Technical Whitepaper

How we engineered
the
Strobes AI
harness

The architecture behind the Strobes AI harness, and how it proves findings, enforces scope, and runs a full engagement without a human in the loop.

READ TIME

~25min

LENGTH

29pages

DEPTH

18sections

Free · instant access · no spam

Strobesstrobes
Technical Whitepaper

Strobes AI · Architecture

How We Engineered

the

Strobes AI Harness

A model can find a vulnerability. The harness around it proves the finding, enforces scope, and sustains a full engagement.

DOCUMENTArchitecture
VERSION1.0
LENGTH29 pages
READ~25 min
strobes.co
82.9% sustained cache hit rate
Scope enforced at the network layer
What the architecture covers

Inside the paper.

04The agent loop and interleaved reasoning
05Context engineering: trim, mask, compact, clear
08Multi-agent orchestration and per-task model routing
09Verification: the proving subsystem
12Network-layer scope enforcement
17An engagement that builds itself

“The harness is the part you own, where reliability, cost, scope control, and correctness are decided. The harness is the product.

— Strobes AI · Architecture Whitepaper v1.0
The Problem

Signature scanners never replaced human testers. The gap is structural.

A model given a CVE write-up exploits one-day bugs ~87% of the time. Remove the write-up and discovery drops to ~7%. Finding a candidate is reasoning. Proving it in a live system is execution, and that is exactly where bare models fail.

The numbers behind the engineering.

0Of critical web bugs are business-logic flaws like IDOR and BOLA, the class scanners cannot touch and the harness is built to prove.
0Sustained cache hit rate, held month over month, measured from split cache-read vs cache-write accounting.
0Cut on the largest cost line. A cached read costs roughly 10% of a fresh read at current provider pricing.
What's inside the harness

An unreliable model, made to behave like a reliable product.

The harness is the deterministic system wrapped around a non-deterministic model. It is the sum of six subsystems, each one code you own and version.

The agent loop

Interleaved reasoning after every tool result. Disable it and every multi-step attack dies the moment the model emits text.

Context engineering

Trim, mask, compact, clear. The whole window is managed as a stack so the model stays sharp across a six-hour run.

Prompt caching

A stack layout that splits static from volatile content, holding an 82.9% sustained cache hit rate and ~10x off the largest cost line.

Tools vs skills

Build a tool only when the harness must own the result. Everything else is a skill the model reads and runs via the shell.

Verification

An adversarial verifier sub-agent cross-examines every claim. No proof, no finding. A low false-positive rate is the differentiator.

Scope enforcement

Enforced at the network layer, not in the prompt. Out-of-scope requests are blocked before a packet leaves.

The shape of a run

Scope, fan out, verify, report.

Four phases. Every engagement follows the same shape, whether it runs for two hours or six.

Step 01 / 04
01

Scope & plan

The coordinator scopes the engagement and plans the work before any agent touches a target.

Step 02 / 04
02

Fan out

A fleet of isolated sub-agents works many targets in parallel, each in its own context.

Step 03 / 04
03

Human handoff

Hand a live browser to a person for MFA or SSO, then the agent picks the session back up.

Step 04 / 04
04

Verify & report

Verified findings and a report, with every claim proven by the adversarial verifier.

Watch the walkthrough

How we built the Strobes AI
harness.

A walkthrough of the architecture behind the Strobes AI harness, from the agent loop and context engineering to the verification subsystem and network-layer scope enforcement.

Strobes Security · Architecture Walkthrough

The one-line takeaway

The harness is the product.

Read how Strobes AI turns model output into verified offensive work.

See the harness run against your target

The architecture paper is the map. A live run is the proof. Talk to us about running the Strobes AI harness against your own application — network, API, cloud, or source-level review in one workspace.

Join 150+ security teams already reducing exposure with Strobes