cd /news/artificial-intelligence/building-a-10-agent-security-civiliz… · home topics artificial-intelligence article
[ARTICLE · art-47967] src=dev.to ↗ pub= topic=artificial-intelligence verified=true sentiment=↑ positive

Building a 10-Agent Security Civilization with Qwen and Alibaba Cloud 🛡️🤖

A team of developers built NEXUS, an autonomous society of 10 specialized AI agents for security auditing, using Qwen models via Alibaba Cloud's DashScope API. The system discovers, triages, exploits, patches, and reports vulnerabilities in real open-source software with zero false positives by design. NEXUS features a governance council for severity scoring and a three-tier memory engine for learning across codebases.

read2 min views1 publishedJul 4, 2026

Security auditing is broken.

If you’ve ever run a static analysis tool (SAST) on a large codebase, you know the pain: thousands of alerts, zero context, and a 90% false-positive rate. On the other end of the spectrum, hiring human penetration testers is incredibly expensive and impossible to scale alongside modern CI/CD pipelines.

For the **Qwen Cloud Global AI Hackathon**, we decided to rethink the problem entirely. What if, instead of using a single monolithic AI to "find bugs," we built an entire specialized *civilization* of agents?

Meet NEXUS, an autonomous society of 10 distinct AI agents that discovers, triages, exploits, patches, and reports security vulnerabilities in real open-source software.

Instead of asking an LLM to "find a bug and fix it" (which usually results in hallucinations), we split the vulnerability lifecycle into 10 distinct, highly-specialized roles.

Powered by the DashScope API (using Qwen-Max

and Qwen-Plus

), our pipeline looks like this: Qwen-Plus

):`Qwen-Plus`

):`Qwen-Max`

):`Qwen-Max`

):`Qwen-Max`

):`Qwen-Max`

):`Qwen-Max`

):`Qwen-Plus`

):By forcing the system to generate a PoC and independently verify it, we shifted from a model of guessing bugs to proving them. Zero false positives by design.

One of the coolest features we built is the Governance Council.

When the Hunter agent finds a verified vulnerability, we don't just ask a single LLM to rate its severity. Instead, we spin up three distinct agents with completely different system prompts:

These three agents independently evaluate the finding, and the orchestrator mathematically averages their scores to reach a consensus. Watching them debate a vulnerability in real-time on our dashboard feels like a glimpse into the future of autonomous organizations.

To make NEXUS actually learn from its scans, we couldn't just rely on context windows. We built a 3-tier memory engine:

pgvector

):pgvector . Over time, NEXUS actively learns what vulnerabilities "look" like across different codebases.NEXUS isn't just an API wrapper; it's deeply integrated into the Alibaba Cloud ecosystem.

dashscope-intl.aliyuncs.com

API for Qwen inference. We routed high-reasoning tasks to Qwen-Max

and summarization/routing tasks to Qwen-Plus

to optimize our API credits.oss2

Python SDK so that the moment the Report agent finishes its job, the final Markdown advisory is immutably uploaded to We built a Next.js "Mission Control" dashboard that connects to our backend via WebSockets. When you paste a GitHub URL into NEXUS, you get to sit back and watch 10 AI agents systematically dismantle, exploit, and patch the codebase in real-time.

Building NEXUS taught us that the future of AI isn't a single, omniscient chatbot. It's specialized, communicative, and governed societies of agents working together to solve problems that humans simply don't have the scale to tackle alone.

Built for the Qwen Cloud Global AI Hackathon 2026. Check out the code on GitHub!

── more in #artificial-intelligence 4 stories · sorted by recency
── more on @qwen 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/building-a-10-agent-…] indexed:0 read:2min 2026-07-04 ·