@trenchwork/vigil
v2.0.25
Vigil — a defensive-cyber terminal agent for Computer Network Defense. Asset discovery, vulnerability assessment, hardening, detection engineering, threat hunting, incident response — on the infrastructure you defend.
Vigil — Defensive Cyber Agent with Autonomous Exploit Chaining
1,619 Live CVEs · 402 Exportable · 57 Threat Actors · 7 MCP Servers · 49 Tools · 228+ ECCN Classifications
85 Test Suites · 1,119 Tests · 0 Failures · DeepSeek V4 Pro Powered
28 PATCH_VERIFIED Exploit Chains · 24 Verified CVE Chains · 6 Trenchwork Proprietary Tools
Built by Trenchwork · [email protected]
Vigil CLI · Exploit Chains · Inventory · ECCN Chain · Variant Chain · Status
Vigil is a CND-gated defensive cyber agent that orchestrates Ghidra MCP and Kali MCP through three authorization tiers — CND (defense), CNE (exploitation), CNA (attack). Beyond variant and regression analysis, Vigil now features a full exploit chaining engine with 6 primitive classes, A*/beam search, evidence-graded chains, delta-debugging minimization, and minimum cut defensive remediation.
Core Capabilities
Exploit Chaining Engine (src/core/exploitChaining.ts — 600+ lines)
| Component | Description |
|-----------|-------------|
| 6 Primitive Classes | reachability, information_disclosure, memory_corruption, identity_authorization, isolation_escape, stability |
| Chainability Matrix | M[i][j] = Compat(Post(Pᵢ), Pre(Pⱼ)) — scored 0..1 with evidence matches/gaps |
| A*/Beam Search | Configurable depth (12), beam width (8), min confidence (0.4), assumption debt (5), timeout (30s) |
| Chain Minimization | Delta debugging — removes redundant middle primitives while preserving ≥90% impact |
| Evidence Grading | 6-level: CONCEPTUAL → ENVIRONMENT_SATISFIABLE → INDIVIDUALLY_REPRODUCED → END_TO_END_REPRODUCED → IMPACT_VALIDATED → PATCH_VERIFIED |
| Minimum Cut | Shared precondition identification — cheapest fix that breaks ALL chains |
| Assumption Debt | Rejects chains with >5 unverified environment assumptions |
| Lexical Hallucination Rejection | Keyword matching ≠ chainability — requires verifiable state transfer |
| CLI Display | formatChainDisplay() — evidence bars, compatibility %, gap warnings, min cut |
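The assumption-debt filter and the minimum-cut remediation step from the table, sketched as an added example (this is not Vigil's source code). The type and function names, the precondition labels and the fix costs are hypothetical and constructed here; only the debt limit of 5 comes from the table.

```typescript
// Added illustration, not Vigil's source. Type names, function names and
// the sample chains below are hypothetical and constructed for this example.
type Chain = { id: string; preconditions: string[]; unverifiedAssumptions: number };

const MAX_ASSUMPTION_DEBT = 5; // limit stated in the table above

// Assumption debt: reject chains resting on too many unverified assumptions.
function withinDebt(chains: Chain[]): Chain[] {
  return chains.filter((c) => c.unverifiedAssumptions <= MAX_ASSUMPTION_DEBT);
}

// Minimum cut as a min-cost hitting set: the cheapest set of preconditions to
// fix so that every chain loses at least one. Exhaustive over subsets, which
// is exact and practical for up to roughly 20 distinct preconditions.
function minimumCut(chains: Chain[], fixCost: Record<string, number>) {
  const pre: string[] = [];
  for (const c of chains)
    for (const p of c.preconditions) if (pre.indexOf(p) < 0) pre.push(p);
  pre.sort();
  let best = { fixes: [] as string[], cost: Infinity };
  for (let mask = 0; mask < (1 << pre.length); mask++) {
    const chosen = pre.filter((_, i) => (mask & (1 << i)) !== 0);
    let cost = 0;
    // A precondition with no known fix cost is treated as unfixable.
    for (const p of chosen) cost += p in fixCost ? fixCost[p] : Infinity;
    if (cost >= best.cost) continue;
    const breaksAll = chains.every((c) =>
      c.preconditions.some((p) => chosen.indexOf(p) >= 0));
    if (breaksAll) best = { fixes: chosen, cost };
  }
  return best;
}

// Constructed sample data: four candidate chains and per-precondition fix costs.
const sampleChains: Chain[] = [
  { id: "A", preconditions: ["ssrf_reachable", "imds_v1_enabled", "broad_iam_role"], unverifiedAssumptions: 1 },
  { id: "B", preconditions: ["exposed_debug_port", "imds_v1_enabled"], unverifiedAssumptions: 2 },
  { id: "C", preconditions: ["ssrf_reachable", "weak_kms_policy"], unverifiedAssumptions: 0 },
  { id: "D", preconditions: ["legacy_vpn", "flat_network"], unverifiedAssumptions: 7 },
];
const sampleCost: Record<string, number> = {
  ssrf_reachable: 5, imds_v1_enabled: 2, broad_iam_role: 4,
  exposed_debug_port: 1, weak_kms_policy: 3, legacy_vpn: 8, flat_network: 9,
};

console.log(minimumCut(withinDebt(sampleChains), sampleCost));
```

Chain D is dropped for exceeding the debt limit, so remediation effort is not spent on a path that rests on seven unverified assumptions; the remaining three chains are all broken by two fixes.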
/loop AI Self-Prompting
DeepSeek V4 Pro generates optimal, unique prompts each /loop iteration across 6 domains (CND, cybersecurity, CNE, exploit-chaining, general coding, CNA). Pre-generation pipeline eliminates round-trip latency. Circuit breaker after 3 consecutive API failures.
Parallel Tool Execution
Automatic parallel tool resolution (resolveToolCalls) with chunked execution (8 per batch), tool result caching with TTL eviction, behavioral loop detection, and semantic deduplication.
Multi-Agent Spawning
AgentWorkerPool with round-robin/least-busy/priority/random load balancing. Sub-agent timeout (30s), output truncation (8K chars), worker failure recovery, and graceful pool destruction.
Trenchwork Proprietary Tools
| Tool | Class | Capability |
|------|-------|------------|
| Anvilwing CLI | Offensive Security CLI | Autonomous pentesting, Ink UI, DeepSeek V4 Pro, Kali MCP, JA4 rotation (20 profiles) |
| Forge | Payload Factory | Polymorphic shellcode, Ghidra binary diff, CNA-gated, self-destruct timers |
| Glasshouse | OSINT / Attack Surface Mapper | 15+ data sources, AI-powered analysis, structured reporting |
| Crucible | Binary Hardening Verifier | ELF/PE/Mach-O audit, CIS/STIG/PCI-DSS compliance, AI remediation flags |
| Chimera | C2 Multi-Protocol Fabric | 8 protocols, automatic failover, JA4 rotation (50 profiles), ChaCha20-Poly1305 |
| Oculus | Vulnerability Research Engine | AFL++ fuzzing, angr symbolic execution, CodeQL, AI PoC generation |
Verified Systems (June 2026)
28 PATCH_VERIFIED exploit chains across 15 system categories:
| System | Chains | Coverage |
|--------|--------|----------|
| Linux Kernel 6.x | 3 | FGKASLR, glibc+KVM, BPF hardening |
| Windows NT 10+ / AD | 3 | SMB+LDAP, AD CS ESC1, EWS hardening |
| macOS XNU / SIP / TCC | 3 | TCC+IOKit, launchd sig, MDM payload |
| Cloud / Container | 4 | IMDSv2, RBAC+seccomp, WIF, cosign+Kyverno |
| Web / API | 2 | SSRF+KMS, GraphQL introspection |
| Database | 3 | scram+isolation, ACL+seccomp, TLS+X.509 |
| Mobile (Android/iOS) | 2 | seccomp+KASLR+PAC, JIT+APGA+KTRR |
| Embedded / IoT | 1 | Secure boot+W^X+Ed25519 |
| Network (BGP) | 1 | RPKI+BGPsec |
| Hypervisor (KVM/QEMU) | 1 | SEV-SNP+seccomp |
| Firmware (UEFI) | 1 | Boot Guard+SMM lock |
| CI/CD (GitHub Actions) | 1 | OIDC+Environments |
| EDR/XDR | 1 | VBS+HVCI+Tamper |
| Cryptographic (TLS) | 1 | PSK binder+0-RTT disable |
| Identity (Okta/Entra) | 1 | SAML sig+token binding |
Full inventory: exploit-chain-inventory/
How Vigil Orchestrates Ghidra & Kali
                  VIGIL
   intent · authorization · policy · audit
            /                     \
           ▼                       ▼
      Ghidra MCP                Kali MCP
 static understanding      runtime validation
           \                       /
            └──── evidence ──────┘
Beyond Variant Analysis — Ghidra MCP
| Stage | Ghidra Output | Vigil Orchestration |
|---|---|---|
| Patch diff | Changed basic blocks, new branches, modified constants | Maps to semantic invariant: what security property changed? |
| Root cause | Affected function, vulnerable data/control flow | Generates bounded safe validator + differential test |
| Variant discovery | Same-program siblings, branch variants, architecture variants | Ranks by reachability, patch-check absence, component reuse |
| Code clone | Structurally similar functions across forks/downstream | Cross-references SBOM + CPE + dependency provenance |
| Binary diff | Patched vs unpatched executables | Differential execution: positive on vulnerable, negative on fixed |
| Exploit path | Access-control weakness, code path to privilege boundary | Maps to ATT&CK techniques + feeds exploit chaining engine |
Beyond Regression Analysis — Kali MCP
| Stage | Kali Output | Vigil Orchestration |
|---|---|---|
| Discovery | nmap service scan, nikto web assessment | Scoped to signed target authorization only |
| Validation | Bounded test on disposable VM | Differential: vulnerable VM vs patched VM vs candidate variant |
| Surface audit | Metasploit auxiliary modules (read-only) | Gated behind CNE authorization tier |
| Active test | Service interaction, configuration probing | Gated behind CNE + human approval |
| Effects | Payload generation, service modification | Gated behind CNA authorization tier |
| Forensics | Packet capture, memory acquisition, log collection | Chain-of-custody artifacts for audit trail |
Authorization Tiers — CND · CNE · CNA
| Tier | Access | What It Unlocks | Gate |
|---|---|---|---|
| CND | All users | Vulnerability scanners, validators, SBOM, KEV/EPSS, detection engineering, threat hunting, Ghidra read-only binary analysis, Crucible hardening verifier | Default |
| CNE | Admin-granted | Ghidra MCP full (decompile, binary diff, variant hunt), Kali MCP active scanning, exploit path mapping, ATT&CK chaining, target enumeration, Glasshouse OSINT, Oculus vulnerability research | [email protected] via Firebase |
| CNA | Admin-granted | Full Kali MCP (metasploit, payload gen), Forge payload factory, Chimera C2 fabric, Anvilwing autonomous pentesting, cloud resource modification, autonomous effects | Direct [email protected] sign-off |
Vigil Ink CLI
npm install -g @trenchwork/vigil
vigil
Three commands: /login (Trenchwork account, server keys), /connections (provider keys + live validation), /model (DeepSeek V4 Pro/Flash). Authorization tiers are displayed on the welcome banner: CND: ✓ CNE: ✗ CNA: ✗. Request an upgrade at trenchwork.org/access.
/loop command runs autonomous AI self-prompting across 6 domains. No manual prompting needed — DeepSeek V4 Pro generates optimal prompts each iteration.
Live CVE Catalog — 1,619 CVEs · ECCN Classified
Auto-ingested from CISA KEV every 6 hours. 1,205 EAR99 (public), 402 4D004-review (controlled, exportable under US law), 12 5D992 (mass-market crypto, NLR). 0 restricted CVEs in public catalog. Live: trenchwork.org/status.
Test Suite
85 test suites, 1,119 tests, 0 failures — every test generates dynamically unique prompts via DeepSeek V4 Pro. Key test files:
| File | Tests | Focus |
|------|-------|-------|
| exploitChaining.test.ts | 38 | Core engine: normalization, chainability, graph, search, minimization, evidence, display |
| exploitChaining-long-horizon.test.ts | 26 | Ultra long-horizon: DeepSeek dyn gen, 50-iteration, debt overflow, explosion guards |
| exploitChaining-real-systems.test.ts | 23 | Real systems: 8 OS platforms, cross-system comparison, AI-generated unique chains |
| trenchwork-tools-extreme-horizon.test.ts | 27 | All 6 Trenchwork tools: Anvilwing, Forge, Glasshouse, Crucible, Chimera, Oculus |
| agentWorkerPool.test.ts | 42 | Worker lifecycle, pool ops, load balancing, failure recovery, concurrency |
| agentSpawningWiring.test.ts | 36 | Parallel sub-agent validation, timeouts, semaphores, cache atomicity |
| ultra-long-horizon-parallel.test.ts | 44 | All 5 domains: coding pipeline, CND/CNE/CNA/cybersecurity parallel ops |
| parallelCoordinator.test.ts | 42 | Worker pool + multi-agent + domain pipeline coverage |
Full Pipeline
- Exploit Chaining Engine — 6 primitive classes, A*/beam search, evidence grading, min cut
- Trenchwork Tools — Anvilwing, Forge, Glasshouse, Crucible, Chimera, Oculus
- ECCN Chain — 5-tier deterministic classification + Tavily OSINT + DeepSeek v4 Pro adjudication
- Variant Chain — CVE → Ghidra binary diff → 7 variant types → ATT&CK mapping → Kali validation → regression
- 57 Threat Actors — Microsoft weather designations, Mandiant APT numbers, CrowdStrike cross-references
- 7 MCP Servers — Kali tools, Ghidra, network defense, threat feed, endpoint defense, cloud security, API security
- EC2 Pipeline — Daily Spot instance (c6i.xlarge, ~$0.11/scan), self-terminating
- Exploit Chain Inventory — Full documentation at exploit-chain-inventory/ and trenchwork.org/inventory
License
Proprietary. © Trenchwork. trenchwork.org · [email protected]
ECCN 4D004. CND for all. CNE + CNA gated behind admin authorization.
