FORGE: Multi-Agent Graduated Exploitation and Detection Engineering

📅 2026-06-02
📈 Citations: 0
Influential: 0
📄 PDF

career value

221K/year
🤖 AI Summary
This work addresses the growing gap between the surge in vulnerability disclosures and organizations’ capacity to assess them, exacerbated by the longstanding fragmentation in research on exploit generation, prioritization, and detection rule engineering. To bridge this divide, the authors propose FORGE, a multi-agent system that introduces “exploit depth tiers” as a unifying framework for end-to-end vulnerability assessment. FORGE constructs targeted applications from CVE metadata, employs LLM-guided four-tier evaluation to iteratively refine exploits, and automatically generates Sigma and Snort detection rules from OpenTelemetry behavioral traces. Evaluated on 603 CVEs, FORGE achieves a 67.8% end-to-end success rate for L1+ exploits at a cost of $1.50 per CVE, produces L2+ detection rules that significantly improve normalized coverage (p=0.035), and yields Snort rules with zero false positives on benign traffic in 93.4% of cases.
📝 Abstract
Vulnerability disclosure volumes now far exceed organizational assessment capacity, yet three adjacent research communities (proof-of-concept generation, vulnerability prioritization, and detection rule engineering) operate largely in isolation. Existing automated exploit generation systems report binary pass/fail outcomes, discarding partial progress and producing no signal for the other two communities. This paper presents FORGE, a multi-agent system that bridges these three silos through graduated exploitation depth. Five specialized agents (Intel, Generator, Planner, Exploit, and Detector) execute in a fixed pipeline that (1) generates targeted vulnerable applications from CVE metadata, (2) conducts coached, multi-turn exploitation assessed by an LLM-primary oracle on a four-level taxonomy (L0: no evidence through L3: full compromise), and (3) produces Sigma and Snort detection rules grounded in OpenTelemetry exploitation traces. Graduated depth is the bridging mechanism: deeper exploitation yields richer behavioral traces for detection engineering, while depth data across scoring bands provides ground truth for prioritization validation. A tiered knowledge architecture accumulates intelligence across assessments, transferring build and exploitation experience to subsequent CVEs. Evaluation on 603 CVEs from the CVE-GENIE dataset achieves 67.8% end-to-end L1+ exploitation at USD 1.50 per CVE across eight languages and 187 CWE types. Exploitation rates remain near 68% regardless of EPSS or CVSS band, indicating that pattern-level reachability is orthogonal to metadata-based prioritization. Detection rules from L2+ exploitation achieve significantly higher span-normalized grounding than L1-derived rules (p=0.035), and 93.4% of generated Snort rules produce zero false positives against a synthetic benign corpus.
Problem

Research questions and friction points this paper is trying to address.

vulnerability disclosure
automated exploit generation
vulnerability prioritization
detection rule engineering
multi-agent system
Innovation

Methods, ideas, or system contributions that make the work stand out.

graduated exploitation
multi-agent system
detection rule engineering
LLM-based oracle
vulnerability prioritization
🔎 Similar Papers
No similar papers found.