{"slug": "forge-multi-agent-graduated-exploitation-and-detection-engineering", "title": "Forge: Multi-Agent Graduated Exploitation and Detection Engineering", "summary": "Researchers have developed FORGE, a multi-agent system that bridges vulnerability exploitation, prioritization, and detection rule engineering by using graduated exploitation depth. The system achieved 67.8% end-to-end exploitation success across 603 CVEs at $1.50 per CVE, producing Sigma and Snort detection rules from behavioral traces. FORGE's tiered knowledge architecture accumulates intelligence across assessments, enabling consistent exploitation rates near 68% regardless of EPSS or CVSS scoring bands.", "body_md": "# Computer Science > Cryptography and Security\n\n[Submitted on 2 Jun 2026]\n\n# Title:FORGE: Multi-Agent Graduated Exploitation and Detection Engineering\n\n[View PDF](/pdf/2606.03453)\n\n[HTML (experimental)](https://arxiv.org/html/2606.03453v1)\n\nAbstract:Vulnerability disclosure volumes now far exceed organizational assessment capacity, yet three adjacent research communities (proof-of-concept generation, vulnerability prioritization, and detection rule engineering) operate largely in isolation. Existing automated exploit generation systems report binary pass/fail outcomes, discarding partial progress and producing no signal for the other two communities. This paper presents FORGE, a multi-agent system that bridges these three silos through graduated exploitation depth. Five specialized agents (Intel, Generator, Planner, Exploit, and Detector) execute in a fixed pipeline that (1) generates targeted vulnerable applications from CVE metadata, (2) conducts coached, multi-turn exploitation assessed by an LLM-primary oracle on a four-level taxonomy (L0: no evidence through L3: full compromise), and (3) produces Sigma and Snort detection rules grounded in OpenTelemetry exploitation traces. Graduated depth is the bridging mechanism: deeper exploitation yields richer behavioral traces for detection engineering, while depth data across scoring bands provides ground truth for prioritization validation. A tiered knowledge architecture accumulates intelligence across assessments, transferring build and exploitation experience to subsequent CVEs. Evaluation on 603 CVEs from the CVE-GENIE dataset achieves 67.8% end-to-end L1+ exploitation at USD 1.50 per CVE across eight languages and 187 CWE types. Exploitation rates remain near 68% regardless of EPSS or CVSS band, indicating that pattern-level reachability is orthogonal to metadata-based prioritization. Detection rules from L2+ exploitation achieve significantly higher span-normalized grounding than L1-derived rules (p=0.035), and 93.4% of generated Snort rules produce zero false positives against a synthetic benign corpus.\n\n### Current browse context:\n\ncs.CR\n\n### References & Citations\n\nLoading...\n\n# Bibliographic and Citation Tools\n\nBibliographic Explorer\n\n*(*[What is the Explorer?](https://info.arxiv.org/labs/showcase.html#arxiv-bibliographic-explorer))\nConnected Papers\n\n*(*[What is Connected Papers?](https://www.connectedpapers.com/about))\nLitmaps\n\n*(*[What is Litmaps?](https://www.litmaps.co/))\nscite Smart Citations\n\n*(*[What are Smart Citations?](https://www.scite.ai/))# Code, Data and Media Associated with this Article\n\nalphaXiv\n\n*(*[What is alphaXiv?](https://alphaxiv.org/))\nCatalyzeX Code Finder for Papers\n\n*(*[What is CatalyzeX?](https://www.catalyzex.com))\nDagsHub\n\n*(*[What is DagsHub?](https://dagshub.com/))\nGotit.pub\n\n*(*[What is GotitPub?](http://gotit.pub/faq))\nHugging Face\n\n*(*[What is Huggingface?](https://huggingface.co/huggingface))\nScienceCast\n\n*(*[What is ScienceCast?](https://sciencecast.org/welcome))# Demos\n\n# Recommenders and Search Tools\n\nInfluence Flower\n\n*(*[What are Influence Flowers?](https://influencemap.cmlab.dev/))\nCORE Recommender\n\n*(*[What is CORE?](https://core.ac.uk/services/recommender))# arXivLabs: experimental projects with community collaborators\n\narXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.\n\nBoth individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.\n\nHave an idea for a project that will add value for arXiv's community? [ Learn more about arXivLabs](https://info.arxiv.org/labs/index.html).", "url": "https://wpnews.pro/news/forge-multi-agent-graduated-exploitation-and-detection-engineering", "canonical_source": "https://arxiv.org/abs/2606.03453", "published_at": "2026-06-04 05:30:10+00:00", "updated_at": "2026-06-04 05:47:15.443687+00:00", "lang": "en", "topics": ["artificial-intelligence", "machine-learning", "large-language-models", "ai-agents", "ai-safety"], "entities": ["FORGE", "Sigma", "Snort", "OpenTelemetry", "CVE"], "alternates": {"html": "https://wpnews.pro/news/forge-multi-agent-graduated-exploitation-and-detection-engineering", "markdown": "https://wpnews.pro/news/forge-multi-agent-graduated-exploitation-and-detection-engineering.md", "text": "https://wpnews.pro/news/forge-multi-agent-graduated-exploitation-and-detection-engineering.txt", "jsonld": "https://wpnews.pro/news/forge-multi-agent-graduated-exploitation-and-detection-engineering.jsonld"}}