Autonomous Exploit Generation

Autonomous Exploit Generation (AEG) — the automated construction of working, validated exploits from vulnerability descriptions or disclosures, without human analyst involvement in the derivation of the exploit logic. In 2026, frontier AI models have shifted AEG from a research curiosity to a production-operational capability exercised at CISA KEV scale.

Defining Properties

Autonomous exploit generation requires three properties to be meaningful:

  1. No pre-existing POC dependency: the system must derive the exploit from the vulnerability description and patch diff alone, not from prior public proof-of-concept code. Systems that “exploit” CVEs by re-packaging existing POCs are not AEG.
  2. Validated execution: the exploit must be confirmed to work against a vulnerable target and fail against the patched version. Claimed exploits without execution validation are theoretical.
  3. Without human exploit logic: human review of pipeline outputs (HITL for safety or quality) is permitted; human derivation of the exploitation chain is not.

Production Instances (2026)

SystemOperatorKEV/CVE Success RateMethodStatus
MOAK EngineMOAK (stealth startup)174/178 KEVs (97.8%); 98% on post-cutoff benchmark (Claude Opus 4.6)5-agent pipeline; multi-model Researcher swarm; Docker CTF validation; Judge supervisionClosed; live dashboard
XBOW / MythosXBOW + Anthropic181 working Firefox exploits vs Opus 4.6’s 2; 72% exploit success rate (Apr 2026 preview)Frontier-model + XBOW harnessPrivate preview
Codex SecurityOpenAI10 CVEs from OSS responsible disclosure; 92% recall on internal golden reposAgentic pipeline; sandboxed validationCommercial preview
OpenAntKnosticDiscovery-side; exploitation verification stage includedSix-stage pipeline; Adversarial Reflexion FP controlOSS

The MOAK Architecture as Reference Pattern

The MOAK pipeline is the most fully documented AEG system published to date. Its key architectural choices have generalizable lessons:

Guardrailed information access — the Collector is restricted to no-POC sources; downstream agents operate without external access. This enforces the “no POC dependency” property above and is claimed as a first for full new-CVE simulation.

Primitive-chain graph research — the Researcher constructs a directed graph of exploitation primitive chains before attempting to code the exploit. Multi-model swarm with rotating roles (Prioritizer / Lead Researchers / Contrarian / Verifier) prevents groupthink from anchoring on a single exploitation path.

CTF-style validation — the Builder provisions a vulnerable + patched Docker environment pair with a secret flag. The Exploiter must capture the flag and fail on the patched environment. This eliminates false positives at the validation layer (not via prompt engineering).

Judge supervision — a dedicated adversarial checker verifies that the exploit uses the actual vulnerability rather than accidentally-provided workarounds (e.g., admin credentials the Builder exposed). Analogous in function to Adversarial Reflexion but applied to the Builder/Exploiter relationship rather than discovery.

Capability Threshold (2026)

The MOAK model benchmark documents a sharp capability inflection between models with Sep ‘25 cutoffs (15–22% exploitation rate) and models released in Feb–Mar ‘26 (76–98%). The frontier cohort as of early 2026:

  • Claude Opus 4.6: 98%
  • GPT 5.4: 90%
  • Gemini 3.1 Pro: 76%

The 4–6× jump within approximately five months (Sep ‘25 → Feb ‘26) is the empirical marker of AEG crossing the operational threshold. Below ~75%, AEG requires extensive HITL to be production-useful. Above ~90%, the human bottleneck is removed for the containerizable/high-level-language CVE class.

Scope Limits (2026)

Current AEG systems converge on the same acknowledged limits:

  • Complex closed-source frameworks (e.g., Firefox, proprietary enterprise software) — require more HITL or specialized tooling.
  • Low-level / native code CVEs at scale — achievable but harder; MOAK reports “similar results” for C CVEs in containers.
  • Non-containerizable environments — architectural; the CTF validation pattern requires an isolated executable environment.

Defender Implications

AEG at 97%+ success on KEVs is the mechanistic explanation for the Zero Day Clock’s 9-hour mean TTE in 2026. The human analyst bottleneck — the traditional reason exploits took days or weeks to develop post-disclosure — is removed. Defenders can no longer rely on exploitation-development time as a patch-window buffer.

Operational response: VulnOps — a continuous, automated vulnerability-operations function designed to match machine-speed discovery with machine-speed remediation. Periodic patch management (weekly or quarterly cycles) is structurally outmatched by AEG at scale.

Open: non-KEV CVEs and disclosure-to-exploit pipeline latency

MOAK and published systems focus on CISA KEVs — vulnerabilities already confirmed exploited in the wild. The more concerning question — what fraction of all new CVEs are autonomously exploitable within hours of disclosure — is not yet publicly measured. The KEV success rate is a lower bound on the broader exploitability surface.