Forge: Multi-Agent Graduated Exploitation and Detection Engineering

Researchers have developed FORGE, a multi-agent system that bridges vulnerability exploitation, prioritization, and detection rule engineering by using graduated exploitation depth. The system achieved 67.8% end-to-end exploitation success across 603 CVEs at $1.50 per CVE, producing Sigma and Snort detection rules from behavioral traces. FORGE's tiered knowledge architecture accumulates intelligence across assessments, enabling consistent exploitation rates near 68% regardless of EPSS or CVSS scoring bands.

Computer Science Cryptography and Security Submitted on 2 Jun 2026 Title:FORGE: Multi-Agent Graduated Exploitation and Detection Engineering View PDF /pdf/2606.03453 HTML experimental https://arxiv.org/html/2606.03453v1 Abstract:Vulnerability disclosure volumes now far exceed organizational assessment capacity, yet three adjacent research communities proof-of-concept generation, vulnerability prioritization, and detection rule engineering operate largely in isolation. Existing automated exploit generation systems report binary pass/fail outcomes, discarding partial progress and producing no signal for the other two communities. This paper presents FORGE, a multi-agent system that bridges these three silos through graduated exploitation depth. Five specialized agents Intel, Generator, Planner, Exploit, and Detector execute in a fixed pipeline that 1 generates targeted vulnerable applications from CVE metadata, 2 conducts coached, multi-turn exploitation assessed by an LLM-primary oracle on a four-level taxonomy L0: no evidence through L3: full compromise , and 3 produces Sigma and Snort detection rules grounded in OpenTelemetry exploitation traces. Graduated depth is the bridging mechanism: deeper exploitation yields richer behavioral traces for detection engineering, while depth data across scoring bands provides ground truth for prioritization validation. A tiered knowledge architecture accumulates intelligence across assessments, transferring build and exploitation experience to subsequent CVEs. Evaluation on 603 CVEs from the CVE-GENIE dataset achieves 67.8% end-to-end L1+ exploitation at USD 1.50 per CVE across eight languages and 187 CWE types. Exploitation rates remain near 68% regardless of EPSS or CVSS band, indicating that pattern-level reachability is orthogonal to metadata-based prioritization. Detection rules from L2+ exploitation achieve significantly higher span-normalized grounding than L1-derived rules p=0.035 , and 93.4% of generated Snort rules produce zero false positives against a synthetic benign corpus. Current browse context: cs.CR References & Citations Loading... Bibliographic and Citation Tools Bibliographic Explorer What is the Explorer? https://info.arxiv.org/labs/showcase.html arxiv-bibliographic-explorer Connected Papers What is Connected Papers? https://www.connectedpapers.com/about Litmaps What is Litmaps? https://www.litmaps.co/ scite Smart Citations What are Smart Citations? https://www.scite.ai/ Code, Data and Media Associated with this Article alphaXiv What is alphaXiv? https://alphaxiv.org/ CatalyzeX Code Finder for Papers What is CatalyzeX? https://www.catalyzex.com DagsHub What is DagsHub? https://dagshub.com/ Gotit.pub What is GotitPub? http://gotit.pub/faq Hugging Face What is Huggingface? https://huggingface.co/huggingface ScienceCast What is ScienceCast? https://sciencecast.org/welcome Demos Recommenders and Search Tools Influence Flower What are Influence Flowers? https://influencemap.cmlab.dev/ CORE Recommender What is CORE? https://core.ac.uk/services/recommender arXivLabs: experimental projects with community collaborators arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website. Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them. Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs https://info.arxiv.org/labs/index.html .