Deep-Dive: SDD-B02 — Microsoft Failure Mode Taxonomy v2.0 Diagram count: 5 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.
Type: Cluster map with control-defeat annotations Purpose: The orientation diagram. Shows the seven Microsoft failure modes, each annotated with the specific OWASP control it defeats and whether the mode has a clean OWASP row. Three modes are flagged as "between the rows" — no clean OWASP analogue. Reading the diagram: Seven modes in three groups (maps to OWASP / partial overlap / between the rows). Each node names the mode, the OWASP control it defeats, and the gap. The footer is the thesis: these are the chains that show up against an agent built to OWASP.
flowchart TB
subgraph MAPS["MAPS TO OWASP ROW (defeats the control on paper)"]
M1["MODE 1 — SUPPLY CHAIN\ndefeats ASI08:\nsignature verifies publisher,\nNOT benignity"]
M2["MODE 2 — GOAL HIJACK (drift)\ndefeats ASI01:\ngate tests direct injection;\ntrusted-output channel uninspected"]
M6["MODE 6 — DISPATCH ABUSE\ndefeats ASI05:\nnormalizes paths,\nNOT the selection layer"]
M7["MODE 7 — CAPABILITY DISCLOSURE\ndefeats ASI02:\nscores the leak,\nNOT the chain it enables"]
end
subgraph BETWEEN["BETWEEN THE ROWS — no clean OWASP analogue"]
M3["MODE 3 — INTER-AGENT TRUST\nNO OWASP ROW:\norchestrators trust sub-agent\nmessages as role-scoped authority"]
M4["MODE 4 — VISION\nNO OWASP ROW:\nattack in pixels,\ninvisible to text taint gates"]
M5["MODE 5 — SESSION CONTAMINATION\nNO OWASP ROW:\nephemeral-but-cross-turn;\nASI04 write controls miss it"]
end
THESIS["These are the chains that show up when you red-team\nan agent BUILT TO OWASP — the controls on paper\ndo not compose the way the builder assumed.\nThe gap is where the attacker lives."]
BETWEEN --> THESIS
style MAPS fill:#14141f,stroke:rgba(94,234,212,0.5),color:#e4e4e8
style BETWEEN fill:#14141f,stroke:rgba(240,128,128,0.6),color:#e4e4e8
style M1 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M2 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M6 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M7 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M3 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
style M4 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
style M5 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
style THESIS fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
Type: Sequential chain with per-step approval gates Purpose: The centerpiece diagram of the deep-dive. Shows the five-step exfiltration chain where every step passes its human approval gate individually (each is benign in isolation) but the compound exfiltrates data. Per-step approval is structurally insufficient. Reading the diagram: Five steps flow left to right. Each step has an approval gate that PASSES. The compound (the composition) reaches IMPACT — exfiltration. The annotation names why: no single approver had session-level context, because no single step was refusable.
flowchart LR
S1["STEP 1\nAgent receives email:\n'reconcile Q3 vendors\nvs billing, send discrepancies'"]
S2["STEP 2\nReads vendor list\n+ billing records"]
S3["STEP 3\nDrafts email to vendor,\nCC's 'billing auditor'\n(payload-supplied)"]
S4["STEP 4\nSends the email\n(human approves:\n'reasonable note')"]
S5["STEP 5 — IMPACT\n'Billing auditor' = attacker.\nVendor list + discrepancies\nEXFILTRATED"]
G1["GATE: external input\n(auto-received)"] -.->|passes| S1
G2["GATE: routine data access\nAPPROVED"] -.->|passes| S2
G3["GATE: drafting email\nAPPROVED"] -.->|passes| S3
G4["GATE: sending drafted email\nAPPROVED"] -.->|passes| S4
G5["GATE: none\n(impact realized)"] -.-> S5
S1 --> S2 --> S3 --> S4 --> S5
NOTE["Every step PASSED its approval gate individually.\nEach is benign in isolation.\nThe malice lives in the COMPOUND —\ninvisible to any per-step control.\nNo approver had session-level context."]
S5 --> NOTE
style S1 fill:#08080c,stroke:rgba(240,168,104,0.4),color:#f0a868
style S2 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
style S3 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
style S4 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
style S5 fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
style G1 fill:#14141f,stroke:rgba(255,255,255,0.1),color:#9494a0
style G2 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
style G3 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
style G4 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
style G5 fill:#14141f,stroke:rgba(240,128,128,0.3),color:#f08080
style NOTE fill:#08080c,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
Type: Three-column comparison Purpose: Isolates the three modes that have no clean OWASP row — the modes an OWASP-scoped engagement misses entirely. Each column names the mode, why no OWASP row exists, and the surface that did not exist in single-agent / text-only systems. Reading the diagram: Three columns. The header row names the mode. The body names the missing OWASP analogue. The footer is the implication: an engagement scoped to OWASP alone misses all three.
flowchart TB
M3["MODE 3 — INTER-AGENT TRUST ESCALATION"]
M4["MODE 4 — COMPUTER-USE VISUAL ATTACKS"]
M5["MODE 5 — SESSION CONTEXT CONTAMINATION"]
M3D["No OWASP row: orchestrators treat\nsub-agent messages as role-scoped authority.\nPrincipal binding (ASI10) verifies the sender;\nit does not verify the sender is AUTHORIZED\nto request the action. Surface did not exist\nin single-agent systems."]
M4D["No OWASP row: the attack is in PIXELS,\ndecoded by the vision model. Invisible to any\ntext-based taint gate (never appears as text\nuntil decoded) and invisible to a human reviewer.\nNo text-only analogue exists."]
M5D["No OWASP row: the poison is ephemeral-\nbut-cross-turn — it lives in the context window\nfor the session, not in durable memory.\nASI04's harness-managed WRITE controls miss it\nbecause no write ever occurred."]
M3 --- M3D
M4 --- M4D
M5 --- M5D
IMPL["An engagement scoped to OWASP alone\nMISSES all three.\nThese surfaces exist only in multi-agent,\nvision-capable, multi-turn deployed systems."]
M5D --> IMPL
style M3 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style M4 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style M5 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style M3D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
style M4D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
style M5D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
style IMPL fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
Type: Layered architecture Purpose: Shows why per-step approval is necessary and insufficient, and why session-level intent detection must sit ABOVE it. Per-step stops the single malicious action; session-level stops the chain of benign actions. Defense in depth, across two scales. Reading the diagram: Two layers. Bottom = per-step approval (B8's control, correct for single actions). Top = session-level intent detection (the cross-turn extension, required for zero-click chains). The three mechanisms of session-level detection are named. The footer is the principle: you need both.
flowchart TB
subgraph SESSION["SESSION-LEVEL INTENT DETECTION (cross-turn — the required layer for zero-click chains)"]
IT["INTENT TRACKING\nrecord user's original goal;\nre-derive sub-goal each turn\nfrom SOURCE, not accumulating context"]
CD["COMPOUND-ACTION DETECTION\neach action evaluated as next element\nof the session sequence;\npattern-match known attack shapes"]
FW["APPROVAL FRESHNESS WINDOWS\napproval valid for bounded window/scope;\nstep outside re-triggers with\nCOMPOUND context attached"]
end
PERSTEP["PER-STEP APPROVAL (B8's control — correct, insufficient)\nEach high-impact action requires human approval.\nStops the SINGLE malicious action.\nBlind to the compound of benign actions."]
SESSION -->|sits ABOVE| PERSTEP
PRINCIPLE["PER-STEP approval stops the single malicious action.\nSESSION-LEVEL detection stops the chain of benign actions.\nYOU NEED BOTH. An agent with only per-step approval is\nvulnerable to zero-click chains; an agent with only\nsession-level detection is vulnerable to the single\naction the pattern matcher does not recognize.\nDefense in depth, across two scales."]
PERSTEP --> PRINCIPLE
style SESSION fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style IT fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
style CD fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
style FW fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
style PERSTEP fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
style PRINCIPLE fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
Type: Three-layer stack with outputs Purpose: Shows how the three artifacts compose into one B12 engagement. B9 is the floor (proves controls present). SDD-B01 is the OWASP chains (finds residuals between rows). SDD-B02 is the Microsoft chains (finds between-the-rows modes + the zero-click HITL bypass). None alone is sufficient. Reading the diagram: Three layers, bottom to top. Each names its function, unit, and output. The footer is the composition: B12 packages all three; an engagement scoped to B9 alone covers only the floor.
flowchart TB
B9["B9 — DEFENSE CHECKLIST\nread as: BUILDER\nunit: the risk (one row, one control, one test)\noutput: scored report (8 PASS/FAIL + 2 MEASURED)\nfunction: proves controls are PRESENT and PASSING"]
SDD1["SDD-B01 — OWASP OFFENSIVE PROCEDURES\nread as: ATTACKER\nunit: the OWASP row-exploitation + cross-row chain\noutput: reproduced findings + residuals the test cannot express\nfunction: finds the gap between the test and the adversary"]
SDD2["SDD-B02 — MICROSOFT CASE-STUDY CHAINS\nread as: ATTACKER\nunit: the chain (multi-step, compound intent)\noutput: reproduced chain + the session-level gap identified\nfunction: finds the between-the-rows modes + the zero-click HITL bypass"]
B9 -->|the floor| SDD1
SDD1 -->|the OWASP chains| SDD2
B12["B12 packages ALL THREE as one engagement.\nB9 = the floor. SDD-B01 = the OWASP chains.\nSDD-B02 = the Microsoft chains.\nNone alone is sufficient. Together: the complete methodology."]
SDD2 --> B12
COVERAGE["An engagement scoped to B9 alone has covered the FLOOR.\n+ SDD-B01 has covered the OWASP CHAINS.\n+ SDD-B02 has covered the CHAINS THAT SHOW UP IN PRODUCTION.\nAn engagement scoped to OWASP alone MISSES the three\nbetween-the-rows modes + every compound chain."]
B12 --> COVERAGE
style B9 fill:#14141f,stroke:rgba(94,234,212,0.5),color:#5eead4
style SDD1 fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
style SDD2 fill:#14141f,stroke:rgba(240,128,128,0.5),color:#f08080
style B12 fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
style COVERAGE fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
#14141f panel fill, #08080c deep background for nested nodes, #5eead4 teal accent for the modes-that-map-to-OWASP and the principle/session-level nodes, #82e0aa ok-green for approval-gate-passed nodes, #f0a868 warn-orange for per-step approval and external-input/centerpiece-annotation nodes, #f08080 danger-red for the between-the-rows modes, impact nodes, and the Microsoft-chain layer. #e4e4e8 / #9494a0 for text.flowchart TB/LR, subgraph) supported in current Mermaid (v10.4+).# Diagrams — Deep-Dive SDD-B02: Microsoft Failure Mode Taxonomy v2.0
**Deep-Dive**: SDD-B02 — Microsoft Failure Mode Taxonomy v2.0
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).
---
## Diagram 1 — The Seven Modes as Case-Study Map (each with the OWASP control it defeats)
**Type**: Cluster map with control-defeat annotations
**Purpose**: The orientation diagram. Shows the seven Microsoft failure modes, each annotated with the specific OWASP control it defeats and whether the mode has a clean OWASP row. Three modes are flagged as "between the rows" — no clean OWASP analogue.
**Reading the diagram**: Seven modes in three groups (maps to OWASP / partial overlap / between the rows). Each node names the mode, the OWASP control it defeats, and the gap. The footer is the thesis: these are the chains that show up against an agent built to OWASP.
```mermaid
flowchart TB
subgraph MAPS["MAPS TO OWASP ROW (defeats the control on paper)"]
M1["MODE 1 — SUPPLY CHAIN\ndefeats ASI08:\nsignature verifies publisher,\nNOT benignity"]
M2["MODE 2 — GOAL HIJACK (drift)\ndefeats ASI01:\ngate tests direct injection;\ntrusted-output channel uninspected"]
M6["MODE 6 — DISPATCH ABUSE\ndefeats ASI05:\nnormalizes paths,\nNOT the selection layer"]
M7["MODE 7 — CAPABILITY DISCLOSURE\ndefeats ASI02:\nscores the leak,\nNOT the chain it enables"]
end
subgraph BETWEEN["BETWEEN THE ROWS — no clean OWASP analogue"]
M3["MODE 3 — INTER-AGENT TRUST\nNO OWASP ROW:\norchestrators trust sub-agent\nmessages as role-scoped authority"]
M4["MODE 4 — VISION\nNO OWASP ROW:\nattack in pixels,\ninvisible to text taint gates"]
M5["MODE 5 — SESSION CONTAMINATION\nNO OWASP ROW:\nephemeral-but-cross-turn;\nASI04 write controls miss it"]
end
THESIS["These are the chains that show up when you red-team\nan agent BUILT TO OWASP — the controls on paper\ndo not compose the way the builder assumed.\nThe gap is where the attacker lives."]
BETWEEN --> THESIS
style MAPS fill:#14141f,stroke:rgba(94,234,212,0.5),color:#e4e4e8
style BETWEEN fill:#14141f,stroke:rgba(240,128,128,0.6),color:#e4e4e8
style M1 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M2 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M6 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M7 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
style M3 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
style M4 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
style M5 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
style THESIS fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
```
---
## Diagram 2 — The Zero-Click HITL Bypass Chain (centerpiece, 5 steps each passing approval)
**Type**: Sequential chain with per-step approval gates
**Purpose**: The centerpiece diagram of the deep-dive. Shows the five-step exfiltration chain where every step passes its human approval gate individually (each is benign in isolation) but the compound exfiltrates data. Per-step approval is structurally insufficient.
**Reading the diagram**: Five steps flow left to right. Each step has an approval gate that PASSES. The compound (the composition) reaches IMPACT — exfiltration. The annotation names why: no single approver had session-level context, because no single step was refusable.
```mermaid
flowchart LR
S1["STEP 1\nAgent receives email:\n'reconcile Q3 vendors\nvs billing, send discrepancies'"]
S2["STEP 2\nReads vendor list\n+ billing records"]
S3["STEP 3\nDrafts email to vendor,\nCC's 'billing auditor'\n(payload-supplied)"]
S4["STEP 4\nSends the email\n(human approves:\n'reasonable note')"]
S5["STEP 5 — IMPACT\n'Billing auditor' = attacker.\nVendor list + discrepancies\nEXFILTRATED"]
G1["GATE: external input\n(auto-received)"] -.->|passes| S1
G2["GATE: routine data access\nAPPROVED"] -.->|passes| S2
G3["GATE: drafting email\nAPPROVED"] -.->|passes| S3
G4["GATE: sending drafted email\nAPPROVED"] -.->|passes| S4
G5["GATE: none\n(impact realized)"] -.-> S5
S1 --> S2 --> S3 --> S4 --> S5
NOTE["Every step PASSED its approval gate individually.\nEach is benign in isolation.\nThe malice lives in the COMPOUND —\ninvisible to any per-step control.\nNo approver had session-level context."]
S5 --> NOTE
style S1 fill:#08080c,stroke:rgba(240,168,104,0.4),color:#f0a868
style S2 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
style S3 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
style S4 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
style S5 fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
style G1 fill:#14141f,stroke:rgba(255,255,255,0.1),color:#9494a0
style G2 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
style G3 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
style G4 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
style G5 fill:#14141f,stroke:rgba(240,128,128,0.3),color:#f08080
style NOTE fill:#08080c,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
```
---
## Diagram 3 — The Three Between-the-Rows Modes (no OWASP analogue)
**Type**: Three-column comparison
**Purpose**: Isolates the three modes that have no clean OWASP row — the modes an OWASP-scoped engagement misses entirely. Each column names the mode, why no OWASP row exists, and the surface that did not exist in single-agent / text-only systems.
**Reading the diagram**: Three columns. The header row names the mode. The body names the missing OWASP analogue. The footer is the implication: an engagement scoped to OWASP alone misses all three.
```mermaid
flowchart TB
M3["MODE 3 — INTER-AGENT TRUST ESCALATION"]
M4["MODE 4 — COMPUTER-USE VISUAL ATTACKS"]
M5["MODE 5 — SESSION CONTEXT CONTAMINATION"]
M3D["No OWASP row: orchestrators treat\nsub-agent messages as role-scoped authority.\nPrincipal binding (ASI10) verifies the sender;\nit does not verify the sender is AUTHORIZED\nto request the action. Surface did not exist\nin single-agent systems."]
M4D["No OWASP row: the attack is in PIXELS,\ndecoded by the vision model. Invisible to any\ntext-based taint gate (never appears as text\nuntil decoded) and invisible to a human reviewer.\nNo text-only analogue exists."]
M5D["No OWASP row: the poison is ephemeral-\nbut-cross-turn — it lives in the context window\nfor the session, not in durable memory.\nASI04's harness-managed WRITE controls miss it\nbecause no write ever occurred."]
M3 --- M3D
M4 --- M4D
M5 --- M5D
IMPL["An engagement scoped to OWASP alone\nMISSES all three.\nThese surfaces exist only in multi-agent,\nvision-capable, multi-turn deployed systems."]
M5D --> IMPL
style M3 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style M4 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style M5 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style M3D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
style M4D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
style M5D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
style IMPL fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
```
---
## Diagram 4 — Per-Step vs Session-Level Detection (the required control)
**Type**: Layered architecture
**Purpose**: Shows why per-step approval is necessary and insufficient, and why session-level intent detection must sit ABOVE it. Per-step stops the single malicious action; session-level stops the chain of benign actions. Defense in depth, across two scales.
**Reading the diagram**: Two layers. Bottom = per-step approval (B8's control, correct for single actions). Top = session-level intent detection (the cross-turn extension, required for zero-click chains). The three mechanisms of session-level detection are named. The footer is the principle: you need both.
```mermaid
flowchart TB
subgraph SESSION["SESSION-LEVEL INTENT DETECTION (cross-turn — the required layer for zero-click chains)"]
IT["INTENT TRACKING\nrecord user's original goal;\nre-derive sub-goal each turn\nfrom SOURCE, not accumulating context"]
CD["COMPOUND-ACTION DETECTION\neach action evaluated as next element\nof the session sequence;\npattern-match known attack shapes"]
FW["APPROVAL FRESHNESS WINDOWS\napproval valid for bounded window/scope;\nstep outside re-triggers with\nCOMPOUND context attached"]
end
PERSTEP["PER-STEP APPROVAL (B8's control — correct, insufficient)\nEach high-impact action requires human approval.\nStops the SINGLE malicious action.\nBlind to the compound of benign actions."]
SESSION -->|sits ABOVE| PERSTEP
PRINCIPLE["PER-STEP approval stops the single malicious action.\nSESSION-LEVEL detection stops the chain of benign actions.\nYOU NEED BOTH. An agent with only per-step approval is\nvulnerable to zero-click chains; an agent with only\nsession-level detection is vulnerable to the single\naction the pattern matcher does not recognize.\nDefense in depth, across two scales."]
PERSTEP --> PRINCIPLE
style SESSION fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style IT fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
style CD fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
style FW fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
style PERSTEP fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
style PRINCIPLE fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
```
---
## Diagram 5 — The B9 + SDD-B01 + SDD-B02 Engagement Stack
**Type**: Three-layer stack with outputs
**Purpose**: Shows how the three artifacts compose into one B12 engagement. B9 is the floor (proves controls present). SDD-B01 is the OWASP chains (finds residuals between rows). SDD-B02 is the Microsoft chains (finds between-the-rows modes + the zero-click HITL bypass). None alone is sufficient.
**Reading the diagram**: Three layers, bottom to top. Each names its function, unit, and output. The footer is the composition: B12 packages all three; an engagement scoped to B9 alone covers only the floor.
```mermaid
flowchart TB
B9["B9 — DEFENSE CHECKLIST\nread as: BUILDER\nunit: the risk (one row, one control, one test)\noutput: scored report (8 PASS/FAIL + 2 MEASURED)\nfunction: proves controls are PRESENT and PASSING"]
SDD1["SDD-B01 — OWASP OFFENSIVE PROCEDURES\nread as: ATTACKER\nunit: the OWASP row-exploitation + cross-row chain\noutput: reproduced findings + residuals the test cannot express\nfunction: finds the gap between the test and the adversary"]
SDD2["SDD-B02 — MICROSOFT CASE-STUDY CHAINS\nread as: ATTACKER\nunit: the chain (multi-step, compound intent)\noutput: reproduced chain + the session-level gap identified\nfunction: finds the between-the-rows modes + the zero-click HITL bypass"]
B9 -->|the floor| SDD1
SDD1 -->|the OWASP chains| SDD2
B12["B12 packages ALL THREE as one engagement.\nB9 = the floor. SDD-B01 = the OWASP chains.\nSDD-B02 = the Microsoft chains.\nNone alone is sufficient. Together: the complete methodology."]
SDD2 --> B12
COVERAGE["An engagement scoped to B9 alone has covered the FLOOR.\n+ SDD-B01 has covered the OWASP CHAINS.\n+ SDD-B02 has covered the CHAINS THAT SHOW UP IN PRODUCTION.\nAn engagement scoped to OWASP alone MISSES the three\nbetween-the-rows modes + every compound chain."]
B12 --> COVERAGE
style B9 fill:#14141f,stroke:rgba(94,234,212,0.5),color:#5eead4
style SDD1 fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
style SDD2 fill:#14141f,stroke:rgba(240,128,128,0.5),color:#f08080
style B12 fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
style COVERAGE fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
```
---
## Validation notes
- All five diagrams use the course design system colors: `#14141f` panel fill, `#08080c` deep background for nested nodes, `#5eead4` teal accent for the modes-that-map-to-OWASP and the principle/session-level nodes, `#82e0aa` ok-green for approval-gate-passed nodes, `#f0a868` warn-orange for per-step approval and external-input/centerpiece-annotation nodes, `#f08080` danger-red for the between-the-rows modes, impact nodes, and the Microsoft-chain layer. `#e4e4e8` / `#9494a0` for text.
- The color mapping is consistent across diagrams: teal = controls/defenses that work; green = approval gates that pass (individually); orange = the necessary-but-insufficient layer and annotations; red = the gap/impact/between-the-rows surfaces. This lets the reader track the semantic role of each node across all five diagrams.
- Paste each into [Mermaid Live Editor](https://mermaid.live) to render. All use stable Mermaid syntax (`flowchart TB/LR`, `subgraph`) supported in current Mermaid (v10.4+).
- For the slide deck (artifact 03), these are rendered as static captures from Mermaid Live, inlined into reveal.js.