Listen to this Post

Introduction:
The line between AI-assisted development and autonomous offensive security has just been erased. T3MP3ST (pronounced “TEMPEST”) is an open-source, AGPL-3.0 licensed meta-harness that takes the AI coding agent you already run—whether it’s Claude Code, OpenAI Codex, Hermes, or a fully local model via Ollama or vLLM—and transforms it into a dedicated, autonomous penetration testing operator. With zero required API keys, no cloud infrastructure, and full offline capability, this framework executes a complete recon-to-exploit kill chain while strictly containing itself to authorized targets.
Learning Objectives:
- Understand the architectural design and multi-agent orchestration layer that powers T3MP3ST’s autonomous red-teaming capabilities
- Master the deployment and configuration of T3MP3ST with both cloud-based and fully local AI models
- Learn to execute a complete penetration testing kill chain—from reconnaissance to exploitation to reporting—using AI-driven automation
- Understanding the T3MP3ST Architecture: The Multi-Agent Orchestration Layer
T3MP3ST is not a vulnerability scanner in the traditional sense. It is a multi-agent orchestration layer that builds a complete operational system around AI agents, encompassing task orchestration, tool calling, evidence management, and OPSEC control. At its heart lies the `TempestCommand` central dispatcher—an event-driven system based on EventEmitter that drives the entire mission loop.
Key Architectural Components:
| Subsystem | Location | Responsibility |
|–|-|-|
| TempestCommand | `src/index.ts` | Lifecycle management, tick execution loop, event forwarding, intelligence synchronization |
| OperatorCell | `src/operators/index.ts` | Agent pool management, spawning/destruction, state aggregation |
| MissionControl | `src/mission/index.ts` | Task queueing, phase transitions, target tracking, Rules of Engagement (RoE) enforcement |
| TargetEnvironment | `src/target/index.ts` | Attack surface modeling, target state machine |
| EvidenceVault | `src/evidence/index.ts` | Findings storage, credential management, CVSS scoring, chain-of-custody |
| Arsenal | `src/arsenal/index.ts` | Tool registry, filtering, execution history, toolchain orchestration |
| LLMBackbone | `src/llm/index.ts` | Multi-provider abstraction, model fallback chains, token budget control |
The 8-Operator Kill Chain:
The framework designs eight distinct operator roles mapped to the MITRE ATT&CK framework and Cyber Kill Chain:
– Recon (TA0043): OSINT, network discovery, asset enumeration
– Scanner (TA0007): Vulnerability scanning, service fingerprinting
– Exploiter (TA0001): Exploit development and payload delivery
– Infiltrator (TA0008): Lateral movement, privilege escalation
– Exfiltrator (TA0009/10): Data extraction, credential harvesting
– Ghost (TA0003): Persistence, stealth, cleanup
– Coordinator (TA0011): Task control, orchestration
– Analyst: Pattern analysis, report generation
Critical Note: While the framework envisions full 8-operator swarm coordination, the benchmarked results (90.1% on XBEN) currently come from the single-agent ReAct loop, not the full multi-agent swarm. The coordinated swarm remains experimental.
2. Keyless Warfare: Deployment Without API Keys
T3MP3ST’s most disruptive feature is its Keyless design. Traditional automated penetration testing platforms require users to configure OpenAI API keys, Anthropic keys, or other cloud model credentials. T3MP3ST eliminates this entirely.
How It Works:
Instead of requesting new API keys, T3MP3ST connects to AI coding agents already authenticated and running on your local machine through their respective official CLIs. The framework communicates via local inter-process communication or the MCP (Model Context Protocol) standard interface.
Deployment Options:
- Cloud-Based Agents: Connect to already-authenticated Claude Code, OpenAI Codex, or Hermes sessions
- Fully Local Models: Run entirely offline using vLLM or Ollama with models like Llama, Mistral, or any GGUF-quantized model
Zero-Trust Containment:
The framework enforces egress-scope containment—networked tools automatically refuse to touch off-scope public hosts. This means even if the AI agent attempts to reach beyond the authorized target, the framework’s OPSEC layer blocks it.
- Step-by-Step: Deploying T3MP3ST with Ollama (Fully Local, Offline)
This guide walks you through deploying T3MP3ST with a fully local Ollama model for completely air-gapped operation.
Prerequisites:
- Node.js (v18 or higher)
- Ollama installed and running
- A local model pulled (e.g., `llama3.1:8b` or
mistral:7b)
Step 1: Clone the Repository
git clone https://github.com/elder-plinius/T3MP3ST.git cd T3MP3ST
Step 2: Install Dependencies
npm install
Step 3: Configure Ollama Connection
Ensure Ollama is running locally (default port 11434):
ollama serve
Verify your model is available:
ollama list
Step 4: Configure T3MP3ST for Local LLM
Create or modify the configuration to point to your local Ollama instance. The framework’s LLMBackbone supports multiple providers with fallback chains:
{
"llm": {
"provider": "ollama",
"endpoint": "http://localhost:11434",
"model": "llama3.1:8b",
"fallback": [
{ "provider": "ollama", "model": "mistral:7b" }
]
}
}
Step 5: Launch the Web War Room
npm run dev
Access the web interface at `http://localhost:3000`. The War Room provides a real-time dashboard showing agent activity, findings, and the attack progression.
Step 6: Define Your Target
Through the War Room or CLI, specify your authorized target:
npm run target -- --url https://your-test-target.com
Step 7: Execute the Mission
npm run mission -- --mode recon
For full kill chain:
npm run mission -- --mode full
Step 8: Verify Results
Every claim in the T3MP3ST README is reproducible. Run the verification command:
npm run verify-claims
This recomputes all benchmark scores from committed data.
4. Benchmark Performance: What T3MP3ST Actually Achieves
The framework has been rigorously tested across multiple benchmarks with impressive results:
XBEN Suite (104 Challenges):
- 90.1% pass@1—outperforming XBOW’s own self-reported baseline of ~85%
- Every solve graded against a committed flag oracle
- Fully reproducible via `verify-claims` command
Cybench Academic Benchmark (40 Tasks):
- 23/40 hint-free solves using single-agent ReAct loop
Real-World CVE Detection (2026 CVEs, 7 Languages):
- Single agent pinned 8/10 vulnerabilities to exact file, line, and CWE classification
- Full tool pack surfaced all 10 CVEs
- Critical distinction: These CVEs were disclosed after the model’s training cutoff, ruling out memorization
What This Means:
The framework isn’t just regurgitating known patterns—it’s demonstrating genuine zero-day hunting capability against previously unseen vulnerabilities.
5. Linux Commands for T3MP3ST Operations
Beyond the npm commands, here are essential Linux commands for managing T3MP3ST operations:
Network Reconnaissance (Used by Recon Operator):
Port scanning with nmap nmap -sV -p- --open <target-ip> Subdomain enumeration subfinder -d <target-domain> -o subdomains.txt Directory brute-forcing gobuster dir -u <target-url> -w /usr/share/wordlists/dirb/common.txt
Service Fingerprinting:
WhatWeb for web technology detection whatweb <target-url> SSL/TLS enumeration sslscan <target-ip>
Vulnerability Scanning:
Basic vulnerability scan with nmap scripts nmap --script vuln <target-ip> Nikto web server scanner nikto -h <target-url>
Evidence Collection:
Capture network traffic tcpdump -i eth0 -w capture.pcap Log analysis journalctl -u <service> --since "1 hour ago"
OPSEC and Containment:
Verify T3MP3ST is only communicating with authorized targets sudo netstat -tunap | grep node Monitor outbound connections sudo ss -tunap | grep ESTABLISHED
6. Windows Commands for T3MP3ST Operations
For Windows-based deployments, use these PowerShell commands:
Network Discovery:
Port scanning with Test-1etConnection
1..1024 | ForEach-Object { Test-1etConnection -ComputerName <target-ip> -Port $_ }
DNS enumeration
Resolve-DnsName <target-domain>
Service Enumeration:
Get open ports with netstat
netstat -ano | findstr LISTENING
Service information
Get-Service | Where-Object {$_.Status -eq "Running"}
File System Reconnaissance:
Find sensitive files Get-ChildItem -Path C:\ -Recurse -Include .config,.xml,.json -ErrorAction SilentlyContinue Search for credentials in files Select-String -Path "C:\.config" -Pattern "password|secret|key"
Process Monitoring:
List all running processes with network connections Get-1etTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess Get process details Get-Process -Id <PID>
- The Cognitive Architecture: Why T3MP3ST Doesn’t Give Up
Traditional ReAct (Reasoning + Acting) agents often fail in security testing because they give up too early:
Agent: "Let me try SQL injection..." → Failure Agent: "Let me try XSS..." → Failure Agent: "Maybe this target is secure?" → GIVES UP ❌
T3MP3ST’s cognitive architecture enforces persistence. It doesn’t tell the agent “how” to hack—it forces the agent to adhere to a persistence framework that recognizes:
- 80% of success comes from persistence—the first five attempts often fail, the sixth succeeds
- Error messages are intelligence—failure provides information about what doesn’t work, narrowing the attack surface
- False assumptions can be experimentally falsified—the agent must test hypotheses rather than abandon them
The framework provides a “cognitive scaffold” that enforces these principles through its mission control and evidence vault subsystems.
What Undercode Say:
- Key Takeaway 1: T3MP3ST represents a fundamental shift in how security testing is accessed. By eliminating API keys and cloud dependencies, it democratizes advanced penetration testing—any developer with an AI coding assistant can now run autonomous red-team operations against their own applications. The 90.1% XBEN score proves this isn’t theoretical; it’s production-ready for authorized testing scenarios.
-
Key Takeaway 2: The framework’s cognitive architecture is arguably more important than its toolset. By forcing agents to persist through failure and treating errors as intelligence, T3MP3ST solves the core problem that plagues most AI security tools: premature abandonment. The 8/10 real CVE detection rate on post-cutoff vulnerabilities demonstrates genuine zero-day hunting capability, not pattern matching.
Analysis: The open-source release of T3MP3ST under AGPL-3.0 is a double-edged sword. On one hand, it gives security researchers and defensive teams an unprecedented ability to test their own systems autonomously and cost-effectively. On the other, the same capabilities are available to threat actors. The framework’s built-in OPSEC containment is commendable, but it’s software—containment can be modified. The security community must treat this like any other powerful tool: embrace it for defense while remaining vigilant about its potential misuse. The keyless, local-first design is a masterstroke for accessibility, but organizations should implement strict policies around who can deploy T3MP3ST and against which targets. The framework’s reproducibility guarantee—every claim recomputable via verify-claims—sets a new standard for transparency in AI security tools.
Prediction:
- +1 T3MP3ST will accelerate the adoption of AI-driven security testing in DevOps pipelines, reducing the cost and expertise barrier for continuous security validation. Within 12 months, expect CI/CD integrations that run T3MP3ST autonomously against staging environments before every production deployment.
-
+1 The framework’s modular, operator-based architecture will inspire a new ecosystem of specialized AI security agents. Third-party developers will create custom operators for specific domains (cloud infrastructure, IoT, smart contracts), turning T3MP3ST into a plugin platform for AI-driven security.
-
-1 The democratization of autonomous hacking will lead to an increase in unauthorized testing incidents. Well-meaning developers may accidentally scan out-of-scope targets, while malicious actors will repurpose the framework for criminal activity. The security industry must develop automated detection for T3MP3ST-like activity patterns.
-
+1 The “keyless” paradigm will pressure commercial AI security tools to eliminate API-key dependencies, driving down costs and increasing accessibility across the industry. Competitors will be forced to offer local-first, offline-capable alternatives.
-
-1 Organizations that deploy T3MP3ST without proper governance will create new attack surfaces. The AI agent, if misconfigured, could inadvertently expose internal network details or trigger rate-limiting defenses that disrupt production services. Strict RoE enforcement and human-in-the-loop oversight will be essential.
-
+1 The framework’s reproducible benchmarking (via
verify-claims) establishes a new gold standard for AI security tool evaluation. Future tools will be judged not by vendor claims but by verifiable, reproducible benchmark scores—a win for transparency and accountability.
▶️ Related Video (76% Match):
https://www.youtube.com/watch?v=21G406w0RuU
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Charlywargnier 4000 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


