Module SDD-B10 — Academic Offensive Harnesses

Academic Offensive Harnesses

Academic Offensive Harnesses (Adapted for AI-Target Attacks)

45
minutes
8
artifacts
3
sub-sections
In Course 2A, the academic offensive harnesses (PentestGPT, APT-Agent, HPTSA, VulnBot, CAI) were tools FOR security work — LLM-driven agents automating pentests against traditional targets. In 2B, the lens inverts: the same harnesses are methodologies for ATTACKING AI systems. The transfer is structural, not analogical — the architectures (hierarchical planning, multi-agent task decomposition, automated reasoning, rectification, scale) are target-agnostic. This deep-dive surveys the academic landscape with arXiv IDs (PentestGPT USENIX Security 2024; HPTSA arXiv:2406.01637; VulnBot arXiv:2501.13411; APT-Agent arXiv:2605.24949; CAI arXiv:2504.06017), maps each technique to an AI-target attack vector (HPTSA's hierarchy is the zero-click chain blueprint; APT-Agent's rectification is the SDD-B09 cat-and-mouse engine; VulnBot's collaboration is distributed multi-surface probing; CAI's speed is high-volume attack/measurement), and forecasts the offensive frontier: automated multi-step injection chains and LLM-driven detection-model evasion become standard. The course's defense thesis is the response: deterministic boundaries (SDD-B05) composed with measured model-based layers (SDD-B08, SDD-B09), floored by a scope gate (B0) the adversary's automated, hierarchical, adaptive, high-volume machinery cannot disable. This is the course-closing offensive deep-dive.
Key Claims
Load-Bearing Claims

The 2A-to-2B technique transfer is structural, not analogical. The academic offensive harnesses solve a general problem — automated, multi-step, reasoning-heavy exploration of an attack surface — and the architecture is target-agnostic. Swap the target from 'web server with a zero-day' to 'agent with an injection surface' and the same machinery runs. The same code, retargeted, attacks the AI surface. AI-target defenses must be assessed against the academic offensive state of the art, not a hypothetical static adversary.

HPTSA's hierarchical planning (arXiv:2406.01637) is the blueprint for the zero-click chain. The planner maintains the global strategy, decomposes the objective into sub-tasks, and dispatches each to a specialized sub-agent. The hierarchy is what makes the chain navigable — a single agent holding the whole chain gets lost; the decomposition keeps each step focused. The planning machinery exists (2024), the injection techniques exist (SDD-B03–B06), and the combination is an automated, multi-step attack that is no longer hypothetical.

APT-Agent's rectification is the bridge to SDD-B09's cat-and-mouse dynamic. An automated attacker that reads a defense's failure response and refines the payload is the engine that drives the detector's out-of-distribution accuracy to decay under adaptive pressure. The defender who measures only against static, in-distribution traffic is measuring against an adversary who no longer exists — the adversary has rectification machinery.

The offensive frontier is converging: components are commoditized (HPTSA, VulnBot, CAI are open-source), architectures are published, and the barrier to composition is falling. The forecast is automated multi-step injection chains as the default attack and LLM-driven detection-model evasion as standard. The defense that holds is deterministic boundaries (SDD-B05) composed with measured model-based layers (SDD-B08, SDD-B09), floored by a scope gate (B0) the adversary's automated, hierarchical, adaptive, high-volume machinery cannot disable — because it has no evasion surface.

After This Module
01
Survey the academic landscape of LLM-driven offensive agents — PentestGPT, APT-Agent, HPTSA, VulnBot, CAI — and articulate each paper's core architectural contribution, with arXiv identifiers.
02
Explain the inversion from 2A to 2B: the same harnesses that were tools FOR security work become methodologies for attacking AI systems, because the multi-step planning and task-decomposition techniques transfer structurally.
03
Map HPTSA's hierarchical planning (planner dispatches to specialized sub-agents) to the zero-click chain: the planner is the orchestrator, the sub-agents are the chain steps, and the architecture is why multi-step AI attacks are now automatable.
04
Analyze how each academic technique transfers to a specific AI-target attack vector: PentestGPT's reasoning loop to injection-chain planning, APT-Agent's rectification to adaptive injection refinement, VulnBot's collaboration to distributed agent-system probing, CAI's speed to high-volume red-team measurement.
05
Synthesize the academic state of the art into a forecast of the offensive frontier: automated multi-step injection chains, LLM-driven evasion of detection models, the convergence of traditional and AI-target automation.
06
Connect the offensive frontier to the course's defense thesis: the harness scope gate (B0), the deterministic boundary (SDD-B05), and defense-in-depth composition are the controls that hold against an adversary with automated, hierarchical, multi-agent offensive capability.
Artifacts