the provider (leakage), identity (excessive agency), the sandbox (escape), and inter-agent edges (cascade). Six are harness-layer (98.4%); only the provider is model-layer (1.6%). A red-team that tests only the model has covered 1.6% and left 98.4% exposed. Every surface gets its own module from B2 onward.

Indirect prompt injection via tool output is the most common and most dangerous vector, and it is a harness failure, not a model failure. The tool faithfully returns attacker-controlled content; the harness inserts it into the context window without an untrusted tag; the model treats it as instruction. InjecAgent measured ~50% of agentic tasks vulnerable to exactly this. The fix is output tagging and instruction isolation (B2, B4) — the 98.4%, not the model's refusal training (the 1.6%).

Blast radius is what prioritizes remediation, and containment-failure surfaces come first. The sandbox (host-wide), identity (credential-scope-wide), and inter-agent edges (mesh-wide) have containment-failure worst cases — an uncontained compromise is an incident, not a finding. The loop (session-wide, if halted) is contained. Prioritize the surfaces whose compromise escapes the boundary over those whose compromise stays within a session.

CrabTrap (probabilistic, DD-19) and IronCurtain (deterministic, DD-20) each defend a subset of surfaces, and neither is sufficient alone. A defense on one surface does not protect the others: CrabTrap on the tools surface does not stop a sandbox escape; IronCurtain on identity does not stop an unfiltered inbound tool return. The thesis across B2–B12 is defense in depth across all seven surfaces, each with its own module, control, and red-team test.

After This Module
01
Enumerate the seven attack surfaces of an agentic system — loop, tools, memory, provider, identity, sandbox, inter-agent edges — and state the trust boundary, canonical attack, and canonical defense for each.
02
Model untrusted content flow through an agent: identify every entry point where attacker-controlled data crosses a trust boundary into the context window, and predict the downstream tool call that converts injection into impact.
03
Apply an adapted STRIDE-for-agents framework to a deployed agent, mapping each surface to a Microsoft STRIDE category and to an OWASP Agentic AI Top 10 (ASI01–ASI10) risk.
04
Connect offense to defense per surface: for each attack, name the mitigation and the Course 2B module (B2–B12) that implements it in depth, and the Course 1 defense architecture (DD-19 CrabTrap, DD-20 IronCurtain) it attacks.
05
Score blast radius per surface — distinguish a contained sandbox escape from a cascade that compromises every agent in a mesh — and prioritize remediation accordingly.
Artifacts