Method
AI-Assisted Vulnerability Discovery Pipeline
A reusable pipeline that combines local LLMs with traditional scanning tools to automate vulnerability research, exploit analysis, and recon at scale.
Why AI-assisted?
Manual pentesting across a large surface area is slow. A single researcher can examine maybe 10-20 endpoints per hour. An LLM-augmented pipeline can process hundreds, triage results, and produce candidate exploit chains, all while running on consumer hardware without sending data to external APIs.
Pipeline architecture
Target scope → Recon module → Analysis LLM → Prioritizer → Exploit matcher → Report
↑ |
└────────────────────── Feedback loop ────────────────────────────────────┘
All components run locally via Ollama with models like Qwen3 4B and DeepSeek Coder for analysis tasks.
Stage 1: Recon module
The recon module runs standard tools but structures their output for LLM consumption:
# Pseudo-code for the recon collector
def collect(target):
return {
"domains": subfinder(target),
"endpoints": httpx(target, tech_detect=True),
"screenshots": gowitness(target),
"tech_stack": wappalyzer(target),
}
Each tool’s raw output is normalized into a JSON schema that the LLM can process without additional parsing.
Stage 2: Analysis LLM
The structured recon data is fed into the LLM with a prompt template:
You are analyzing a target for security vulnerabilities.
Given: [tech stack], [endpoint list], [known CVEs in stack]
Task:
1. Identify likely vulnerability classes for each endpoint
2. Prioritize by exploitation difficulty × impact
3. Suggest specific payloads or techniques to try
The LLM returns a ranked list of candidate attack vectors. Each candidate includes the reasoning chain, so the operator can verify before attempting.
Stage 3: Exploit matcher
The prioritized candidates are matched against an offline exploit database (searchsploit + custom PoC collection). Matching is done by:
- CVE ID — direct lookup
- Technology + version — semantic similarity to known exploits
- Vulnerability class — SQLi, RCE, SSRF, etc.
The matcher outputs a ranked exploit chain with references and reproduction steps.
Stage 4: Feedback loop
Results from manual validation are fed back into the pipeline:
Successful exploitation → tag exploit as "confirmed"
False positive → add to exclusion list with the reason
New technique discovered → add to prompt template gallery
Over time, the pipeline becomes increasingly specific to the operator’s methodology. What starts as a generic tool becomes a personalized vulnerability research assistant.
Hardware requirements
The entire pipeline runs on a single machine:
- CPU/GPU: 8+ cores, 16 GB+ RAM (NVIDIA GPU optional for larger models)
- Models: Qwen3 4B (analysis), DeepSeek Coder 7B (exploit generation)
- Storage: 50 GB for tool binaries and exploit database
No API keys, no cloud services, no data leaving the machine.