← All posts

The problem with scanners

Security teams drown in findings. A "critical" alert from a scanner is a guess — maybe reachable, maybe exploitable, maybe a false positive that will eat a day of an engineer's time to triage. Reconnaissance is slow, correlation is manual, and exploitation — the only step that converts a guess into a decision — is gated behind an expensive senior pentester's calendar.

The whole stack is optimized to produce noise, not evidence. Enterprises are paying senior pentesters to do correlation and proof work that should be autonomous.

Five agents, one run

Argus deploys five specialized agents simultaneously against a target. Four map the attack surface in parallel. The fifth — the Exploit Agent — takes the prioritized findings and proves them by crafting and firing working PoCs, capturing the artifact, and emitting a cryptographically-signed exploit report.

Without Argus:  1 senior pentester × 4-8 hours = fragmented findings, manual correlation
With Argus:     5 agents × ~15 minutes          = unified intelligence + signed working exploits

The coordinator-agent pattern

Argus is a single Rust binary that drives all five agents. The Coordinator runs on startup, asks Aegis to decompose the engagement into a task graph, and schedules agents for parallel execution whenever their dependencies are satisfied.

A first-pass task graph for an unknown target looks like this:

root
├─ recon.network              (Network Agent)
├─ recon.web                  (Web Agent)
├─ recon.osint                (OSINT Agent)
├─ correlate                  (Vuln Correlator — depends on all recon.*)
└─ exploit                    (Exploit Agent — depends on correlate)

The Coordinator re-plans dynamically. An open port on an unusual service triggers the Coordinator to ask Aegis whether to extend the Web Agent's task list. The graph is live, not static.

The shared intelligence board

The board is an in-process, append-only log of typed events. Agents write observations; the Correlator writes hypotheses; the Exploit Agent writes findings. The TUI subscribes to everything and updates its panels on each event.

Event types: Observation, Hypothesis, Probe, Finding, AegisCall. No locking — the board is a tokio broadcast channel with snapshots on read. Writers append, readers project.

What each agent does

Network Agent — nmap + masscan. Port scanning, service fingerprinting, banner grabbing. Writes observations for every open port and identified service.

Web Agent — httpx + whatweb + nuclei + ffuf. Endpoint discovery, technology fingerprinting, CVE template matching. Writes observations for every discovered endpoint and potential vulnerability class.

OSINT Agent — subfinder + theHarvester + whois + dnsx. Subdomain enumeration, email harvesting, DNS recon. Writes observations for every discovered asset outside the primary target.

Vuln Correlator — reads all observations, calls Aegis to reason over them, and writes hypotheses ranked by severity and exploitability. KEV cross-referencing happens here.

Exploit Agent — takes the top hypotheses and works through a probe → exploit → verify loop. 165+ web exploit modules covering SQLi, XSS, SSRF, IDOR, JWT confusion, path traversal, auth bypass, and more. On success: captures the artifact, hashes it, and emits a signed Finding.

Scope enforcement

Every agent runs inside a scope enforcer loaded from a YAML scope file. The enforcer is invoked on every outbound HTTP call and every subprocess invocation. Violations raise a ScopeError and abort the offending event without halting the run. The scope file is hashed at load time and the hash is embedded in every trace event and every report — so the engagement is fully reproducible and auditable.

The reporting layer

Argus produces four report formats from a single validated intermediate representation: Markdown, JSON, HTML (single-file, dark-mode aware, all CSS inlined), and SARIF 2.1.0 for GitHub code-scanning and DefectDojo ingestion. Every rendered artifact carries a SHA-256 integrity stamp. The report IR is byte-deterministic — the same run always produces the same bytes.

The reproducibility field in every report contains the exact CLI invocation needed to re-run the engagement against the same scope. Findings are severity-ordered (Critical→Info), KEV-listed first within band, then CVSS descending.

What comes next

v1.0 is single-operator, single-machine. The next phase is distributed execution — multiple Argus instances coordinating against a large scope, sharing a remote intelligence board. The Aegis integration is already designed for this: the LLM client is a trait, and the caching layer makes demo-mode replay deterministic without touching the model.