Module SDD-B03 — InjecAgent: The Bridge Benchmark

InjecAgent: The Bridge Benchmark

The bridge from 2A to 2B. In 2A InjecAgent was the quality gate — is my harness injectable? In 2B it becomes the measurement instrument for every defense in the course — did this defense hold, and by how much? The ~50% baseline is where un-defended agents start; the defended delta is what every module from here on produces. This is the measurement layer for B2's injection defenses.

45
minutes
8
artifacts
3
sub-sections
The benchmark code does not change between Course 2A and Course 2B; what changes is the question asked of it. In 2A InjecAgent was a builder's quality gate run against your own harness — the number was the deliverable. In 2B it is the red-team's measurement instrument run against a hardened target — the (before, after, configuration) delta is the finding, and the per-attack-type scorecard is the defense prescription. The ~50% population baseline is the starting line, not a constant or a target. Every defense from SDD-B04 onward is evaluated against this benchmark: when we break CrabTrap's judge and IronCurtain's compilation, InjecAgent is the instrument that says the defense held at X% before the attack and Y% after. Without that pair, 'I broke the defense' is an opinion. This deep-dive upgrades the role.
Key Claims
Load-Bearing Claims

InjecAgent plays four roles across the two courses, and the role shift is what makes it the bridge. Quality gate (2A: is my harness injectable?), measurement instrument (2B: did this defense hold, and by how much?), regression gate (both: did this change open a surface?), and engagement scoper (B12: which chains do I run?). The code is identical; what changes is the question, the lens, and the authorization. A 2A graduate who only knows the first role under-uses the benchmark in 2B — this deep-dive upgrades it to the measurement layer for every defense.

The defense-effectiveness delta is the only honest effectiveness metric — every claim is a (before, after, configuration) triple. 'We added an egress gate and we're at 9%' is not a claim without the baseline. If the baseline was 14%, the gate did almost nothing; if it was 48%, it did serious work. You cannot tell from the defended number alone. The configuration — pinned model version, sampling params, defense settings — is what makes the triple reproducible. No triple, no claim. This is the discipline most often missed in practice.

The attack-type taxonomy is mandatory in 2B because it turns a score into a defense prescription. Credential exfil, disallowed-tool, scope escape, policy override, action redirection — each maps to a different defense (deterministic egress, tool-call policy, scope gate, instruction hierarchy, session-level intent detection). A tool failing 60% on credential-exfil needs a different defense than one failing 60% on action-redirection. The per-attack-type scorecard is the section of a B12 report that says here is what is broken, here is the attack type, here is the defense, here is the expected delta.

Every failure transcript is a partial attack chain — read it through the OWASP (SDD-B01) and Microsoft (SDD-B02) lenses and it becomes a cross-row chain finding. The injected output is ASI07, the agent following it is ASI01, the off-task action is ASI05/ASI03; if the action was a compound passing per-step approval individually, it is the zero-click HITL bypass (SDD-B02). The benchmark produces the raw chain material; the taxonomy produces the finding. The benchmark routes to the taxonomies; it does not replace them. A B12 engagement that skips the InjecAgent pass scopes blind.

After This Module
01
Restate InjecAgent's benchmark methodology from the offensive side (task set, injected tool outputs, success criteria) and explain precisely what the ~50% vulnerability finding measures and does not — it is a population baseline for un-defended harnesses, not a constant, not a target.
02
Distinguish the four roles InjecAgent plays (quality gate, measurement instrument, regression gate, engagement scoper) and explain why the role shift from 2A to 2B is what makes it the bridge.
03
Run InjecAgent against a hardened harness (the Capstone B1 output), interpret the per-tool scorecard with attack-type taxonomy, and identify which defense each failing tool needs.
04
Design the before/after measurement that turns a defense into a quantified effectiveness claim (the (before, after, configuration) triple) and reject defense claims made without a measured delta.
05
Wire InjecAgent as the regression gate that catches a new tool, a prompt edit, or a model swap opening an injection surface, and articulate why the gate is the only honest enforcement of an injection-resistance threshold.
06
Map InjecAgent failure transcripts to the OWASP (SDD-B01) and Microsoft (SDD-B02) attack chains and use the benchmark to scope a B12 engagement — routing high-score tools to the matching chain procedures.
Artifacts
01
Teaching Document
~3,400 words; 3 sub-sections — the methodology read from the offensive side (vector, what the ~50% is/is not, four roles), measuring defense effectiveness (the delta triple, attack-type taxonomy, deterministic-vs-probabilistic), the gate/transcript/engagement (regression gate, transcript-as-chain, B12 scoping); with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the four roles of one benchmark (the bridge), the defense-effectiveness delta (before/after/configuration), the attack-type taxonomy (score to prescription router), the transcript read as a chain finding (OWASP + Microsoft lenses), the regression gate (three changes that open surfaces)
READ
03
Slide Deck
12 slides — reveal.js, dark theme, design-system teal; covers the bridge thesis, what the ~50% is/is not, four roles, the delta triple, attack-type taxonomy, transcript-as-chain, regression gate, the three discipline rules
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~2,900 words spoken at ~140 wpm across 13 slide cues
READ
05
Flashcards
19 flashcards (TSV) — mix of recall and analysis; covers the ~50% reading, four roles, the delta triple, attack-type taxonomy, transcript-as-chain, the gate, deterministic-vs-probabilistic deltas, B12 scoping
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Run InjecAgent Against a Hardened Harness — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): measure baseline vs defended under a pinned config, compute per-tool per-attack-type delta, read two transcripts as chain findings, wire the regression gate (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE