"Why is a flat engagement memory (S02) insufficient for a red team kill chain?" "A kill chain is a SEQUENCE WITH DEPENDENCIES, not independent findings. Foothold requires initial access; lateral movement requires foothold; exfiltration requires privilege. Flat memory cannot represent dependencies. The state must be a GRAPH of dependent objectives, not a set." c2a::s03::analysis "Name the 5 states an attack graph node can be in." "unexplored, attempted, succeeded, failed, out_of_scope. Transitions: unexplored→attempted (prereqs met), attempted→succeeded/failed, failed triggers plan correction (new node), out_of_scope is terminal (no attempts made)." c2a::s03::recall "What is the role of MITRE ATT&CK in the attack graph?" "It is both the taxonomy AND the state machine. Each technique is a node (labeled with tactic + technique ID, e.g. T1190). The kill chain is a path through nodes. ATT&CK provides the canonical state space — the harness doesn't invent techniques, it selects from ATT&CK." c2a::s03::recall "When do you use a linear plan vs. an attack graph?" "Linear: single objective, single technique, high confidence (one-shot CVE validation). Graph: multi-objective, multiple techniques per objective, dependencies (any engagement >1 day). Switch mid-engagement: start linear, promote to graph when a step fails or a 2nd objective appears." c2a::s03::application "What is the 'collapse to linear' anti-pattern, and why is it harmful?" "Starting with a graph then collapsing it back to a linear plan 'for simplicity' when the graph gets dense. This throws away the ALTERNATIVE PATHS the agent will need when the primary technique fails. The density IS the value — it represents fallback options." c2a::s03::analysis "Name the two specific ways general harnesses lose multi-stage kill chain state." "(1) Intermediate state loss between tool calls: context compacts, the agent forgets a prerequisite was met. (2) Cross-session loss: day 2 fresh session has no memory of day 1's foothold → re-attempts (noise/detection) or proceeds without the dependency." c2a::s03::analysis "How does the attack graph solve cross-session continuity?" "Graph is serialized to disk at every state transition. On resume: load graph, issue an orientation prompt ('here's the graph, you're at [nodes], next available: [techniques]'), verify evidence_refs still resolve. Resume from STRUCTURAL TRUTH, not yesterday's reasoning (which may be stale)." c2a::s03::application "Name the 4 steps of the RedTeamLLM plan correction loop." "(1) DETECT — distinguish hard failure (patched/rejected) from soft (timeout). (2) RE-HYPOTHESIZE — query knowledge base for alt techniques, same tactic, prereqs met. (3) RE-PLAN — mark old node failed, add new unexplored node. (4) RETRY — execute the NEW node, not the old one." c2a::s03::recall "What is the difference between a hard failure and a soft failure, and why does it matter?" "Hard: exploit returned no result, target patched, auth rejected → triggers PLAN CORRECTION. Soft: timeout, rate limit, transient network → triggers RETRY WITH BACKOFF. Conflating them (retrying a patched exploit 3x) wastes engagement time and generates detectable noise." c2a::s03::analysis "What does exclude_failed=True do in the knowledge base query, and why is it load-bearing?" "Removes failed techniques from the candidate set during re-hypothesize. Forces GENUINE SUBSTITUTION (a different technique), not variation on the failed one. This is the cure for exploit lock-in — the harness that retries a favorite exploit with minor tweaks instead of trying something different." c2a::s03::analysis "What is exploit substitution, and how are alternatives ranked?" "When the primary exploit fails, select the next-best from the knowledge base. Ranked by TARGET CONTEXT (engagement memory from S02.1): web exploit ranks higher against web-facing surface; phishing ranks higher against targets with email exposure. Not a flat list — context-aware ranking." c2a::s03::application "Generalize vs. specialize — when to use each?" "Specialize: high-confidence intel (exact version, confirmed config) — high impact if it works, fails immediately if intel wrong. Generalize: low-confidence intel OR specialized already failed — reliable, noisier, broad pattern. RedTeamLLM: generalize-on-failure fallback completes 40% more objectives." c2a::s03::application "What is the sandbox inversion problem?" "Course 1: sandbox CONTAINS the agent to protect the host (correct for coding). Offensive: agent must reach OUT to attack target, but a compromised agent (prompt injection, S01.3) can attack YOU (lateral movement, credential exfil). The offensive sandbox must allow outbound to targets while preventing lateral movement if compromised." c2a::s03::analysis "Name the two independent boundaries of dual containment and what each enforces." "(1) Outbound scope enforcement: egress proxy + firewall ACL from scope.json — agent connects ONLY to in-scope targets, at the NETWORK layer (not just middleware). (2) Inbound isolation: no inbound routes from target net to container/host — reverse shells terminate in container. Both required; independent by design." c2a::s03::recall "Why must scope enforcement be at the network layer, not just the middleware?" "Middleware checks intent ('model wants nmap on X'); network layer enforces OUTCOME ('even if middleware bypassed, the packet cannot leave for X'). If middleware is bypassed (misconfig, bug, injection), network layer is the last line of defense. Belt and suspenders — both required." c2a::s03::analysis "What is credential quarantine, and why is it required?" "Engagement-discovered creds (DB passwords, API keys, hashes) live in a SEPARATE encrypted vault inside the container — own key, destroyed on teardown. Never touch host stores (SSH agent, keychain, ~/.aws/credentials). Enforced by container config, not agent cooperation. Prevents escalation beyond engagement and data isolation violations." c2a::s03::application "Why must the cloud metadata endpoint (169.254.169.254) be denied at the proxy?" "It's a common SSRF target and accidental-exfiltration path. If the host is a cloud instance and a compromised agent reaches it, the agent steals the HOST's cloud credentials — escalating beyond the engagement. Always denied at the egress proxy, every engagement, no exceptions." c2a::s03::analysis "How do you verify dual containment independently?" "Verification = attempt the forbidden thing, observe the block. Outbound: from container, connect to out-of-scope canary → REFUSED; connect to in-scope → SUCCEEDS. Inbound: from target segment, connect back to host/management → REFUSED; only control plane traverses the boundary. Untested containment = untested safety claim." c2a::s03::application "Why is CVSS scoring treated as a DRAFT, never a final score?" "CVSS is a known LLM weakness. Model produces plausible vector strings but gets them wrong by 2+ points regularly — overstates on scary descriptions, understates on subtle paths. Policy: always auto-scored, always flagged 'DRAFT — pending analyst review', always human-reviewed before client. Never trained on as ground truth (errors compound)." c2a::s03::analysis "Why is the executive summary written LAST, and what is the generic-summary anti-pattern?" "Written last because it summarizes the finding SET as a whole (posture, top 3, metrics, strategy). Anti-pattern: generic boilerplate ('several issues of varying severity') that could describe any engagement. Cure: ground in the SPECIFIC finding set — name the actual top finding, cite the attack path, quote the metric. Swappable = failed." c2a::s03::analysis "Why is CWE→OWASP control mapping deterministic (lookup) rather than model-generated?" "The control mapping is what the client's compliance team checks. If the model hallucinates an OWASP reference, compliance rejects the report. A deterministic lookup CANNOT hallucinate. The model fills target-specific remediation detail; the control framework mapping is a lookup table." c2a::s03::analysis "What are the 3 report output formats, and why one source of truth?" "HTML (interactive, clickable evidence), PDF (static, signable via headless browser), JSON (machine-readable for ticketing). All from the SAME finding records — one source of truth, three renderings. Separate report data from engagement data → two sources → they drift." c2a::s03::recall