An AI-powered vulnerability research platform that runs the whole workflow — discover, analyze, verify, exploit, disclose — from one open-source app. Solo desktop or team server.
the autonomous pipeline
Every target runs through the same 10-stage pipeline. Parallel where it helps. Pause and resume at any step. No AI required — add it later when you want verification.
Git clone or local path ingest. Detects build system and language.
Commit history, blame, security-relevant commits, contributor mapping.
Entry points, trust boundaries, pre-auth code, externally reachable routes.
48 Python tools + 10 plugins run against the target in parallel.
17 known CVE variant patterns matched across every file.
Dockerfile, CI/CD, .env, compiler flags, Kubernetes manifests.
5-tier false-positive filter: dedup, reachability, heuristics, AI triage, confidence.
Correlate findings into attack chains. Multi-hop taint analysis.
Self-consistency verification with calibrated confidence scores.
Stage findings for human accept / reject with full context.
▲ stages in purple run in parallel · ▲ stages in blue are sequential
three pillars
Static, dynamic, and AI — not three separate tools you have to glue together. They share the same finding graph, the same filter, the same review queue.
48 custom Python tools — memory safety, crypto, protocol, concurrency, supply chain — plus 10 integrated scanners: Semgrep, Trivy, CodeQL, Nuclei, Grype, OSV-Scanner, Bandit, Safety, Nettacker, Garak. Every finding flows through a 5-tier false-positive filter and optional AI triage.
Drive candidates into a running environment without leaving the app. Auto-harnessed libFuzzer, scripted gdb with breakpoint asserts, Docker + QEMU VMs with snapshot/resume, tcpdump capture, nmap scanning, angr symbolic execution, radare2 disassembly. Every job pauses, resumes, and attaches evidence to findings.
Claude, OpenAI, Gemini, Ollama, Claude CLI — task-based routing with per-task fallback chains. Investigate mode runs step-gated analyses. Everything works with zero AI configured; add providers when you want verification. In team mode, the server proxies keys so they never leave your network.
Every candidate finding can be driven into a live environment without leaving VulnForge. Fuzz the function. Step it in gdb. Detonate it in a disposable VM. Watch the network. Solve the binary. Then attach the evidence to the finding and move on.
isolation
Exploits run in Docker / QEMU with no network (default), dropped capabilities, and overlay filesystems. Snapshot before each step, rewind if it breaks.
observability
Stdout, stderr, syscalls, packets, registers — all streamed to a ring buffer and attached to the finding. Reproducers ship with the report.
composable
Fuzz crashes auto-open findings the AI can investigate. Breakpoint asserts turn into hypotheses. Captures feed the protocol analyzer.
the real app
Every image below is a real screen from the app, with research data anonymized at the DOM layer before capture. Structure, colors, and UX are exactly what you get after installing.
plug any AI provider · or none · task-based routing with per-task fallback
VulnForge ships an MCP server at /mcp that exposes 101 tools over JSON-RPC + SSE. Claude Code, custom orchestrators, or your own agent can run the whole workflow — pipeline control, findings CRUD, fuzz jobs, disclosure, export — without touching the UI.
three ways to run it
One codebase, three artifacts. Solo ships as a signed Electron installer. Team runs as a Docker compose service or a bare-metal tarball with a systemd unit.
# 1 · Solo desktop — fully offline
git clone https://github.com/AsafMeizner/vulnforge.git
cd vulnforge
npm install
npm run dev
# open http://localhost:5173
# first-launch wizard → pick "Solo"architecture at a glance
Every desktop keeps its own SQLite + MCP server — works fully offline. Team mode adds a sync server that proxies AI keys, runs worker-pool scans, and enforces 3-tier privacy scopes. Switch modes without rebuilding anything.
start hunting
Free, open source, MIT licensed. No telemetry, no sign-up, no AI required to get started.