{
  "module": "SDD-B06 — RedAgent: Black-Box Jailbreaking",
  "course": "2B — Securing & Attacking Harnesses and LLMs",
  "version": "1.0.0",
  "duration_minutes": 30,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is the RedAgent (2026) finding, stated precisely?",
      "options": [
        "Most black-box LLMs cannot be jailbroken by any known technique.",
        "Most black-box LLMs — the frontier commercial models behind the APIs production agents call — can be jailbroken within 5 queries using context-specific attacks. The 'within 5 queries' is the median across tested models/scenarios (not a worst-case or single lucky run); the 'context-specific' is the load-bearing method (attacks engineered to the deployed context, not generic payloads from a jailbreak corpus).",
        "Generic jailbreaks like DAN work against 95% of black-box LLMs in a single query.",
        "All black-box LLMs require over 100 queries to jailbreak, regardless of attack class."
      ],
      "answer_index": 1,
      "rationale": "The finding has two load-bearing components: the number (within 5 queries, a median not a worst-case) and the method (context-specific, not generic). The contrast with generic jailbreaks is the whole finding — the defense that stops generic patterns does not stop context-specific attacks because the two have different signatures. Stating only 'jailbreaks exist' or 'jailbreaks are impossible' both miss the precise claim."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Why do context-specific attacks outperform generic jailbreaks against the same models?",
      "options": [
        "Because context-specific attacks use larger payloads that exceed the model's context window.",
        "Because generic jailbreaks are encrypted and the model cannot read them.",
        "A generic jailbreak is a static payload (same string regardless of target); providers red-team against known corpora and calibrate refusal to recognize them, so generic jailbreaks attack a defense that has SEEN the attack (declining success rate). A context-specific attack is engineered to the deployed context (system prompt, tools, conversation history); its signature is unique and the refusal training has never seen it. The attack is indistinguishable from the context the model is already operating in.",
        "Because context-specific attacks run faster than generic ones."
      ],
      "answer_index": 2,
      "rationale": "The defense is calibrated against out-of-context patterns (known jailbreaks); the context-specific attack is in-context. The model cannot reliably distinguish 'data I should treat cautiously' from 'a legitimate instruction in my current context' because both arrive as text in the same channel — the same mechanism that makes indirect prompt injection (SDD-B03) effective. The signature uniqueness is what defeats the pattern-calibrated defense."
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What are the four B0 disclosure principles as they apply to a RedAgent finding?",
      "options": [
        "Publish immediately, full chain included, no embargo, share on social media.",
        "(1) Provider first, always — private report under NDA before any external communication. (2) Existence and severity, not the recipe, by default — the advisory says 'context-specific technique, X% success, model Y, provider notified'; not the 5-query chain. (3) Longer embargo — a model-level finding is on the 180-day track, not 90-day. (4) Withhold pure-misuse with no defensive lesson — provider-only disclosure is common when a specific chain has no lesson beyond 'this model can be jailbroken'.",
        "Share the full chain with the client only, never the provider, no time limit.",
        "Wait 30 days, then publish the full chain regardless of provider response."
      ],
      "answer_index": 1,
      "rationale": "The four principles resolve the dual-use dilemma at its sharpest. Provider-first is non-negotiable (the provider owns the surface). Existence-not-recipe is the publication default (a copy-paste-usable chain is a misuse weapon). The 180-day track reflects that model mitigation (retraining, RLHF, version bump) is measured in months. Pure-misuse withholding recognizes that some findings have near-zero defensive value and high misuse risk — provider-only is the responsible outcome."
    },
    {
      "id": "Q04", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are running a B12 engagement. The client says 'the model is safety-trained, so we don't need a harness.' Which RedAgent-derived argument refutes this, and what is the prescription?",
      "options": [
        "Agree — safety training is sufficient; no harness needed.",
        "The RedAgent finding shows the refusal layer falls in 5 queries to a context-specific attack — it is a layer, not a boundary. The prescription is layered defense: refusal layer (provider-managed, raises the bar and provides signal), harness layer (deployer-managed, governs actions), deterministic layer (the boundary probabilistic layers cannot provide). The harness defenses (SDD-B04, SDD-B05) are necessary precisely because the model layer will be bypassed. The 5-query result is the empirical justification for not relying on the refusal layer alone.",
        "Recommend replacing the model with a smaller one that is harder to jailbreak.",
        "Recommend disabling the refusal layer entirely and relying only on the harness."
      ],
      "answer_index": 1,
      "rationale": "The RedAgent finding is load-bearing for the harness architecture: it proves the harness is necessary, not optional. An architecture that relies on any single layer has a bypass (refusal in 5 queries, harness judge injectable per SDD-B04, deterministic policy with compilation residuals per SDD-B05). Only the layered architecture holds — each layer's bypass is bounded by the others. The refusal layer is still valuable (raises the bar, stops casual attackers, provides signal) but it is a layer, not the boundary."
    },
    {
      "id": "Q05", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your RedAgent test produced one successful 5-query jailbreak against the target model. What additional measurement is required before this is a reportable finding?",
      "options": [
        "Nothing — one success proves the model is vulnerable.",
        "A success rate over N attempts under fixed sampling parameters. Run the 5-query chain M times against the target, recording model version (the single most important field — providers ship silent updates), temperature, sampling config, and deployed context at test time. Report the rate (e.g., '62% of 5-query chains succeeded against model version X at temperature 1.0'). A single success is an anecdote; the rate is the finding. The before/after delta is the honest metric for whether a provider mitigation worked.",
        "A second attempt; two successes is sufficient.",
        "A written description of how the jailbreak felt to construct."
      ],
      "answer_index": 1,
      "rationale": "Per B0 and SDD-B03, a single success is a weak finding (anecdote, may be a lucky sample). The honest measurement is the rate over N attempts with full parameter recording. Model version is critical: a finding against version N may not reproduce against N+1, and silent updates make the version field the single most important record. The before/after delta (refusal success rate before/after mitigation) controls for the version variable and is the honest effectiveness metric. No rate, no finding."
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "A client authorizes RedAgent-style testing of their production agent that calls a commercial frontier model. Under B0, what must be verified before the first query?",
      "options": [
        "Nothing — the deployer's authorization is sufficient.",
        "The B0 provider-authorization check must verify ONE of: (a) the provider's ToS explicitly permits jailbreak testing, (b) a provider-issued waiver or preview-program enrollment is on file, or (c) the model is self-hosted/open-weights and the deployer owns it. Several providers' AUPs explicitly prohibit jailbreaking; running the chain without authorization is a ToS breach (and in some readings a CFAA exposure). The scope file must carry a `provider_authorization` entry for the `jailbreak` technique, enforced by the harness gate before the first query.",
        "Only that the client has paid the engagement fee.",
        "Only that the testing happens during business hours."
      ],
      "answer_index": 1,
      "rationale": "The deployer can authorize testing of their system but CANNOT authorize violation of the provider's terms. The refusal layer is a provider-controlled surface (per B0). The provider-authorization check is non-optional: several providers' AUPs explicitly prohibit jailbreaking. The `jailbreak` technique needs a `provider_authorization` entry in the scope file, enforced by the harness gate. Running the chain without this is a ToS breach and potentially a CFAA exposure."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your engagement tested 20 known DAN prompts against the target model; 1 succeeded. You report 'the model is well-defended against jailbreaks.' What is wrong with this methodology?",
      "options": [
        "Nothing — 1/20 is a strong defensive result.",
        "Generic jailbreaks have a DECLINING success rate as providers patch against known patterns. Testing the generic corpus tests the WRONG ATTACK CLASS. The RedAgent finding is specifically about CONTEXT-SPECIFIC attacks, which bypass the pattern-calibrated defense because their signature is unique to the deployed context. The low success rate is an artifact of testing a stale corpus, not a finding about the model's resistance to the attack class that matters. The methodology must test the context-specific surface (reconnaissance, context-aligned crafting, confirmation).",
        "You should have tested 100 DAN prompts instead.",
        "You should have used a stronger computer to run the tests."
      ],
      "answer_index": 1,
      "rationale": "The RedAgent finding is specifically about context-specific attacks, not generic ones. A generic-jailbreak-only test produces an artifactually low success rate that misrepresents the model's actual resistance to the attack class that matters. Providers actively red-team against known generic corpora — testing those patterns tests the defense at its strongest point. The context-specific surface (the deployed context — system prompt, tools, conversation history) is the surface the defense is NOT calibrated against, and that is what RedAgent-style testing must probe."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are drafting the advisory for a RedAgent finding (62% success rate, model version X). Which of the following is the responsible default publication?",
      "options": [
        "Publish the full 5-query chain on a public blog to help the community.",
        "Sell the chain to a third party.",
        "Publish existence and severity: 'We found a context-specific technique that bypasses refusal with 62% success on model version X; the provider has been notified.' Do NOT include the 5-query chain unless the provider consents and the technique is independently well-known. Share the chain with the provider under NDA. The decision of provider-only vs. existence-plus-severity vs. pure-misuse withholding was made in the RoE before testing.",
        "Withhold all information, including from the provider."
      ],
      "answer_index": 2,
      "rationale": "Per B0, existence-and-severity is the publication default — not the recipe. A copy-paste-usable chain is a misuse weapon usable by non-technical attackers (unlike a buffer-overflow exploit). Provider-first is non-negotiable. The decision between provider-only, existence-plus-severity, and pure-misuse withholding was made in the RoE before testing, not when the chain succeeded. Publishing the full chain 'to help the community' is the anti-pattern — the misuse risk is high, the defensive value of publishing the specific chain is near-zero."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "The 5-query chain has 5 stages. Which stage is the attack's dependence on the surface the refusal training does not cover?",
      "options": [
        "Query 5 — success confirmation.",
        "Query 1 — context reconnaissance. The attacker probes the deployed context (system prompt, tools, conversation structure). This query is benign — it does not attempt the jailbreak. It maps the surface the subsequent queries will align to. This stage IS the attack's dependence on the deployed context — the surface the provider's refusal training cannot pre-calibrate against because it has not seen it.",
        "Queries 2-4 — context-aligned payload crafting.",
        "There is no reconnaissance stage; the chain is a single payload."
      ],
      "answer_index": 1,
      "rationale": "Query 1 is the reconnaissance stage and it is the attack's dependence on the deployed context. The deployed context (system prompt, tool surface, conversation history) is the attack surface precisely because the provider does not control it and cannot pre-calibrate refusal against it. Query 1 maps this surface; queries 2-4 align the payload to it; query 5 confirms. Treating reconnaissance as a formality (skipping it) is why generic jailbreaks fail — they never align to the specific deployed context."
    },
    {
      "id": "Q10", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does pattern-calibrated refusal training have a structural novel-pattern bypass, and why can the provider not fully fix it?",
      "options": [
        "Because the provider does not care about jailbreaks.",
        "Because pattern-calibrated training recognizes KNOWN threats but not NOVEL ones (same structural property as signature-based AV/IDS). A context-specific attack's signature is unique to the deployed context; the training has never seen it. The provider cannot fully fix this: they can broaden training patterns (red-team harder, include more diverse jailbreaks), but the space of possible deployed contexts is UNBOUNDED — they cannot pre-calibrate against every system prompt, every tool configuration, every conversation history. The residual is STRUCTURAL. This is why the harness layer is necessary, not optional.",
        "Because the model is too small to learn all patterns.",
        "Because refusal training is illegal in some jurisdictions."
      ],
      "answer_index": 1,
      "rationale": "The novel-pattern bypass is structural, not incidental — it is the model-layer analogue of a zero-day in traditional security. Pattern-calibrated defense (signature-based AV, refusal training) recognizes known threats; it does not recognize novel ones. The space of deployed contexts is unbounded, so the provider cannot pre-calibrate against all of them. The residual — a context-specific attack with a signature the training has never seen — is permanent. This is the structural justification for the harness layer: only a governance layer that does not rely on the model's pattern-matching can close the residual."
    },
    {
      "id": "Q11", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Trace the three-step defense-in-depth argument by which B2's thesis (no single layer suffices) arrives at the model layer.",
      "options": [
        "B2 asserts it; no empirical evidence exists.",
        "(1) SDD-B03 MEASURED it — layered defenses reach single-digit injection rates where single defenses sit near the baseline; the delta is the evidence. (2) SDD-B04 and SDD-B05 DEMONSTRATED it at the HARNESS layer — CrabTrap has residuals (injectable judge, response-side gap, cost erosion); IronCurtain has residuals (compilation fidelity, escalation fatigue). No single harness defense suffices. (3) SDD-B06 DEMONSTRATES it at the MODEL layer — the refusal layer falls in 5 queries to a context-specific attack. The model layer, like the harness layer, does not suffice alone.",
        "SDD-B06 alone proves the thesis; the earlier deep-dives are irrelevant.",
        "The thesis only applies to the harness layer, not the model layer."
      ],
      "answer_index": 1,
      "rationale": "The argument is cumulative across three deep-dives. SDD-B03 provides the measurement instrument (the delta). SDD-B04 and SDD-B05 demonstrate the thesis at the harness layer (every harness defense has residuals). SDD-B06 demonstrates it at the model layer (the defense closest to the content falls in 5 queries). The synthesis: an architecture that relies on any single layer has a bypass. Only the layered architecture holds, with each layer's bypass bounded by the others. The RedAgent finding is the third step, not a standalone result."
    },
    {
      "id": "Q12", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is treating the model-layer finding and the harness-layer finding as independent an anti-pattern?",
      "options": [
        "Because they are mathematically identical.",
        "Because the harness finding makes the model finding irrelevant.",
        "Because they are CORRELATED, not independent. A model that falls in 5 queries makes the harness layer the LOAD-BEARING defense — and the harness has its own residuals (SDD-B04: injectable judge, response-side gap, cost erosion; SDD-B05: compilation fidelity, escalation fatigue). The architecture's overall injection resistance is the COMBINATION. A model-layer bypass INCREASES the load on the harness (more attempted disallowed actions reach the harness, more pressure on the judge, more escalation-fatigue surface). The anti-pattern 'model jailbreaks but harness stops actions, so it doesn't matter' ignores this correlation.",
        "Because the model finding makes the harness finding irrelevant."
      ],
      "answer_index": 2,
      "rationale": "The layers are correlated. A model-layer bypass does not just 'not matter because the harness stops actions' — it increases the operational load on the harness (more disallowed attempts reach the judge, more pressure to allowlist/widen, more escalation events that fatigue the human). The architecture's overall injection resistance is the combination of the model-layer rate and the harness-layer rate, not the minimum of the two. This correlation is why the RedAgent result is the justification for not relying on ANY single layer — and for treating the harness layer's residuals as more load-bearing when the model layer falls."
    },
    {
      "id": "Q13", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is a working 5-query jailbreak the dual-use dilemma in its sharpest form, and what distinguishes it from a traditional exploit like a buffer overflow?",
      "options": [
        "It is not a dual-use dilemma; it is purely defensive.",
        "It is purely offensive; there is no defensive value.",
        "It is simultaneously the MOST VALUABLE model-level finding (proves the refusal layer's limits measurably, advances defensive understanding, justifies the harness architecture) AND the MOST DANGEROUS misuse recipe (a concrete, copy-paste-usable chain that bypasses refusal). Unlike a buffer-overflow exploit (requires skill to weaponize — memory layout, gadgets, bypassing ASLR), a jailbreak prompt is usable by a NON-TECHNICAL attacker. The narrower the gap between research finding and offensive capability, the sharper the dilemma. The four B0 principles resolve it; the decision is made in the RoE before testing.",
        "It is identical to a buffer overflow in every respect."
      ],
      "answer_index": 2,
      "rationale": "The sharpness comes from the narrow gap between research and weapon. A buffer-overflow finding requires exploit-development skill to convert into an attack — the disclosure can include technical detail because weaponization is gated by skill. A jailbreak prompt has no such gate: the finding IS the weapon. A non-technical attacker copy-pastes the chain. This is why the existence-not-recipe default and the pure-misuse withholding principle bite hardest here — publishing the chain hands a weapon to anyone who reads it, with near-zero defensive value (the defensive lesson is the technique class and the architectural implication, not the specific chain)."
    },
    {
      "id": "Q14", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why must the dual-use disclosure decision be made in the RoE before testing, rather than when the chain succeeds?",
      "options": [
        "Because the decision is easier to make after the fact.",
        "Because the provider prefers post-hoc decisions.",
        "Because an engagement that runs RedAgent-style testing WITHOUT a dual-use clause will fail at exactly the moment a serious finding appears — the operator will hold a copy-paste-usable weapon with no pre-agreed handling, and the ad-hoc decision will be wrong in at least one direction (over-publishing as misuse, or under-disclosing as hiding). The decision must specify provider-only vs. existence-plus-severity vs. pure-misuse withholding, made when the contract is signed. The RoE protects both the operator (clear handling) and the public (no ad-hoc publication of a weapon).",
        "Because the RoE is optional for RedAgent testing."
      ],
      "answer_index": 2,
      "rationale": "Pre-commitment resolves the dilemma at the moment of maximum objectivity (before the finding exists), not at the moment of maximum pressure (when the operator holds the weapon). The ad-hoc decision is structurally biased: the operator may over-publish (career incentive, community pressure) or under-disclose (fear of liability, client pressure). The RoE removes both biases by fixing the handling ex-ante. This is the same logic as pre-commitment in game theory — the decision is made when no finding exists, so the decision cannot be influenced by the finding's specifics."
    },
    {
      "id": "Q15", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Design the four-step RedAgent-style testing protocol for a B12 engagement, and explain how it integrates with the harness-layer assessment.",
      "options": [
        "(1) Test generic jailbreaks; (2) report the single success; (3) ignore the harness; (4) publish the full chain.",
        "(1) MAP THE DEPLOYED CONTEXT — treat system prompt, tool surface, conversation structure as the attack surface; query 1 of the 5-query chain IS this map. (2) RUN THE 5-QUERY CHAIN, MEASURED — execute the chain M times under fixed parameters (model version, temperature, sampling config, deployed context); report the SUCCESS RATE, not a single success. (3) CORRELATE WITH THE HARNESS ASSESSMENT — RedAgent establishes model-layer residual; SDD-B04/SDD-B05 establishes harness-layer residual; the architecture's overall injection resistance is the combination, not the minimum. (4) PRESCRIBE THE LAYERED DEFENSE — refusal layer (raises bar), harness layer (governs actions), deterministic layer (the boundary probabilistic layers cannot provide). The model-layer finding is the justification for not relying on any single layer.",
        "(1) Skip reconnaissance; (2) run one query; (3) ignore measurement; (4) prescribe a single layer.",
        "(1) Test the harness only; (2) ignore the model; (3) report one number; (4) prescribe IronCurtain alone."
      ],
      "answer_index": 1,
      "rationale": "The four-step protocol integrates the RedAgent finding into the B12 capstone. Step 1 (map deployed context) treats the context as the attack surface, which is the RedAgent insight. Step 2 (measured chain) produces a rate, not an anecdote. Step 3 (correlate with harness) recognizes the layers are correlated, not independent — the architecture's resistance is the combination. Step 4 (layered prescription) is the deliverable: the model-layer finding is the justification for the layered defense, not for abandoning the model layer or relying on it alone. The alternative options each reproduce an anti-pattern (generic-only, single-success, ignore-harness, single-layer prescription)."
    }
  ]
}
