flowchart TB
subgraph INPUT["Input"]
T[target + scope + autonomy level]
end
subgraph CSI["CSI Meta-Harness (orchestrator)"]
CLASSIFY[Classify Domain]
ROUTE[Route to Specialist]
end
subgraph AGENTS["Domain Specialists"]
WEB[Web Agent<br/>httpx · nuclei · ffuf · sqlmap]
PWN[Pwn Agent<br/>gdb · radare2 · pwntools]
CRYPTO[Crypto Agent<br/>sage · sympy · z3]
FORENSICS[Forensics Agent<br/>binwalk · volatility]
REVERSING[Reversing Agent<br/>ghidra · r2]
MISC[Misc Agent<br/>general tools]
TRIAGE[TriageAgent<br/>fallback]
end
subgraph EVIDENCE["Evidence Subsystem"]
BUFFER[Evidence Buffer<br/>timestamped · tagged · scope-checked]
SCOPE[Scope Validator<br/>hard-wired, not prompt-level]
REPORT[Report Generator<br/>submission-ready]
end
T --> CSI
CLASSIFY --> ROUTE
ROUTE --> WEB
ROUTE --> PWN
ROUTE --> CRYPTO
ROUTE --> FORENSICS
ROUTE --> REVERSING
ROUTE --> MISC
ROUTE -.fallback.-> TRIAGE
WEB --> SCOPE
PWN --> SCOPE
CRYPTO --> SCOPE
SCOPE --> BUFFER
BUFFER --> REPORT
style CSI fill:#0d1b2a,stroke:#5eead4,color:#e4e4e8
style EVIDENCE fill:#1a1015,stroke:#5eead4,color:#e4e4e8
style SCOPE fill:#2a0d0d,stroke:#5eead4,color:#f08080
Reading: CAI is a three-layer system. The CSI meta-harness classifies and routes. The domain specialists execute with narrow per-domain tool manifests. The evidence subsystem — scope validator, evidence buffer, report generator — is what makes this a security harness rather than a general agent. The scope validator (red) is the highest-stakes code in the harness: a bug here is a legal exposure (Course 2A S00).
flowchart LR
L1[Level 1: Advisory<br/>model suggests; human executes every action<br/>HITL on every tool call] --> L2[Level 2: Supervised<br/>model executes benign recon; human approves exploitation<br/>HITL on exploit-class actions]
L2 --> L3[Level 3: Semi-Autonomous<br/>model executes within scope; human reviews findings<br/>HITL on scope-boundary actions]
L3 --> L4[Level 4: Autonomous<br/>model runs full engagement; human reviews report<br/>HITL removed EXCEPT credential-reuse gate]
style L1 fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style L4 fill:#2a0d0d,stroke:#5eead4,color:#f08080
Reading: CAI's autonomy levels are a graduated permission model, not a binary HITL flag. The credential-reuse gate (red, Level 4) never comes off: even at full autonomy, reusing stolen credentials outside engagement scope is unbounded-risk (Course 2A S04 finding). The engineering discipline is knowing which inversions are safe (Level 3 → 4 on in-scope recon) and which are catastrophic (removing the credential-reuse gate).
flowchart TB
START([engagement start]) --> CSI[CSI classifies domain]
CSI --> ROUTE[route to specialist]
ROUTE --> CALL[model.complete<br/>+ domain tools]
CALL --> DECIDE{tool_use?}
DECIDE -->|end_turn| RETURN([return])
DECIDE -->|tool_use| VALIDATE[scope validator<br/>target in scope?]
VALIDATE -->|no| REJECT[reject + log<br/>legal-exposure prevention]
REJECT --> CALL
VALIDATE -->|yes| EXEC[execute tool]
EXEC --> FLAG{flag detected?<br/>CTF middleware}
FLAG -->|yes| FLAGSTOP([flag submission stop])
EXEC --> APPEND[append to evidence buffer<br/>timestamp + scope tag]
APPEND --> THRESHOLD{evidence threshold met?<br/>submittable finding?}
THRESHOLD -->|no| CALL
THRESHOLD -->|yes| REPORTGEN[report generator<br/>submission-ready output]
REPORTGEN --> DONE([engagement complete])
style VALIDATE fill:#2a0d0d,stroke:#5eead4,color:#f08080
style THRESHOLD fill:#0d1b2a,stroke:#5eead4,color:#5eead4
Reading: The offensive loop differs from Course 1's general loop in two ways. The scope validator (red) gates every target-touching tool call — this is the legal control. The evidence threshold stop (teal) is the primary halt condition — the loop stops when the evidence buffer supports a submittable finding, not when the model runs out of ideas. The flag-detection middleware (CTF-specific) is the S04 pattern: flag extraction as middleware on every tool output, not a step the agent remembers to call.
flowchart LR
PI[Pi<br/>4 tools · general · trust-the-model<br/>no scope · no evidence] --> RT[RedTeamLLM<br/>summarize-reason-act · pentest focus<br/>plan correction · no meta-routing]
RT --> CAI[CAI<br/>CSI meta-harness · 6 domains<br/>scope enforcement · evidence buffer<br/>autonomy levels · bug bounty-ready]
style PI fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
style CAI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
Reading: Pi (Course 1) is the general thin baseline — no security primitives. RedTeamLLM (SDD-02) is the first specialization: the summarize-reason-act loop optimized for pentest coherence, but single-domain. CAI (SDD-01) is the full offensive harness: meta-harness routing, scope enforcement, evidence quality, autonomy levels. Each step right adds security-specific thickness. CAI is the rightmost because it is the broadest; RedTeamLLM is the deeper study of a narrower problem (plan correction). They are complementary, not competitive.
# Diagrams — SDD-01: CAI (Cybersecurity AI)
---
## Diagram 1 — CAI's Layered Architecture (CSI Meta-Harness + Domain Specialists)
```mermaid
flowchart TB
subgraph INPUT["Input"]
T[target + scope + autonomy level]
end
subgraph CSI["CSI Meta-Harness (orchestrator)"]
CLASSIFY[Classify Domain]
ROUTE[Route to Specialist]
end
subgraph AGENTS["Domain Specialists"]
WEB[Web Agent<br/>httpx · nuclei · ffuf · sqlmap]
PWN[Pwn Agent<br/>gdb · radare2 · pwntools]
CRYPTO[Crypto Agent<br/>sage · sympy · z3]
FORENSICS[Forensics Agent<br/>binwalk · volatility]
REVERSING[Reversing Agent<br/>ghidra · r2]
MISC[Misc Agent<br/>general tools]
TRIAGE[TriageAgent<br/>fallback]
end
subgraph EVIDENCE["Evidence Subsystem"]
BUFFER[Evidence Buffer<br/>timestamped · tagged · scope-checked]
SCOPE[Scope Validator<br/>hard-wired, not prompt-level]
REPORT[Report Generator<br/>submission-ready]
end
T --> CSI
CLASSIFY --> ROUTE
ROUTE --> WEB
ROUTE --> PWN
ROUTE --> CRYPTO
ROUTE --> FORENSICS
ROUTE --> REVERSING
ROUTE --> MISC
ROUTE -.fallback.-> TRIAGE
WEB --> SCOPE
PWN --> SCOPE
CRYPTO --> SCOPE
SCOPE --> BUFFER
BUFFER --> REPORT
style CSI fill:#0d1b2a,stroke:#5eead4,color:#e4e4e8
style EVIDENCE fill:#1a1015,stroke:#5eead4,color:#e4e4e8
style SCOPE fill:#2a0d0d,stroke:#5eead4,color:#f08080
```
**Reading**: CAI is a three-layer system. The CSI meta-harness classifies and routes. The domain specialists execute with narrow per-domain tool manifests. The evidence subsystem — scope validator, evidence buffer, report generator — is what makes this a security harness rather than a general agent. The scope validator (red) is the highest-stakes code in the harness: a bug here is a legal exposure (Course 2A S00).
---
## Diagram 2 — CAI's Autonomy Levels (the Permission Spectrum)
```mermaid
flowchart LR
L1[Level 1: Advisory<br/>model suggests; human executes every action<br/>HITL on every tool call] --> L2[Level 2: Supervised<br/>model executes benign recon; human approves exploitation<br/>HITL on exploit-class actions]
L2 --> L3[Level 3: Semi-Autonomous<br/>model executes within scope; human reviews findings<br/>HITL on scope-boundary actions]
L3 --> L4[Level 4: Autonomous<br/>model runs full engagement; human reviews report<br/>HITL removed EXCEPT credential-reuse gate]
style L1 fill:#0d1b2a,stroke:#5eead4,color:#5eead4
style L4 fill:#2a0d0d,stroke:#5eead4,color:#f08080
```
**Reading**: CAI's autonomy levels are a graduated permission model, not a binary HITL flag. The credential-reuse gate (red, Level 4) never comes off: even at full autonomy, reusing stolen credentials outside engagement scope is unbounded-risk (Course 2A S04 finding). The engineering discipline is knowing which inversions are safe (Level 3 → 4 on in-scope recon) and which are catastrophic (removing the credential-reuse gate).
---
## Diagram 3 — The Offensive Loop (Evidence-Threshold Stop)
```mermaid
flowchart TB
START([engagement start]) --> CSI[CSI classifies domain]
CSI --> ROUTE[route to specialist]
ROUTE --> CALL[model.complete<br/>+ domain tools]
CALL --> DECIDE{tool_use?}
DECIDE -->|end_turn| RETURN([return])
DECIDE -->|tool_use| VALIDATE[scope validator<br/>target in scope?]
VALIDATE -->|no| REJECT[reject + log<br/>legal-exposure prevention]
REJECT --> CALL
VALIDATE -->|yes| EXEC[execute tool]
EXEC --> FLAG{flag detected?<br/>CTF middleware}
FLAG -->|yes| FLAGSTOP([flag submission stop])
EXEC --> APPEND[append to evidence buffer<br/>timestamp + scope tag]
APPEND --> THRESHOLD{evidence threshold met?<br/>submittable finding?}
THRESHOLD -->|no| CALL
THRESHOLD -->|yes| REPORTGEN[report generator<br/>submission-ready output]
REPORTGEN --> DONE([engagement complete])
style VALIDATE fill:#2a0d0d,stroke:#5eead4,color:#f08080
style THRESHOLD fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```
**Reading**: The offensive loop differs from Course 1's general loop in two ways. The scope validator (red) gates every target-touching tool call — this is the legal control. The evidence threshold stop (teal) is the primary halt condition — the loop stops when the evidence buffer supports a submittable finding, not when the model runs out of ideas. The flag-detection middleware (CTF-specific) is the S04 pattern: flag extraction as middleware on every tool output, not a step the agent remembers to call.
---
## Diagram 4 — CAI vs Pi vs RedTeamLLM (the Offensive Spectrum)
```mermaid
flowchart LR
PI[Pi<br/>4 tools · general · trust-the-model<br/>no scope · no evidence] --> RT[RedTeamLLM<br/>summarize-reason-act · pentest focus<br/>plan correction · no meta-routing]
RT --> CAI[CAI<br/>CSI meta-harness · 6 domains<br/>scope enforcement · evidence buffer<br/>autonomy levels · bug bounty-ready]
style PI fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
style CAI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```
**Reading**: Pi (Course 1) is the general thin baseline — no security primitives. RedTeamLLM (SDD-02) is the first specialization: the summarize-reason-act loop optimized for pentest coherence, but single-domain. CAI (SDD-01) is the full offensive harness: meta-harness routing, scope enforcement, evidence quality, autonomy levels. Each step right adds security-specific thickness. CAI is the rightmost because it is the broadest; RedTeamLLM is the deeper study of a narrower problem (plan correction). They are complementary, not competitive.