Agent Types — Specialized Sub-Agents
AllySec Forge deploys 17 specialized AI sub-agents that work in parallel to execute penetration testing operations. Each agent has a dedicated workflow and toolset optimized for its domain.
Coordinators (3)
Coordinators orchestrate engagements and dispatch specialized executors. They never execute attacks directly.
| Agent | Role |
|---|---|
| Pentester Orchestrator | Coordinates pen-test engagements. Deploys executor agents, monitors progress, aggregates findings, generates reports. |
| Zero-Day Orchestrator | Orchestrates white-box zero-day hunting. Clones repos, runs SAST tools, generates vulnerability hypotheses via LLM, validates candidates, dispatches confirmed findings to exploit agents. |
| HackerOne Hunter | Bug bounty automation. Parses scope, deploys orchestrator per asset, validates PoCs, generates platform-ready submission reports. |
Specialized Executors (11)
Each executor follows a 4-phase workflow: Recon → Experiment → Test → Verify. They operate in parallel and can be isolated in git worktrees.
Web Application
| Agent | Domain |
|---|---|
| Injection Executor | SQL, NoSQL, Command, SSTI, XXE, LDAP, XPath injection |
| Client-Side Executor | XSS, CSRF, Clickjacking, CORS, Prototype Pollution |
| Server-Side Executor | SSRF, HTTP Smuggling, Path Traversal, File Upload, Deserialization |
| Authentication Executor | Auth bypass, JWT attacks, OAuth, Password, 2FA, Sessions |
| API Security Executor | GraphQL, REST, WebSocket, Web LLM API testing |
| Web App Logic Executor | Business Logic, Race Conditions, Access Control, Cache Poisoning |
Infrastructure
| Agent | Domain |
|---|---|
| Cloud Infrastructure Executor | AWS, Azure, GCP, Docker, Kubernetes exploitation |
| Post-Exploitation Executor | 5-phase post-ex: Stabilize → Escalate → Move → Persist → Exfiltrate |
Blockchain / DeFi
| Agent | Domain |
|---|---|
| Blockchain Exploit Executor | DeFi exploitation: flash loans, oracle manipulation, nonce cracking, proxy attacks, bridge exploits, MEV extraction |
| Crypto Audit Executor | Smart contract security: Solidity/EVM, Rust/CosmWasm, Move/Aptos, ZK circuits, wallet security |
Support Agents (3)
| Agent | Role |
|---|---|
| Vuln Hypothesis Generator | Stage 2 of zero-day hunting: deterministic and LLM-based candidate extraction, tuned for maximum recall. |
| Candidate Validator | Stage 3: Two-pass LLM validation. CVSS v3.1 scoring, CWE classification, MITRE ATT&CK mapping. |
| Code Chunker | Acquires target repo, produces structured codebase output. Runs SAST pre-scans (graudit, semgrep, gitleaks, trivy, syft, bandit, brakeman, checkov). |
Delegation Rules
- Single target, single vuln type → Deploy specialized executor directly (skip orchestrator)
- Single target, unknown vulns → Single orchestrator → specialized executors
- Multiple targets → Orchestrator → executor per target
- Bug bounty → HackerOne Hunter → N orchestrators → executors
- Never nest orchestrators more than 2 levels deep
Execution Model
Agents can run in the following modes:
- Foreground — blocking, sequential
- Background — non-blocking, notification on completion
- Worktree isolation — isolated git worktree for safe parallel operations
After recon completes, exploitation proceeds immediately — no intermediate approval required.