exploit-forge

⏳ The Problem

A skilled security researcher takes days to weeks to analyze a vulnerability, build a test environment, write an exploit, and prove it works. The process is manual, expensive, and doesn't scale.

🤖 What exploit-forge Does

78 AI agents work together - researching the vulnerability, building Docker labs, writing exploit code, and verifying it against both vulnerable and patched targets. Fully autonomous.

✅ The Result

A complete, verified exploit package - working PoC, Docker lab, and technical writeup - delivered in minutes, not weeks. No human in the loop. Nine pipelines cover every domain.

🧩 Multidisciplinary Complexity

One CVE needs Ghidra and GDB. The next needs WinDbg on a remote VM. The next needs a Playwright browser session. Each demands a different skillset, different tools, different architectures - and hours of debugging to get right.

🦄 The Unicorn Problem

A researcher who can reverse engineer binaries, write ROP chains, pentest web apps, diff Windows patches, AND decompile Android APKs? They barely exist. And even they can only work on one thing at a time.

🌐 Every Stack, Every Framework

The target could be Node, ASP.NET, PHP, Flask, Spring, Rails - any stack. A human researcher might master two or three. The AI reads them all equally, pulling API docs, source code, and framework internals on the fly.

🗺️ Surface Mapping

Identify attack surface, entry points, dangerous sinks. Build call graphs and trace data flow from inputs to sinks.

🔎 Variant Hunting

Search for similar code patterns and related CVEs. Find variants of known vulnerability classes in new locations.

🧪 Fuzz Campaigns

Run AFL++/libFuzzer with coverage feedback, ASAN/UBSAN sanitizers. Auto-triage crashes by exploitability.

Phase 1: Reconnaissance

Pre-Recon analyzes source code for attack surfaces. Recon performs full site mapping with Playwright. Two agents feed all five parallel tracks.

Phase 2: Vulnerability Analysis

Five agents run in parallel - SQLi, XSS, Auth Bypass, SSRF, and Authorization Bypass. Each gets its own browser instance.

Phase 3: Exploitation

Only vuln types with confirmed findings proceed to exploitation. Each exploit agent gets a dedicated Playwright session to prove the finding with evidence.

🔄 Retry Presets

Production: 5min → 30min backoff, 50 max attempts
Testing: 10s → 30s, 5 attempts
Subscription: 5min → 6hr, 100 attempts

📊 State Tracking

Current phase, completed agents, per-agent cost/turns/duration, advisory warnings, and human review flags - all persisted in workflow state.

⏸️ Resume Support

Workflows pause and resume from the last checkpoint. Workspaces persist by default - use CLEAN=true for fresh runs.

Claude Executor

Manages multi-turn Claude conversations. Handles MCP tool dispatch, streaming responses, retry logic with exponential backoff, spending cap detection, and API error recovery.

Prompt Manager

Template interpolation with {{CVE_ID}}, {{WORKSPACE_PATH}} variables. Include directives for shared partials. 177 prompt template files across all pipelines.

Multi-Tier Models

Small (Haiku) for lightweight tasks, Medium (Sonnet) for standard agent work, Large (Opus) for complex reasoning. Per-agent model selection optimizes cost vs. capability.

Metrics & Billing

Per-agent tracking of turns used, USD cost, and wall-clock duration. Aggregated into workflow summary. Billing cap detection auto-pauses if spending limits are hit.

📄 Markdown Reports

• Intel brief
• Vulnerability analysis
• Lab build report
• PoC verification report
• Final README

🚦 JSON Gates

• Exploitability gate (proceed/block)
• Runtime gate (env ready?)
• Finding gate (findings sufficient?)
• Confidence scores + blockers

📦 Workspace Layout

• source/ - target code
• lab/ - Docker builds
• deliverables/ - reports + PoCs
• artifacts/ - evidence

Shared Tools

• save_deliverable
• write_file + verification
• run_in_repo
• run_exploit_test
• exploit_claim_gate

Pipeline-Specific

• WinForge: 18 tools (WinDbg, VM SSH, ghidriff)
• APKForge: 14 tools (APKTool, JADX, secrets)
• BinForge: 8 tools (GDB, checksec, crash)
• ZeroForge: 8 tools (fuzz, sanitizer, triage)

External MCPs

• EIP server (vuln intelligence)
• Playwright (5 browser agents)
• Ghidra + GDB agents
• SharkMCP (packet capture)

base.Dockerfile

Ubuntu 22.04 + Node.js 22 + Docker CLI + build tools, git, ripgrep, jq, cmake, Python 3

base-jvm.Dockerfile

Base + Java 21 + Ghidra headless - for BinForge and StackForge reverse engineering

Pipeline Layers

• CVEForge: GDB, strace, pwntools, checksec
• BinForge: Ghidra, GDB, ROPgadget, capstone
• ZeroForge: AFL++, libFuzzer, ASAN/UBSAN
• WinForge: ghidriff, QEMU guest tools

New Domains

• ShannonForge: Playwright, Chromium
• APKForge: APKTool, JADX, aapt
• WPForge: WordPress CLI, PHP, semgrep
• LabForge: Docker-in-Docker for cleanup

Commands

• start - Launch a pipeline workflow
• stop - Stop containers
• logs - Tail live workflow output
• status - Structured run status (--json)
• workspaces - List workspace dirs

Examples

• ./forge cveforge start CVE=CVE-2026-28296
• ./forge binforge start TARGET=/path/to/binary
• ./forge shannonforge start URL=https://target.com
• ./forge apkforge start APK=/path/to/app.apk
• ./forge zeroforge start TARGET_REPO=git://...

install.sh - 53 KB, 13 stages

• Base packages + Docker CE + Node.js 22
• Java 21 + Ghidra + ghidriff
• QEMU/KVM + libvirt (WinForge VMs)
• Clone 15+ repos + build all MCP servers
• Temporal + PostgreSQL + Docker images
• Windows VM provisioning (ISOs + QCOW2)

setup.sh - 42 KB, 6 stages

• System tools + Homebrew
• Systemd services (Paperclip, forge-browser)
• MCP infrastructure wiring
• B2 backup system + GPG keys
• AI tool settings (Claude Code, Codex)
• Shell config + environment

Claimed Impact

Agent claims "RCE achieved" or "authentication bypass confirmed" based on its analysis and PoC execution results.

Evidence Check

Gate compares claim against actual exploit test output - exit codes, signals, stdout/stderr, timeout state. Does the evidence support the claim?

Verdict

Approved - evidence matches claim.
Downgraded - partial evidence, reduced severity.
Blocked - no supporting evidence.

🔍 EIP Server

Query vulnerability intelligence - CVE details, exploit rankings, EPSS scores. Powers the intel phase of every CVE-based pipeline.

📋 Paperclip AI

Company workflow orchestration. CEO and ForgeRunner agents query pipeline status, trigger runs, and monitor progress via forge-ops MCP.

📱 Telegram

Real-time notifications for pipeline phase transitions and completions. The founder monitors runs from their phone.

🐙 GitHub

Clone target repositories, checkout specific commits/tags. SSH key authentication for private repos.

🗄️ PostgreSQL

forge_archive database stores audit logs, agent metrics, and deliverable metadata. Ingested via scripts for historical analysis.

☁️ Backblaze B2

Daily encrypted backups of forge data, audit logs, and workspace artifacts. GPG-encrypted at rest.

CVEForge run cost

ZeroForge run cost

Max turns per agent

TypeScript

ES2022 strict mode

Temporal.io

v1.15 workflows

Claude SDK

v0.2.38 agent runtime

Docker

11 images · Compose

MCP

18K LOC · 10 servers

Ghidra

Headless analysis

GDB

Runtime debugging

AFL++

Coverage fuzzing

IOCP race condition in the Windows kernel. WinForge identified the vulnerability through binary diffing of Patch Tuesday updates, then built a working exploit on a QEMU/KVM Windows VM.

Type confusion in Chrome's Maglev JIT compiler. After the vendor patched the original finding, exploit-forge's bypass agent found a way around the fix - in 75 minutes.

Local privilege escalation via D-Bus in systemd-machined. The vendor's patch was incomplete - exploit-forge identified and bypassed it in 72 minutes, autonomously.

Previously unknown FastCGI protocol desynchronization bugs in nginx, discovered by ZeroForge through automated coverage-guided fuzzing with AFL++ and sanitizer feedback.