Security Research
In-depth analysis, insights, and best practices from our security team

We don't just tell you what's vulnerable. We prove it.
When a new CVE drops, security teams ask the same question. Is this actually exploitable, or just noise?
CVSS gives you severity. EPSS gives you probability. But neither gives you proof.
We rebuilt Strobes Intelligence to answer that question definitively. Our AI agents read advisories, reason through exploitation requirements, spin up labs, and validate exploitability through actual exploitation attempts.
Here's how it works.
Four components work together. Extended thinking for deep analysis. Skills for specialized exploitation knowledge. Sandboxed labs for safe testing. Autonomous loops for persistent iteration.
Before attempting exploitation, the agent reasons through the vulnerability systematically.
┌─────────────────────────────────────────────────────────────┐
│ THINKING │
├─────────────────────────────────────────────────────────────┤
│ │
│ I need to understand this vulnerability before testing. │
│ │
│ ROOT CAUSE │
│ The patch shows input validation was added to the parser. │
│ User-controlled data was passed directly to unsafe function.│
│ │
│ PREREQUISITES │
│ - Must reach the vulnerable endpoint │
│ - Must send data in expected format │
│ - Authentication may or may not be required │
│ │
│ HYPOTHESIS │
│ If authentication is required, can a low-privilege user │
│ still trigger this? That would be privilege escalation. │
│ │
│ PLAN │
│ 1. Test with no authentication │
│ 2. Test with minimal privileges │
│ 3. Document which configurations are vulnerable │
│ │
└─────────────────────────────────────────────────────────────┘
This isn't pattern matching. The agent builds a mental model of the vulnerability and plans its approach before touching a lab.
Skills are modular expertise packages. When the agent encounters a Java deserialization flaw, it activates Java exploitation skills. When it finds an API vulnerability, it loads API security skills.
┌─────────────────────────────────────────────────────────────┐
│ SKILL ACTIVATION │
├─────────────────────────────────────────────────────────────┤
│ │
│ Detected: Java application with custom binary protocol │
│ │
│ Activating: │
│ ✓ java_deserialization_skill │
│ ✓ binary_protocol_skill │
│ │
│ Loading: │
│ - Known gadget chains │
│ - Payload templates │
│ - Bypass techniques │
│ │
│ Ready for exploitation attempt. │
│ │
└─────────────────────────────────────────────────────────────┘
Each skill encodes knowledge that would take a researcher hours to assemble.
The agent spins up isolated environments matching the target configuration and attempts real exploitation.
┌─────────────────────────────────────────────────────────────┐
│ LAB SESSION │
├─────────────────────────────────────────────────────────────┤
│ │
│ [Deploying] Target application v2.7.3 │
│ [Config] Network isolated, no internet access │
│ [Config] Resource limits applied │
│ │
│ [Agent] Target is up. Sending payload... │
│ │
│ [Alert] Anomaly detected on target │
│ - Unexpected process spawned │
│ - Connection attempted (blocked by sandbox) │
│ │
│ [Result] EXPLOITATION CONFIRMED │
│ - Evidence captured │
│ - Reproduction steps documented │
│ │
└─────────────────────────────────────────────────────────────┘
No simulation. Real exploitation in a safe environment.
Real attackers don't try once and give up. Neither do our agents.
If a payload fails, the agent analyzes why. Wrong format? Try another. Blocked by WAF? Attempt bypass. Different endpoint vulnerable? Test it.
┌─────────────────────────────────────────────────────────────┐
│ ITERATION LOG │
├─────────────────────────────────────────────────────────────┤
│ │
│ Attempt 1: Standard payload │
│ Result: Blocked - format not recognized │
│ Analysis: Application uses custom format, not standard │
│ │
│ Attempt 2: Custom format payload │
│ Result: Blocked - authentication required │
│ Analysis: Need valid credentials │
│ │
│ Attempt 3: Authenticate as low-privilege user │
│ Result: SUCCESS - code execution achieved │
│ Finding: Privilege escalation confirmed │
│ │
└─────────────────────────────────────────────────────────────┘
This persistence is what separates validated intelligence from theoretical risk.
Instead of "CVE-XXXX affects 47 assets," you get validated findings with evidence.
┌─────────────────────────────────────────────────────────────┐
│ VALIDATED FINDING │
├─────────────────────────────────────────────────────────────┤
│ │
│ CVE: CVE-2024-XXXXX │
│ Status: CONFIRMED EXPLOITABLE │
│ │
│ Tested Configurations: │
│ Default install (no auth): VULNERABLE │
│ With auth (admin user): VULNERABLE │
│ With auth (read-only user): VULNERABLE │
│ │
│ Impact: Any authenticated user can crash the server │
│ Evidence: Reproduction steps + packet capture attached │
│ │
│ Affected Assets in Your Environment: 4 │
│ - 2 internet-facing (CRITICAL) │
│ - 2 internal (HIGH) │
│ │
└─────────────────────────────────────────────────────────────┘
We recently used this methodology to discover and validate several critical vulnerabilities in Apache Solr.
Our agents identified multiple privilege escalation paths, denial of service vectors, and attack chains that affect default and authenticated configurations. We've reported these findings to the Apache Security team through responsible disclosure.
Once the vulnerabilities are patched and disclosed, we'll publish a detailed technical breakdown showing exactly how our AI agents found them.
Stay tuned.
If you're a Strobes customer, this capability is live in your Threat Intelligence module.
"Analyze this CVE for exploitability in my environment"
Watch the thinking process unfold. See the lab spin up. Get validated results.
Not a customer yet? Request a demo to see it in action.
Strobes Intelligence. Not just what's vulnerable. What's actually exploitable.