"Name the six states of the offensive state machine." "Recon → Hypothesis → Exploit Attempt → Evidence Capture → Triage → Report. Cycles back to Recon for next finding; stops when scope exhausted or evidence threshold met." c2a::s01::recall "Is the offensive state machine a replacement for ReAct or a specialization? Explain." "A SPECIALIZATION. Same underlying machinery (Thought-Action-Observation), different named states, different stop conditions (evidence-driven, not model-driven), evidence built into the loop." c2a::s01::analysis "Three structural differences between the offensive loop and a general ReAct loop?" "(1) Adversarial inputs (tool outputs may contain injection). (2) Evidence-driven stop conditions (externally defined, not model-determined). (3) Domain-specific evidence collection (schema-validated, scope-referenced, legal weight — not just debug logging)." c2a::s01::recall "In the offensive loop, who decides when to stop?" "NOT the model. The stop condition is externally defined: evidence threshold met OR scope exhausted. The model proposes; the harness decides based on evidence and scope." c2a::s01::analysis "What is the kill chain state management problem, and what is the solution?" "Problem: multi-step attacks lose intermediate state when the context window compacts. Solution: attack-graph state — a persistent structure (separate from context) tracking each step's state (unexplored/attempts/succeeded/failed/out_of_scope). Lives in engagement memory, survives compaction." c2a::s01::analysis "Name the six CAI autonomy levels and which are appropriate for production." "L0 Manual, L1 Assisted, L2 Guided, L3 Supervised, L4 Highly autonomous, L5 Fully autonomous. PRODUCTION = Level 2–3. L4 = lab/CTF/benchmark only. L5 = research; NEVER real engagements." c2a::s01::recall "Why do production offensive harnesses sit at Level 2–3? What is the approval gate's function?" "The approval gate (L2) or scope enforcement (L3) is a LEGAL CONTROL — a human decision is recorded for every legally sensitive action. L4–5 removes human decisions from legally sensitive actions; appropriate only where there are no legal consequences." c2a::s01::analysis "What is the bounded-autonomy pattern?" "Propose → approve → execute. Harness proposes action (with scope check, evidence plan); human approves (L2) or auto-approves if scope-compliant (L3); harness executes with evidence capture. Removing the approval for speed is the most common production failure." c2a::s01::recall "What are the three components of a scope file, each enforced independently?" "(1) Authorized targets (in_scope — exhaustive, exact match, exclusions override). (2) Rules of engagement (behavioral: rate caps, forbidden actions). (3) Evidence constraints (minimum proof, classification, retention from S00.2)." c2a::s01::recall "Where does scope enforcement middleware sit in the harness architecture?" "BETWEEN the agent and every network/filesystem action. It wraps the tool executor below the model's control layer. The model proposes any call; the middleware decides if it reaches the network. Cannot be bypassed by the model." c2a::s01::analysis "Why does scope enforcement return blocked calls as structured results, not errors?" "So the model LEARNS it was blocked and adjusts its plan to stay in scope. A crash/error would be opaque; a structured result saying 'out_of_scope' lets the model reason about the boundary." c2a::s01::application "Scope enforcement vs code-execution sandboxing — what are the two control planes?" "Sandbox (Course 1 M5) = what the agent can do LOCALLY (files, processes, network-at-all). Scope enforcement (S01.2) = WHERE the agent can REACH (is this host/action authorized?). BOTH required." c2a::s01::analysis "A team has a strong sandbox but no scope enforcement. What is the gap?" "They contained the agent but let it attack the world. The agent can reach any network endpoint the sandbox permits, authorized or not. Need BOTH control planes: sandbox for local containment + scope for network authorization." c2a::s01::application "What is the scope_ref stamp and why does it exist?" "A field stamped on every permitted tool call recording: target::action::ISO_timestamp. It records which scope entry authorized this call. It is the evidence chain's legal anchor — produces 'authorization to the atom' in the runtime log." c2a::s01::recall "What is adversarial tool output (indirect prompt injection via tool outputs)?" "In offensive harnesses, the target is an adversary. Every HTTP response, HTML, JSON, header may contain a payload designed to manipulate the model. The target content is an attack surface pointed back at your harness." c2a::s01::recall "What is the InjecAgent finding?" "~50% of agentic tasks are vulnerable to indirect prompt injection via tool outputs. Half the time, an injected instruction in a tool output causes the model to deviate from intended behavior." c2a::s01::recall "Name five things an injected instruction in a target response can cause the model to do." "Exfiltrate findings to attacker · Suppress real vulnerabilities · Propose out-of-scope actions · Corrupt engagement memory · Generate misleading evidence." c2a::s01::recall "Name the five layers of the adversarial tool output mitigation stack." "(1) Untrusted-content tagging (wrap target reads as data). (2) Output sanitization (strip injection patterns). (3) Reader-actor separation (separate models). (4) InjecAgent as quality gate (>20% fail = not ready). (5) Evidence cross-validation (never single-observation)." c2a::s01::recall "What is untrusted-content tagging?" "Wrapping every target read in tags () before placing in context. The model is instructed to treat tagged content as DATA only, never instructions. Defense-in-depth, not sufficient alone — InjecAgent shows models can be tricked past it." c2a::s01::application "What is the reader-actor separation, and why is it the strongest defense?" "A separate Reader Model ingests raw target output → produces structured summary (data only). The Actor Model sees only the summary, never raw adversarial content. Injection can affect the reader's summary but cannot DIRECTLY instruct the actor. Recommended by InjecAgent." c2a::s01::analysis "Why does an offensive harness need a STRICTER trust model than a general one?" "Three reasons: (1) every external read is potentially hostile (not just untrusted — adversarial). (2) The model must NEVER act on instructions in target content. (3) Findings from adversarial content need cross-validation — the target can lie; verify independently." c2a::s01::analysis "What is the reader-actor collapse anti-pattern?" "Using the SAME model instance to read target content AND decide actions. An injection in target content directly controls the action-deciding model. Cure: separate reader and actor models; actor sees only structured summaries." c2a::s01::analysis "A harness runs at Level 4 against a production bug bounty 'because the scope is well-defined.' What is wrong?" "Scope enforcement handles authorization, but NOT judgment calls — ambiguous findings, unexpected exploit effects, contradictory evidence. Level 4 is for lab/CTF/benchmark only (no legal consequences). Production needs Level 2–3 where human decisions are recorded." c2a::s01::application "Why does the offensive state machine build evidence into the loop rather than bolting it on?" "Because each observation has LEGAL WEIGHT. In a general harness, logs are for debugging. In an offensive harness, logs are evidence — schema-validated, scope-referenced, with retention rules. Building it in ensures every observation is capture-ready, not retrofitted." c2a::s01::analysis "What does the attack-graph node track, and where does it live?" "Tracks: id, step, hypothesis, action, result (unexplored/attempting/succeeded/failed/out_of_scope), evidence_ref, children, parent, session_id. Lives in ENGAGEMENT MEMORY (S02.1), NOT the context window — survives compaction and session boundaries." c2a::s01::recall "An attack-graph node transitions to 'Failed.' What happens next?" "Plan correction (S03.2 / RedTeamLLM pattern): the harness re-hypothesizes and selects an alternative exploit. The node stays in the graph as 'failed' — the harness does not retry the same path blindly. Failed nodes inform future hypothesis generation." c2a::s01::application