Papers
Topics
Authors
Recent
Search
2000 character limit reached

Agentic Vulnerability Discovery

Updated 9 July 2026
  • Agentic Vulnerability Discovery is a method that orchestrates staged, tool-mediated analysis to gather evidence and validate hypotheses across multiple stages.
  • It integrates techniques like guided fuzzing, multi-agent auditing, and dynamic verification to improve detection accuracy and reduce false positives.
  • Practical applications include repository scans, web exploit confirmations, and cyber-physical system audits, showcasing its versatility in diverse security domains.

Agentic vulnerability discovery is a family of methods that treats vulnerability analysis as a staged, tool-mediated, and evidence-accumulating process rather than as one-shot classification or isolated prompting. In the current literature, the term spans repository-level vulnerability detection, exploit confirmation from minimal metadata, guided fuzzing around inferred invariants, harness-synthesized multi-agent auditing, and the discovery of vulnerabilities introduced by agentic runtimes themselves. Across these settings, the common pattern is an orchestrated system that plans investigations, acquires bounded context, invokes specialized tools, validates hypotheses with external evidence, and emits structured findings or proof artifacts (Meng et al., 11 Mar 2026, Sajadi et al., 15 Feb 2026, Luo et al., 17 Jun 2026, Hou et al., 20 Jun 2026).

1. Conceptual scope and problem framing

Agentic vulnerability discovery emerged in response to limits that recur across several security domains. Repository-level code vulnerabilities often depend on long-range dependencies, cross-file interactions, configuration state, helper functions, and runtime conditions that are invisible to local code views, so one-shot predictors and function-local encoders struggle to gather and reconcile the required evidence (Meng et al., 11 Mar 2026). In web exploitation, static and dynamic scanners frequently produce non-actionable findings because they do not connect a CWE label and a source location to concrete triggers, preconditions, and reproduction steps; AXE therefore positions agentic exploitation as a validation stage that consumes minimal metadata and autonomously attempts to confirm exploitability (Sajadi et al., 15 Feb 2026). In secure software engineering workflows, isolated tasks such as detection or patch generation do not reflect industrial practice; a role-based workflow with Planner, Analyzer, Fixer, and Verifier explicitly embeds discovery within a broader cycle of diagnosis, remediation, and fix verification (Basu et al., 12 Jun 2026).

The same expression also names a second research direction: discovering vulnerabilities that arise because a model is embedded in an agentic loop. In the AgentSeer work, an “agentic vulnerability” is a failure mode that emerges only when a LLM operates within a system with tools, memory, delegation, and environmental interaction, and the paper reports “agentic-only” vulnerabilities that fail at model level but succeed inside the agentic execution context (Wicaksono et al., 21 Sep 2025). The runtime-supply-chain formulation goes further by recasting retrieved context, memory, and tool resolution as inference-time dependencies exposed to a Man-in-the-Environment adversary; this shifts the attack surface from static build artifacts to cyclic runtime behavior (Jiang et al., 23 Feb 2026). In safety-critical cyber-physical settings such as Agentic Vehicles, the scope expands again: agentic vulnerability discovery becomes role-aware, cross-layer threat analysis over Personal Agent, Driving Strategy Agent, and deterministic Safety Check boundaries, with cognitive risks such as memory poisoning, intent breaking, and misaligned behavior interacting with perception, communication, and control layers (Eslami et al., 18 Dec 2025).

A plausible implication is that the phrase now names a methodological family rather than a single task. Some systems use agents to find vulnerabilities in software or protocols; others analyze the vulnerabilities of the agentic substrate itself. What unifies them is not the artifact under test, but the reliance on staged reasoning, tool invocation, persistent state, and explicit validation.

2. Recurring architectural patterns

A central architectural pattern is the replacement of monolithic inference with layered orchestration. VulnAgent-X makes this explicit through five stages: lightweight risk screening, bounded context expansion, specialized analysis agents, selective dynamic verification, and evidence fusion (Meng et al., 11 Mar 2026). Risk triage retains only the top-KK suspicious regions, with default suspicious-region budget K=8K = 8, while bounded context expansion retrieves callers, callees, tests, configs, and similar changes under a default context budget B=6,000B = 6{,}000 tokens. The framework then routes work among a Router Agent, Semantic Analysis Agent, Security Analysis Agent, Logic Bug Agent, and Sceptic Agent, before a Verification Agent is triggered only for “high-severity/low-confidence” cases and evidence is fused into a structured finding tuple fi=(ti,li,ei,ci,si)f_i = (t_i, l_i, e_i, c_i, s_i) (Meng et al., 11 Mar 2026).

Role separation appears in other forms. The vulnerability-handling workflow built on CrewAI fixes four roles—Planner, Analyzer, Fixer, and Verifier—and constrains each role’s outputs so that discovery remains distinct from remediation and verification (Basu et al., 12 Jun 2026). Code-Augur converts an agent’s implicit notion of “secure” into explicit local invariants that are committed as in-source assertions and then falsified by a guided fuzzer, turning specification inference into the core orchestration primitive (Luo et al., 17 Jun 2026). Revelio imposes a strict stage boundary between hypothesis generation and hypothesis confirmation, using inexpensive models and lightweight static analysis for breadth, then stronger models plus sanitizer-backed execution for confirmation (Hou et al., 20 Jun 2026). AgentFlow generalizes the harness itself as the object of optimization by defining a multi-agent harness as

H=(A,G,Σ,Φ,Ψ),H = (\mathcal{A}, \mathcal{G}, \Sigma, \Phi, \Psi),

where A\mathcal{A} is the set of agents, G\mathcal{G} the directed communication graph, Σ\Sigma the message templates, Φ\Phi the tool allocation, and Ψ\Psi the coordination protocol (Liu et al., 22 Apr 2026).

Several systems also formalize prioritization. Knowdit schedules semantic-pattern pairs by

K=8K = 80

so less-tested DeFi semantics receive priority, and it encodes recurring share-accounting behavior with

K=8K = 81

to derive auditing invariants for ERC-4626-like mechanisms (Kong et al., 27 Mar 2026). VCAO makes orchestration explicitly game-theoretic: the LRM orchestrator solves a repeated Bayesian Stackelberg search game over kernel files, functions, paths, tools, and time budgets, with formal K=8K = 82-style online guarantees instantiated in the paper as

K=8K = 83

for the regret bound (Mishra, 9 Apr 2026).

This suggests that the main architectural divide is no longer between “static” and “dynamic” analysis, but between shallow pipelines and systems that explicitly represent search state, role boundaries, uncertainty, and the cost of additional evidence.

3. Evidence, verification, and executable confirmation

The distinguishing feature of the area is the movement from speculative findings to externally checkable evidence. VulnAgent-X treats vulnerability detection as an evidence-driven auditing process and pushes ambiguous, high-severity cases into selective dynamic verification, where minimal validation artefacts such as reproducing inputs, unit tests, and payloads are generated and then incorporated into the fused score (Meng et al., 11 Mar 2026). The role-based CrewAI workflow likewise separates diagnosis from verification and evaluates the Verifier on whether the generated patch removes the root cause and unsafe path without introducing regressions (Basu et al., 12 Jun 2026).

Several systems make executable proof the reporting threshold. Revelio reports vulnerabilities only when a generated Proof-of-Vulnerability triggers a deterministic sanitizer in an independent rerun; it uses AddressSanitizer, UndefinedBehaviorSanitizer, and MemorySanitizer as oracles and reports zero false positives under this criterion (Hou et al., 20 Jun 2026). SLYP performs binary exploration, COM inspection, and dynamic debugging, then compiles and runs C++ PoCs in a VM, attaches a debugger, and treats a crash in the service process—with access violation, heap corruption, security check failure, or AppVerifier break—as confirmation (Lee et al., 6 May 2026). AXE operates in a grey-box setting and uses attack-type-specific evaluators and reproducible PoC artifacts to confirm web vulnerabilities from a CWE and vulnerable location (Sajadi et al., 15 Feb 2026). A2 uses a Planner–Executor–Validator loop on Android, with the Validator designing customized read-only oracles for UI, ICC, filesystem, and cryptographic behaviors rather than trusting the Executor’s claims (Wang et al., 29 Aug 2025).

In domains where bespoke exploit or sanitizer oracles are unavailable, the literature substitutes alternative signals. Code-Augur treats a violated assertion as either a genuine vulnerability or a flawed specification requiring refinement (Luo et al., 17 Jun 2026). Knowdit turns a semantic-pattern hypothesis into Foundry harnesses whose require-based oracles encode K=8K = 84, K=8K = 85, and K=8K = 86, and then uses a Finding Reflector to distinguish true findings from expected behavior or specification errors (Kong et al., 27 Mar 2026). Chai explicitly states that cryptographic misuse lacks the crash or sanitizer feedback available in memory-safety work, so it repurposes cross-library disagreement as the oracle: differential testing over X.509, JWT, and SAML libraries produces accept/reject vectors, normalized error classes, and identity-attribute discrepancies that are then traced through a cryptographic dependency graph to downstream applications (Villa et al., 25 Jun 2026).

A plausible implication is that “verification” in agentic vulnerability discovery is broader than exploit generation. It includes sanitizer-confirmed PoVs, debugger-verified crashes, assertion falsification, structured oracles, differential inconsistency, and multi-stage human-reviewable evidence. What remains constant is that the final report is conditioned on evidence external to the agent’s own reasoning trace.

4. Observability, runtime attack surfaces, and agentic systems as targets

A substantial branch of the literature studies agentic systems as attack surfaces in their own right. AgentSeer decomposes execution into an action graph and a component graph, tracking atomic actions such as response generation, tool calls, and handoffs alongside agents, tools, short-term memory, and long-term memory (Wicaksono et al., 21 Sep 2025). In the cross-model extension, the unified representation is formalized as K=8K = 87 with K=8K = 88 and supports per-action and per-tool Attack Success Rate calculations, revealing that tool-calling contexts show 24–60% higher ASR across the evaluated models (Wicaksono et al., 5 Sep 2025). Both studies report that standalone model vulnerabilities do not fully transfer to deployed agentic contexts, and that agent transfer operations are the highest-risk tool category (Wicaksono et al., 21 Sep 2025, Wicaksono et al., 5 Sep 2025).

The CI/CD setting makes these flows concrete. AWI, or Agentic Workflow Injection, is defined as a workflow-level injection flaw in GitHub Actions where untrusted GitHub event context is incorporated into agent prompts or agent-consumed inputs and converted into attacker-influenced behavior through agent tools or downstream workflow logic (Wang et al., 8 May 2026). The paper distinguishes Prompt-to-Agent (P2A) from Prompt-to-Script (P2S), constructs an Agentic Workflow Dependency Graph, and reports 519 potential AWI vulnerabilities, of which 496 are confirmed exploitable, for a precision of 95.6% (Wang et al., 8 May 2026). The same runtime-centric perspective appears in the runtime supply-chain framework, which divides threats into transient context injection, persistent memory poisoning, and tool supply-chain attacks across discovery, implementation, and invocation, and introduces the Viral Agent Loop as a semantic self-replication mechanism in which agents become carriers because outputs re-enter the environment and later contexts (Jiang et al., 23 Feb 2026).

In cyber-physical systems, the role architecture becomes the security model. Agentic Vehicles separate a Personal Agent from a Driving Strategy Agent and then place a deterministic Safety Check layer as the final gate before planning and control (Eslami et al., 18 Dec 2025). The paper maps fifteen OWASP-style agentic risks onto vehicular roles, adds cross-layer propagation from perception, V2X, computing, and control layers, and scores threats with

K=8K = 89

where B=6,000B = 6{,}0000, B=6,000B = 6{,}0001, B=6,000B = 6{,}0002, and B=6,000B = 6{,}0003 are each mapped from B=6,000B = 6{,}0004 to B=6,000B = 6{,}0005 (Eslami et al., 18 Dec 2025). The severity matrix is explicitly context-dependent: “Autonomous / High Agency, T7 Misaligned & Deceptive Behaviors” is scored as B=6,000B = 6{,}0006 (“Critical”), whereas “Manual / Low Agency, T1 Memory Poisoning” is scored as B=6,000B = 6{,}0007 (“Low”) (Eslami et al., 18 Dec 2025).

These works broaden the meaning of vulnerability discovery. The target is no longer only a codebase or binary; it may also be the orchestration graph, tool registry, memory layer, event pipeline, or role boundary through which agentic behavior is mediated.

5. Domain-specific instantiations and empirical results

The literature now covers repository-scale source analysis, operating-system kernels, binaries, smart contracts, Android applications, cryptographic libraries, CI/CD workflows, and browser-scale multi-agent harnesses. The table summarizes representative outcomes exactly as reported.

Setting System Reported outcome
Repository-level C/C++ detection VulnAgent-X PrimeVul F1 0.316 / AUROC 0.741; JULY F1 0.741 with Top-1 0.589, Top-3 0.782, MRR 0.671 (Meng et al., 11 Mar 2026)
Java full-chain SAST Argus 23 vulnerabilities across seven repositories; CodeQL found 0 and IRIS found 1 in that setup (Liang et al., 8 Apr 2026)
Web exploit confirmation AXE 30% exploitation success on CVE-Bench; 3× over black-box baselines (Sajadi et al., 15 Feb 2026)
Windows COM race discovery SLYP 0.973 F1 on 40 cases; 28 previously unknown vulnerabilities across nine COM services, 16 CVEs, $140,000 in bounties (Lee et al., 6 May 2026)
Android apps A2 78.3% coverage on Ghera; 104 true-positive zero-day vulnerabilities on 169 production APKs, 57 self-validated with PoCs (Wang et al., 29 Aug 2025)
DeFi smart contracts Knowdit All 14 high-severity and 77% of medium-severity vulnerabilities on AuditEval, with only 2 false positives (Kong et al., 27 Mar 2026)
Memory safety at repository scale Revelio 19 previously unknown memory-safety vulnerabilities on seven production-quality projects, total cost about $300 (Hou et al., 20 Jun 2026)
Specification-first agentic detection Code-Augur 22 new vulnerabilities in key open-source projects (Luo et al., 17 Jun 2026)
Cryptographic misuse Chai Over 100 vulnerabilities across X.509, JWT, and SAML libraries and downstream applications (Villa et al., 25 Jun 2026)
Chrome multi-agent harnesses AgentFlow 84.3% on TerminalBench-2; ten previously unknown zero-day vulnerabilities in Google Chrome, including two Critical sandbox escapes (Liu et al., 22 Apr 2026)
Kernel discovery orchestration VCAO 2.7× more validated vulnerabilities per unit budget than coverage-only fuzzing and 68% reduction in false-positive rates reaching human reviewers (Mishra, 9 Apr 2026)

Beyond the headline outcomes, the evaluation methodology itself is revealing. VulnAgent-X shows that removing bounded context expansion produces the largest recall drop on PrimeVul, while removing the Sceptic Agent slightly raises recall but worsens precision and false-positive rate, indicating that adversarial counter-evidence search is not incidental but structurally important (Meng et al., 11 Mar 2026). Argus demonstrates a supply-chain-first variant of agentic discovery: dependency parsing, retrieval over NVD, OSV, GHSA, Snyk, and community issue trackers, PoC generation, CodeQL-based forward retrieval, backward recursion, and end-to-end review yielded 23 exploitable vulnerabilities in seven industrial Java repositories at an average end-to-end runtime of about 0.44 hours per repository and about \$2.54 per run (Liang et al., 8 Apr 2026).

The most mature systems also show that orchestration alone materially changes outcomes even when the underlying model is fixed. In AgentFlow, harness synthesis over roles, prompts, tools, topology, and coordination reaches 84.3% on TerminalBench-2, while the “No Structure Search” ablation reaches 76.4%, “No Tool Search” 71.9%, and “No Prompt Search” 51.8% (Liu et al., 22 Apr 2026). Code-Augur reports that invariant trips constitute a major discovery lane, and Revelio’s ablations show that enforced stage separation and sanitizer-grounded verification improve both recall and trustworthiness relative to prompt-only variants (Luo et al., 17 Jun 2026, Hou et al., 20 Jun 2026).

A plausible implication is that the field’s strongest empirical gains no longer come solely from larger models. They come from better decomposition of search, richer verifier feedback, stricter confirmation criteria, and harness-level optimization.

6. Limitations, controversy, and open problems

The literature is explicit that agentic vulnerability discovery remains constrained by tooling, benchmarks, and target-specific assumptions. VulnAgent-X notes benchmark label noise, limited environmental and build capture, implicit helper-function semantics, and open challenges for very large, polyglot repositories and unseen build systems (Meng et al., 11 Mar 2026). The Planner–Analyzer–Fixer–Verifier workflow operates at vulnerable-file level rather than full-repository level and reports that CodeQL integration can improve some integer-arithmetic cases while also misdirecting the Analyzer when findings are not the root cause (Basu et al., 12 Jun 2026). Revelio is limited to vulnerability classes with deterministic sanitizer signals and to cases for which the repository exposes an executable harness; it therefore does not generalize directly to logic flaws or races lacking such oracles (Hou et al., 20 Jun 2026). Code-Augur, although specification-first, depends on the quality of inferred invariants and can overconstrain or misplace them, especially when interprocedural context is incomplete (Luo et al., 17 Jun 2026).

For systems that analyze agentic runtimes, portability and defense evaluation remain open. AgentSeer currently depends on a specific orchestration and tracing stack, and the studies do not report confidence intervals, which limits statistical interpretation of ASR differences (Wicaksono et al., 21 Sep 2025, Wicaksono et al., 5 Sep 2025). TaintAWI is a static analyzer with explicit over-approximation across LLM boundaries, so repository-specific policies or complex shell semantics can still induce false positives or false negatives despite high measured precision (Wang et al., 8 May 2026). The runtime-supply-chain framework argues for a Zero-Trust Runtime Architecture, but also notes residual risks such as adaptive attacks that mimic benign provenance, semantic evasion of intent matching, and incomplete taint tracking across paraphrases (Jiang et al., 23 Feb 2026). In Agentic Vehicles, the paper identifies the need for formal evaluation frameworks that measure incident rates, unsafe action frequency, detection latency, and false positives, and it describes a scoped Safety Monitor Agent only as future work (Eslami et al., 18 Dec 2025).

The strongest positive results also expose a methodological tension. Chai explicitly argues that cryptographic misuse lacks the kinds of sanitizers that make memory-safety discovery efficient, and its answer is to elevate naturally occurring disagreement signals into oracles (Villa et al., 25 Jun 2026). VCAO instead formalizes discovery as a repeated Bayesian Stackelberg search game over heterogeneous verifiers, while AgentFlow optimizes the harness program itself through a typed graph DSL and a feedback-driven outer loop (Mishra, 9 Apr 2026, Liu et al., 22 Apr 2026). This suggests that there is no single dominant formulation of agentic discovery. The field currently supports at least four: evidence-fusion pipelines, exploit-confirmation loops, specification-falsification systems, and orchestration-level search over agent teams.

Across the surveyed work, several directions recur. They include formal provenance systems and semantic monitors that do not expand the attack surface, richer benchmarks for deployment-specific vulnerabilities, better repository-scale context acquisition, more precise human-in-the-loop checkpoints, extension beyond source-available and sanitizer-observable targets, and standardized evaluation of attack success, false-positive burden, and operational cost (Jiang et al., 23 Feb 2026, Eslami et al., 18 Dec 2025, Hou et al., 20 Jun 2026). The cumulative record suggests not a finished paradigm, but a consolidation around one principle: vulnerability discovery becomes substantially more reliable when hypotheses, tooling, and verification are orchestrated as explicit interacting components rather than collapsed into a single model invocation.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (17)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Agentic Vulnerability Discovery.