Method

AI-Assisted Vulnerability Discovery Pipeline

A reusable pipeline that combines local LLMs with traditional scanning tools to automate vulnerability research, exploit analysis, and recon at scale.

  • #ai
  • #pentesting
  • #automation
  • #llm
  • #recon

Why AI-assisted?

Manual pentesting across a large surface area is slow. A single researcher can examine maybe 10-20 endpoints per hour. An LLM-augmented pipeline can process hundreds, triage results, and produce candidate exploit chains, all while running on consumer hardware without sending data to external APIs.

Pipeline architecture

Target scope → Recon module → Analysis LLM → Prioritizer → Exploit matcher → Report
     ↑                                                                          |
     └────────────────────── Feedback loop ────────────────────────────────────┘

All components run locally via Ollama with models like Qwen3 4B and DeepSeek Coder for analysis tasks.

Stage 1: Recon module

The recon module runs standard tools but structures their output for LLM consumption:

# Pseudo-code for the recon collector
def collect(target):
    return {
        "domains": subfinder(target),
        "endpoints": httpx(target, tech_detect=True),
        "screenshots": gowitness(target),
        "tech_stack": wappalyzer(target),
    }

Each tool’s raw output is normalized into a JSON schema that the LLM can process without additional parsing.

Stage 2: Analysis LLM

The structured recon data is fed into the LLM with a prompt template:

You are analyzing a target for security vulnerabilities.
Given: [tech stack], [endpoint list], [known CVEs in stack]
Task:
1. Identify likely vulnerability classes for each endpoint
2. Prioritize by exploitation difficulty × impact
3. Suggest specific payloads or techniques to try

The LLM returns a ranked list of candidate attack vectors. Each candidate includes the reasoning chain, so the operator can verify before attempting.

Stage 3: Exploit matcher

The prioritized candidates are matched against an offline exploit database (searchsploit + custom PoC collection). Matching is done by:

  1. CVE ID — direct lookup
  2. Technology + version — semantic similarity to known exploits
  3. Vulnerability class — SQLi, RCE, SSRF, etc.

The matcher outputs a ranked exploit chain with references and reproduction steps.

Stage 4: Feedback loop

Results from manual validation are fed back into the pipeline:

Successful exploitation → tag exploit as "confirmed"
False positive → add to exclusion list with the reason
New technique discovered → add to prompt template gallery

Over time, the pipeline becomes increasingly specific to the operator’s methodology. What starts as a generic tool becomes a personalized vulnerability research assistant.

Hardware requirements

The entire pipeline runs on a single machine:

  • CPU/GPU: 8+ cores, 16 GB+ RAM (NVIDIA GPU optional for larger models)
  • Models: Qwen3 4B (analysis), DeepSeek Coder 7B (exploit generation)
  • Storage: 50 GB for tool binaries and exploit database

No API keys, no cloud services, no data leaving the machine.

References