VulnForge
the full catalog

Everything VulnForge does, in one place.

Ten feature categories. Every bullet is backed by code that ships today — check the repo if you want to inspect how any of it works.

01 · Paste a URL → reviewed finding

Core pipeline

The autonomous pipeline handles the entire lifecycle. Clone, analyze, scan, filter, verify, and stage findings for review — all from one Git URL or local path. Pause mid-pipeline and resume later. Batch mode scans multiple targets in parallel. No-AI mode works out of the box.

  • Paste-a-URL hunts: auto-detect language and pick the right tools
  • Pause / resume: long-running jobs survive restarts
  • Batch mode: parallel multi-target
  • No-AI mode: add providers later
VulnForge Hunt page

02 · 48 Python tools + 10 plugins

Static analysis

Memory safety, crypto, protocol, concurrency, supply chain — a curated 48-tool suite written for VulnForge, plus ten first-party plugin integrations of industry-standard scanners. Every finding flows through a 5-tier false-positive filter: dedup, reachability, heuristics, AI triage, confidence scoring.

  • 48 custom Python tools: built for VulnForge's finding graph
  • 10 integrated plugins: Semgrep · Trivy · CodeQL · Nuclei · Grype · OSV-Scanner · Bandit · Safety · Nettacker · Garak
  • 17 CVE variant patterns: matched across every file
  • Config auditing: Dockerfile · CI/CD · .env · K8s
  • Attack surface mapping: entry points · trust boundaries · pre-auth code
  • Dependency reachability: filter unreachable dep vulns via call graph
VulnForge Scanner page

03 · libFuzzer · gdb · Docker · QEMU · live capture

Runtime — live testing, VMs, sandboxes

The Runtime page is where candidates become proofs. Drive any finding into a real, isolated environment without leaving VulnForge — fuzz the function, step through it in gdb, detonate the exploit in a disposable Docker container or full-system QEMU VM, capture the network traffic live, scan a host with nmap, or symbolically execute the binary. Every job streams output to the UI and MCP agents, pauses and resumes without losing state, and attaches its evidence directly to the finding. Ten executor types, one orchestration layer.

  • libFuzzer: auto-generated harness from the function signature, ASAN+UBSAN, coverage-guided, minimized reproducers
  • gdb sessions: scripted breakpoints with assertion validation, persistent across restarts, attach or launch
  • Docker sandboxes: disposable containers, dropped caps, no-net by default, snapshot → run → rewind → export delta
  • QEMU full-system VMs: boot a kernel, run the exploit, rewind with qcow2 snapshots, kernel-mode tracing
  • tcpdump + tshark: live capture, sliceable PCAP, protocol-anomaly feed into AI pipeline
  • nmap: host & service scanning with fingerprint matching
  • angr symbolic execution: craft inputs that reach a sink under constraints
  • radare2 / rizin: disassembly, string xrefs, decompilation indexed for the investigator
  • Pause / resume / cancel: every job, including long-running fuzz runs, without losing state
  • MCP-drivable: agents can spawn runtime jobs and read output via tools.call
VulnForge Runtime page — active fuzz, debug, sandbox, and capture jobs

04 · 5 providers · 7 presets · task routing

AI copilot

Claude, OpenAI, Gemini, Ollama, or Claude CLI — task-based routing with per-task fallback chains. Investigate mode runs step-gated interactive analyses. Assumption extraction lists all implicit assumptions in a function. Hypothesis generation suggests research directions. Auto-fallback kicks in on rate-limit exhaustion.

  • 5 providers: Claude · OpenAI · Gemini · Ollama · Claude CLI
  • 7 routing presets: Smart Split · All Claude · All OpenAI · All Gemini · All Local · Budget · Claude CLI
  • Investigate mode: interactive, step-gated
  • Assumption extraction: list every implicit assumption
  • Hypothesis generation: AI suggests research directions
  • Team-server proxy: keys stay on the server
VulnForge AI page — task-routing matrix with 7 presets (Smart Split, All Claude, All OpenAI, All Gemini, All Local, Budget, Claude CLI) mapping tasks to providers and models

05 · Hypothesis board · notes · sessions

Research workspace

A persistent research journal with a kanban board for hypothesis tracking (open → investigating → confirmed → disproved). Markdown notes with YAML frontmatter. Pluggable backends: local filesystem and Obsidian vault today, Notion and Logseq planned. Quick-capture from anywhere with Ctrl/Cmd+N. Investigation context survives restarts.

  • Hypothesis board: 4-column kanban
  • Markdown notes: YAML frontmatter, full-text search
  • Pluggable backends: Local · Obsidian (Notion/Logseq planned)
  • Quick capture: Ctrl/Cmd+N from anywhere
  • Server-side session: investigation context persists
VulnForge Hypothesis Board

06 · PoC workbench · proof ladder

Exploit development

Write exploit code linked to findings in a PoC workbench. Advance each finding up a proof ladder: pattern → manual → traced → PoC → weaponized. Eight built-in exploit templates cover format string, buffer overflow, heap use-after-free, SQL injection, SSRF, and more.

  • PoC workbench: exploit code linked to findings
  • Proof ladder: 5 stages (pattern → weaponized)
  • 8 exploit templates: FS · BoF · UAF · SQLi · SSRF · more
VulnForge Exploits page

07 · NVD sync · git bisect · patch analysis

Historical intelligence

Sync CVEs from NVD and cross-reference against your target's dependencies. Use git bisect to pinpoint the commit that introduced a vulnerability. Extract patterns from historical security commits to power variant hunting.

  • NVD sync: fetch CVEs, cross-reference deps
  • Git bisect: pinpoint the bug-introducing commit
  • Patch analysis: extract patterns from security commits
VulnForge Historical Intelligence — NVD sync, git bisect, patch analysis

08 · Jira · Linear · Trello · Slack · GitHub

Integrations & disclosure

Full ticketing workflow: open, update, link findings to tickets across Jira, Linear, Trello, and GitHub Issues. Slack for messaging. Vendor management with contacts, platforms, and response times. SLA tracking with on-track / warning / overdue indicators. Bounty analytics: total payouts, averages, per-program ROI.

  • Ticketing: Jira · Linear · Trello · GitHub Issues
  • Messaging: Slack notifications & updates
  • Vendor management: contacts · platforms · response times
  • SLA tracking: on-track · warning · overdue
  • Bounty analytics: payouts · averages · per-program ROI
VulnForge Disclosure & Bounty Ops page — Pipeline, Vendors, and Analytics tabs with SLA status + CVE + bounty columns

09 · SARIF 2.1 · CVE JSON 5.0 · backups

Compliance & export

Export findings as SARIF 2.1 (compatible with GitHub, GitLab, and Azure DevOps security tabs) or CVE JSON 5.0 for CNA submission. Full workspace backup as JSON. Every action recorded in the audit trail.

  • SARIF 2.1: GitHub · GitLab · Azure DevOps compatible
  • CVE JSON 5.0: CNA submission format
  • Workspace backup: full JSON dump
  • Audit trail: every action logged
VulnForge Audit & Export page — Export SARIF + Backup Workspace buttons above a filterable audit log of every action

10 · Command palette · keyboard-first

Pro UX

A command palette (Ctrl/Cmd+K) jumps to any of 22 pages. A keyboard-shortcut cheat sheet (press ?) shows everything at once. Grouped navigation collapses the sidebar into logical sections. The favicon matches your OS light/dark preference and updates live.

  • Command palette: Ctrl/Cmd+K to jump anywhere
  • Keyboard shortcuts: ? for the full cheat sheet
  • Grouped navigation: 22 pages in collapsible sidebar
  • Theme-aware favicon: live OS light/dark switching
VulnForge command palette (Ctrl/Cmd+K) open over the dashboard — fuzzy-match navigation to every page