Diagrams — SDD-01: CAI (Cybersecurity AI)


Diagram 1 — CAI's Layered Architecture (CSI Meta-Harness + Domain Specialists)

flowchart TB
    subgraph INPUT["Input"]
        T[target + scope + autonomy level]
    end
    subgraph CSI["CSI Meta-Harness (orchestrator)"]
        CLASSIFY[Classify Domain]
        ROUTE[Route to Specialist]
    end
    subgraph AGENTS["Domain Specialists"]
        WEB[Web Agent<br/>httpx · nuclei · ffuf · sqlmap]
        PWN[Pwn Agent<br/>gdb · radare2 · pwntools]
        CRYPTO[Crypto Agent<br/>sage · sympy · z3]
        FORENSICS[Forensics Agent<br/>binwalk · volatility]
        REVERSING[Reversing Agent<br/>ghidra · r2]
        MISC[Misc Agent<br/>general tools]
        TRIAGE[TriageAgent<br/>fallback]
    end
    subgraph EVIDENCE["Evidence Subsystem"]
        BUFFER[Evidence Buffer<br/>timestamped · tagged · scope-checked]
        SCOPE[Scope Validator<br/>hard-wired, not prompt-level]
        REPORT[Report Generator<br/>submission-ready]
    end

    T --> CSI
    CLASSIFY --> ROUTE
    ROUTE --> WEB
    ROUTE --> PWN
    ROUTE --> CRYPTO
    ROUTE --> FORENSICS
    ROUTE --> REVERSING
    ROUTE --> MISC
    ROUTE -.fallback.-> TRIAGE
    WEB --> SCOPE
    PWN --> SCOPE
    CRYPTO --> SCOPE
    SCOPE --> BUFFER
    BUFFER --> REPORT

    style CSI fill:#0d1b2a,stroke:#5eead4,color:#e4e4e8
    style EVIDENCE fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style SCOPE fill:#2a0d0d,stroke:#5eead4,color:#f08080

Reading: CAI is a three-layer system. The CSI meta-harness classifies and routes. The domain specialists execute with narrow per-domain tool manifests. The evidence subsystem — scope validator, evidence buffer, report generator — is what makes this a security harness rather than a general agent. The scope validator (red) is the highest-stakes code in the harness: a bug here is a legal exposure (Course 2A S00).


Diagram 2 — CAI's Autonomy Levels (the Permission Spectrum)

flowchart LR
    L1[Level 1: Advisory<br/>model suggests; human executes every action<br/>HITL on every tool call] --> L2[Level 2: Supervised<br/>model executes benign recon; human approves exploitation<br/>HITL on exploit-class actions]
    L2 --> L3[Level 3: Semi-Autonomous<br/>model executes within scope; human reviews findings<br/>HITL on scope-boundary actions]
    L3 --> L4[Level 4: Autonomous<br/>model runs full engagement; human reviews report<br/>HITL removed EXCEPT credential-reuse gate]

    style L1 fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style L4 fill:#2a0d0d,stroke:#5eead4,color:#f08080

Reading: CAI's autonomy levels are a graduated permission model, not a binary HITL flag. The credential-reuse gate (red, Level 4) never comes off: even at full autonomy, reusing stolen credentials outside engagement scope is unbounded-risk (Course 2A S04 finding). The engineering discipline is knowing which inversions are safe (Level 3 → 4 on in-scope recon) and which are catastrophic (removing the credential-reuse gate).


Diagram 3 — The Offensive Loop (Evidence-Threshold Stop)

flowchart TB
    START([engagement start]) --> CSI[CSI classifies domain]
    CSI --> ROUTE[route to specialist]
    ROUTE --> CALL[model.complete<br/>+ domain tools]
    CALL --> DECIDE{tool_use?}
    DECIDE -->|end_turn| RETURN([return])
    DECIDE -->|tool_use| VALIDATE[scope validator<br/>target in scope?]
    VALIDATE -->|no| REJECT[reject + log<br/>legal-exposure prevention]
    REJECT --> CALL
    VALIDATE -->|yes| EXEC[execute tool]
    EXEC --> FLAG{flag detected?<br/>CTF middleware}
    FLAG -->|yes| FLAGSTOP([flag submission stop])
    EXEC --> APPEND[append to evidence buffer<br/>timestamp + scope tag]
    APPEND --> THRESHOLD{evidence threshold met?<br/>submittable finding?}
    THRESHOLD -->|no| CALL
    THRESHOLD -->|yes| REPORTGEN[report generator<br/>submission-ready output]
    REPORTGEN --> DONE([engagement complete])

    style VALIDATE fill:#2a0d0d,stroke:#5eead4,color:#f08080
    style THRESHOLD fill:#0d1b2a,stroke:#5eead4,color:#5eead4

Reading: The offensive loop differs from Course 1's general loop in two ways. The scope validator (red) gates every target-touching tool call — this is the legal control. The evidence threshold stop (teal) is the primary halt condition — the loop stops when the evidence buffer supports a submittable finding, not when the model runs out of ideas. The flag-detection middleware (CTF-specific) is the S04 pattern: flag extraction as middleware on every tool output, not a step the agent remembers to call.


Diagram 4 — CAI vs Pi vs RedTeamLLM (the Offensive Spectrum)

flowchart LR
    PI[Pi<br/>4 tools · general · trust-the-model<br/>no scope · no evidence] --> RT[RedTeamLLM<br/>summarize-reason-act · pentest focus<br/>plan correction · no meta-routing]
    RT --> CAI[CAI<br/>CSI meta-harness · 6 domains<br/>scope enforcement · evidence buffer<br/>autonomy levels · bug bounty-ready]

    style PI fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
    style CAI fill:#0d1b2a,stroke:#5eead4,color:#5eead4

Reading: Pi (Course 1) is the general thin baseline — no security primitives. RedTeamLLM (SDD-02) is the first specialization: the summarize-reason-act loop optimized for pentest coherence, but single-domain. CAI (SDD-01) is the full offensive harness: meta-harness routing, scope enforcement, evidence quality, autonomy levels. Each step right adds security-specific thickness. CAI is the rightmost because it is the broadest; RedTeamLLM is the deeper study of a narrower problem (plan correction). They are complementary, not competitive.

# Diagrams — SDD-01: CAI (Cybersecurity AI)

---

## Diagram 1 — CAI's Layered Architecture (CSI Meta-Harness + Domain Specialists)

```mermaid
flowchart TB
    subgraph INPUT["Input"]
        T[target + scope + autonomy level]
    end
    subgraph CSI["CSI Meta-Harness (orchestrator)"]
        CLASSIFY[Classify Domain]
        ROUTE[Route to Specialist]
    end
    subgraph AGENTS["Domain Specialists"]
        WEB[Web Agent<br/>httpx · nuclei · ffuf · sqlmap]
        PWN[Pwn Agent<br/>gdb · radare2 · pwntools]
        CRYPTO[Crypto Agent<br/>sage · sympy · z3]
        FORENSICS[Forensics Agent<br/>binwalk · volatility]
        REVERSING[Reversing Agent<br/>ghidra · r2]
        MISC[Misc Agent<br/>general tools]
        TRIAGE[TriageAgent<br/>fallback]
    end
    subgraph EVIDENCE["Evidence Subsystem"]
        BUFFER[Evidence Buffer<br/>timestamped · tagged · scope-checked]
        SCOPE[Scope Validator<br/>hard-wired, not prompt-level]
        REPORT[Report Generator<br/>submission-ready]
    end

    T --> CSI
    CLASSIFY --> ROUTE
    ROUTE --> WEB
    ROUTE --> PWN
    ROUTE --> CRYPTO
    ROUTE --> FORENSICS
    ROUTE --> REVERSING
    ROUTE --> MISC
    ROUTE -.fallback.-> TRIAGE
    WEB --> SCOPE
    PWN --> SCOPE
    CRYPTO --> SCOPE
    SCOPE --> BUFFER
    BUFFER --> REPORT

    style CSI fill:#0d1b2a,stroke:#5eead4,color:#e4e4e8
    style EVIDENCE fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style SCOPE fill:#2a0d0d,stroke:#5eead4,color:#f08080
```

**Reading**: CAI is a three-layer system. The CSI meta-harness classifies and routes. The domain specialists execute with narrow per-domain tool manifests. The evidence subsystem — scope validator, evidence buffer, report generator — is what makes this a security harness rather than a general agent. The scope validator (red) is the highest-stakes code in the harness: a bug here is a legal exposure (Course 2A S00).

---

## Diagram 2 — CAI's Autonomy Levels (the Permission Spectrum)

```mermaid
flowchart LR
    L1[Level 1: Advisory<br/>model suggests; human executes every action<br/>HITL on every tool call] --> L2[Level 2: Supervised<br/>model executes benign recon; human approves exploitation<br/>HITL on exploit-class actions]
    L2 --> L3[Level 3: Semi-Autonomous<br/>model executes within scope; human reviews findings<br/>HITL on scope-boundary actions]
    L3 --> L4[Level 4: Autonomous<br/>model runs full engagement; human reviews report<br/>HITL removed EXCEPT credential-reuse gate]

    style L1 fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style L4 fill:#2a0d0d,stroke:#5eead4,color:#f08080
```

**Reading**: CAI's autonomy levels are a graduated permission model, not a binary HITL flag. The credential-reuse gate (red, Level 4) never comes off: even at full autonomy, reusing stolen credentials outside engagement scope is unbounded-risk (Course 2A S04 finding). The engineering discipline is knowing which inversions are safe (Level 3 → 4 on in-scope recon) and which are catastrophic (removing the credential-reuse gate).

---

## Diagram 3 — The Offensive Loop (Evidence-Threshold Stop)

```mermaid
flowchart TB
    START([engagement start]) --> CSI[CSI classifies domain]
    CSI --> ROUTE[route to specialist]
    ROUTE --> CALL[model.complete<br/>+ domain tools]
    CALL --> DECIDE{tool_use?}
    DECIDE -->|end_turn| RETURN([return])
    DECIDE -->|tool_use| VALIDATE[scope validator<br/>target in scope?]
    VALIDATE -->|no| REJECT[reject + log<br/>legal-exposure prevention]
    REJECT --> CALL
    VALIDATE -->|yes| EXEC[execute tool]
    EXEC --> FLAG{flag detected?<br/>CTF middleware}
    FLAG -->|yes| FLAGSTOP([flag submission stop])
    EXEC --> APPEND[append to evidence buffer<br/>timestamp + scope tag]
    APPEND --> THRESHOLD{evidence threshold met?<br/>submittable finding?}
    THRESHOLD -->|no| CALL
    THRESHOLD -->|yes| REPORTGEN[report generator<br/>submission-ready output]
    REPORTGEN --> DONE([engagement complete])

    style VALIDATE fill:#2a0d0d,stroke:#5eead4,color:#f08080
    style THRESHOLD fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: The offensive loop differs from Course 1's general loop in two ways. The scope validator (red) gates every target-touching tool call — this is the legal control. The evidence threshold stop (teal) is the primary halt condition — the loop stops when the evidence buffer supports a submittable finding, not when the model runs out of ideas. The flag-detection middleware (CTF-specific) is the S04 pattern: flag extraction as middleware on every tool output, not a step the agent remembers to call.

---

## Diagram 4 — CAI vs Pi vs RedTeamLLM (the Offensive Spectrum)

```mermaid
flowchart LR
    PI[Pi<br/>4 tools · general · trust-the-model<br/>no scope · no evidence] --> RT[RedTeamLLM<br/>summarize-reason-act · pentest focus<br/>plan correction · no meta-routing]
    RT --> CAI[CAI<br/>CSI meta-harness · 6 domains<br/>scope enforcement · evidence buffer<br/>autonomy levels · bug bounty-ready]

    style PI fill:#0d1b2a,stroke:#1b4f72,color:#85c1e9
    style CAI fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: Pi (Course 1) is the general thin baseline — no security primitives. RedTeamLLM (SDD-02) is the first specialization: the summarize-reason-act loop optimized for pentest coherence, but single-domain. CAI (SDD-01) is the full offensive harness: meta-harness routing, scope enforcement, evidence quality, autonomy levels. Each step right adds security-specific thickness. CAI is the rightmost because it is the broadest; RedTeamLLM is the deeper study of a narrower problem (plan correction). They are complementary, not competitive.