Agents & Pipeline

CyberSecurity AD is the Infrastructure Research layer of the Xcom.dev intel network. The Penetration_Testing_CyberSecurityAD Agent collects CVE threat intel, enriches and maps it via NVD and MITRE ATT&CK, scores deterministically, and — only within a registered scope allowlist — runs authorized scans.

The intel network

  • Xcom.dev (Intel Network): the threat-intel source; forum.xcom.dev/c/threat-intel feeds new CVE posts into the pipeline.
  • Agent-AIX.com (Intelligence Research): the reasoning layer where enriched intel becomes prioritized defense alerts.
  • CybersecurityAD.com (Infrastructure Research): the agent runtime, namely FastAPI, SQLite, Qdrant, ScopeGuard, and authorized nmap/nuclei validation.

The pipeline — phase by phase

  1. Threat-intel ingest. The agent polls forum.xcom.dev/c/threat-intel via the Discourse admin API, extracts CVE identifiers (regex `CVE-\d{4}-\d+`), and deduplicates on the last-seen topic id.
  2. Storage & vectorization. Posts, CVEs, mappings, and alerts are stored in SQLite; a Qdrant cve_intel collection keeps embeddings for semantic search.
  3. MITRE ATT&CK + NVD enrichment. Each CVE is enriched via the NVD 2.0 API (CVSS, CWE, references) and mapped to techniques via MITRE ATT&CK (STIX 2.1 / TAXII 2.1).
  4. Scoring & reasoning. Deterministic risk math (CVSS × exposure × technique prevalence) plus LLM reasoning over grounded facts compile a defense alert.
  5. Scope-gated validation (openMythos). An alert can trigger a scoped scan plan: ScopeGuard checks the targets, nmap/nuclei validate within scope, findings flow back.
  6. Reporting & audit. Alerts, findings, and audit records are exposed via FastAPI on port 8100; every action is traceable.

Safety model: ScopeGuard

The agent is scope-gated by design. Every active action is bounded by the following guarantees:

  • Scope allowlist as a hard boundary — only pre-registered, owned assets.
  • Dry-run by default, before a single packet is sent.
  • Binary allowlist for tools — never shell=True.
  • Deterministic scoring without eval or dynamic code execution.
  • Grounded LLM output — the language model determines no scores or actions.
  • Full audit log — every decision and action is traceable.
  • No exploitation or data exfiltration — decisions stay with the client.
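How the guarantees above (scope allowlist as hard boundary, dry-run by default, argv-only binary allowlist, deterministic scoring) can be enforced in code, as an added illustration and not the project's own ScopeGuard implementation; the allowlisted networks, tool paths and scoring inputs are constructed placeholders:

```python
import ipaddress
import subprocess

# Constructed scope allowlist: only pre-registered, owned networks (placeholder values).
SCOPE_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24"), ipaddress.ip_network("192.0.2.10/32")]
# Binary allowlist: absolute paths, invoked as argv lists, never shell=True (assumed paths).
TOOL_ALLOWLIST = {"nmap": "/usr/bin/nmap", "nuclei": "/usr/local/bin/nuclei"}
SHELL_META = set(";|&$`<>\n")


def in_scope(target: str) -> bool:
    """True only if target (an IP or CIDR) lies entirely inside a registered network."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False  # hostnames are refused: resolve and register the IPs first
    return any(net.subnet_of(a) for a in SCOPE_ALLOWLIST if a.version == net.version)


def build_scan(tool: str, target: str, extra_args=()) -> list[str]:
    """Return the argv for an allowlisted tool against an in-scope target, or raise."""
    if tool not in TOOL_ALLOWLIST:
        raise PermissionError(f"tool not allowlisted: {tool}")
    if not in_scope(target):
        raise PermissionError(f"target outside registered scope: {target}")
    for arg in extra_args:  # only plain flags, no shell metacharacters or file/script paths
        if not arg.startswith("-") or SHELL_META & set(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return [TOOL_ALLOWLIST[tool], *extra_args, target]


def run_scan(tool: str, target: str, extra_args=(), dry_run: bool = True) -> dict:
    """Dry-run by default: the plan is returned before any packet is sent."""
    argv = build_scan(tool, target, extra_args)
    if dry_run:
        return {"dry_run": True, "argv": argv}
    proc = subprocess.run(argv, capture_output=True, text=True, check=False, timeout=600)
    return {"dry_run": False, "argv": argv, "rc": proc.returncode, "stdout": proc.stdout}


def risk_score(cvss: float, exposure: float, prevalence: float) -> float:
    """Deterministic CVSS x exposure x technique prevalence; pure arithmetic, no eval."""
    if not (0 <= cvss <= 10 and 0 <= exposure <= 1 and 0 <= prevalence <= 1):
        raise ValueError("inputs out of range")
    return round(cvss * exposure * prevalence, 2)
```

An alert's scan plan is produced with the default dry_run=True, so the audit log can record the exact argv before an operator approves the live run.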

Tech stack

  • Runtime: Python · FastAPI (port 8100) · SQLite · Qdrant
  • Intel & mapping: MITRE ATT&CK (STIX 2.1 / TAXII 2.1) · NVD 2.0 REST API (CVSS, CWE)
  • Recon & validation: nmap · nuclei · HackRF SDR (host-only)