@elder_plinius: INTRODUCING: T3MP3ST!!! AUTONOMOUS HACKBOT STRIKE FORCE BRING THE STORM your favorite coding agent is now a full-stack …

X AI KOLs Timeline Tools

Summary

T3MP3ST is an open-source harness that turns AI coding agents like Claude Code and Codex into autonomous red team tools, achieving high pass rates on security benchmarks and real CVE detection.

INTRODUCING: T3MP3ST!!! AUTONOMOUS HACKBOT STRIKE FORCE BRING THE STORM your favorite coding agent is now a full-stack red team http://github.com/elder-plinius/T3MP3ST… that AI agent already humming in your terminal? well now it has FANGS. strap a full offensive-security harness onto the agents you already pay for — Claude Code, Codex, Hermes, etc. — point it at an authorized target, and in a few clicks you're watching it hunt real vulns autonomously! T3MP3ST is a harness of harnesses, with prompting that unlocks offensive-cyber workflows + a full arsenal of exploit tooling that'd make any seasoned hacker smirk. simple, yet powerful. support for: web apps, APIs, OWASP Top 10 network recon + fingerprinting (live nmap/DNS/HTTP); lateral + privesc experimental source code audits, white-box vuln hunting CTFs, wargames, challenge ranges smart contracts / DeFi / Solidity (reproduction — Damn Vulnerable DeFi, not novel discovery) embedded, IoT, OT/SCADA, robotics OSS … and more in development! now let's talk numbers XBEN — XBOW's own 104-challenge suite: • black-box: 90.1% pass@1 from the single-agent exploit loop (worst single sweep 91/104 = 87.5%) — clearing XBOW's past self-reported 85% on their own suite. gpt-5.5. • white-box (source staged, reported separately): 98.7% pass@1, worst single sweep 102/104 = 98.1%. every solved flag graded reported-vs-expected against the challenge's own committed flag oracle — `verify-claims` recomputes the pass/fail from committed artifacts. looks like we need new benchmarks Cybench — the 40-task academic bench (Opus 4.8, hints + writeups stripped): 23/40 = 58% single-run, hint-free pass@1 — real exploits (format-string pwn, eval-jail escapes, crypto oracles), every flag graded vs a committed oracle. (Anthropic reports 76.5% pass@10) CVE-Zero — we pointed it COLD at real CVEs disclosed in 2026, AFTER the model's training cutoff: 10 unseen 2026 CVEs across 7 languages — prompts never tuned on them. a single agent pinned 8/10 to exact file/line/CWE (stable under re-scoring); the full pack surfaced all 10. memorization AND overfitting, both off the table — it's finding real vulns whose disclosures landed AFTER the model's training cutoff. (n=10, reported honest & directional) the architecture: either run as a SINGLE agent (already the benchmarked, incredibly-capable path) — or pack-hunt with dozens of agents running on 8 specialist operator classes keyed to Cyber Kill Chain + MITRE ATT&CK phases: recon → scan → exploit → lateral → exfil → persistence → C2 → report. an Op Admiral plans the whole op from a plain-english target. flip on coordination (experimental) and the operators share a blackboard — a tool-verified finding spawns the next move. full swarm or solo one operator, your call. the admiral can also update the prompts, tools, and configs of the other agents on the fly, and T3MP3ST gets stronger the more memories you build! the Arsenal is comprehensive — nmap / nuclei / semgrep / ffuf / gobuster + more. 35 wired by default (the clean bench runs bash-only for a comparable number), 83 with the opt-in full arsenal (T3MP3ST_FULL_ARSENAL), and the spicy post-ex drivers (metasploit, hydra) gated behind human approval. exposed via CLI + HTTP API; recon (security_recon) is also live over MCP so your agent invokes it natively. where this goes: a self-improving swarm of specialist operators wielding a full Kali+ arsenal, learning which loadouts + configs are the most efficient tactics available, WITH a held-out train/test split baked in so it can never fool itself on its own eval. built in the open, one re-derivable number at a time. this is v1, and parts are still under active development. chunks of the arsenal, the coordinated swarm, and some ranges are still being wired up. it's built in the open, and the receipts tell you exactly what's live vs what's roadmap. offensive security shouldn't be pay-to-play. T3MP3ST puts a red team in the hands of anyone with a coding agent. what's the first target you're feeding it? DISCLAIMER: FOR AUTHORIZED USE ONLY. point it only at systems you own or have explicit written permission to test. unauthorized access can be a crime, and that call is yours alone. shipped as-is under AGPL-3.0: no warranty, no liability, zero endorsement of misuse. get permission. stay in scope. open source. AGPL-3.0. 100% free. FORTES FORTUNA IUVAT gg
Original Article
View Cached Full Text

Cached at: 07/06/26, 02:14 PM

INTRODUCING: T3MP3ST!!!

AUTONOMOUS HACKBOT STRIKE FORCE BRING THE STORM

your favorite coding agent is now a full-stack red team

http://github.com/elder-plinius/T3MP3ST…

that AI agent already humming in your terminal? well now it has FANGS. strap a full offensive-security harness onto the agents you already pay for — Claude Code, Codex, Hermes, etc. — point it at an authorized target, and in a few clicks you’re watching it hunt real vulns autonomously!

T3MP3ST is a harness of harnesses, with prompting that unlocks offensive-cyber workflows + a full arsenal of exploit tooling that’d make any seasoned hacker smirk. simple, yet powerful.

support for: web apps, APIs, OWASP Top 10 network recon + fingerprinting (live nmap/DNS/HTTP); lateral + privesc experimental source code audits, white-box vuln hunting CTFs, wargames, challenge ranges smart contracts / DeFi / Solidity (reproduction — Damn Vulnerable DeFi, not novel discovery) embedded, IoT, OT/SCADA, robotics OSS … and more in development!

now let’s talk numbers

XBEN — XBOW’s own 104-challenge suite: • black-box: 90.1% pass@1 from the single-agent exploit loop (worst single sweep 91/104 = 87.5%) — clearing XBOW’s past self-reported 85% on their own suite. gpt-5.5. • white-box (source staged, reported separately): 98.7% pass@1, worst single sweep 102/104 = 98.1%. every solved flag graded reported-vs-expected against the challenge’s own committed flag oracle — verify-claims recomputes the pass/fail from committed artifacts. looks like we need new benchmarks

Cybench — the 40-task academic bench (Opus 4.8, hints + writeups stripped): 23/40 = 58% single-run, hint-free pass@1 — real exploits (format-string pwn, eval-jail escapes, crypto oracles), every flag graded vs a committed oracle. (Anthropic reports 76.5% pass@10)

CVE-Zero — we pointed it COLD at real CVEs disclosed in 2026, AFTER the model’s training cutoff: 10 unseen 2026 CVEs across 7 languages — prompts never tuned on them. a single agent pinned 8/10 to exact file/line/CWE (stable under re-scoring); the full pack surfaced all 10. memorization AND overfitting, both off the table — it’s finding real vulns whose disclosures landed AFTER the model’s training cutoff. (n=10, reported honest & directional)

the architecture: either run as a SINGLE agent (already the benchmarked, incredibly-capable path) — or pack-hunt with dozens of agents running on 8 specialist operator classes keyed to Cyber Kill Chain + MITRE ATT&CK phases: recon → scan → exploit → lateral → exfil → persistence → C2 → report.

an Op Admiral plans the whole op from a plain-english target. flip on coordination (experimental) and the operators share a blackboard — a tool-verified finding spawns the next move. full swarm or solo one operator, your call. the admiral can also update the prompts, tools, and configs of the other agents on the fly, and T3MP3ST gets stronger the more memories you build!

the Arsenal is comprehensive — nmap / nuclei / semgrep / ffuf / gobuster + more. 35 wired by default (the clean bench runs bash-only for a comparable number), 83 with the opt-in full arsenal (T3MP3ST_FULL_ARSENAL), and the spicy post-ex drivers (metasploit, hydra) gated behind human approval. exposed via CLI + HTTP API; recon (security_recon) is also live over MCP so your agent invokes it natively.

where this goes: a self-improving swarm of specialist operators wielding a full Kali+ arsenal, learning which loadouts + configs are the most efficient tactics available, WITH a held-out train/test split baked in so it can never fool itself on its own eval. built in the open, one re-derivable number at a time.

this is v1, and parts are still under active development. chunks of the arsenal, the coordinated swarm, and some ranges are still being wired up. it’s built in the open, and the receipts tell you exactly what’s live vs what’s roadmap.

offensive security shouldn’t be pay-to-play. T3MP3ST puts a red team in the hands of anyone with a coding agent.

what’s the first target you’re feeding it?

DISCLAIMER: FOR AUTHORIZED USE ONLY. point it only at systems you own or have explicit written permission to test. unauthorized access can be a crime, and that call is yours alone. shipped as-is under AGPL-3.0: no warranty, no liability, zero endorsement of misuse. get permission. stay in scope.

open source. AGPL-3.0. 100% free.

FORTES FORTUNA IUVAT

gg


elder-plinius/T3MP3ST

Source: https://github.com/elder-plinius/T3MP3ST

🌩️ T3MP3ST

 ▄▄▄█████▓▓█████  ███▄ ▄███▓ ██▓███  ▓█████   ██████ ▄▄▄█████▓
 ▓  ██▒ ▓▒▓█   ▀ ▓██▒▀█▀ ██▒▓██░  ██▒▓█   ▀ ▒██    ▒ ▓  ██▒ ▓▒
 ▒ ▓██░ ▒░▒███   ▓██    ▓██░▓██░ ██▓▒▒███   ░ ▓██▄   ▒ ▓██░ ▒░
 ░ ▓██▓ ░ ▒▓█  ▄ ▒██    ▒██ ▒██▄█▓▒ ▒▒▓█  ▄   ▒   ██▒░ ▓██▓ ░
   ▒██▒ ░ ░▒████▒▒██▒   ░██▒▒██▒ ░  ░░▒████▒▒██████▒▒  ▒██▒ ░
   ▒ ░░   ░░ ▒░ ░░ ▒░   ░  ░▒▓▒░ ░  ░░░ ▒░ ░▒ ▒▓▒ ▒ ░  ▒ ░░
     ░     ░ ░  ░░  ░      ░░▒ ░      ░ ░  ░░ ░▒  ░ ░    ░
   ░         ░   ░      ░   ░░          ░   ░  ░  ░    ░
             ░  ░       ░               ░  ░      ░

A multi-agent offensive-security framework, built to turn the AI coding agent you already run into a zero-day hunter.

scores: re-derivable   verify-claims 24/24   PRs welcome   License: AGPL-3.0

Your AI coding agent is already a hacker — T3MP3ST hands it an arsenal.

Point it at an authorized target and the kill chain runs itself: recon → exploit → report, from a browser War Room or the CLI, driven by the agent you’re already signed into — Claude Code, Codex, Hermes — or a model you run fully offline (Ollama, LM Studio, vLLM). No new API keys, no cloud tenant, no second bill. Your agent is the brain; T3MP3ST is the war machine bolted around it. Self-hosted storm. Keyless warfare.

And it won’t ask you to take its word for it. On XBOW’s own 104-challenge suite it scores 90.1% pass@1 — above XBOW’s self-reported 85% — alongside hint-free CTF solves and a cold hunt on real, post-cutoff CVEs the model had never seen. Every number in this README recomputes from committed data with one command (npm run verify-claims). Loud about the mission, honest about the build — the status table says exactly what’s live, what’s scaffolding, and what’s still roadmap; full receipts in Benchmarks.

Three things set it apart:

  1. Reproducible. Every number in this README recomputes from committed data — npm run verify-claims re-derives all of them, 24/24 green. A claim that can’t be reproduced doesn’t ship. No trust-me numbers, ever.
  2. Keyless. The AI coding agent already on your machine is the backbone. No API keys, no second bill, no gatekeeper.
  3. Honest about scope. The status table marks exactly what’s stable, experimental, or roadmap — because red-teaming shouldn’t be a priesthood, and it damn sure shouldn’t run on vibes.

Jump toQuick start · What it hunts · What ships today · Benchmarks · Architecture · Docs

⚠️ Authorized use only

T3MP3ST is an offensive security tool, built for authorized testing, research, and education. Point it only at systems you own or have explicit, written permission to test. Unauthorized access to computers, networks, or data is illegal in most jurisdictions — you alone are responsible for how you use this software and for staying inside the law and your rules of engagement. Bring the storm to your targets, not someone else’s.

T3MP3ST is provided as-is under the AGPL-3.0 license, with no warranty and no liability for any damage, loss, or misuse. The authors do not endorse, support, or condone unauthorized activity. Get permission. Stay in scope. Don’t be a menace. 🫡

Why it exists

Offensive security sits behind years of practice and expensive tooling. The bet behind T3MP3ST is that a coordinated agent swarm puts real bug-hunting in reach of people who never got the invite, across web apps, CTFs, smart contracts, source code, and embedded/robotics OSS. That is an ambitious bet, and the sections below are careful to separate what already works from what is still a bet.

What it hunts

DomainWhat it doesStatus
🕸️ Web appsBlack-box, external-attacker recon → exploit (XBEN suite)✅ Stable
🚩 CTFHint-free, sandbox-jailed solves (Cybench)✅ Stable
🤖 Robotics / OT / embeddedCoordinated-disclosure pipeline for OSS vuln hunting (OSV + live-PoC + refuter)✅ Pipeline stable
📂 Source codeWhite-box repo analysis with blind master-builder decomposition⚠️ Python-only ingest
💰 Smart contractsDamn Vulnerable DeFi⚠️ reproduction, not novel discovery

Quick start

Fastest path to a running War Room (keyless, ~2 min to set up; mission time depends on the target):

npm install
npm run server        # War Room → http://127.0.0.1:3333/ui/

In the War Room, open Settings and connect a local agent (Claude Code / Codex / Hermes). Then describe a target to Op Admiral in plain English and launch. The agent you connected is the brain. No key required.

Prefer to bring a key? Set one and skip the connect step:

export OPENROUTER_API_KEY=...     # or VENICE_API_KEY / ANTHROPIC_API_KEY / OPENAI_API_KEY
export XAI_API_KEY=...            # Grok Build (grok-build-0.1) — xAI's coding model, native tool-calling

Or run it fully offline on your own model — no key, no cloud. Defaults to Ollama; point it at any OpenAI-compatible server (LM Studio, vLLM, llama.cpp):

ollama serve && ollama pull llama3                          # or an OpenAI-compatible server
export TEMPEST_LOCAL_BASE_URL=http://localhost:11434/api    # LM Studio: http://localhost:1234/v1
export TEMPEST_LOCAL_MODEL=llama3
npx tempest config                                          # → "Change default provider" → local

Tool-calling works on any local model (it’s driven over text), so the Arsenal runs even on models without native function-calling.

Check the numbers for yourself:

npm run verify-claims             # re-derives every headline from committed JSON in bench/

Library/SDK usage, the full HTTP API, and MCP setup live in docs/.

What ships today

The framework is an 8-operator kill chain, and this table won’t blow smoke about it. Recon is a live, tool-backed engine — and the teeth are already real: 90.1% pass@1 on XBEN, 8/10 held-out post-cutoff CVEs pinned to exact file/line/CWE, and a coordinated-disclosure pipeline that’s live enough to have drafts held for vendor coordination right now. What’s not proven is the swarm. Each downstream operator — Exploiter, Infiltrator, Exfiltrator, Ghost — runs the same real, tool-backed ReAct loop as recon (real exploit tools, not stubs), but the headline numbers came from a single agent, not the coordinated 8-operator cell, and end-to-end swarm exploitation is unbenchmarked and still unreliable. The engine is real; the swarm is the part still earning its stripes. Loud where we’ve earned it, blunt about the rest.

ComponentStatusNotes
Re-derivable measurement (verify-claims)✅ Stableevery headline recomputes from committed artifacts
Recon engine✅ Stabledrives nmap / DNS / HTTP / fingerprinting; every finding traces to real tool output
Mission engine + War Room + Op Admiral✅ Stablekeyless through a connected local agent
Arsenal, MCP server, HTTP API✅ Stable35 built-in tools by default; 83 with the opt-in T3MP3ST_FULL_ARSENAL (+48 adapters, with the dangerous post-ex drivers — metasploit, hydra — behind a human-approval gate) — both counts re-derive via verify-claims. security_recon over MCP
Egress-scope containment✅ Stable (on by default)once a mission target is set, built-in networked tools refuse off-scope public hosts — not the target/subdomains, not loopback/private (SCOPE DENIED) — a tightened default, not a bare tool runner
Coordinated-disclosure pipeline✅ StableOSV novelty + live PoC + refuter panel + CVSS; drafts only, a human sends
White-box source analysis⚠️ ExperimentalPython-only regex ingest; multi-model decomposition costs more tokens, not fewer
DeFi (Damn Vulnerable DeFi)⚠️ Experimentalreproduces known exploit classes; not novel discovery
Exploiter / Infiltrator / Exfiltrator / Ghost⚠️ Experimentalrun the real tool-backed ReAct loop (same engine as recon); unproven as a coordinated swarm — single-agent is the benchmarked path, live swarm exploitation still unreliable
Advanced modules (cloud, persistence, swarm, cognition)🚧 Plannedinterface-only in src/stubs/
Self-improvement loop🧪 Researchrecords lessons + proposals today; feeding them back into planning is roadmap

Full feature-by-feature breakdown: FEATURES.md.

Coverage by domain

Where the storm reaches today — and where it’s headed. Same discipline as everything else: a domain is ✅ only when there’s a receipt behind it.

DomainWhat it coversStatus
🕸️ Webapps, APIs, auth flows, OWASP Top 10Core — XBEN 90.1% pass@1
📂 Codewhite-box source audits, SAST-style vuln huntingProven (hunt result) — held-out CVE-Zero: single-agent 8/10 exact file/line/CWE, 10/10 found (7 languages); the repo-ingest engine itself is still ⚠️ experimental
🚩 CTFwargames, practice ranges, challengesProven — Cybench 23/40 hint-free
🔌 Network / Infrarecon, service/stack fingerprinting; lateral + privesc✅ recon (live nmap/DNS/HTTP engine) · ⚠️ lateral/privesc experimental
🤖 Embedded / IoT / OTfirmware, robotics, ICS/SCADA OSSCVE pipeline live — coordinated-disclosure drafts held for vendors
📦 Supply chaindependency audits, install-without-confirmation⚠️ Real — dedicated class; hit a CWE-829 on the held-out set
💰 Blockchainsmart contracts, DeFi, Solidity⚠️ Reproduction only — Damn Vulnerable DeFi, not novel discovery
☁️ CloudAWS/GCP/Azure misconfig, IAM, serverless🚧 In development
📱 MobileAndroid/iOS app security🚧 In development
🏢 Identity / ADKerberos, pass-the-hash, AD attacks🚧 In development
🔐 Binary / REoverflows, ROP, exploit dev🚧 In development — needs specialized tooling

The class/squad architecture means new domains compose rather than fork — each is a loadout (specialist classes + arsenal + target adapter + a benchmark). 🚧 domains ship dark until they have a number.

Benchmarks

Headline results. Each recomputes from the committed JSON with npm run verify-claims; full methodology and caveats are in the linked docs.

SuiteResultContext
XBEN — XBOW’s 104-challenge suite, black-boxpass@1 mean 90.1% (Wilson-95 86.2–92.9), floor 91/104 · gpt-5.5XBOW self-reports 85% on the same suite; ours re-derives the graded verdict from committed artifacts (raw transcripts stripped for privacy)
XBEN — white-box (reported separately)pass@1 98.7%, best-ball 104/104 · gpt-5.5never blended with the black-box number
Cybench — 40-task academic bench, Opus 4.8, no hints23/40 (58%) hint-free, single-run pass@1 (verify-claims-enforced)not the raw-score record (Anthropic: 76.5% pass@10); every flag graded against the committed oracle
CVE-Zero — 10 real post-cutoff (2026) CVEs, held-out, 7 languagessingle-agent 8/10 exact file/line/CWE (verified all-exact, stable) · 10/10 found (full pack)memorization- & fitting-proof: post-cutoff, and the hardened prompts were never tuned on these; verify-claims recomputes it. n=10, directional; the swarm’s edge here is recall, not a coordination-beats-solo proof

How to read these:

  • Every solved flag is graded against a committed ground-truth oracle — not a self-report — and verify-claims recomputes the pass/fail. Raw per-step transcripts are stripped for operator privacy, so you re-check the graded verdict, not the raw tool output. Zero fabricated, enforced by an anti-fitting guard that runs on every push.
  • Black-box (source withheld) and white-box (source staged) are reported separately and never blended.
  • These ran a single-agent ReAct loop, not the 8-operator swarm. The swarm is framework architecture; it is not what scored these numbers.
  • Results are system-vs-system: this harness driving a strong current model, not an isolated-harness claim.

The number isn’t the flex — the receipt is. A keyless, open-source harness that hands you the re-run instead of asking you to trust it: clone it, run npm run verify-claims, and every verdict above recomputes from its committed oracle in front of you.

Deeper reading: WALL_FORENSICS (per-challenge misses), CYBENCH, INTEGRITY_LEDGER (contamination audit and every retraction), OBSIDIVM (our own live web range).

Documentation

DocContents
FEATURES.mdfeature-by-feature status ([x] shipped / [~] partial / [ ] planned)
SCOPE_AND_AUTHORIZATIONauthority model, scope receipts, evidence and retest rules
TEAM_PREVIEWfirst-run path and review script
INSTALL_MATRIXmacOS / Linux readiness table
ARSENAL_ACTIVATION_PLANoptional external-tool setup
CYBENCH · WALL_FORENSICS · INTEGRITY_LEDGER · COGNITIVE_ARCHITECTUREbenchmark methodology
RELEASE_CHECKLISTthe gates a release must pass

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                        T3MP3ST COMMAND                          │
├─────────────────────────────────────────────────────────────────┤
│   MISSION CONTROL  ◄──  TARGET MODEL  ──►  ARSENAL (TOOLS)       │
│                          ▲                                       │
│   AGENT CELL:  RECON · SCANNER · EXPLOITER · INFILTRATOR ·       │
│                EXFILTRATOR · GHOST · COORDINATOR · ANALYST       │
│                          ▲                                       │
│   EVIDENCE VAULT  ·  CREDENTIAL STORE  ·  FINDINGS LEDGER        │
│                          ▲                                       │
│   OPSEC LAYER  ·  COMMS CHANNEL  ·  LLM BACKBONE                 │
└─────────────────────────────────────────────────────────────────┘

Operators map to MITRE ATT&CK and Cyber Kill Chain phases (recon is live; later phases are scaffolded):

OperatorPhaseMITREFunction
ReconReconnaissanceTA0043OSINT, network discovery, asset enumeration
ScannerDiscoveryTA0007vulnerability scanning, service fingerprinting
ExploiterInitial AccessTA0001exploitation, payload delivery
InfiltratorLateral MovementTA0008post-exploitation, privilege escalation
ExfiltratorCollection / ExfilTA0009/10data extraction, credential harvesting
GhostPersistenceTA0003persistence, stealth, cleanup
CoordinatorCommand & ControlTA0011mission control, orchestration
AnalystAnalysispattern analysis, reporting

Providers: OpenRouter, Venice, Anthropic, OpenAI, or a keyless local agent (Claude Code / Codex / Hermes). Set OPENROUTER_API_KEY / VENICE_API_KEY / ANTHROPIC_API_KEY, or connect an agent in Settings.

Integrations: node dist/mcp-server.js exposes security_recon to MCP-aware agents. npm run server starts the HTTP API (POST /api/mission/start, GET /api/mission/status, and more). Full reference in docs/.

Contributing — join the swarm

Red-teaming shouldn’t be a priesthood. Bring an adapter, a prompt pack, a runbook, a new arsenal tool, or a bug report.

One rule, non-negotiable: everything here is for authorized testing only. Owned, scoped, or consenting targets. Build for defenders, or don’t build it here.

  1. Fork it, branch it.
  2. Open a PR with tests. If you touch a headline number, npm run verify-claims has to stay green.

Release process and gates: RELEASE_CHECKLIST.

License

AGPL-3.0. See LICENSE.


Fortes fortuna iuvat — fortune favors the bold.

⊰•-•✧ LOVE PLINY ✧•-•⊱ 🌩️

Similar Articles

pingdotgg/t3code

GitHub Trending (daily)

T3 Code is a minimal web GUI for coding agents supporting Codex and Claude, available as a desktop app and CLI tool across multiple platforms.