Diagrams — Deep-Dive SDD-B02: Microsoft Failure Mode Taxonomy v2.0

Deep-Dive: SDD-B02 — Microsoft Failure Mode Taxonomy v2.0 Diagram count: 5 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.


Diagram 1 — The Seven Modes as Case-Study Map (each with the OWASP control it defeats)

Type: Cluster map with control-defeat annotations Purpose: The orientation diagram. Shows the seven Microsoft failure modes, each annotated with the specific OWASP control it defeats and whether the mode has a clean OWASP row. Three modes are flagged as "between the rows" — no clean OWASP analogue. Reading the diagram: Seven modes in three groups (maps to OWASP / partial overlap / between the rows). Each node names the mode, the OWASP control it defeats, and the gap. The footer is the thesis: these are the chains that show up against an agent built to OWASP.

flowchart TB
  subgraph MAPS["MAPS TO OWASP ROW (defeats the control on paper)"]
    M1["MODE 1 — SUPPLY CHAIN\ndefeats ASI08:\nsignature verifies publisher,\nNOT benignity"]
    M2["MODE 2 — GOAL HIJACK (drift)\ndefeats ASI01:\ngate tests direct injection;\ntrusted-output channel uninspected"]
    M6["MODE 6 — DISPATCH ABUSE\ndefeats ASI05:\nnormalizes paths,\nNOT the selection layer"]
    M7["MODE 7 — CAPABILITY DISCLOSURE\ndefeats ASI02:\nscores the leak,\nNOT the chain it enables"]
  end
  subgraph BETWEEN["BETWEEN THE ROWS — no clean OWASP analogue"]
    M3["MODE 3 — INTER-AGENT TRUST\nNO OWASP ROW:\norchestrators trust sub-agent\nmessages as role-scoped authority"]
    M4["MODE 4 — VISION\nNO OWASP ROW:\nattack in pixels,\ninvisible to text taint gates"]
    M5["MODE 5 — SESSION CONTAMINATION\nNO OWASP ROW:\nephemeral-but-cross-turn;\nASI04 write controls miss it"]
  end

  THESIS["These are the chains that show up when you red-team\nan agent BUILT TO OWASP — the controls on paper\ndo not compose the way the builder assumed.\nThe gap is where the attacker lives."]

  BETWEEN --> THESIS

  style MAPS fill:#14141f,stroke:rgba(94,234,212,0.5),color:#e4e4e8
  style BETWEEN fill:#14141f,stroke:rgba(240,128,128,0.6),color:#e4e4e8
  style M1 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M2 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M6 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M7 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M3 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
  style M4 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
  style M5 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
  style THESIS fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4

Diagram 2 — The Zero-Click HITL Bypass Chain (centerpiece, 5 steps each passing approval)

Type: Sequential chain with per-step approval gates Purpose: The centerpiece diagram of the deep-dive. Shows the five-step exfiltration chain where every step passes its human approval gate individually (each is benign in isolation) but the compound exfiltrates data. Per-step approval is structurally insufficient. Reading the diagram: Five steps flow left to right. Each step has an approval gate that PASSES. The compound (the composition) reaches IMPACT — exfiltration. The annotation names why: no single approver had session-level context, because no single step was refusable.

flowchart LR
  S1["STEP 1\nAgent receives email:\n'reconcile Q3 vendors\nvs billing, send discrepancies'"]
  S2["STEP 2\nReads vendor list\n+ billing records"]
  S3["STEP 3\nDrafts email to vendor,\nCC's 'billing auditor'\n(payload-supplied)"]
  S4["STEP 4\nSends the email\n(human approves:\n'reasonable note')"]
  S5["STEP 5 — IMPACT\n'Billing auditor' = attacker.\nVendor list + discrepancies\nEXFILTRATED"]

  G1["GATE: external input\n(auto-received)"] -.->|passes| S1
  G2["GATE: routine data access\nAPPROVED"] -.->|passes| S2
  G3["GATE: drafting email\nAPPROVED"] -.->|passes| S3
  G4["GATE: sending drafted email\nAPPROVED"] -.->|passes| S4
  G5["GATE: none\n(impact realized)"] -.-> S5

  S1 --> S2 --> S3 --> S4 --> S5

  NOTE["Every step PASSED its approval gate individually.\nEach is benign in isolation.\nThe malice lives in the COMPOUND —\ninvisible to any per-step control.\nNo approver had session-level context."]

  S5 --> NOTE

  style S1 fill:#08080c,stroke:rgba(240,168,104,0.4),color:#f0a868
  style S2 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
  style S3 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
  style S4 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
  style S5 fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style G1 fill:#14141f,stroke:rgba(255,255,255,0.1),color:#9494a0
  style G2 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
  style G3 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
  style G4 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
  style G5 fill:#14141f,stroke:rgba(240,128,128,0.3),color:#f08080
  style NOTE fill:#08080c,stroke:#f0a868,stroke-width:1.5px,color:#f0a868

Diagram 3 — The Three Between-the-Rows Modes (no OWASP analogue)

Type: Three-column comparison Purpose: Isolates the three modes that have no clean OWASP row — the modes an OWASP-scoped engagement misses entirely. Each column names the mode, why no OWASP row exists, and the surface that did not exist in single-agent / text-only systems. Reading the diagram: Three columns. The header row names the mode. The body names the missing OWASP analogue. The footer is the implication: an engagement scoped to OWASP alone misses all three.

flowchart TB
  M3["MODE 3 — INTER-AGENT TRUST ESCALATION"]
  M4["MODE 4 — COMPUTER-USE VISUAL ATTACKS"]
  M5["MODE 5 — SESSION CONTEXT CONTAMINATION"]

  M3D["No OWASP row: orchestrators treat\nsub-agent messages as role-scoped authority.\nPrincipal binding (ASI10) verifies the sender;\nit does not verify the sender is AUTHORIZED\nto request the action. Surface did not exist\nin single-agent systems."]
  M4D["No OWASP row: the attack is in PIXELS,\ndecoded by the vision model. Invisible to any\ntext-based taint gate (never appears as text\nuntil decoded) and invisible to a human reviewer.\nNo text-only analogue exists."]
  M5D["No OWASP row: the poison is ephemeral-\nbut-cross-turn — it lives in the context window\nfor the session, not in durable memory.\nASI04's harness-managed WRITE controls miss it\nbecause no write ever occurred."]

  M3 --- M3D
  M4 --- M4D
  M5 --- M5D

  IMPL["An engagement scoped to OWASP alone\nMISSES all three.\nThese surfaces exist only in multi-agent,\nvision-capable, multi-turn deployed systems."]

  M5D --> IMPL

  style M3 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style M4 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style M5 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style M3D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
  style M4D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
  style M5D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
  style IMPL fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080

Diagram 4 — Per-Step vs Session-Level Detection (the required control)

Type: Layered architecture Purpose: Shows why per-step approval is necessary and insufficient, and why session-level intent detection must sit ABOVE it. Per-step stops the single malicious action; session-level stops the chain of benign actions. Defense in depth, across two scales. Reading the diagram: Two layers. Bottom = per-step approval (B8's control, correct for single actions). Top = session-level intent detection (the cross-turn extension, required for zero-click chains). The three mechanisms of session-level detection are named. The footer is the principle: you need both.

flowchart TB
  subgraph SESSION["SESSION-LEVEL INTENT DETECTION (cross-turn — the required layer for zero-click chains)"]
    IT["INTENT TRACKING\nrecord user's original goal;\nre-derive sub-goal each turn\nfrom SOURCE, not accumulating context"]
    CD["COMPOUND-ACTION DETECTION\neach action evaluated as next element\nof the session sequence;\npattern-match known attack shapes"]
    FW["APPROVAL FRESHNESS WINDOWS\napproval valid for bounded window/scope;\nstep outside re-triggers with\nCOMPOUND context attached"]
  end

  PERSTEP["PER-STEP APPROVAL (B8's control — correct, insufficient)\nEach high-impact action requires human approval.\nStops the SINGLE malicious action.\nBlind to the compound of benign actions."]

  SESSION -->|sits ABOVE| PERSTEP

  PRINCIPLE["PER-STEP approval stops the single malicious action.\nSESSION-LEVEL detection stops the chain of benign actions.\nYOU NEED BOTH. An agent with only per-step approval is\nvulnerable to zero-click chains; an agent with only\nsession-level detection is vulnerable to the single\naction the pattern matcher does not recognize.\nDefense in depth, across two scales."]

  PERSTEP --> PRINCIPLE

  style SESSION fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  style IT fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
  style CD fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
  style FW fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
  style PERSTEP fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
  style PRINCIPLE fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4

Diagram 5 — The B9 + SDD-B01 + SDD-B02 Engagement Stack

Type: Three-layer stack with outputs Purpose: Shows how the three artifacts compose into one B12 engagement. B9 is the floor (proves controls present). SDD-B01 is the OWASP chains (finds residuals between rows). SDD-B02 is the Microsoft chains (finds between-the-rows modes + the zero-click HITL bypass). None alone is sufficient. Reading the diagram: Three layers, bottom to top. Each names its function, unit, and output. The footer is the composition: B12 packages all three; an engagement scoped to B9 alone covers only the floor.

flowchart TB
  B9["B9 — DEFENSE CHECKLIST\nread as: BUILDER\nunit: the risk (one row, one control, one test)\noutput: scored report (8 PASS/FAIL + 2 MEASURED)\nfunction: proves controls are PRESENT and PASSING"]
  SDD1["SDD-B01 — OWASP OFFENSIVE PROCEDURES\nread as: ATTACKER\nunit: the OWASP row-exploitation + cross-row chain\noutput: reproduced findings + residuals the test cannot express\nfunction: finds the gap between the test and the adversary"]
  SDD2["SDD-B02 — MICROSOFT CASE-STUDY CHAINS\nread as: ATTACKER\nunit: the chain (multi-step, compound intent)\noutput: reproduced chain + the session-level gap identified\nfunction: finds the between-the-rows modes + the zero-click HITL bypass"]

  B9 -->|the floor| SDD1
  SDD1 -->|the OWASP chains| SDD2

  B12["B12 packages ALL THREE as one engagement.\nB9 = the floor. SDD-B01 = the OWASP chains.\nSDD-B02 = the Microsoft chains.\nNone alone is sufficient. Together: the complete methodology."]

  SDD2 --> B12

  COVERAGE["An engagement scoped to B9 alone has covered the FLOOR.\n+ SDD-B01 has covered the OWASP CHAINS.\n+ SDD-B02 has covered the CHAINS THAT SHOW UP IN PRODUCTION.\nAn engagement scoped to OWASP alone MISSES the three\nbetween-the-rows modes + every compound chain."]

  B12 --> COVERAGE

  style B9 fill:#14141f,stroke:rgba(94,234,212,0.5),color:#5eead4
  style SDD1 fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
  style SDD2 fill:#14141f,stroke:rgba(240,128,128,0.5),color:#f08080
  style B12 fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  style COVERAGE fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4

Validation notes

# Diagrams — Deep-Dive SDD-B02: Microsoft Failure Mode Taxonomy v2.0

**Deep-Dive**: SDD-B02 — Microsoft Failure Mode Taxonomy v2.0
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — The Seven Modes as Case-Study Map (each with the OWASP control it defeats)

**Type**: Cluster map with control-defeat annotations
**Purpose**: The orientation diagram. Shows the seven Microsoft failure modes, each annotated with the specific OWASP control it defeats and whether the mode has a clean OWASP row. Three modes are flagged as "between the rows" — no clean OWASP analogue.
**Reading the diagram**: Seven modes in three groups (maps to OWASP / partial overlap / between the rows). Each node names the mode, the OWASP control it defeats, and the gap. The footer is the thesis: these are the chains that show up against an agent built to OWASP.

```mermaid
flowchart TB
  subgraph MAPS["MAPS TO OWASP ROW (defeats the control on paper)"]
    M1["MODE 1 — SUPPLY CHAIN\ndefeats ASI08:\nsignature verifies publisher,\nNOT benignity"]
    M2["MODE 2 — GOAL HIJACK (drift)\ndefeats ASI01:\ngate tests direct injection;\ntrusted-output channel uninspected"]
    M6["MODE 6 — DISPATCH ABUSE\ndefeats ASI05:\nnormalizes paths,\nNOT the selection layer"]
    M7["MODE 7 — CAPABILITY DISCLOSURE\ndefeats ASI02:\nscores the leak,\nNOT the chain it enables"]
  end
  subgraph BETWEEN["BETWEEN THE ROWS — no clean OWASP analogue"]
    M3["MODE 3 — INTER-AGENT TRUST\nNO OWASP ROW:\norchestrators trust sub-agent\nmessages as role-scoped authority"]
    M4["MODE 4 — VISION\nNO OWASP ROW:\nattack in pixels,\ninvisible to text taint gates"]
    M5["MODE 5 — SESSION CONTAMINATION\nNO OWASP ROW:\nephemeral-but-cross-turn;\nASI04 write controls miss it"]
  end

  THESIS["These are the chains that show up when you red-team\nan agent BUILT TO OWASP — the controls on paper\ndo not compose the way the builder assumed.\nThe gap is where the attacker lives."]

  BETWEEN --> THESIS

  style MAPS fill:#14141f,stroke:rgba(94,234,212,0.5),color:#e4e4e8
  style BETWEEN fill:#14141f,stroke:rgba(240,128,128,0.6),color:#e4e4e8
  style M1 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M2 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M6 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M7 fill:#08080c,stroke:rgba(94,234,212,0.3),color:#5eead4
  style M3 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
  style M4 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
  style M5 fill:#08080c,stroke:rgba(240,128,128,0.4),color:#f08080
  style THESIS fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
```

---

## Diagram 2 — The Zero-Click HITL Bypass Chain (centerpiece, 5 steps each passing approval)

**Type**: Sequential chain with per-step approval gates
**Purpose**: The centerpiece diagram of the deep-dive. Shows the five-step exfiltration chain where every step passes its human approval gate individually (each is benign in isolation) but the compound exfiltrates data. Per-step approval is structurally insufficient.
**Reading the diagram**: Five steps flow left to right. Each step has an approval gate that PASSES. The compound (the composition) reaches IMPACT — exfiltration. The annotation names why: no single approver had session-level context, because no single step was refusable.

```mermaid
flowchart LR
  S1["STEP 1\nAgent receives email:\n'reconcile Q3 vendors\nvs billing, send discrepancies'"]
  S2["STEP 2\nReads vendor list\n+ billing records"]
  S3["STEP 3\nDrafts email to vendor,\nCC's 'billing auditor'\n(payload-supplied)"]
  S4["STEP 4\nSends the email\n(human approves:\n'reasonable note')"]
  S5["STEP 5 — IMPACT\n'Billing auditor' = attacker.\nVendor list + discrepancies\nEXFILTRATED"]

  G1["GATE: external input\n(auto-received)"] -.->|passes| S1
  G2["GATE: routine data access\nAPPROVED"] -.->|passes| S2
  G3["GATE: drafting email\nAPPROVED"] -.->|passes| S3
  G4["GATE: sending drafted email\nAPPROVED"] -.->|passes| S4
  G5["GATE: none\n(impact realized)"] -.-> S5

  S1 --> S2 --> S3 --> S4 --> S5

  NOTE["Every step PASSED its approval gate individually.\nEach is benign in isolation.\nThe malice lives in the COMPOUND —\ninvisible to any per-step control.\nNo approver had session-level context."]

  S5 --> NOTE

  style S1 fill:#08080c,stroke:rgba(240,168,104,0.4),color:#f0a868
  style S2 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
  style S3 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
  style S4 fill:#08080c,stroke:rgba(130,224,170,0.4),color:#82e0aa
  style S5 fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style G1 fill:#14141f,stroke:rgba(255,255,255,0.1),color:#9494a0
  style G2 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
  style G3 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
  style G4 fill:#14141f,stroke:rgba(130,224,170,0.3),color:#82e0aa
  style G5 fill:#14141f,stroke:rgba(240,128,128,0.3),color:#f08080
  style NOTE fill:#08080c,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
```

---

## Diagram 3 — The Three Between-the-Rows Modes (no OWASP analogue)

**Type**: Three-column comparison
**Purpose**: Isolates the three modes that have no clean OWASP row — the modes an OWASP-scoped engagement misses entirely. Each column names the mode, why no OWASP row exists, and the surface that did not exist in single-agent / text-only systems.
**Reading the diagram**: Three columns. The header row names the mode. The body names the missing OWASP analogue. The footer is the implication: an engagement scoped to OWASP alone misses all three.

```mermaid
flowchart TB
  M3["MODE 3 — INTER-AGENT TRUST ESCALATION"]
  M4["MODE 4 — COMPUTER-USE VISUAL ATTACKS"]
  M5["MODE 5 — SESSION CONTEXT CONTAMINATION"]

  M3D["No OWASP row: orchestrators treat\nsub-agent messages as role-scoped authority.\nPrincipal binding (ASI10) verifies the sender;\nit does not verify the sender is AUTHORIZED\nto request the action. Surface did not exist\nin single-agent systems."]
  M4D["No OWASP row: the attack is in PIXELS,\ndecoded by the vision model. Invisible to any\ntext-based taint gate (never appears as text\nuntil decoded) and invisible to a human reviewer.\nNo text-only analogue exists."]
  M5D["No OWASP row: the poison is ephemeral-\nbut-cross-turn — it lives in the context window\nfor the session, not in durable memory.\nASI04's harness-managed WRITE controls miss it\nbecause no write ever occurred."]

  M3 --- M3D
  M4 --- M4D
  M5 --- M5D

  IMPL["An engagement scoped to OWASP alone\nMISSES all three.\nThese surfaces exist only in multi-agent,\nvision-capable, multi-turn deployed systems."]

  M5D --> IMPL

  style M3 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style M4 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style M5 fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style M3D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
  style M4D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
  style M5D fill:#08080c,stroke:rgba(240,128,128,0.3),color:#e4e4e8
  style IMPL fill:#08080c,stroke:#f08080,stroke-width:1.5px,color:#f08080
```

---

## Diagram 4 — Per-Step vs Session-Level Detection (the required control)

**Type**: Layered architecture
**Purpose**: Shows why per-step approval is necessary and insufficient, and why session-level intent detection must sit ABOVE it. Per-step stops the single malicious action; session-level stops the chain of benign actions. Defense in depth, across two scales.
**Reading the diagram**: Two layers. Bottom = per-step approval (B8's control, correct for single actions). Top = session-level intent detection (the cross-turn extension, required for zero-click chains). The three mechanisms of session-level detection are named. The footer is the principle: you need both.

```mermaid
flowchart TB
  subgraph SESSION["SESSION-LEVEL INTENT DETECTION (cross-turn — the required layer for zero-click chains)"]
    IT["INTENT TRACKING\nrecord user's original goal;\nre-derive sub-goal each turn\nfrom SOURCE, not accumulating context"]
    CD["COMPOUND-ACTION DETECTION\neach action evaluated as next element\nof the session sequence;\npattern-match known attack shapes"]
    FW["APPROVAL FRESHNESS WINDOWS\napproval valid for bounded window/scope;\nstep outside re-triggers with\nCOMPOUND context attached"]
  end

  PERSTEP["PER-STEP APPROVAL (B8's control — correct, insufficient)\nEach high-impact action requires human approval.\nStops the SINGLE malicious action.\nBlind to the compound of benign actions."]

  SESSION -->|sits ABOVE| PERSTEP

  PRINCIPLE["PER-STEP approval stops the single malicious action.\nSESSION-LEVEL detection stops the chain of benign actions.\nYOU NEED BOTH. An agent with only per-step approval is\nvulnerable to zero-click chains; an agent with only\nsession-level detection is vulnerable to the single\naction the pattern matcher does not recognize.\nDefense in depth, across two scales."]

  PERSTEP --> PRINCIPLE

  style SESSION fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  style IT fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
  style CD fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
  style FW fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
  style PERSTEP fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
  style PRINCIPLE fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
```

---

## Diagram 5 — The B9 + SDD-B01 + SDD-B02 Engagement Stack

**Type**: Three-layer stack with outputs
**Purpose**: Shows how the three artifacts compose into one B12 engagement. B9 is the floor (proves controls present). SDD-B01 is the OWASP chains (finds residuals between rows). SDD-B02 is the Microsoft chains (finds between-the-rows modes + the zero-click HITL bypass). None alone is sufficient.
**Reading the diagram**: Three layers, bottom to top. Each names its function, unit, and output. The footer is the composition: B12 packages all three; an engagement scoped to B9 alone covers only the floor.

```mermaid
flowchart TB
  B9["B9 — DEFENSE CHECKLIST\nread as: BUILDER\nunit: the risk (one row, one control, one test)\noutput: scored report (8 PASS/FAIL + 2 MEASURED)\nfunction: proves controls are PRESENT and PASSING"]
  SDD1["SDD-B01 — OWASP OFFENSIVE PROCEDURES\nread as: ATTACKER\nunit: the OWASP row-exploitation + cross-row chain\noutput: reproduced findings + residuals the test cannot express\nfunction: finds the gap between the test and the adversary"]
  SDD2["SDD-B02 — MICROSOFT CASE-STUDY CHAINS\nread as: ATTACKER\nunit: the chain (multi-step, compound intent)\noutput: reproduced chain + the session-level gap identified\nfunction: finds the between-the-rows modes + the zero-click HITL bypass"]

  B9 -->|the floor| SDD1
  SDD1 -->|the OWASP chains| SDD2

  B12["B12 packages ALL THREE as one engagement.\nB9 = the floor. SDD-B01 = the OWASP chains.\nSDD-B02 = the Microsoft chains.\nNone alone is sufficient. Together: the complete methodology."]

  SDD2 --> B12

  COVERAGE["An engagement scoped to B9 alone has covered the FLOOR.\n+ SDD-B01 has covered the OWASP CHAINS.\n+ SDD-B02 has covered the CHAINS THAT SHOW UP IN PRODUCTION.\nAn engagement scoped to OWASP alone MISSES the three\nbetween-the-rows modes + every compound chain."]

  B12 --> COVERAGE

  style B9 fill:#14141f,stroke:rgba(94,234,212,0.5),color:#5eead4
  style SDD1 fill:#14141f,stroke:rgba(240,168,104,0.5),color:#f0a868
  style SDD2 fill:#14141f,stroke:rgba(240,128,128,0.5),color:#f08080
  style B12 fill:#08080c,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  style COVERAGE fill:#08080c,stroke:rgba(94,234,212,0.4),color:#5eead4
```

---

## Validation notes

- All five diagrams use the course design system colors: `#14141f` panel fill, `#08080c` deep background for nested nodes, `#5eead4` teal accent for the modes-that-map-to-OWASP and the principle/session-level nodes, `#82e0aa` ok-green for approval-gate-passed nodes, `#f0a868` warn-orange for per-step approval and external-input/centerpiece-annotation nodes, `#f08080` danger-red for the between-the-rows modes, impact nodes, and the Microsoft-chain layer. `#e4e4e8` / `#9494a0` for text.
- The color mapping is consistent across diagrams: teal = controls/defenses that work; green = approval gates that pass (individually); orange = the necessary-but-insufficient layer and annotations; red = the gap/impact/between-the-rows surfaces. This lets the reader track the semantic role of each node across all five diagrams.
- Paste each into [Mermaid Live Editor](https://mermaid.live) to render. All use stable Mermaid syntax (`flowchart TB/LR`, `subgraph`) supported in current Mermaid (v10.4+).
- For the slide deck (artifact 03), these are rendered as static captures from Mermaid Live, inlined into reveal.js.