60 minutes · The capstone methodology module — turning B0–B11 techniques into a repeatable, scoped, deliverable engagement
The buyer is the CISO / AI security lead. They measure you on the artifact you hand them, not the techniques you ran. B0 built the control plane; B12 ships it as a profession.
Pillar 4 — Frameworks & Governance
| Prior module | Contribution to the service |
|---|---|
| B0 — legal control plane | The SOW's seven clauses; the scope file; the residual-risk discipline |
| B1 — threat model | The reconnaissance phase's surface-enumeration template |
| B2–B8 — defenses | The controls the report assesses; the remediation routes |
| B9 — OWASP checklist | The discovery-phase backbone; the findings table (8/2 split) |
| B10 — Microsoft taxonomy | The chain track; the findings the checklist alone misses |
| B11 — governance | The framework the report maps to; the audit trail it evidences |
B12 introduces no new technique. It introduces the operational layer that makes B0–B11 a profession.
1. SCOPING ───────▶ 2. RECON ───────▶ 3. DISCOVERY
B0 scope file B1 surface map B9 checklist + B10 chains
│ │ │
▼ ▼ ▼
6. RETEST ◀─────── 5. REPORT ◀────── 4. EXPLOIT/VALIDATE
residual risk B9 output packaged B0 minimum-proof
before/after (5 sections) reproduce · measure N/M
│
└─────. recurring engagement ─────▶ back to 1
The backbone, the four-point enumeration, the seven-clause SOW
| Enumerate | Why it matters |
|---|---|
| 1. Surfaces (B1 template) | Inputs, tools, memory, provider, identity, sandbox, inter-agent edges. The client under-reports; B1 is how nothing stays silent. |
| 2. Model versions (pinned) | A finding against v3 is meaningless against v4. Pin checkpoints; record version per finding. |
| 3. Provider authorizations | B0: per technique, ToS / waiver / self-hosted must hold. Fail all three → out of scope until the gap closes. |
| 4. Exclusions | Prod PII, shared infra, forbidden techniques. Written into the SOW so drift has a boundary. |
| Depth | What it delivers | What it misses |
|---|---|---|
| Checklist depth | B9's ten rows run per agent | The chains between controls |
| Chain depth (premium) | B10 compound-intent chains on high-value surfaces | Nothing — but priced for high-stakes agents |
Never sell a depth you cannot deliver with rigor. Chain depth at checklist-depth hours ships an unvalidated chain.
| # | Clause | AI-specific? |
|---|---|---|
| 1 | Systems in scope (pinned versions) | — |
| 2 | Provider authorization / ToS compliance | YES |
| 3 | Techniques permitted / prohibited (weight-read = minimum-proof only) | — |
| 4 | Dual-use & disclosure (180d model / 90d harness; recipe suppressed) | YES |
| 5 | DMCA § 1201 waiver (if bypassing a model access control) | YES |
| 6 | Data handling (Public / Provider-Only / Restricted / Destroy-on-Report) | — |
| 7 | Residual-risk measurement protocol (never binary "fixed") | — |
The scored artifact B9 produces, packaged for a CISO
| Section | Content |
|---|---|
| 1. Executive summary | Residual posture · findings count · ship recommendation (never "secure") |
| 2. Findings | Taxonomy ref · attack procedure · evidence · residual risk · remediation |
| 3. Control matrix | Controls × surfaces: Present / Absent / Partial / Mismeasured |
| 4. Remediation roadmap | Prioritized, routed to B2–B8, owner + effort |
| 5. Appendix | Methodology · scope · evidence index (auditable) |
Finding ID F-04
Title Indirect injection → file exfil via send_email
Severity Critical
Taxonomy ref OWASP ASI01; Microsoft Mode 2 (goal-hijack drift)
Attack procedure [the multi-step chain, each step's approval gate]
Model version claude-opus-4-1-20260605 ← pinned
Success rate 60% over 100 attempts
Sampling params {temperature: 1.0, top_p: 0.95}
Scope reference SOW §2.3 / scope-file provider_authorization
Result MEASURED
Residual risk 4% after L4 taint gate enabled mid-engagement
Remediation module B2 (Prompt Injection Defense)
Timestamp UTC 2026-07-09T14:22:03Z
Residual risk, not binary "fixed"; a repeatable practice
| Verdict | Meaning |
|---|---|
| Resolved | Residual → 0% (deterministic control added) |
| Improved | 60% → 4% (mitigation reduced, did not eliminate) |
| Unchanged | 60% → 60% (remediation ineffective) |
| Regressed | A PASS row → FAIL, or a B10 chain rerouted through a new gap |
The retest re-runs the full B9 checklist and re-attempts the B10 chains — patching one step can reroute a chain through a different gap.
| Layer | What it makes the practice |
|---|---|
| Methodology | The six-phase playbook with phase→module mapping. Repeatable. |
| Tooling | B9 executor · B10 chain harness · report generator · scope validator. Scalable. |
| Templates | SOW (7 clauses) · scope file · report (5 sections) · retest delta. Consistent. |
| Evidence | B0 store (4 classes) · B11 audit trail · B11 AI BOM. Defensible. |
At the end of B0–B12 you can do four things: build a hardened agent harness (Capstone B1), attack it with the full methodology, defend it with the full control set, and — the contribution of this module — deliver the assessment of it as a scoped, priced, reported, retestable service. That last capability is what turns the techniques into a practice a CISO will buy.
Lab (07): build the assessment report generator — ingest B9's checklist-executor JSON, emit the five-section engagement report with strict validation (no unclassified findings, no MEASURED without a rate, no Critical without remediation). Plus write a sample SOW with all seven clauses.