InjecAgent: The Bridge Benchmark
The bridge from 2A to 2B. In 2A InjecAgent was the quality gate — is my harness injectable? In 2B it becomes the measurement instrument for every defense in the course — did this defense hold, and by how much? The ~50% baseline is where un-defended agents start; the defended delta is what every module from here on produces. This is the measurement layer for B2's injection defenses.
InjecAgent plays four roles across the two courses, and the role shift is what makes it the bridge. Quality gate (2A: is my harness injectable?), measurement instrument (2B: did this defense hold, and by how much?), regression gate (both: did this change open a surface?), and engagement scoper (B12: which chains do I run?). The code is identical; what changes is the question, the lens, and the authorization. A 2A graduate who only knows the first role under-uses the benchmark in 2B — this deep-dive upgrades it to the measurement layer for every defense.
The defense-effectiveness delta is the only honest effectiveness metric — every claim is a (before, after, configuration) triple. 'We added an egress gate and we're at 9%' is not a claim without the baseline. If the baseline was 14%, the gate did almost nothing; if it was 48%, it did serious work. You cannot tell from the defended number alone. The configuration — pinned model version, sampling params, defense settings — is what makes the triple reproducible. No triple, no claim. This is the discipline most often missed in practice.
The attack-type taxonomy is mandatory in 2B because it turns a score into a defense prescription. Credential exfil, disallowed-tool, scope escape, policy override, action redirection — each maps to a different defense (deterministic egress, tool-call policy, scope gate, instruction hierarchy, session-level intent detection). A tool failing 60% on credential-exfil needs a different defense than one failing 60% on action-redirection. The per-attack-type scorecard is the section of a B12 report that says here is what is broken, here is the attack type, here is the defense, here is the expected delta.
Every failure transcript is a partial attack chain — read it through the OWASP (SDD-B01) and Microsoft (SDD-B02) lenses and it becomes a cross-row chain finding. The injected output is ASI07, the agent following it is ASI01, the off-task action is ASI05/ASI03; if the action was a compound passing per-step approval individually, it is the zero-click HITL bypass (SDD-B02). The benchmark produces the raw chain material; the taxonomy produces the finding. The benchmark routes to the taxonomies; it does not replace them. A B12 engagement that skips the InjecAgent pass scopes blind.