
AI-201 Capstone: Full Agentic-Pentest Engagement


Every module recovered a cost. The capstone collects them all into a single engagement.


What You Are Building

Your AI-201 capstone is a production-quality agentic-system pentest report against a real open-source LangChain-based application that you do not control. The report follows coordinated-disclosure discipline: it is written as if you will send it to the maintainers after completing it. The capstone demonstrates that you can execute the full AI-201 methodology end-to-end: scope the target, execute multiple attack chains, classify findings by layer and severity, map them to MITRE ATLAS, and write a report that a vendor could act on.

Target selection: choose any open-source LangChain-based agentic application on GitHub with a reasonably active commit history (at least one commit within the last 6 months). The application must use at least one of: tools/function calling, RAG, memory, or multi-modal input. Submit your target choice to your instructor before beginning to avoid duplicate reports in the cohort.


Tier 1: Gate Requirements (pass/fail)

Both gates must pass before Tier-2 scoring applies.

Gate 1: Both signature CVEs reproduced. CVE-2025-68664 (LangGrinch pickle deserialization) and CVE-2025-9556 (LangChainGo Gonja SSTI) must both have working reproduction harnesses submitted (the Lab 3 and Lab 4 deliverables). A "working" reproduction means: the exploit runs against the vulnerable version, produces the expected output (RCE confirmation or SSTI output injection), and the exploit code is documented in the lab report.

Gate 2: Capstone report submitted. A 10-15 page written report covering all six sections below. A submitted report that passes Gate 1 proceeds to Tier-2 scoring regardless of report quality.


Tier 2 Scoring (40/30/30)

40%: Reproduction depth

Are your findings real, defensible, and reproducible?

Full credit (36-40 pts). All of the following present:

  • At least three distinct attack chains demonstrated against your chosen application (not against a lab setup), each with a working proof-of-concept
  • Findings classified correctly as model-intrinsic or application-layer (Module 10 methodology)
  • At least one finding mapped to a specific MITRE ATLAS technique (not just a tactic; use the technique ID, e.g., AML.T0051)
  • Reproduction instructions precise enough that a third party could reproduce the finding without your assistance

Partial credit (20-35 pts). One or two attack chains demonstrated; classification present; ATLAS mapping at tactic level only.

Minimal credit (0-19 pts). Findings against a lab setup rather than the chosen application, or no working proof-of-concept.

30%: Report quality

Does the report meet coordinated-disclosure standard?

Full credit (27-30 pts). Report contains all six sections at the required length; executive summary reads at a level a non-technical manager can act on; technical detail reads at a level the maintaining engineer can reproduce; severity scores assigned using CVSS 4.0 with rationale; recommended remediations are specific (not "use input validation" but "add the following input-validation pattern to the tool executor in src/tools/executor.py:L47").

Partial credit (15-26 pts). All six sections present; severity scores present but without full rationale; remediations general rather than specific.

Minimal credit (0-14 pts). Missing sections; no severity scoring; remediations absent.

30%: Cross-language bug-class generalisation

Does the report demonstrate Belt-4 analytical depth?

Full credit (27-30 pts). The report includes a one-to-two-page analysis section ("Bug-Class Generalisation") that:

  • Identifies the bug class of at least one finding (e.g., SSTI, deserialization, tool-permission escalation)
  • Names at least two other frameworks or languages where the same bug class has been observed (with CVE or paper citation)
  • Explains what structural property of agentic systems causes this bug class to recur across implementations
  • Identifies the defence that addresses the root cause rather than the specific instance

Partial credit (15-26 pts). Analysis present but covers only one language/framework pair; or identifies the bug class but not the root cause.

Minimal credit (0-14 pts). No generalisation analysis; only describes the specific finding.


Write-Up Sections

Section 1: Engagement scope (1 page)

Name the target application. Describe its architecture: what LLM does it use, what tools does it expose, does it use RAG or memory? What is the threat model you are testing (who is the adversary, what are they trying to achieve)? State which MITRE ATLAS tactics you planned to exercise.

Section 2: Findings (3-5 pages)

One sub-section per finding. Each finding sub-section must include:

  • Finding ID: F-001, F-002, etc.
  • Title: descriptive, under 10 words
  • ATLAS mapping: tactic + technique ID (e.g., AML.T0051 LLM Prompt Injection)
  • Severity: CVSS 4.0 score + rationale
  • Description: what the finding is
  • Reproduction steps: numbered; a third party should be able to reproduce
  • Evidence: paste or screenshot of exploit output
  • Classification: model-intrinsic or application-layer (see Module 10)

Section 3: Bug-class generalisation (1-2 pages)

Required for full Tier-2 credit. See the "30%: Cross-language bug-class generalisation" criteria above.

Section 4: Recommended remediations (1-2 pages)

One paragraph per finding. Each recommendation names the specific file, function, or configuration that needs to change, describes the proposed change, and names the ATLAS mitigation technique (e.g., AML.M0002 Passive ML Output Obfuscation) if applicable.

Section 5: What does not work (0.5-1 page)

Honest accounting of attack chains you attempted but could not demonstrate. Include: what you attempted, what blocked you (rate limiting, authentication, design choice), and whether the blocker is a real defence or an incidental obstacle. Specific known limitations are worth more than vague hedging.

Section 6: MITRE ATLAS navigator map (1 page)

Attach a screenshot of the MITRE ATLAS Navigator with your engagement's coverage highlighted. One layer per tactic exercised. This is the deliverable that shows what ATLAS looks like when applied to a real engagement rather than a classroom exercise.
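The Section 2 checklist and the Section 6 layer are easy to get wrong in the same way: a finding that cites a tactic where a technique is required, or a missing evidence field, is only noticed at grading time. The script below is an added example, not part of the course material or of any MITRE tooling; it lints finding records against the Section 2 field list and builds a Navigator layer from the technique IDs they cite. It assumes findings are plain dicts with the field names shown, that ATLAS technique IDs follow the AML.T0051 / AML.T0051.000 pattern and tactic IDs the AML.TA0004 pattern, and that the layer file uses the ATT&CK Navigator layer fields (`techniqueID`, `score`, `comment`) which the ATLAS Navigator reuses; the `domain` and `versions` values are placeholders to be set for the Navigator build you upload to. Both findings are constructed samples.

```python
"""Added example, not course material: lint Section 2 finding records and
emit an ATLAS Navigator layer for Section 6.

Assumptions (not from the course page): findings are dicts with the keys in
REQUIRED; technique IDs look like AML.T0051 (sub-techniques AML.T0051.000),
tactic IDs like AML.TA0004; the layer dict uses ATT&CK Navigator layer fields.
"""
import json
import re

REQUIRED = ("id", "title", "atlas_technique", "cvss_score", "cvss_rationale",
            "description", "steps", "evidence", "classification")
TECHNIQUE_RE = re.compile(r"^AML\.T\d{4}(\.\d{3})?$")   # technique / sub-technique
TACTIC_RE = re.compile(r"^AML\.TA\d{4}$")               # tactic (not sufficient)
CLASSIFICATIONS = {"model-intrinsic", "application-layer"}


def lint_finding(f):
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing {k}" for k in REQUIRED if f.get(k) in (None, "", [])]
    if not re.fullmatch(r"F-\d{3}", str(f.get("id", ""))):
        problems.append("id must be F-001 style")
    if len(str(f.get("title", "")).split()) >= 10:
        problems.append("title must be under 10 words")
    tech = str(f.get("atlas_technique", ""))
    if TACTIC_RE.match(tech):
        problems.append("atlas_technique is a tactic ID; a technique ID is required")
    elif not TECHNIQUE_RE.match(tech):
        problems.append("atlas_technique is not an AML.Txxxx ID")
    score = f.get("cvss_score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 10.0:
        problems.append("cvss_score must be 0.0-10.0")
    steps = f.get("steps")
    if not isinstance(steps, list) or len(steps) < 2:
        problems.append("steps must be a numbered list with at least two entries")
    if f.get("classification") not in CLASSIFICATIONS:
        problems.append("classification must be model-intrinsic or application-layer")
    return problems


def navigator_layer(findings, name="AI-201 capstone coverage"):
    """One layer entry per technique; the comment lists the findings that cite it."""
    by_tech = {}
    for f in findings:
        by_tech.setdefault(f["atlas_technique"], []).append(f["id"])
    return {
        "name": name,
        "domain": "<ATLAS Navigator domain for your build>",  # placeholder, set per Navigator build
        "versions": {"layer": "<layer schema version>"},      # placeholder, set per Navigator build
        "techniques": [
            {"techniqueID": t, "score": len(ids), "comment": ", ".join(ids), "enabled": True}
            for t, ids in sorted(by_tech.items())
        ],
    }


# Constructed sample findings: F-001 is complete; F-002 cites a tactic instead of
# a technique and has no evidence attached.
SAMPLE_FINDINGS = [
    {"id": "F-001", "title": "Prompt injection via retrieved document",
     "atlas_technique": "AML.T0051", "cvss_score": 7.1,
     "cvss_rationale": "constructed: network reachable, unauthenticated, integrity impact on tool calls",
     "description": "constructed description", "steps": ["constructed step 1", "constructed step 2"],
     "evidence": "constructed log excerpt", "classification": "application-layer"},
    {"id": "F-002", "title": "Constructed incomplete finding",
     "atlas_technique": "AML.TA0004", "cvss_score": 5.0,
     "cvss_rationale": "constructed rationale", "description": "constructed description",
     "steps": ["constructed step 1", "constructed step 2"], "evidence": "",
     "classification": "model-intrinsic"},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], lint_finding(f) or "ok")
    complete = [f for f in SAMPLE_FINDINGS if not lint_finding(f)]
    print(json.dumps(navigator_layer(complete), indent=2))
```

Run the lint over every finding before building the layer; only findings that pass should reach the layer, otherwise the Navigator map over-reports coverage that the report cannot back up.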


Deliverable Package

Submit a single zip: ai201-capstone-{your-name}.zip

├── report.pdf                         # 10-15 pages, six sections
├── reproductions/
│   ├── lab3-cve-2025-68664/           # from Lab 3 submission
│   ├── lab4-cve-2025-9556/            # from Lab 4 submission
│   └── capstone-findings/             # PoC for each finding
├── atlas-navigator-map.png            # ATLAS Navigator screenshot
└── checksums.txt                      # SHA-256 of all files
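The checksums.txt entry is only useful if it is written in a format the maintainers can verify without your help and if you verify it yourself before zipping. The following is an added example, not part of the course page: it writes checksums.txt in the two-space sha256sum format (so `sha256sum -c checksums.txt` works on the receiving end), excludes the manifest from itself, and re-verifies the package so a file edited after the manifest was written is caught. It assumes the package is laid out as an unpacked directory; the files in `run_demo` are constructed placeholders.

```python
"""Added example, not part of the course page: write and verify checksums.txt
for the deliverable package. Manifest lines use the sha256sum layout
("<hex digest>  <relative path>"), so coreutils can verify the same file.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large PoC captures do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_checksums(pkg_dir):
    """Write <pkg_dir>/checksums.txt covering every file except the manifest itself."""
    pkg = Path(pkg_dir)
    files = sorted(p for p in pkg.rglob("*") if p.is_file() and p.name != "checksums.txt")
    lines = [f"{sha256_file(p)}  {p.relative_to(pkg).as_posix()}" for p in files]
    (pkg / "checksums.txt").write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_checksums(pkg_dir):
    """Return the relative paths that are missing or whose digest differs; [] means clean."""
    pkg = Path(pkg_dir)
    bad = []
    for line in (pkg / "checksums.txt").read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        target = pkg / rel
        if not target.is_file() or sha256_file(target) != digest:
            bad.append(rel)
    return bad


def run_demo():
    """Build a constructed package in a temp dir, verify it, tamper, verify again."""
    root = Path(tempfile.mkdtemp(prefix="ai201-capstone-"))
    (root / "reproductions" / "capstone-findings").mkdir(parents=True)
    (root / "report.pdf").write_bytes(b"constructed placeholder report")
    (root / "reproductions" / "capstone-findings" / "F-001-poc.md").write_bytes(b"constructed PoC notes")
    count = write_checksums(root)
    clean = verify_checksums(root)
    # Simulate editing a file after the manifest was written.
    (root / "report.pdf").write_bytes(b"modified after the manifest was written")
    tampered = verify_checksums(root)
    return count, clean, tampered


if __name__ == "__main__":
    print(run_demo())  # (2, [], ['report.pdf'])
```

Run `write_checksums` as the last step before zipping and `verify_checksums` on the unpacked zip, not on your working tree, so the manifest describes exactly what the maintainers receive.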

B- Minimum Policy

A B- on Tier 2 (total Tier 2 score >= 70%) is required for the VCA-AI-201 Certificate of Completion. Students who pass both gates but score below 70% on Tier 2 receive a completion acknowledgment but not the certificate. Retake is permitted once per term; both gates must be re-demonstrated.