"What is CAI, and why does it matter as the primary offensive case study?" CAI (Cybersecurity AI) by Alias Robotics, MIT-licensed. The most complete open-source offensive harness: CSI meta-harness, 6 CTF domains, bug bounty subsystem, autonomy levels. Matters because it is the reference for how a general agent loop is adapted for adversarial targets. course2a::sdd01::analysis "What is the CSI meta-harness, and what pattern from Course 2A does it implement?" CSI (Common Security Index) is CAI's orchestration layer: classifies the task domain and routes to the appropriate specialist agent. It is the S05 meta-harness pattern (meta-agent + domain specialists) implemented at production scale. course2a::sdd01::recall "Name CAI's 6 CTF domains." Web, Pwn, Crypto, Forensics, Reversing, Misc. Each has its own reactive agent with a narrow, domain-specific tool manifest. A TriageAgent handles cases that do not cleanly route. course2a::sdd01::recall "CAI's 5 offensive stop conditions." (1) evidence_threshold_met (primary: submittable finding), (2) scope_exhausted, (3) max_iterations, (4) human_interrupt (level-dependent), (5) flag_detected (CTF middleware). The evidence threshold stop is what makes this a security loop, not a general loop. course2a::sdd01::analysis "State CAI's score on the 12-module rubric and the weakest modules." 46/60. Weakest: Context Mgmt (3), Memory (3), Error Handling (3), State (3), Observability (3). Strongest: Permission (5), Subagents (5), Tool Design (5). The weak trio (context, memory, observability) is the same across the whole roster. course2a::sdd01::analysis "What is CAI's permission model, and which gate NEVER comes off?" Autonomy levels — a graduated spectrum (Advisory → Supervised → Semi-Autonomous → Autonomous) that gates which actions require HITL. The credential-reuse gate NEVER comes off: reusing stolen credentials outside engagement scope is unbounded-risk. course2a::sdd01::analysis "Why is scope enforcement hard-wired (not prompt-level) in CAI?" A prompt-level scope is a liability: a prompt injection or context drift can cause the agent to scan an out-of-scope host. Hard-wired scope validation in code (every target-touching tool call is checked against an in-scope list) is the legal control that prevents CFAA/Computer Misuse Act exposure. course2a::sdd01::analysis "What is the 'sandbox inversion problem' and how does CAI handle it?" The agent must reach OUT through the sandbox to attack a target (Course 2A S01), unlike a coding agent contained BY the sandbox. CAI handles it via scope enforcement (prevent out-of-scope targeting) and the credential-reuse gate (prevent lateral movement). The secondary control (lateral movement) is underspecified. course2a::sdd01::analysis "Name CAI's key security gap related to InjecAgent." CAI does not tag untrusted tool output (Course 1 Module 2.4). Targets serve adversarial content (web pages with hidden instructions, binaries with embedded strings). The CSI router mitigates (injected content rarely switches domains) but does not eliminate the gap. InjecAgent: ~50% of agentic tasks are vulnerable. course2a::sdd01::analysis "CAI vs RedTeamLLM: what is each one's advantage?" CAI's advantage is BREADTH (6 domains + bug bounty + meta-harness routing). RedTeamLLM's advantage is DEPTH on a narrower scope (better plan correction via summarize-reason-act). They are complementary studies, not competitive. course2a::sdd01::analysis "Name 3 things CAI does BETTER than any other harness in the roster." (1) Breadth with routing discipline (6 domains without context pollution). (2) Autonomy levels as a real graduated permission model. (3) Evidence quality as a stop condition (halt when submittable, not when out of ideas). course2a::sdd01::recall "Name 3 things you would fix if you forked CAI." (1) Add structured per-turn observability (Course 1 Module 10 — 8-field payload). (2) Add threshold-triggered context summarizer per domain agent (Module 3). (3) Add untrusted-output tagging (Module 2.4 — close the InjecAgent gap). These move CAI from best-available to fewest-known-vulnerabilities. course2a::sdd01::application "What is the evidence buffer, and why is it CAI's most security-relevant subsystem?" A timestamped, tagged, scope-checked store of every tool output and finding. It is the audit trail, the context offload, and the input to the report generator. It makes 'can I prove it to a program?' a first-class property — the Course 2A inversion of verification. course2a::sdd01::analysis "State CAI's Architect's Verdict in one line." The most complete open-source offensive harness (CSI + 6 domain specialists + scope enforcement + evidence buffer), weakened by per-engagement amnesia and no context compaction; build on it for authorized offensive work, but harden the scope validator and add untrusted-tagging first. course2a::sdd01::recall