{"slug": "wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent", "title": "Wiring Real Agents Into Halo: From Stub Orchestrator to a Working Multi-Agent Pentest Pipeline", "summary": "A developer wired real agents into Halo, a multi-agent pentest pipeline, replacing stub agents with specialists for WAF fingerprinting, vulnerability classification, and validation. During a live run against a router, the pipeline encountered and fixed bugs where searchsploit received an IP instead of a service name and where empty recon results overwrote valid context. The final pipeline correctly reported no exploit found, demonstrating honest negative results.", "body_md": "Yesterday I had five agent roles sketched out on paper. Today I actually wired them together and watched them run a real engagement against a live target — and immediately hit (and fixed) the kind of bug you only find by running the thing for real.\n\nHalo's orchestrator has existed for a few days, but it was routing tasks to *stub* agents — fake stand-ins that printed a success message and moved on. That was intentional: prove the routing logic works before wiring in real specialists. Today was \"swap the stubs for the real thing\" day.\n\n**wafw00f integration.** Added WAF/security-solution fingerprinting as tool #25, slotted into the recon workflow right after initial HTTP probing — check for a WAF *before* throwing aggressive scans at a target, not after.\n\n**Attacker as a router, not a monolith.** The Attacker agent now branches into vuln-class specialists — SQLi, credential brute-forcing, IDOR, SSRF, XSS, and auth/session issues — instead of one generic \"go attack it\" prompt. Each branch maps to the tool actually suited for that vuln class.\n\n**A real Validator stage.** This is the piece that was missing entirely. Attacker's claimed findings now get checked against confirmation signals before they're counted — a \"confirmed vulnerable\" result requires the actual evidence (e.g. sqlmap explicitly confirming an injectable parameter), not just \"a tool ran and returned some text.\" Unconfirmed findings get flagged for manual review instead of silently disappearing or silently passing as real.\n\n**Real reporting.** Confirmed and unconfirmed findings now compile into a client-readable markdown report, written per-engagement.\n\nFirst live run against my own router: Attacker fired off `searchsploit`\n\n— with the target's raw IP address as the search keyword. Of course it found nothing; searchsploit needs a product/service name, not an IP.\n\nThe fix: pass Vuln Discovery's actual findings (service banners, versions) into Attacker as context, then extract just the relevant service string before it ever reaches searchsploit. Second bug surfaced immediately after: a later, empty recon result was *overwriting* an earlier good one before Attacker got to use it — classic last-write-wins. Fixed by only updating captured context when the new result is non-empty.\n\nEnd state: Attacker correctly searched `dnsmasq 2.83`\n\n, searchsploit correctly returned \"No Results,\" and Validator correctly logged it as unconfirmed. Not a flashy win — but an *honest* one. The pipeline reported the true state of the target instead of a hallucinated finding.\n\nA pentest agent that never says \"no exploit found\" isn't trustworthy. Building the validation and honest-negative-result path in from day one, rather than bolting it on later, was the actual point of today's work — not just to get more findings, but to get *correct* ones.\n\nSandbox execution for agent-written PoC/exploit code, so Attacker can go beyond canned tools when a target calls for something custom.", "url": "https://wpnews.pro/news/wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent", "canonical_source": "https://dev.to/xenocoregiger31/-wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent-pentest-pipeline-57k8", "published_at": "2026-07-08 16:58:41+00:00", "updated_at": "2026-07-08 17:11:51.363797+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-agents", "ai-tools"], "entities": ["Halo", "wafw00f", "searchsploit", "sqlmap", "dnsmasq"], "alternates": {"html": "https://wpnews.pro/news/wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent", "markdown": "https://wpnews.pro/news/wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent.md", "text": "https://wpnews.pro/news/wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent.txt", "jsonld": "https://wpnews.pro/news/wiring-real-agents-into-halo-from-stub-orchestrator-to-a-working-multi-agent.jsonld"}}