Course: 2B — Securing & Attacking Harnesses and LLMs
Deep-Dive: SDD-B01 — OWASP Agentic AI Top 10: Offensive Expansion
Duration: ~30 minutes (spoken at ~140 wpm)
Format: Verbatim transcript with [SLIDE N] cues. Read aloud or use as speaker notes.
[SLIDE 1 — Title]
Welcome to deep-dive SDD-B-zero-one, the OWASP Agentic AI Top 10 read as an attacker. Module B9 handed you the defense checklist — ten rows, ASI zero-one through ASI ten, each with a control and a test. This deep-dive is the red-team playbook for every one of those rows. Same numbering, verified against the same OWASP primary source. Different artifact. For each row, instead of "here is the control and the test," you get four things the red team runs: the attack in depth, the real-world exploitation scenario, the evasion technique that defeats the standard defense, and the chaining that turns the single-row finding into compound impact.
This is the offensive companion to B9. Read both, in order, and the gap between "the control passed its test" and "the system holds under an adversary" becomes the entire engagement.
[SLIDE 2 — The thesis: same numbering, different artifact]
Here is the load-bearing distinction. B9 reads the Top 10 as a builder. One risk, one control, one test. Eight rows report PASS or FAIL, two report MEASURED. The scored report is honest — the deterministic rows are deterministic, the probabilistic rows are probabilistic.
This deep-dive reads the same ten rows as an attacker. One risk, one attack procedure, the evasion that defeats the control, and the chain across rows. The reproduced finding.
The gap between the two readings is the engagement. A control that PASSes its B9 test in isolation is not a control that survives an adversary who arrives on the indirect channel the test never exercised. The taint gate is tested against direct injection and bypassed by injection through a tool output the harness marked trusted. The capability enumeration proves minimality and misses the load-bearing capability a benign task required. The path normalization stops dot-dot-slash and misses the semantic-path confusion in the tool description. Every defense B2 through B8 builds has a gap between how it behaves on its per-row test and how it behaves under an adversary who chains. This deep-dive is that adversary's playbook.
[SLIDE 3 — The evasion pattern: why PASS is not closed]
This is the single most important pattern in the deep-dive, and it repeats for every row. Every OWASP defense has a known evasion, and the evasion is almost always the indirect channel the defense's per-row test does not exercise.
The B9 test verifies the direct surface. The taint gate is tested against a direct injection payload. The capability enumeration is tested against the agent having too many tools. The path normalization is tested against dot-dot-slash. The test passes. The vector the test names is closed.
The attacker arrives on the indirect surface. The injection comes inside a tool output the harness marked trusted, so the taint gate does not inspect it. The over-scope lives in the credential's scope, not the tool count, so the enumeration does not see it. The confusion lives in the tool-description selection layer, not the path, so normalization does not touch it. The test closed the vector. The attacker arrives on the class beneath.
This is why the two MEASURED rows — ASI zero-one and ASI zero-six — are not the only probabilistic surfaces. They are the only rows where the standard admits the residual. The eight PASS/FAIL rows each have a residual too; the PASS/FAIL result just cannot express it. Treating those eight rows as fully closed is the offense team's first opening.
[SLIDE 4 — The input and state surface: the semantic residuals]
Now the offensive expansion, surface by surface. First, the input and state surface — ASI zero-one, zero-two, zero-four, zero-six. Four rows where the semantic boundary makes every defense probabilistic.
ASI zero-one, Goal Hijacking. B9 builds a taint gate, an instruction hierarchy, and goal-reaffirmation checkpoints. The offensive expansion does not bother with direct injections — deployed agents resist "ignore previous instructions." The attack is drift. An indirect injection through a tool output or retrieved document shifts the agent's framing across turns, reinforced by a subsequent document, until the sub-goal has diverged with no single instruction having hijacked it. The evasion: the injection arrives in a tool output the harness marked trusted, so it bypasses the taint gate. Goal-reaffirmation fires every N turns, but N is longer than the drift's timescale.
ASI zero-two, Prompt Leakage. B9 defends with system-prompt canaries and egress verification. The attacker does not ask the agent to repeat its prompt — that triggers the canary. The attack is multi-turn rapport-building. Over five to ten turns the attacker elicits capabilities, constraints, and configuration in small pieces that feel like helpfulness. Each piece is paraphrased, so it never contains the canary string and passes egress verification. Capability disclosure is reconnaissance, not impact — it is the first link in a longer chain.
ASI zero-four, Memory Poisoning. B9 enforces harness-managed memory writes — the agent cannot write to durable memory directly. The attack is taint-laundering through a trusted sink. The agent is tricked into writing a poisoned entry through a legitimate, trusted memory tool — the save-preference function — and the entry inherits the trust of the tool rather than the taint of its origin. The write boundary tags provenance at the boundary; the origin of the write is upstream, so the write looks legitimately user-preference-shaped.
ASI zero-six, Cascading Hallucination. B9 builds verification — the agent must cite a source. The attack is unverified-claim propagation. The agent makes a claim that requires no citation under the policy — an inference, a summary, an opinion — and that claim propagates as a fact into downstream reasoning. The verifier inspects the citation layer; the hallucination enters as reasoning and propagates as fact. This is why ASI zero-six is MEASURED, not PASS/FAIL — hallucination detection has a miss rate, and the miss rate is the residual.
[SLIDE 5 — The permission and tool surface: the class beneath the vector]
Second surface: the permission and tool surface — ASI zero-three, zero-five, zero-eight, zero-ten. Four rows where the structural boundary looks deterministic, but the attacker finds the class beneath the vector.
ASI zero-three, Excessive Agency. B9 defends with capability enumeration — minimality is proven. The attack is the load-bearing capability that survived minimization because a benign task required it. A reporting agent needs billing-read to fetch usage data. The scoped credential granted for billing-read also grants billing-write against a different endpoint, because the cloud provider scopes credentials at the service level, not the method level. Minimality passed at the tool level; the over-privilege lives at the credential-scope level the enumeration treated as a property of the tool, not an inspectable surface.
ASI zero-five, Tool and Skill Abuse. B9 builds tool contracts — descriptions are namespaced, arguments are schema-validated, paths are normalized. The attack is semantic-path confusion and argument injection through the tool description. The attacker registers a tool whose description overlaps a privileged tool's, causing the dispatch layer to route to the wrong tool. Path normalization, schema validation, and the legitimate tool's contract all pass their B9 tests. The abuse happened in the selection logic — a semantic surface with no deterministic test.
ASI zero-eight, Supply Chain. B9 defends with signed tool manifests verified at registration. The attack is the typosquatted or evil-twin dependency that has a valid signature, because the signature verifies the publisher's identity, not the package's benignity. A malicious package signed by its malicious publisher passes signature verification. The signed-manifest test confirms the signature is valid and the publisher is known — validity and known-publisher are not the same as benign.
ASI ten, Broken Access Control. B9 defends with principal binding and tenant isolation. The attack is inter-agent trust escalation. A low-privilege sub-agent, compromised via a poisoned document, forges a message to a higher-privilege orchestrator. The orchestrator executes the requested action because it treats sub-agent messages as role-scoped authority rather than untrusted input. Principal binding passed at both ends — the message came from the sub-agent's valid principal. The escalation happened because the orchestrator trusted that principal beyond the sub-agent's actual authority.
[SLIDE 6 — The output and resource surface: the entry point and amplifier]
Third surface: the output and resource surface — ASI zero-seven and zero-nine. The two rows that are most often the entry point or the amplifier.
ASI zero-seven, Insecure Output Handling. B9 builds output sanitization. The attack is output-as-input to a downstream agent. The output is sanitized for a human reader — HTML-escaped, schema-valid — but consumed by a downstream agent that interprets a structurally-valid field as an instruction. Agent A emits JSON with a summary field reading "reply YES to confirm." The JSON is valid; the sanitizer passes it. Agent B, consuming the JSON, interprets the summary as an instruction and replies. The sanitizer escapes the output for HTML, shell, or SQL. The downstream agent's rendering context is natural language, which no sanitizer escapes — there is no escape syntax for "this string is data, not an instruction." ASI zero-seven is the entry point of the most common compound chain.
ASI zero-nine, Resource Exhaustion. B9 builds circuit breakers — per-tool budgets, per-session caps, rate limits. The attack is cost amplification via a tool loop where each call is under-threshold. The agent is goal-hijacked into querying a search tool for ten thousand terms, one at a time. Each call is under the per-call cost cap and within the rate limit. The circuit breaker sees ten thousand individually-legitimate calls. The breaker was tuned for a per-call threat model; the loop is a session-level threat model. A session-level cap would catch it, but session-level caps are the layer most harnesses omit.
[SLIDE 7 — The cross-row chains: the compound is the finding]
Now the centerpiece of the deep-dive. The offensive value of the Top 10 is the chaining across rows, not the exploitation of any single row. B9 tests rows in isolation and reports eight PASS. The attacker reads the same eight PASS and chains across the boundaries the isolation created. Three chains recur.
Chain one — the exfiltration chain. ASI zero-seven to zero-one to zero-five to zero-three. An unsanitized-as-instruction output drifts the receiving agent's goal, which invokes an attacker-targeted tool, which exercises an over-scoped capability to exfiltrate data or move laterally. Each row passed its B9 test; the chain crosses the input, goal, tool, and permission boundaries in sequence.
Chain two — the persistence-and-propagation chain. ASI zero-two to zero-four to zero-six. Capability disclosure reveals the memory-write path and the verification exemptions. The attacker poisons durable memory via the legitimate write tool — taint-laundered — and the poisoned entry propagates as an unverified inference that becomes a durable behavioral change. A persistent backdoor that survives session restarts.
Chain three — the supply-chain-to-escalation chain. ASI zero-eight to zero-five to zero-ten. A typosquatted, validly-signed MCP server is registered and trusted. Its dispatch is routed via description collision. The malicious tool, exercising the agent's legitimate credential, performs an action whose authority derives from the orchestrator's trust of the sub-agent. Signature verification, schema validation, and principal binding all passed. The chain escalated from a supply-chain entry to a privileged action.
The pattern across all three: each link individually passes its B9 control, and the chain is the finding. A row that PASSed B9 and FAILed the offensive expansion is not a contradiction — it is the definition of a residual the deterministic test cannot express.
[SLIDE 8 — MEASURED honesty vs PASS/FAIL illusion]
This slide resolves a misconception. B9 reports ASI zero-one and ASI zero-six as MEASURED, and the other eight rows as PASS or FAIL. The honesty is real. But the offensive expansion reveals that every row has a residual, and the eight PASS/FAIL rows are PASS/FAIL only because the deterministic test closed one vector, not the class.
ASI zero-two is PASS/FAIL on canary match, but paraphrased multi-turn disclosure is open. ASI zero-three is PASS/FAIL on enumeration, but the over-scoped credential is open. ASI zero-four is PASS/FAIL on managed writes, but taint-laundering through a trusted sink is open. ASI zero-five is PASS/FAIL on normalization, but selection-layer confusion is open. ASI zero-seven is PASS/FAIL on the sanitizer, but output-as-input to an agent is open. ASI zero-eight is PASS/FAIL on signatures, but signed-but-malicious is open. ASI zero-nine is PASS/FAIL on per-call breakers, but the under-threshold loop is open. ASI ten is PASS/FAIL on principal binding, but the inter-agent trust assumption is open.
This is not a criticism of B9. B9's Result-type column is honest about what the test can express. It is the offense team's opening: the eight PASS/FAIL rows are closed at the vector the test names, and the attacker arrives on the class beneath. The two MEASURED rows are where the standard admits the residual. The eight PASS/FAIL rows are where it does not — and that silence is the first thing an offense team exploits.
[SLIDE 9 — The B9 then SDD-B01 reading order]
Here is how the two artifacts compose in an engagement. Phase one is B9, read as a builder — per-row test, isolated execution, scored report. It proves the controls are present and passing. Phase two is this deep-dive, read as an attacker — per-row offensive procedure, chained execution, reproduced findings. It finds the residuals the deterministic tests cannot express.
The transition between them is load-bearing. A row that PASSed B9 and FAILed the offensive expansion is not a contradiction. It is the definition of a residual the deterministic test cannot express. That residual is what a B12 engagement must characterize. B12 packages both: the scored report from B9 and the chains from this deep-dive. Neither alone is sufficient. B9 alone misses every failure mode that lives between the rows. This deep-dive alone misses the missing taint gate, the absent canary, the unscoped credential that B9 catches with a single test. You need both, layered.
[SLIDE 10 — Anti-patterns]
Four anti-patterns.
First, "B9 passed all eight, so we are secure." The deterministic test closed the named vector, not the class. The over-scoped credential, the selection-layer ambiguity, the signed-but-malicious package, the inter-agent trust assumption — these are residuals the PASS/FAIL result cannot express. Cure: read every PASS/FAIL row as closed at the vector, open at the class, and run the offensive procedure.
Second, testing ASI rows in isolation. The offensive value is the chaining. A red team that reports ten separate row-results has missed the finding. Cure: design engagements as chains that cross rows. The ASI-zero-seven-to-zero-one-to-zero-five-to-zero-three chain is the finding, not four separate results.
Third, single-shot goal-hijack payloads. A deployed agent resists "ignore previous instructions." Testing single-shot payloads and reporting a low ASI-zero-one bypass rate is measuring the wrong thing. Cure: test multi-turn framing drift and score goal divergence against a baseline over five to ten turns.
Fourth, assuming the sanitizer covers the downstream agent. Output sanitization is tuned for a declared consumer — human, HTML, shell. When the consumer is a downstream agent, the natural-language field has no escape syntax for "data, not instruction." Cure: treat agent-to-agent outputs as untrusted at the receiving instruction boundary, regardless of sanitizer state.
[SLIDE 11 — What you can now do]
You can now state the full offensive procedure for each ASI row, zero-one through ten — the attack in depth, the scenario, the evasion that defeats the standard defense, and the chaining. You can explain why every defense has a known evasion and why the evasion is almost always the indirect channel the per-row test does not exercise. You can construct the three cross-row chains — exfiltration, persistence, escalation — and explain why the compound is the finding. You can distinguish the two MEASURED rows from the eight PASS/FAIL rows and explain why treating the eight as closed is the offense team's first opening. And you can articulate the gap between "the control passed its B9 test" and "the system holds under the offensive procedure."
The lab asks you to run the offensive expansion against a sample agent that passed its B9 checklist — one procedure per ASI row, confirming which rows produce findings despite the PASS, then the ASI-zero-seven-to-zero-one-to-zero-five-to-zero-three cross-row chain, confirming the compound is the finding.
Next, deep-dive SDD-B-zero-two: the Microsoft Failure Mode Taxonomy version two-point-zero. Where this deep-dive expanded the OWASP rows into offensive procedures, the next expands the Microsoft red-team framework's seven new agentic failure modes into full case studies — including the zero-click human-in-the-loop bypass chain that reframes how approvals work in deployed agents.
End of deep-dive SDD-B01. Duration: approximately thirty minutes at one-hundred-forty words per minute.
# Teaching Script — Deep-Dive SDD-B01: OWASP Agentic AI Top 10: Offensive Expansion **Course**: 2B — Securing & Attacking Harnesses and LLMs **Deep-Dive**: SDD-B01 — OWASP Agentic AI Top 10: Offensive Expansion **Duration**: ~30 minutes (spoken at ~140 wpm) **Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes. --- [SLIDE 1 — Title] Welcome to deep-dive SDD-B-zero-one, the OWASP Agentic AI Top 10 read as an attacker. Module B9 handed you the defense checklist — ten rows, ASI zero-one through ASI ten, each with a control and a test. This deep-dive is the red-team playbook for every one of those rows. Same numbering, verified against the same OWASP primary source. Different artifact. For each row, instead of "here is the control and the test," you get four things the red team runs: the attack in depth, the real-world exploitation scenario, the evasion technique that defeats the standard defense, and the chaining that turns the single-row finding into compound impact. This is the offensive companion to B9. Read both, in order, and the gap between "the control passed its test" and "the system holds under an adversary" becomes the entire engagement. [SLIDE 2 — The thesis: same numbering, different artifact] Here is the load-bearing distinction. B9 reads the Top 10 as a builder. One risk, one control, one test. Eight rows report PASS or FAIL, two report MEASURED. The scored report is honest — the deterministic rows are deterministic, the probabilistic rows are probabilistic. This deep-dive reads the same ten rows as an attacker. One risk, one attack procedure, the evasion that defeats the control, and the chain across rows. The reproduced finding. The gap between the two readings is the engagement. A control that PASSes its B9 test in isolation is not a control that survives an adversary who arrives on the indirect channel the test never exercised. The taint gate is tested against direct injection and bypassed by injection through a tool output the harness marked trusted. The capability enumeration proves minimality and misses the load-bearing capability a benign task required. The path normalization stops dot-dot-slash and misses the semantic-path confusion in the tool description. Every defense B2 through B8 builds has a gap between how it behaves on its per-row test and how it behaves under an adversary who chains. This deep-dive is that adversary's playbook. [SLIDE 3 — The evasion pattern: why PASS is not closed] This is the single most important pattern in the deep-dive, and it repeats for every row. Every OWASP defense has a known evasion, and the evasion is almost always the indirect channel the defense's per-row test does not exercise. The B9 test verifies the direct surface. The taint gate is tested against a direct injection payload. The capability enumeration is tested against the agent having too many tools. The path normalization is tested against dot-dot-slash. The test passes. The vector the test names is closed. The attacker arrives on the indirect surface. The injection comes inside a tool output the harness marked trusted, so the taint gate does not inspect it. The over-scope lives in the credential's scope, not the tool count, so the enumeration does not see it. The confusion lives in the tool-description selection layer, not the path, so normalization does not touch it. The test closed the vector. The attacker arrives on the class beneath. This is why the two MEASURED rows — ASI zero-one and ASI zero-six — are not the only probabilistic surfaces. They are the only rows where the standard admits the residual. The eight PASS/FAIL rows each have a residual too; the PASS/FAIL result just cannot express it. Treating those eight rows as fully closed is the offense team's first opening. [SLIDE 4 — The input and state surface: the semantic residuals] Now the offensive expansion, surface by surface. First, the input and state surface — ASI zero-one, zero-two, zero-four, zero-six. Four rows where the semantic boundary makes every defense probabilistic. ASI zero-one, Goal Hijacking. B9 builds a taint gate, an instruction hierarchy, and goal-reaffirmation checkpoints. The offensive expansion does not bother with direct injections — deployed agents resist "ignore previous instructions." The attack is drift. An indirect injection through a tool output or retrieved document shifts the agent's framing across turns, reinforced by a subsequent document, until the sub-goal has diverged with no single instruction having hijacked it. The evasion: the injection arrives in a tool output the harness marked trusted, so it bypasses the taint gate. Goal-reaffirmation fires every N turns, but N is longer than the drift's timescale. ASI zero-two, Prompt Leakage. B9 defends with system-prompt canaries and egress verification. The attacker does not ask the agent to repeat its prompt — that triggers the canary. The attack is multi-turn rapport-building. Over five to ten turns the attacker elicits capabilities, constraints, and configuration in small pieces that feel like helpfulness. Each piece is paraphrased, so it never contains the canary string and passes egress verification. Capability disclosure is reconnaissance, not impact — it is the first link in a longer chain. ASI zero-four, Memory Poisoning. B9 enforces harness-managed memory writes — the agent cannot write to durable memory directly. The attack is taint-laundering through a trusted sink. The agent is tricked into writing a poisoned entry through a legitimate, trusted memory tool — the save-preference function — and the entry inherits the trust of the tool rather than the taint of its origin. The write boundary tags provenance at the boundary; the origin of the write is upstream, so the write looks legitimately user-preference-shaped. ASI zero-six, Cascading Hallucination. B9 builds verification — the agent must cite a source. The attack is unverified-claim propagation. The agent makes a claim that requires no citation under the policy — an inference, a summary, an opinion — and that claim propagates as a fact into downstream reasoning. The verifier inspects the citation layer; the hallucination enters as reasoning and propagates as fact. This is why ASI zero-six is MEASURED, not PASS/FAIL — hallucination detection has a miss rate, and the miss rate is the residual. [SLIDE 5 — The permission and tool surface: the class beneath the vector] Second surface: the permission and tool surface — ASI zero-three, zero-five, zero-eight, zero-ten. Four rows where the structural boundary looks deterministic, but the attacker finds the class beneath the vector. ASI zero-three, Excessive Agency. B9 defends with capability enumeration — minimality is proven. The attack is the load-bearing capability that survived minimization because a benign task required it. A reporting agent needs billing-read to fetch usage data. The scoped credential granted for billing-read also grants billing-write against a different endpoint, because the cloud provider scopes credentials at the service level, not the method level. Minimality passed at the tool level; the over-privilege lives at the credential-scope level the enumeration treated as a property of the tool, not an inspectable surface. ASI zero-five, Tool and Skill Abuse. B9 builds tool contracts — descriptions are namespaced, arguments are schema-validated, paths are normalized. The attack is semantic-path confusion and argument injection through the tool description. The attacker registers a tool whose description overlaps a privileged tool's, causing the dispatch layer to route to the wrong tool. Path normalization, schema validation, and the legitimate tool's contract all pass their B9 tests. The abuse happened in the selection logic — a semantic surface with no deterministic test. ASI zero-eight, Supply Chain. B9 defends with signed tool manifests verified at registration. The attack is the typosquatted or evil-twin dependency that has a valid signature, because the signature verifies the publisher's identity, not the package's benignity. A malicious package signed by its malicious publisher passes signature verification. The signed-manifest test confirms the signature is valid and the publisher is known — validity and known-publisher are not the same as benign. ASI ten, Broken Access Control. B9 defends with principal binding and tenant isolation. The attack is inter-agent trust escalation. A low-privilege sub-agent, compromised via a poisoned document, forges a message to a higher-privilege orchestrator. The orchestrator executes the requested action because it treats sub-agent messages as role-scoped authority rather than untrusted input. Principal binding passed at both ends — the message came from the sub-agent's valid principal. The escalation happened because the orchestrator trusted that principal beyond the sub-agent's actual authority. [SLIDE 6 — The output and resource surface: the entry point and amplifier] Third surface: the output and resource surface — ASI zero-seven and zero-nine. The two rows that are most often the entry point or the amplifier. ASI zero-seven, Insecure Output Handling. B9 builds output sanitization. The attack is output-as-input to a downstream agent. The output is sanitized for a human reader — HTML-escaped, schema-valid — but consumed by a downstream agent that interprets a structurally-valid field as an instruction. Agent A emits JSON with a summary field reading "reply YES to confirm." The JSON is valid; the sanitizer passes it. Agent B, consuming the JSON, interprets the summary as an instruction and replies. The sanitizer escapes the output for HTML, shell, or SQL. The downstream agent's rendering context is natural language, which no sanitizer escapes — there is no escape syntax for "this string is data, not an instruction." ASI zero-seven is the entry point of the most common compound chain. ASI zero-nine, Resource Exhaustion. B9 builds circuit breakers — per-tool budgets, per-session caps, rate limits. The attack is cost amplification via a tool loop where each call is under-threshold. The agent is goal-hijacked into querying a search tool for ten thousand terms, one at a time. Each call is under the per-call cost cap and within the rate limit. The circuit breaker sees ten thousand individually-legitimate calls. The breaker was tuned for a per-call threat model; the loop is a session-level threat model. A session-level cap would catch it, but session-level caps are the layer most harnesses omit. [SLIDE 7 — The cross-row chains: the compound is the finding] Now the centerpiece of the deep-dive. The offensive value of the Top 10 is the chaining across rows, not the exploitation of any single row. B9 tests rows in isolation and reports eight PASS. The attacker reads the same eight PASS and chains across the boundaries the isolation created. Three chains recur. Chain one — the exfiltration chain. ASI zero-seven to zero-one to zero-five to zero-three. An unsanitized-as-instruction output drifts the receiving agent's goal, which invokes an attacker-targeted tool, which exercises an over-scoped capability to exfiltrate data or move laterally. Each row passed its B9 test; the chain crosses the input, goal, tool, and permission boundaries in sequence. Chain two — the persistence-and-propagation chain. ASI zero-two to zero-four to zero-six. Capability disclosure reveals the memory-write path and the verification exemptions. The attacker poisons durable memory via the legitimate write tool — taint-laundered — and the poisoned entry propagates as an unverified inference that becomes a durable behavioral change. A persistent backdoor that survives session restarts. Chain three — the supply-chain-to-escalation chain. ASI zero-eight to zero-five to zero-ten. A typosquatted, validly-signed MCP server is registered and trusted. Its dispatch is routed via description collision. The malicious tool, exercising the agent's legitimate credential, performs an action whose authority derives from the orchestrator's trust of the sub-agent. Signature verification, schema validation, and principal binding all passed. The chain escalated from a supply-chain entry to a privileged action. The pattern across all three: each link individually passes its B9 control, and the chain is the finding. A row that PASSed B9 and FAILed the offensive expansion is not a contradiction — it is the definition of a residual the deterministic test cannot express. [SLIDE 8 — MEASURED honesty vs PASS/FAIL illusion] This slide resolves a misconception. B9 reports ASI zero-one and ASI zero-six as MEASURED, and the other eight rows as PASS or FAIL. The honesty is real. But the offensive expansion reveals that every row has a residual, and the eight PASS/FAIL rows are PASS/FAIL only because the deterministic test closed one vector, not the class. ASI zero-two is PASS/FAIL on canary match, but paraphrased multi-turn disclosure is open. ASI zero-three is PASS/FAIL on enumeration, but the over-scoped credential is open. ASI zero-four is PASS/FAIL on managed writes, but taint-laundering through a trusted sink is open. ASI zero-five is PASS/FAIL on normalization, but selection-layer confusion is open. ASI zero-seven is PASS/FAIL on the sanitizer, but output-as-input to an agent is open. ASI zero-eight is PASS/FAIL on signatures, but signed-but-malicious is open. ASI zero-nine is PASS/FAIL on per-call breakers, but the under-threshold loop is open. ASI ten is PASS/FAIL on principal binding, but the inter-agent trust assumption is open. This is not a criticism of B9. B9's Result-type column is honest about what the test can express. It is the offense team's opening: the eight PASS/FAIL rows are closed at the vector the test names, and the attacker arrives on the class beneath. The two MEASURED rows are where the standard admits the residual. The eight PASS/FAIL rows are where it does not — and that silence is the first thing an offense team exploits. [SLIDE 9 — The B9 then SDD-B01 reading order] Here is how the two artifacts compose in an engagement. Phase one is B9, read as a builder — per-row test, isolated execution, scored report. It proves the controls are present and passing. Phase two is this deep-dive, read as an attacker — per-row offensive procedure, chained execution, reproduced findings. It finds the residuals the deterministic tests cannot express. The transition between them is load-bearing. A row that PASSed B9 and FAILed the offensive expansion is not a contradiction. It is the definition of a residual the deterministic test cannot express. That residual is what a B12 engagement must characterize. B12 packages both: the scored report from B9 and the chains from this deep-dive. Neither alone is sufficient. B9 alone misses every failure mode that lives between the rows. This deep-dive alone misses the missing taint gate, the absent canary, the unscoped credential that B9 catches with a single test. You need both, layered. [SLIDE 10 — Anti-patterns] Four anti-patterns. First, "B9 passed all eight, so we are secure." The deterministic test closed the named vector, not the class. The over-scoped credential, the selection-layer ambiguity, the signed-but-malicious package, the inter-agent trust assumption — these are residuals the PASS/FAIL result cannot express. Cure: read every PASS/FAIL row as closed at the vector, open at the class, and run the offensive procedure. Second, testing ASI rows in isolation. The offensive value is the chaining. A red team that reports ten separate row-results has missed the finding. Cure: design engagements as chains that cross rows. The ASI-zero-seven-to-zero-one-to-zero-five-to-zero-three chain is the finding, not four separate results. Third, single-shot goal-hijack payloads. A deployed agent resists "ignore previous instructions." Testing single-shot payloads and reporting a low ASI-zero-one bypass rate is measuring the wrong thing. Cure: test multi-turn framing drift and score goal divergence against a baseline over five to ten turns. Fourth, assuming the sanitizer covers the downstream agent. Output sanitization is tuned for a declared consumer — human, HTML, shell. When the consumer is a downstream agent, the natural-language field has no escape syntax for "data, not instruction." Cure: treat agent-to-agent outputs as untrusted at the receiving instruction boundary, regardless of sanitizer state. [SLIDE 11 — What you can now do] You can now state the full offensive procedure for each ASI row, zero-one through ten — the attack in depth, the scenario, the evasion that defeats the standard defense, and the chaining. You can explain why every defense has a known evasion and why the evasion is almost always the indirect channel the per-row test does not exercise. You can construct the three cross-row chains — exfiltration, persistence, escalation — and explain why the compound is the finding. You can distinguish the two MEASURED rows from the eight PASS/FAIL rows and explain why treating the eight as closed is the offense team's first opening. And you can articulate the gap between "the control passed its B9 test" and "the system holds under the offensive procedure." The lab asks you to run the offensive expansion against a sample agent that passed its B9 checklist — one procedure per ASI row, confirming which rows produce findings despite the PASS, then the ASI-zero-seven-to-zero-one-to-zero-five-to-zero-three cross-row chain, confirming the compound is the finding. Next, deep-dive SDD-B-zero-two: the Microsoft Failure Mode Taxonomy version two-point-zero. Where this deep-dive expanded the OWASP rows into offensive procedures, the next expands the Microsoft red-team framework's seven new agentic failure modes into full case studies — including the zero-click human-in-the-loop bypass chain that reframes how approvals work in deployed agents. --- *End of deep-dive SDD-B01. Duration: approximately thirty minutes at one-hundred-forty words per minute.*