Papers
Topics
Authors
Recent
Search
2000 character limit reached

OpenAnt: LLM-Powered Vulnerability Discovery Through Code Decomposition, Adversarial Verification, and Dynamic Testing

Published 17 Jun 2026 in cs.CR and cs.LG | (2606.19149v1)

Abstract: Automated vulnerability discovery in large codebases remains challenging: traditional static analysis produces high false-positive rates, while dynamic approaches such as fuzzing require substantial infrastructure and often target narrow classes of bugs. Recent advances in LLMs enable semantic reasoning about program behavior, but applying LLMs to repository-scale security analysis introduces challenges related to context management, cost, and verification. We present OpenAnt, an open-source vulnerability discovery system that integrates static program analysis with LLM-based reasoning in a multi-stage pipeline. OpenAnt introduces three key techniques. First, codebases are decomposed into self-contained analysis units filtered by reachability from external entry points, reducing the analysis surface by up to 97% while preserving attack-relevant code. Second, candidate vulnerabilities undergo adversarial verification through constrained attacker simulation, where the model evaluates exploitability under realistic attacker capabilities. Third, findings are validated through dynamic verification, in which exploit environments are generated automatically, executed in sandboxed containers, and discarded after use. Evaluation on widely used open-source projects including OpenSSL, WordPress, and Flowise shows that this architecture can identify previously unknown vulnerabilities while maintaining manageable analysis cost and substantially reducing false positives. Our results suggest that closed-loop vulnerability discovery pipelines, combining semantic reasoning with exploit validation, provide a practical path toward scalable automated security analysis. OpenAnt is released as open source under the Apache 2.0 license at https://github.com/knostic/OpenAnt.

Authors (2)

Summary

  • The paper introduces OpenAnt, a framework combining static decomposition, LLM-powered semantic analysis, adversarial simulation, and dynamic exploit generation.
  • It demonstrates a reduction of analysis scope by over 99% and confirms 75.8% of vulnerability candidates across multiple real-world codebases.
  • Results across diverse programming languages show practical, low-noise vulnerability detection with scalable cost and actionable security insights.

OpenAnt: An LLM-Integrated Pipeline for Scalable Vulnerability Discovery

Overview

This paper presents OpenAnt, an open-source framework for automated vulnerability discovery that fuses static program analysis with LLM-based semantic reasoning, adversarial attacker simulation, and dynamic exploit generation. The architecture explicitly targets the deficiencies of traditional SAST toolsโ€”high false positive rates and brittleness to contextโ€”by introducing repository decomposition, attacker-constrained verification, and scalable exploit validation. OpenAnt is implemented across multiple languages and evaluated on substantial open-source codebases, demonstrating its capacity to uncover previously unreported vulnerabilities while reducing analysis cost and false-positive volume by orders of magnitude.

Technical Contributions

Codebase Decomposition and Context Reduction

OpenAnt employs a two-stage static preprocessing pipeline leveraging AST analysis to decompose repositories into function-level "analysis units." Cross-file dependencies are resolved and inlined up to a configurable depth, producing context-complete units without overwhelming LLM context windows. Crucially, these units are filtered by call-graph reachability from entry points exposed to untrusted input (determined via decorator analysis, parameter conventions, and traversal). This preprocessing typically reduces the input to subsequent expensive LLM analysis by over 95%, retaining only security-relevant code paths.

LLM-Driven Exposure Classification and Vulnerability Detection

For each reachable unit, OpenAnt utilizes LLM agents to perform exposure classification, subdividing code into exploitable, vulnerable-internal, security-control, or neutral. The pipeline focuses its vulnerability detection exclusively on units classified as externally exploitable. The detection prompt is language-agnosticโ€”an essential claim supported by cross-language evaluationsโ€”and directs the model to reason about the codeโ€™s operational semantics, origin of input, and security ramifications without any language-specific tuning.

The detection model makes fine-grained findings: vulnerable, bypassable, inconclusive, protected, and safe. Critical here is the semantic-level approach, which traces attacker-controlled data flows into security-sensitive operations rather than performing rule- or pattern-matching.

Adversarial Verification

An adversarial verification stage is introduced: all findings (including those classified as safe/protected) are submitted to a constrained attacker simulation, where the LLM must iteratively attempt multi-strategy exploitation under realistic threat models (e.g., no server-side code manipulation or admin credentials). The adversarial model must document feasible exploitation steps, explicitly ruling out self-impact scenarios and confirming that vulnerable conditions affect another principal. Multi-strategy reasoning is enforced to mitigate false negatives inherent in single-path exploration.

Dynamic Exploit Generation and Verification

Confirmed candidates from adversarial verification are subjected to dynamic verification. Here, the LLM generates ephemeral exploit environmentsโ€”including Dockerfiles, execution scripts, and supporting artifactsโ€”executed in locked-down containers. If the exploit fails due to environment or code-generation errors, an iterative refinement process attempts up to three generations. This closed-loop, on-the-fly exploit generation is a key mechanism for minimizing persistent exploit template dependencies and essentially automates a proof-of-concept exploit for each candidate.

Evaluation and Empirical Findings

Methodology

OpenAnt is evaluated on eight real-world, actively maintained projects across six languages and diverse application domains (web frameworks, cryptographic libraries, workflow automation, etc.), explicitly avoiding synthetic or benchmark datasets (e.g., Juliet, OWASP Benchmark) due to pervasive training-data contamination issues identified in concurrent literature (2606.19149). This methodology directly evaluates OpenAntโ€™s capacity for discovering previously unpublished vulnerabilities in live codebasesโ€”arguably the most robust test of an automated vulnerability discovery pipeline.

Quantitative Results

The pipeline reduced 64,132 functions to 2,281 reachable units, then to 586 exploitable units (net 99%+ reduction before LLM-intensive stages). 190 vulnerability candidates remained after adversarial verification, of which 144 (75.8%) were reproduced with automated exploitsโ€”producing concrete, executable evidence of security flaws. These discoveries span over 30 vulnerability classes, including SSRF, IDOR, path traversal, XSS, injection, and privilege escalation, with high confirmation rates in classes leveraging direct input manipulation (e.g., 100% for command injection, 88.9% path traversal).

Adversarial verification eliminated 49.5% of initial findings, with most filtered due to effective input sanitization, authentication gating, attacker-only self-harm, or platform-level protections. The pipeline's reachability filtering cut LLM-stage compute costs by over 96% relative to naรฏvely analyzing all functions, bringing the full evaluation across all repositories to $1,461.25 versus an otherwise projected$23,700.

A particularly notable claim is the effectiveness of a single, language-agnostic prompt for semantic analysis and vulnerability reasoning across all tested ecosystems, with no prompt specialization or tailoring per language.

Theoretical and Practical Significance

OpenAnt's adversarial verification and dynamic confirmation stages provide empirical evidence that most LLM-based security pipelines suffer from high false positive rates due to a lack of feasible exploitation modeling; static SAST and even LLM-only approaches often confuse suspicious code with genuine, attacker-exploitable flaws. By requiring explicit attacker simulation and concrete exploit evidence, OpenAnt tightly couples vulnerability detection to practical exploitability, shrinking the space of actionable findings and streamlining triage for real-world adoption.

From a theoretical perspective, OpenAnt demonstrates that closed-loop, multi-agent, and multi-modal pipelines can overcome critical limitations in model context size, cost, and the ambiguity of static code analysis. The generalization of the detection prompt signals that cross-language vulnerability semantics can, at least in common web and backend architectures, be abstracted without language-specific heuristics.

Limitations and Open Questions

OpenAnt is not without constraints. The system is inherently limited by the reasoning capability, context length, and semantic understanding of the LLM substrate. It bears the inability to provide formal non-exploitation guarantees (negative proofs), and its dynamic verification is bounded by the fidelity of the generated runtime environment. Vulnerability classes requiring complex environment orchestration or precise race/timing controls remain difficult to confirm automatically. Moreover, the cost of agentic code exploration is non-trivial for very large repositories, despite efficient static reduction in analysis surface.

For future development, there are clear trajectories toward integrating specialized long-context models, improved hybridization with symbolic analyzers, and formal verification for high-assurance scenarios. Incremental, cache-based analysis may further close the computational efficiency gap.

Implications and Future Outlook

OpenAnt provides a clear architecture and empirical basis for the future of automated, LLM-assisted vulnerability discovery. Its continuous refinement pipelineโ€”transitioning from static reduction to semantic reasoning, attacker simulation, and empirical exploit generationโ€”serves as a blueprint for moving toward scalable, actionable, and low-noise automated security analysis. The pipelineโ€™s architecture is immediately extensible: incorporating symbolic reasoning, formal verification modules, or hybrid dynamic analyses would broaden both its correctness and coverage.

In the broader context of AI for security, OpenAntโ€™s approachโ€”treating LLMs not as static classifiers but as tool-using agents capable of adversarial reasoningโ€”likely presages a shift toward more robust, interactive, and verifiable automated infosec systems. The open-source release ensures a replicable baseline for both academic and industrial advancement.

Conclusion

OpenAnt exemplifies a state-of-the-art architecture for repository-scale vulnerability discovery by integrating static reachability analysis, LLM-powered semantic reasoning, adversarial attacker simulation, and automated exploit generation within a closed-loop pipeline. Its empirical performance on real-world codebases validates both the necessity of multi-stage reasoning and the feasibility of economically viable LLM-driven security analysis. The adversarial verification methodology raised in this work refines the space of actionable results and may inform design patterns for future autonomous code analysis tools. The approach holds promise for integration with other forms of program analysis and for extension to security-critical domains requiring both broad coverage and granular exploit confirmation.

For further details and to access the codebase, OpenAnt is available at https://github.com/knostic/OpenAnt.


Reference: "OpenAnt: LLM-Powered Vulnerability Discovery Through Code Decomposition, Adversarial Verification, and Dynamic Testing" (2606.19149)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Explain it Like I'm 14

A simple explanation of โ€œOpenAnt: LLMโ€‘Powered Vulnerability Discovery Through Code Decomposition, Adversarial Verification, and Dynamic Testingโ€

1. What is this paper about?

This paper introduces OpenAnt, a tool that helps find security problems (vulnerabilities) in big piles of computer code. Instead of just guessing where problems might be, it uses an advanced AI that can read and reason about code, then tries to prove whether a problem can actually be attacked for real. The goal is to find real, important issues while avoiding false alarms that waste developersโ€™ time.

2. What questions were the authors trying to answer?

  • How can we search huge codebases without getting lost or paying a fortune for AI time?
  • Can an AI go beyond โ€œthis looks suspiciousโ€ and reason like a real attacker would?
  • Can we automatically show proof (a working test) that a bug is actually exploitable?

3. How did they do it? (Methods in everyday terms)

Think of a giant software project like a city with thousands of buildings (functions). OpenAnt acts like a team of safety inspectors who narrow down where danger could really affect the public, then test those spots carefully.

Hereโ€™s the stepโ€‘byโ€‘step plan:

  1. Parse and map the code (build the city map)
  • The system reads the whole codebase and records every function and which functions call which (a โ€œcall graphโ€).
  1. Keep only places the public can reach (shrink the search area)
  • It filters to functions that can be reached from โ€œentry pointsโ€ where outside users give input (like web routes and API endpoints). This cuts away most internal helper code that attackers canโ€™t touch.
  1. Classify exposure (identify highโ€‘risk rooms)
  • An AI looks at each reachable unit and decides whether itโ€™s truly exposed to users and worthy of deeper security checking.
  1. Detect possible vulnerabilities (spot likely hazards)
  • A stronger AI analyzes how user input flows through the code and if it reaches dangerous actions (like database queries, file access, or network calls) without proper checks.
  1. Adversarial verification (reason like a real attacker)
  • The AI pretends to be an attacker with realistic limits:
    • only a web browser (no server access, no admin passwords, no editing server files)
  • It tries multiple attack ideas, step by step, and records what would have to happen for the attack to workโ€”or why it fails. It also ignores โ€œselfโ€‘harmโ€ cases where only the attackerโ€™s own data is affected.
  1. Dynamic verification (build a mini test world)
  • For the most plausible findings, the system automatically builds a small, isolated environment (a Docker container) and runs a test exploit to see if the problem really happens. When finished, it deletes everything it created. This produces concrete evidence: CONFIRMED or not.

Key ideas behind this pipeline:

  • Code decomposition and reachability: break the code into small, selfโ€‘contained chunks that include their dependencies, then keep only the parts that outside users can reach. This keeps the AI focused and saves cost.
  • Adversarial verification: donโ€™t just claim a bugโ€”show how an attacker would actually use it despite realโ€‘world barriers (logins, input checks, browser rules).
  • Dynamic testing: automatically generate and run proofโ€‘ofโ€‘concept attacks in a safe sandbox to confirm the issue.

4. What did they find, and why is it important?

They ran OpenAnt on eight wellโ€‘known openโ€‘source projects (like WordPress, OpenSSL, and others) written in six different programming languages.

What happened:

  • Huge reduction in code to analyze: from 64,132 functions down to about 2,281 โ€œreachableโ€ units (around a 96% cut) before heavy AI reasoning began, and then down to about 586 truly exposed units.
  • Real vulnerability candidates: 190 issues survived the attackerโ€‘style reasoning step.
  • Concrete proof: 144 of those (about 76%) were reproduced automatically with generated exploits in sandboxed containers.
  • Lower cost through filtering: the whole run cost about $1,461. Without the early filtering steps, it would have been about$23,700.

Why this matters:

  • Fewer false alarms: Many traditional tools flag lots of โ€œmaybeโ€ problems. OpenAntโ€™s attacker simulation and live tests filter out the ones that donโ€™t really matter, giving developers a shorter, more trustworthy list.
  • Works across languages: The same reasoning approach (follow user input to dangerous actions) worked for multiple programming languages without changing the core prompt.
  • Realโ€‘world relevance: Instead of judging success only on artificial test sets (which AIs might have โ€œseenโ€ during training), they focused on finding new issues in actively maintained projects.

5. Whatโ€™s the bigger impact?

  • For developers and security teams: This approach helps teams focus on real, exploitable risks, not noise. It can fit into code reviews or ongoing security checks for large projects.
  • For the security field: It shows a practical path to scalable, AIโ€‘assisted code securityโ€”combine smart filtering, attackerโ€‘style reasoning, and automated proof.
  • For future work: There are limitsโ€”some complex bugs are hard to reproduce automatically; the system depends on the AIโ€™s skills; and large analyses can still be costly. But as AIs improve and costs drop, this โ€œclosed loopโ€ (reason, then verify with a live test) could become a standard way to find serious vulnerabilities at scale.

In short: OpenAnt is like a careful, efficient security inspector for code: it narrows the search to places outsiders can reach, thinks like a patient attacker, and then builds a safe test to show whether the danger is real.

Knowledge Gaps

Below is a consolidated list of concrete knowledge gaps, limitations, and open questions that remain unresolved by the paper. Each item is phrased to suggest actionable directions for future research.

  • Lack of head-to-head baselines: No quantitative comparison against leading SAST tools (e.g., CodeQL, Semgrep), fuzzing frameworks, or LLM-only detectors on the same repositories with matched metrics (precision/recall/F1, PPV, developer-validated true/false positives).
  • Absent ground truth and disclosure outcomes: The claim of discovering โ€œpreviously unknown vulnerabilitiesโ€ is not substantiated with responsible disclosure IDs, CVEs, patch links, or maintainer confirmations; without these, external validity of discoveries remains unverified.
  • No recall estimation: The pipelineโ€™s false-negative rate is unmeasured; there is no sampling of known exploitable issues in the evaluated repos to estimate missed vulnerabilities.
  • Incomplete funnel reporting: Key funnel counts per project (e.g., flagged in Stage 4, confirmed in Stage 5) are partially missing or truncated, preventing full reproducibility and cross-project comparison.
  • Entry-point heuristics may induce false negatives: The reachability filter relies on framework-specific patterns and decorators; its recall on dynamic dispatch, reflection, meta-programming, CLI tools, RPC handlers, GraphQL resolvers, or non-standard routing is not evaluated.
  • Library vs. application attack-surface modeling: For libraries (e.g., OpenSSL), defining โ€œexternally reachableโ€ is non-trivial; the paper does not clarify criteria or validate that true library attack surfaces were preserved after reachability filtering.
  • No ablation on dependency inlining depth: The choice of inlining dependencies to depth=3 is not justified; there is no study of deeper data flows, performance/accuracy trade-offs, or adaptive depth strategies by language/framework.
  • No study of call-graph soundness: The robustness of cross-file call-graph construction for dynamically typed languages (PHP, Ruby, JS/TS), C/C++ macros, templates, or reflection is unmeasured; impact on missed taint paths is unknown.
  • Exposure classification accuracy unknown: Stage 3 classification quality (exploitable vs. neutral/security-control) lacks a gold-standard evaluation, inter-rater agreements, or error analyses.
  • Stage interactions not quantified: It is unclear how often Stage 5 overturns Stage 4 โ€œsafe/protectedโ€ assessments, and what net value Stage 4 adds; an ablation is needed to justify each stageโ€™s contribution to cost and accuracy.
  • Model dependence and portability: Results depend on closed Anthropic models (Sonnet/Opus). Robustness across model vendors, versions, and open-source models (and under model drift) is untested.
  • Prompt sensitivity and determinism: The โ€œlanguage-agnosticโ€ prompts are not published; there is no sensitivity analysis on prompt variants, temperature, or sampling strategies, nor evaluation of run-to-run flakiness.
  • Cost/runtime reproducibility: Only dollar costs are reported; wall-clock times, hardware, concurrency, and queueing latencies are not reported, hindering operational planning and SLA estimation.
  • Incremental and large-scale deployment: The pipelineโ€™s behavior on monorepos, multi-million-LOC codebases, and incremental/CI runs (diff-based, caching, memoization) is untested.
  • Attacker model rigidity: The adversarial verification assumes a browser-only, unauthenticated remote attacker. Exploits requiring authenticated low-privilege users, insiders, API tokens, mobile apps, CLIs, or service principals are outside scope and unanalyzed.
  • โ€œVictim requirementโ€ may mask real impact: Disallowing self-impact scenarios may miss meaningful exposures (e.g., stored-XSS awaiting admin view, privilege escalation from attacker-owned objects) and multi-step exploit chains.
  • Multi-stage exploit chains: The system does not model chained vulnerabilities across services/components; how to compose findings into realistic kill-chains remains open.
  • Dynamic verification environment gaps: The sandbox constraints (512 MB RAM, 1 CPU, 120 s timeout) likely prevent reproducing complex builds, integration dependencies, or timing-sensitive issues; the proportion of INCONCLUSIVE/ERROR due to environment limits vs. non-exploitability is not analyzed.
  • Network and external-service modeling: SSRF and egress behaviors depend on network topology; clear policies for external network access, stub services, DNS, and intra-service isolation are not detailed or evaluated.
  • Safety and ethical safeguards: Potential risks from running auto-generated exploit code (e.g., sandbox escapes, unintended outbound requests) and the governance/IRB/responsible use policies are not specified.
  • Tooling attack surface: The pipeline executes untrusted code in containers; a threat analysis of the orchestrator, container isolation, and supply-chain dependencies (e.g., package managers) is absent.
  • Coverage beyond input-to-sink flaws: The system focuses on taint-style vulnerabilities; its ability to detect logic bugs, protocol violations, memory safety, concurrency, and side-channel issues is limited and not empirically quantified.
  • Memory safety in C/C++: The approachโ€™s effectiveness on low-level memory errors (common in OpenSSL) is unclear; no integration with sanitizers/fuzzers or differential testing is explored.
  • Lost-in-the-middle mitigation unquantified: While decomposition is posited as a remedy, there is no measurement of long-context degradation vs. unit-level performance, nor alternative retrieval/hierarchical strategies.
  • CWE mapping and severity: Findings are not mapped to CWE categories or assigned severity (e.g., CVSS), limiting triage prioritization and cross-tool comparability.
  • Developer-centric outcomes: No measurement of time-to-triage, fix acceptance, remediation guidance quality, or reduction of alert fatigue in real developer workflows.
  • Triage artifacts and datasets: The paper does not release the structured outputs (Stage 5 reasoning trails, Stage 6 PoCs), making independent auditing of exploitability assessments difficult.
  • Effect of caching and retrieval: Despite high Stage 3 costs, there is no evaluation of semantic caching, code embedding retrieval, or index-assisted navigation to reduce repeated exploration.
  • Build-system and ecosystem variability: The robustness of Stage 6 across diverse build tools (e.g., Bazel, CMake, Gradle), OS-specific dependencies, and GPU/accelerator constraints is untested.
  • Role- and tenant-aware verification: The system lacks a mechanism to synthesize realistic authenticated identities/tenants and verify authorization boundaries (e.g., ABAC/RBAC, multi-tenant isolation).
  • Parameterizable attacker capabilities: There is no interface to tailor attacker constraints (e.g., mobile client, API-only, OAuth tokens, insider) per project, nor evaluation of how such parameters affect detection outcomes.
  • Flakiness across retries: Stage 6 allows up to three fix-and-retry iterations, but the success curve, failure modes, and stability across runs are unreported.
  • Integration with other analyses: How to compose OpenAnt with fuzzing, symbolic execution, or Datalog-based static analysis for higher recall and stronger guarantees remains open.
  • Maintainability under model changes: The pipelineโ€™s brittleness to model API changes and pricing/latency volatility is not discussed; strategies for model-agnostic orchestration are missing.
  • Privacy/compliance for proprietary code: The implications of sending code to third-party LLMs, data retention policies, and options for on-prem or air-gapped inference are not addressed.
  • Entry-point discovery across architectures: Microservices, event-driven systems, message queues, and serverless triggers pose non-HTTP entry points; discovery and reachability across these paradigms is not evaluated.
  • Selection bias in evaluated projects: Projects favor web-facing repos; external validity to embedded systems, desktop apps, kernel modules, or data pipelines is untested.
  • Ranking and prioritization: The system reports counts but lacks principled scoring/ranking of findings for efficient human triage under budget constraints.

Practical Applications

Immediate Applications

Below are actionable use cases that can be deployed now, derived from OpenAntโ€™s code decomposition, adversarial verification, and dynamic (Docker-based) exploit validation. Each bullet indicates relevant sectors and key dependencies/assumptions.

  • Evidence-based CI/CD security gates for repositories
    • Sectors: software, SaaS, finance, healthcare, government IT
    • What: Integrate OpenAnt as a CI job (e.g., GitHub Action/GitLab CI) to scan only externally reachable code paths, run LLM-based adversarial verification, and attach reproducible PoC artifacts to pull requests.
    • Tools/workflow: โ€œOpenAnt CI Action,โ€ PR-comment bot that posts CONFIRMED PoCs; merge gating on โ€œCONFIRMEDโ€ tag.
    • Dependencies: Supported languages (Python, JS/TS, Go, C/C++, Ruby, PHP); Docker on CI runners; LLM API access/cost budget; network permissions for sandboxed tests as needed.
    • Assumptions: Input-driven vulnerabilities are in scope; long-context model quality affects detection.
  • Triage noise reduction for existing SAST deployments
    • Sectors: software, AppSec tooling vendors
    • What: Use OpenAntโ€™s reachability filtering to pre-filter SAST findings and its adversarial verification to down-rank non-exploitable alerts.
    • Tools/workflow: โ€œReachability Filterโ€ plugin for Semgrep/CodeQL; โ€œAdversarial Verifier SDKโ€ that ingests SAST alerts and emits exploitability labels/PoCs.
    • Dependencies: Access to project call graphs; mapping of SAST alerts to code units; LLM API.
    • Assumptions: SAST alert context is sufficient for LLM reasoning.
  • Evidence-backed vulnerability reports for maintainers and CVE filings
    • Sectors: open-source maintainers, MSSPs, bug bounty programs
    • What: Run OpenAnt pre-release or on bug bounty submissions to auto-generate PoCs and structured JSON outcomes (CONFIRMED/INCONCLUSIVE/etc.), improving triage throughput and report quality.
    • Tools/workflow: โ€œExploit Reproducer CLIโ€; scheduled scans on release candidates; attach containerized PoC artifacts to security advisories.
    • Dependencies: Buildable test environment; Docker; repository access.
    • Assumptions: Dynamic verification covers the vulnerability environment without complex external deps.
  • Secure plugin/extension marketplace vetting
    • Sectors: WordPress, npm, VS Code, browser extensions, workflow platforms (Flowise, n8n)
    • What: Scan third-party plugins with reachability filtering and exploit validation to detect IDOR, SSRF, mass assignment, XSS before publication.
    • Tools/workflow: โ€œMarketplace Intake Scannerโ€ pipeline; publish exploit evidence to maintainers privately.
    • Dependencies: Sandbox-safe execution of plugin code; containerization; clear entry-point heuristics for each framework.
    • Assumptions: Marketplace policies permit automated analysis and temporary execution.
  • Rapid pre-engagement code review for consulting and pentesting
    • Sectors: security consulting, MSSPs
    • What: Accelerate scoping by quickly highlighting externally exposed risky flows and validated PoCs, guiding manual testing toward likely exploitable areas.
    • Tools/workflow: โ€œDiscovery-then-Manualโ€ two-phase workflow; deliverable includes exploit evidence bundle.
    • Dependencies: Client repository access; safe sandboxing; model access.
    • Assumptions: Client code builds cleanly enough for containerized PoC execution.
  • Due diligence scanning in M&A and vendor risk management
    • Sectors: finance, enterprise procurement, legal
    • What: Produce an evidence-based risk snapshot of targetsโ€™ codebases, focusing on exploitable, externally reachable vulnerabilities.
    • Tools/workflow: โ€œEvidence-Based Risk Reportโ€ with per-repo funnel stats and validated findings.
    • Dependencies: Legal permission for source access; compute budget; Docker.
    • Assumptions: Short engagement windows; coverage limited to input-driven classes.
  • SecOps/SOC enrichment for incident response
    • Sectors: enterprise SecOps, MSPs
    • What: When a suspicious endpoint is implicated in incidents, run targeted OpenAnt units to confirm exploitability and reproduce attack paths.
    • Tools/workflow: โ€œOn-demand Adversarial Verificationโ€ job tied to incident ticket.
    • Dependencies: CI/security infra with Docker; time-boxed LLM calls.
    • Assumptions: Code versions under investigation are accessible.
  • Compliance and assurance evidence for SSDF/ISO 27001/PCI DSS controls
    • Sectors: regulated industries (finance, healthcare)
    • What: Treat dynamic verification logs and artifacts as objective evidence that high-risk paths are tested for exploitability.
    • Tools/workflow: Pipeline artifacts archived in compliance repository; audit dashboards.
    • Dependencies: Policy acceptance of AI-assisted validation; retention strategy for ephemeral artifacts.
    • Assumptions: Auditors accept reproducible PoCs as evidence; privacy constraints on code access.
  • Secure development education and labs
    • Sectors: academia, corporate training
    • What: Use OpenAnt to generate real PoCs from training repos, teaching closed-loop โ€œfrom code to exploitโ€ reasoning.
    • Tools/workflow: Classroom kits with predefined repos and ephemeral containers.
    • Dependencies: Student-safe compute; curated repos; controlled LLM usage.
    • Assumptions: Focus on input-driven classes aligns with course objectives.
  • Low-cost small-team security for SMEs
    • Sectors: SMEs, startups
    • What: Host an โ€œOpenAnt Liteโ€ scheduled scan on critical services to catch high-impact, externally exposed flaws without a dedicated AppSec team.
    • Tools/workflow: Weekly/PR-triggered scans with digest reports and PoCs.
    • Dependencies: Budgeting per-run; Docker-ready CI; LLM API.
    • Assumptions: SMEs accept the subset coverage and cost variability.

Long-Term Applications

The following applications require further research, scaling, integration, or standardization before broad deployment.

  • Auto-remediation loops with exploit-to-fix workflows
    • Sectors: software, DevSecOps tooling vendors
    • What: Couple confirmed exploits to LLM-guided patch suggestions, test patches against the same dynamic harness, and auto-open PRs.
    • Dependencies: High-precision patch generation; regression testing; human-in-the-loop review.
    • Assumptions: Adequate model reliability for safe code modification.
  • IDE-native โ€œattacker simulationโ€ and reachable-path reasoning
    • Sectors: developer tooling
    • What: Inline โ€œWhat can an attacker do here?โ€ analysis in editors, showing reachable sinks and exploitability with on-demand PoC harness generation.
    • Dependencies: Efficient local context retrieval; low-latency LLMs; developer privacy controls.
    • Assumptions: Cost and latency reduction for interactive use.
  • Sector-grade coverage for complex environments (microservices, distributed systems, ICS)
    • Sectors: energy, manufacturing, telecom, fintech, healthcare
    • What: Extend dynamic verification to multi-service orchestrations (Kubernetes), message buses, and timing/race conditions using coordinated containers.
    • Dependencies: Orchestrated testbeds; service emulators; tighter time control; possibly fuzzing integration.
    • Assumptions: Feasible to model external dependencies and timing in CI; extended vulnerability classes.
  • Integration with formal methods and symbolic execution
    • Sectors: high-assurance software (aerospace, medical devices, finance)
    • What: Use symbolic execution to prove reachability to sinks and feed counterexamples into OpenAntโ€™s dynamic harness for exploit realization.
    • Dependencies: Scalable hybrid analysis; interchange formats between tools; compute resources.
    • Assumptions: Hybrid pipelines outperform either approach alone for critical components.
  • National-scale scanning of critical open source with evidence artifacts
    • Sectors: public sector, CERTs, policy
    • What: Government-backed programs to continuously scan critical OSS, publish responsible, evidence-based advisories, and support maintainers with PoCs.
    • Dependencies: Funding; governance and disclosure policy; community coordination; compute.
    • Assumptions: Policy alignment with OSS ecosystems and responsible disclosure norms.
  • Supply-chain and registry gatekeeping with exploit-validated checks
    • Sectors: package registries (npm, PyPI), container registries, app stores
    • What: Mandate or incentivize exploit-validated scans for high-risk packages prior to feature releases or โ€œtrustedโ€ labels.
    • Dependencies: Standard APIs for results; throughput to handle ecosystem scale; avoiding excessive false negatives/positives.
    • Assumptions: Community acceptance; fairness and transparency in gatekeeping.
  • Risk scoring for cyber insurance underwriters
    • Sectors: insurance, finance
    • What: Use counts and severity of CONFIRMED vulnerabilities in core services to inform premiums and underwriting decisions.
    • Dependencies: Standardized scoring; anti-gaming safeguards; periodic attestations.
    • Assumptions: Legal and ethical permission to assess codebases; consistent methodologies.
  • Benchmarking and research standards for LLM security evaluation
    • Sectors: academia, standards bodies (NIST/ISO), industry consortia
    • What: Establish contamination-aware evaluation protocols using real-world discovery and dynamic verification as a gold standard.
    • Dependencies: Shared datasets of anonymized PoCs; reproducibility infrastructure.
    • Assumptions: Broad adoption by researchers and vendors.
  • Privacy-preserving and on-prem LLM analysis
    • Sectors: healthcare, finance, defense
    • What: Deploy OpenAnt with local or edge LLMs and offline container builds so source never leaves the perimeter.
    • Dependencies: Strong local models; MLOps for on-prem; hardware.
    • Assumptions: Local models approach cloud LLM reasoning quality.
  • Cross-language and monorepo scale-out with hierarchical analysis
    • Sectors: large enterprises
    • What: Hierarchical/context-chunking strategies to handle very deep call graphs and massive monorepos without losing relevant context.
    • Dependencies: Improvements in retrieval-augmented analysis; model long-context robustness.
    • Assumptions: Continued advances in model context handling and cost efficiency.
  • Standardized exploit-result schema and attestation
    • Sectors: compliance, supply chain, auditors
    • What: Define a common JSON/attestation schema for exploit outcomes that auditors and tools can verify and exchange.
    • Dependencies: Industry consensus; cryptographic signing/attestation infrastructure.
    • Assumptions: Ecosystem incentives for interoperability outweigh vendor lock-in.
  • Augmented fuzzing guided by LLM semantic triage
    • Sectors: software, security research
    • What: Use OpenAnt to identify promising sinks/paths; hand seeds/constraints to fuzzers (AFL/libFuzzer/OSS-Fuzz) for deeper coverage and variant discovery.
    • Dependencies: Seed generation interfaces; instrumentation; CI orchestration.
    • Assumptions: Synergy improves recall on complex bugs beyond input-driven classes.
  • Continuous โ€œruntime postureโ€ monitoring in production-like mirrors
    • Sectors: SaaS, cloud platforms
    • What: Mirror production builds into staging and run periodic exploit validation with synthetic traffic to detect regressions or newly reachable paths.
    • Dependencies: Safe staging infra; change-detection triggers; cost controls.
    • Assumptions: Organizational tolerance for frequent automated security exercises.

Notes on feasibility across applications

  • Model capability/limits: Effectiveness depends on LLM reasoning quality and context window limits; some classes (logic/spec violations, race conditions) remain challenging.
  • Cost controls: Stage 3 (exposure classification) dominates operational cost; reachability filtering and caching are essential for scale.
  • Dynamic verification coverage: Complex dependencies and timing-sensitive exploits may require manual harnessing or extended orchestration.
  • Scope alignment: Best results for input-driven vulnerabilities that propagate to dangerous sinks (injection, path traversal, SSRF, auth bypass, XSS).
  • Governance and data handling: Policies may restrict code sharing with cloud LLMs; on-prem deployments mitigate but require strong local models and MLOps maturity.

Glossary

  • Abstract syntax tree (AST): A tree representation of the syntactic structure of source code used for program analysis and tooling. "language-specific abstract syntax tree (AST) analysis."
  • Adversarial verification: A validation stage that tests whether a hypothesized vulnerability is exploitable by simulating realistic attacker behavior. "Stage 5: Adversarial Verification"
  • Agentic exploration: Iterative, tool-assisted code navigation by an LLM agent to gather context and trace relationships for analysis. "the agentic code exploration required to trace call relationships and security exposure."
  • American fuzzy lop (AFL): A popular coverage-guided fuzzing tool that discovers bugs by mutating inputs and monitoring execution. "American fuzzy lop (AFL)."
  • Authorization bypass: A flaw allowing access to protected functionality or data without proper permission checks. "including authorization bypasses, server-side request forgery (SSRF), injection vulner- abilities, and path traversal flaws."
  • Benchmark leakage: Contamination where evaluation benchmarks appear in model training data, inflating apparent performance. "LLM benchmark leakage"
  • Bidirectional call graph: A graph of function calls that records both caller and callee relationships for program understanding. "construct a bidirectional call graph"
  • Breadth-first traversal: A graph exploration strategy that visits neighbors level by level, used here to mark reachable functions. "performs a breadth-first traversal of the call graph"
  • Closed-loop vulnerability discovery pipeline: An analysis process that cycles from detection to verification and back, aiming to produce concrete exploit evidence. "closed-loop vulnerability discovery pipeline"
  • Constrained attacker simulation: Modeling a realistic attacker with limited capabilities (e.g., browser-only, no admin) to test exploitability. "constrained attacker simulation"
  • Cross-site scripting (XSS): An injection attack where untrusted input is executed as script in a user's browser. "cross-site scripting (XSS)"
  • Data-flow analysis: Static analysis that tracks how data moves through a program to identify unsafe flows to sensitive operations. "data-flow analysis."
  • Dangerous sink: A security-sensitive operation (e.g., file I/O, command exec) that becomes hazardous when fed attacker-controlled input. "dangerous sink"
  • Decorator analysis: Inspection of framework-specific annotations to identify externally exposed functions. "decorator analysis"
  • Docker Compose: A YAML-based tool for defining and running multi-container Docker applications. "a Docker Compose configuration"
  • Dynamic verification: Runtime validation that attempts to reproduce exploits in a controlled environment. "Stage 6: Dynamic Verification"
  • Ephemeral execution: Short-lived, disposable test environments that are created to run an exploit and then removed. "Ephemeral execution."
  • Exposure classification: Categorizing code units by security relevance and external reachability before deeper analysis. "Stage 3: Exposure Classification"
  • IDOR (Insecure Direct Object Reference): A class of authorization flaws where direct references to objects can be manipulated to access others' data. "IDOR / Missing Authorization"
  • Intermediate representation: A unified, language-agnostic format produced by parsers to support downstream analysis stages. "unified intermediate representation"
  • Language-agnostic prompt: A single prompt template designed to reason about vulnerabilities across different programming languages. "the detection prompt is language-agnostic."
  • Lost-in-the-middle effect: Degradation in model accuracy when key information appears in the middle of long inputs. "lost-in-the-middle effect"
  • Mass assignment: A vulnerability where bulk input binding sets unintended object fields, enabling privilege escalation or policy bypass. "Mass Assignment / Privilege Escalation"
  • OSS-Fuzz: A continuous fuzzing service for open-source projects that automates large-scale bug discovery. "OSS-Fuzz"
  • Path traversal: An attack that manipulates file paths to access files outside intended directories. "path traversal flaws."
  • Reachability filtering: Restricting analysis to code reachable from external inputs to reduce cost while preserving attack surface. "reachability filtering reduces the analysis set to 390 units"
  • Sandboxed Docker containers: Isolated containerized environments with restricted resources used for safe exploit testing. "sandboxed Docker containers"
  • Server-side request forgery (SSRF): An attack where a server is tricked into making unintended requests to internal or external services. "server-side request forgery (SSRF)"
  • Static Application Security Testing (SAST): Automated static code analysis for detecting potential vulnerabilities without executing the program. "Static Application Security Testing (SAST) tools"
  • Symbolic analysis: Program reasoning technique using symbolic representations of inputs/paths to infer properties or find bugs. "symbolic analysis"
  • Zip Slip: A path traversal vulnerability in archive extraction allowing files to be written outside the target directory. "Zip Slip"

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 4 tweets with 41 likes about this paper.