Documentation Index
Fetch the complete documentation index at: https://mintlify.com/gadievron/raptor/llms.txt
Use this file to discover all available pages before exploring further.
Overview
The Autonomous package transforms RAPTOR from automation into true autonomy. It provides intelligent planning, learning from past experiences, multi-turn reasoning, and goal-directed behavior for security testing.
Purpose
Enable autonomous behavior through:
- Intelligent planning: Decisions based on fuzzing state, not fixed pipelines
- Learning: Remember what works and what doesn’t
- Multi-turn reasoning: Deep LLM conversations for complex analysis
- Goal-directed: Focus on specific objectives (RCE, info leak, etc.)
- Adaptive strategies: Change approach based on feedback
Architecture
packages/autonomous/
├── planner.py # Intelligent decision-making
├── memory.py # Knowledge persistence
├── dialogue.py # Multi-turn LLM reasoning
├── goal_planner.py # Goal-directed planning
├── exploit_validator.py # Exploit validation
└── corpus_generator.py # Intelligent corpus generation
Quick Start
Autonomous Fuzzing
from packages.autonomous import FuzzingPlanner, FuzzingState
from pathlib import Path
import time
# Initialize planner
planner = FuzzingPlanner()
# Create initial state
state = FuzzingState(
start_time=time.time(),
current_time=time.time(),
binary_path=Path("target_binary"),
has_asan=True,
has_afl_instrumentation=True
)
# Let planner decide what to do
action = planner.decide_next_action(state)
print(f"Decision: {action}")
print(f"Reasoning: {planner.get_reasoning()}")
With Memory
from packages.autonomous import FuzzingPlanner, FuzzingMemory
# Initialize with memory for learning
memory = FuzzingMemory(storage_path=Path(".raptor/memory"))
planner = FuzzingPlanner(memory=memory)
# Planner learns from past campaigns
action = planner.decide_next_action(state)
# Record outcome
planner.record_success(action, state)
Multi-Turn Analysis
from packages.autonomous import MultiTurnAnalyser
from pathlib import Path
analyser = MultiTurnAnalyser(
repo_path=Path("/path/to/code"),
out_dir=Path("out/analysis")
)
# Deep analysis with multiple LLM turns
result = analyser.analyze_vulnerability(
finding_id="sqli-001",
initial_context="SQL injection in user login",
max_turns=5
)
print(f"Turns: {result['turns']}")
print(f"Conclusion: {result['conclusion']}")
print(f"Confidence: {result['confidence']}")
Core Classes
FuzzingPlanner
Autonomous decision-making for fuzzing campaigns.
class FuzzingPlanner:
def __init__(self, memory: Optional[FuzzingMemory] = None)
def decide_next_action(
self,
state: FuzzingState
) -> Action
def record_success(
self,
action: Action,
state: FuzzingState
) -> None
def record_failure(
self,
action: Action,
state: FuzzingState,
reason: str
) -> None
def get_reasoning(self) -> str
Memory instance for learning (enables knowledge persistence)
FuzzingState
Complete state for autonomous decision-making.
Unique crashes (deduplicated)
Target goal (e.g., “RCE”, “info_leak”)
Action
Actions the fuzzer can take autonomously.
class Action(Enum):
# Fuzzing strategy
CONTINUE_FUZZING = "continue_fuzzing"
STOP_FUZZING = "stop_fuzzing"
INCREASE_DURATION = "increase_duration"
CHANGE_MUTATOR = "change_mutator"
ADD_DICTIONARY = "add_dictionary"
INTENSIFY_CORPUS = "intensify_corpus"
# Analysis
DEEP_ANALYSE_CRASH = "deep_analyse_crash"
SKIP_DUPLICATE_CRASH = "skip_duplicate_crash"
PRIORITISE_CRASH = "prioritise_crash"
# Exploit development
VALIDATE_EXPLOIT = "validate_exploit"
REFINE_EXPLOIT = "refine_exploit"
TRY_ALTERNATIVE_TECHNIQUE = "try_alternative_technique"
# Learning
SAVE_STRATEGY = "save_strategy"
LOAD_STRATEGY = "load_strategy"
# Goal-directed
FOCUS_ON_PARSER = "focus_on_parser"
FOCUS_ON_NETWORK = "focus_on_network"
SEARCH_FOR_RCE = "search_for_rce"
FuzzingMemory
Persistent knowledge storage.
class FuzzingMemory:
def __init__(self, storage_path: Path)
def record_campaign(
self,
binary_path: Path,
strategy: str,
outcome: Dict[str, Any]
) -> None
def get_successful_strategies(
self,
binary_path: Path
) -> List[str]
def get_similar_campaigns(
self,
binary_path: Path,
limit: int = 5
) -> List[Dict[str, Any]]
def save(self) -> None
MultiTurnAnalyser
Deep multi-turn LLM reasoning.
class MultiTurnAnalyser:
def __init__(
self,
repo_path: Path,
out_dir: Path,
llm_config: Optional[LLMConfig] = None
)
def analyze_vulnerability(
self,
finding_id: str,
initial_context: str,
max_turns: int = 5
) -> Dict[str, Any]
def analyze_crash(
self,
crash_context: CrashContext,
max_turns: int = 5
) -> Dict[str, Any]
Number of LLM conversation turns
Full conversation history
Final analysis conclusion
Confidence score (0.0-1.0)
GoalPlanner
Goal-directed planning.
class GoalPlanner:
def __init__(self, memory: Optional[FuzzingMemory] = None)
def set_goal(
self,
goal_type: GoalType,
target: str,
constraints: Dict[str, Any] = None
) -> Goal
def plan_steps(
self,
goal: Goal,
current_state: FuzzingState
) -> List[Action]
def update_progress(
self,
goal: Goal,
state: FuzzingState
) -> float
GoalType
Supported goal types.
class GoalType(Enum):
RCE = "rce" # Remote code execution
INFO_LEAK = "info_leak" # Information disclosure
PRIVILEGE_ESCALATION = "privesc" # Privilege escalation
DOS = "dos" # Denial of service
AUTH_BYPASS = "auth_bypass" # Authentication bypass
DATA_CORRUPTION = "data_corruption" # Data integrity
Autonomous Workflow
Complete Autonomous Campaign
from packages.autonomous import (
FuzzingPlanner,
FuzzingState,
FuzzingMemory,
GoalPlanner,
GoalType
)
from packages.fuzzing import AFLRunner
from packages.binary_analysis import CrashAnalyser
import time
from pathlib import Path
# 1. Initialize autonomous components
memory = FuzzingMemory(Path(".raptor/memory"))
planner = FuzzingPlanner(memory=memory)
goal_planner = GoalPlanner(memory=memory)
# 2. Set goal
goal = goal_planner.set_goal(
goal_type=GoalType.RCE,
target="network_parser"
)
# 3. Initial state
state = FuzzingState(
start_time=time.time(),
current_time=time.time(),
binary_path=Path("target"),
target_goal="RCE"
)
# 4. Autonomous fuzzing loop
runner = AFLRunner(binary_path=Path("target"))
analyser = CrashAnalyser(Path("target"))
while True:
# Decide next action
action = planner.decide_next_action(state)
print(f"\n[DECISION] {action}")
print(f"[REASONING] {planner.get_reasoning()}")
# Execute action
if action == Action.CONTINUE_FUZZING:
result = runner.run_single_fuzzer(duration_seconds=60)
# Update state
state.current_time = time.time()
state.total_execs += result['total_execs']
state.total_crashes += result['crashes']
# Check goal progress
progress = goal_planner.update_progress(goal, state)
print(f"[PROGRESS] Goal: {progress:.1%}")
elif action == Action.DEEP_ANALYSE_CRASH:
# Analyze crashes deeply
crashes = runner.collect_crashes()
for crash in crashes[:3]:
context = analyser.analyze_crash(crash.input_file, crash.signal)
if context.exploitability == "exploitable":
print(f"[FOUND] Exploitable crash: {crash.crash_id}")
planner.record_success(action, state)
break
elif action == Action.STOP_FUZZING:
print("[COMPLETE] Autonomous fuzzing complete")
break
# Record outcome
if state.exploitable_crashes > 0:
planner.record_success(action, state)
# Sleep between iterations
time.sleep(5)
# 5. Save learned knowledge
memory.save()
print(f"\n[SAVED] Knowledge persisted for future campaigns")
Decision Making
Example Decision Tree
The planner uses reasoning like:
# Priority 1: Found interesting crashes recently
if state.crashes_last_minute > 0:
return Action.CONTINUE_FUZZING # Keep going!
# Priority 2: Coverage has stalled
elif state.is_coverage_stalled(threshold_seconds=300):
if state.current_strategy == "default":
return Action.CHANGE_MUTATOR # Try different approach
else:
return Action.ADD_DICTIONARY # Add structure
# Priority 3: Goal progress
elif state.target_goal and goal_progress < 0.5:
return goal_planner.next_action(goal, state)
# Priority 4: Time limit
elif state.elapsed_time() > 3600: # 1 hour
return Action.STOP_FUZZING
# Default: Keep fuzzing
else:
return Action.CONTINUE_FUZZING
Multi-Turn Analysis
Deep Reasoning Example
from packages.autonomous import MultiTurnAnalyser
analyser = MultiTurnAnalyser(
repo_path=Path("/path/to/code"),
out_dir=Path("out/analysis")
)
# Turn 1: Initial assessment
# "Is this SQL injection exploitable?"
# Turn 2: Follow-up question
# "What sanitization is present?"
# Turn 3: Validation
# "Can we bypass the sanitization?"
# Turn 4: Exploit strategy
# "What's the exploitation path?"
# Turn 5: Conclusion
# "Final exploitability verdict"
result = analyser.analyze_vulnerability(
finding_id="sqli-001",
initial_context="SQL injection in login form",
max_turns=5
)
print("\n=== Multi-Turn Analysis ===")
for i, turn in enumerate(result['conversation'], 1):
print(f"\nTurn {i}:")
print(f"Q: {turn['question']}")
print(f"A: {turn['answer'][:200]}...")
print(f"\n=== Conclusion ===")
print(result['conclusion'])
print(f"Confidence: {result['confidence']:.1%}")
Corpus Generation
Intelligent Seed Generation
from packages.autonomous import CorpusGenerator
from pathlib import Path
generator = CorpusGenerator(
target_binary=Path("target"),
output_dir=Path("corpus/"),
use_llm=True # LLM-guided generation
)
# Generate seeds based on binary analysis
seeds = generator.generate_intelligent_seeds(
num_seeds=50,
focus="parser" # Focus on parser inputs
)
print(f"Generated {len(seeds)} intelligent seeds")
LLM-Guided Generation
# Use LLM to understand input format
seeds = generator.generate_from_format_analysis(
sample_inputs=[Path("sample1.txt"), Path("sample2.txt")],
num_variants=20
)
Exploit Validation
Validate Generated Exploits
from packages.autonomous import ExploitValidator, ValidationResult
from pathlib import Path
validator = ExploitValidator(
binary_path=Path("target"),
timeout=30
)
# Validate exploit code
exploit_code = """
#!/usr/bin/env python3
import socket
# ... exploit code ...
"""
result = validator.validate_exploit(
exploit_code=exploit_code,
expected_outcome="shell"
)
if result.success:
print("Exploit validated successfully!")
print(f"Outcome: {result.outcome}")
print(f"Evidence: {result.evidence}")
else:
print(f"Exploit failed: {result.error}")
Memory Persistence
Knowledge Storage
memory = FuzzingMemory(Path(".raptor/memory"))
# Record successful campaign
memory.record_campaign(
binary_path=Path("target"),
strategy="havoc_with_dict",
outcome={
"crashes": 15,
"exploitable": 3,
"duration": 3600,
"coverage": 12500
}
)
# Query past success
successful = memory.get_successful_strategies(
binary_path=Path("similar_target")
)
print(f"Previously successful strategies: {successful}")
Similar Campaign Lookup
# Find similar past campaigns
similar = memory.get_similar_campaigns(
binary_path=Path("new_target"),
limit=5
)
for campaign in similar:
print(f"Binary: {campaign['binary']}")
print(f"Strategy: {campaign['strategy']}")
print(f"Success rate: {campaign['success_rate']}")
Goal-Directed Behavior
Set and Track Goals
from packages.autonomous import GoalPlanner, GoalType, Goal
goal_planner = GoalPlanner()
# Set RCE goal
goal = goal_planner.set_goal(
goal_type=GoalType.RCE,
target="network_parser",
constraints={
"max_time": 7200, # 2 hours
"max_attempts": 100
}
)
# Plan steps to achieve goal
steps = goal_planner.plan_steps(goal, current_state)
for i, step in enumerate(steps, 1):
print(f"Step {i}: {step}")
# Track progress
progress = goal_planner.update_progress(goal, current_state)
print(f"Goal progress: {progress:.1%}")
Configuration
Planner Configuration
# Customize decision thresholds
planner = FuzzingPlanner(memory=memory)
planner.coverage_stall_threshold = 600 # 10 minutes
planner.min_crashes_per_minute = 1
planner.max_campaign_duration = 7200 # 2 hours
Memory Configuration
memory = FuzzingMemory(
storage_path=Path(".raptor/memory"),
max_campaigns=100, # Keep last 100 campaigns
similarity_threshold=0.7
)
Integration
With Fuzzing
from packages.fuzzing import AFLRunner
from packages.autonomous import FuzzingPlanner, FuzzingState
# Replace fixed duration with autonomous decisions
runner = AFLRunner(...)
planner = FuzzingPlanner()
state = FuzzingState(...)
while planner.decide_next_action(state) != Action.STOP_FUZZING:
runner.run_single_fuzzer(duration_seconds=60)
# Update state...
With LLM Analysis
from packages.llm_analysis import AutonomousSecurityAgentV2
from packages.autonomous import MultiTurnAnalyser
# Use multi-turn for complex vulnerabilities
analyser = MultiTurnAnalyser(...)
result = analyser.analyze_vulnerability(...)
# Then generate exploit
agent = AutonomousSecurityAgentV2(...)
exploit = agent.generate_exploit(...)
Decision Speed
- Decision making: <100ms per decision
- Memory lookup: <50ms per query
- Multi-turn analysis: 30-120 seconds (depends on turns)
Best Practices
- Enable memory for learning across campaigns
- Set clear goals for focused testing
- Use multi-turn for complex vulnerabilities
- Record outcomes for continuous improvement
- Let the planner decide - don’t override without reason
