InjecAgent: The Bridge Benchmark

SDD-B03 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · The same benchmark, read from the offensive side

In 2A it was the quality gate that told you whether your harness was injectable. In 2B it becomes the measurement instrument for every defense in the rest of the course. The ~50% baseline is where un-defended agents start. The defended delta is what every module from here on produces.

Deep-Dives · SDD-B03

What changes across the bridge

The benchmark code does not change. What changes is the question you ask of it, the lens you read it through, and the authorization under which you run it.

Course 2A — SDD-12 (builder)

Run InjecAgent against your own harness. Question: is my harness injectable? Unit: per-tool score. The number is the deliverable.

Course 2B — SDD-B03 (red-team)

Run it against a hardened target. Question: did this defense hold, and by how much? Unit: before/after delta. The triple is the finding.

B03.1 — The methodology, read from the offensive side

What the ~50% is — and is not

What the ~50% actually measures

Read it asCorrect?
A population baseline for un-defended harnesses with no injection defensesYES
A constant of nature that applies to every agentNO
Your defended harness's expected rateNO
A target to "get under"NO — the target is the delta
The honest reading: an out-of-the-box harness, no defenses, fails roughly half its tasks when a tool output is adversarial. That is the starting line. Everything from B2 onward drives it down — and InjecAgent is how you know whether you moved it.

Four roles of one benchmark

RoleCourseQuestionUnit
Quality gate2AIs my harness injectable?Per-tool score
Measurement instrument2BDid this defense hold, and by how much?Before/after delta
Regression gateBothDid this change open a surface?Pass/fail at merge
Engagement scoperB12Which chains do I run?Transcript → chain
A 2A graduate who only knows the first role will under-use the benchmark in 2B. This deep-dive upgrades the role.

B03.2 — Measuring defense effectiveness

The defended delta is the only honest metric

The delta: before / after / configuration

BASELINE (defenses OFF)
48% injection success
Same task set · pinned model · temp 0.0
DEFENDED (defenses ON)
9% injection success
Same task set · SAME model · SAME sampling
The delta (48% → 9%) is the effectiveness claim. "We added an egress gate" is not a claim. "We added an egress gate and the rate dropped from 48% to 9% under a pinned config" is. No triple, no claim.

The anti-pattern: report 9% without the 48% baseline. If the baseline was 14%, the gate did nothing. You cannot tell from the 9% alone.

Attack-type taxonomy: score → prescription

Attack typeWhat it attemptsDefense that closes it
Credential exfilEmit a secret in output/egressDeterministic egress + credential quarantine
Disallowed-tool callInvoke a tool outside task scopeTool-call policy + dispatch resolution
Scope escapePast the scope file boundaryScope gate per action + valid_until
Policy overrideTreat injection as new policyInstruction hierarchy + goal checkpoints
Action redirectionDifferent benign-looking actionSession-level intent detection
A tool failing 60% on credential-exfil needs a different defense than one failing 60% on action-redirect. The taxonomy is the prescription.

B03.3 — The gate, the transcript, the engagement

From measurement to control to finding

The transcript is a chain finding

Every InjecAgent failure transcript is a partial attack chain. Read it through the SDD-B01 / SDD-B02 lenses and it becomes a cross-row finding.
injected tool output arrived   →  ASI07 insecure output handling
agent followed it              →  ASI01 goal hijacking
off-task action executed       →  ASI05 tool abuse / ASI03 excessive agency
if compound passes per-step    →  ZERO-CLICK HITL BYPASS (SDD-B02)
The benchmark produces the raw chain material. The taxonomy produces the finding. B12 routes: credential-exfil → CrabTrap/IronCurtain attacks; action-redirect → Microsoft chain recon; scope-escape → OWASP ASI03/05.

The regression gate

Three routine changes open injection surfaces. The gate catches all three.

New tool — new injection point; did they wrap the output?
Prompt edit — wording weakened resistance; author won't notice
Model swap — new model parses outputs more naively; silent provider updates are the worst case
Threshold = policy (5%? 10%?). Enforcement = mechanical. A measured-but-not-gated threshold is a documented vulnerability. The gate turns a measurement into a control.

The load-bearing discipline

Three rules, carried forward from B0:
1. Every defense claim is a (before, after, configuration) triple.
2. Every transcript is a sensitive artifact — classify at capture time.
3. Every threshold is a policy, enforced by the gate.

InjecAgent is the measurement layer for B2's injection defenses. SDD-B04 breaks CrabTrap's judge; SDD-B05 breaks IronCurtain's compilation; this benchmark is what says "the judge held at 41% before the attack and 11% after." Without that pair, "I broke the defense" is an opinion.

Lab & what's next

Lab (07): run InjecAgent against a hardened harness, measure baseline vs defended, compute the per-tool per-attack-type delta, read two transcripts as chain findings, wire the gate. No GPU; simulated harness and injections run offline.

Next — SDD-B04: CrabTrap Offensive Analysis. The primary attack target. CrabTrap's LLM-as-judge is a model reading text — and a model reading text is injectable. We break the judge, expose the response-side gap, and show what IronCurtain's deterministic enforcement fixes. InjecAgent measures whether it held.