How T3MP3ST's multi-agent architecture automates offensive security testing. Compare traditional pentesting vs autonomous AI-driven red teams.
TL;DR: T3MP3ST is an open-source multi-agent meta-harness for autonomous red teaming that orchestrates specialized AI agents across reconnaissance, exploitation, and post-exploitation phases. Unlike traditional pentesting tools that require manual operator decisions at each step, T3MP3ST's agent swarm makes tactical decisions autonomously while respecting engagement rules and safety boundaries. It combines LangGraph orchestration with specialized security tools to automate the complete offensive security lifecycle from initial reconnaissance through vulnerability exploitation and lateral movement.
T3MP3ST (elder-plinius/T3MP3ST on GitHub) is an experimental framework that applies multi-agent AI orchestration to offensive security testing. Red teaming — authorized adversarial testing of an organization's security posture — has historically been a manual, expert-driven process where security professionals make tactical decisions at each step based on reconnaissance findings, exploitation results, and defensive responses. T3MP3ST automates this decision-making process by deploying a swarm of specialized AI agents that autonomously navigate the attack lifecycle.
This matters because modern attack surfaces are too complex for manual testing to achieve comprehensive coverage. A typical enterprise has thousands of endpoints, dozens of services, and constantly changing configurations. Traditional pentesting engagements involve skilled operators spending days or weeks manually exploring this surface, but they can only test a fraction of potential attack paths within budget and time constraints. T3MP3ST's autonomous agents can explore orders of magnitude more paths simultaneously, adapting their approach in real-time based on what they discover.
The technical challenge T3MP3ST solves is coordination. A single LLM prompted to "hack this network" fails because offensive security requires deep tool knowledge, environmental context, and multi-step planning with backtracking when approaches fail. T3MP3ST's architecture instead uses:
The result is a system that can receive a high-level objective ("gain domain admin access in the test environment") and autonomously plan and execute multi-phase attacks while documenting every action for compliance and learning purposes.
T3MP3ST is built as a meta-harness, meaning it orchestrates multiple specialized agents rather than being a single monolithic agent. The architecture follows the Cyber Kill Chain model, with distinct agent types mapped to reconnaissance, weaponization, delivery, exploitation, and post-exploitation phases.
Reconnaissance Agent: Discovers and enumerates target systems, services, and potential attack surfaces. It coordinates active scanning tools (Nmap, Masscan) with passive OSINT collection (Shodan, certificate transparency logs). The agent maintains a knowledge graph of discovered assets with service versions, open ports, and technology stack fingerprints. Critically, it prioritizes which targets to investigate deeper based on value signals like privileged service accounts or administrative interfaces.
Exploitation Agent: Receives prioritized targets from reconnaissance and attempts to gain initial access or escalate privileges. It searches CVE databases for known vulnerabilities matching discovered service versions, generates and tests exploits using Metasploit and custom tooling, and validates successful exploitation by checking callback connections or command execution. The agent uses a decision tree to try exploits in order of likelihood and stealth, backing off if defensive responses are detected.
Post-Exploitation Agent: Operates after initial access is achieved. Its goals include maintaining persistence, escalating privileges, moving laterally to other systems, and exfiltrating data or demonstrating impact. It uses tools like BloodHound for Active Directory path analysis, Mimikatz for credential extraction, and custom living-off-the-land (LOL) techniques to avoid detection. The agent coordinates with reconnaissance to pivot to newly discovered internal networks.
Coordination Agent: Sits above the specialized agents and makes strategic decisions about resource allocation and objective prioritization. If the exploitation agent is blocked by a WAF, the coordination agent might direct reconnaissance to find an alternate entry point or pivot the engagement to social engineering vectors. This meta-level planning is where T3MP3ST's autonomy provides the most value — it adapts the overall campaign strategy rather than just executing pre-planned steps.
T3MP3ST uses LangGraph (LangChain's stateful agent orchestration framework) to manage the shared state that all agents read from and write to. This state includes:
LangGraph's state checkpointing enables agents to backtrack when approaches fail. If the exploitation agent tries five CVEs against a target and all fail, it can rewind state and notify reconnaissance to gather deeper version information or look for alternate services on the same host. This is impossible with linear tool-use agents that cannot revise decisions.
The state also serves as the authoritative audit log. Every agent action, tool invocation, and decision is recorded with timestamps and reasoning traces. This satisfies compliance requirements for authorized red team engagements and provides rich training data for improving agent performance.
T3MP3ST agents do not directly execute shell commands or arbitrary code. Instead, they interact with security tools through a controlled tool abstraction layer that enforces safety boundaries.
The framework includes integrations for:
Each tool is wrapped in a standardized interface that agents call through LangGraph tool nodes. For example, instead of an agent running nmap -sV -p- target.com, it invokes reconnaissance_tool.scan(target='target.com', scan_type='version_detection', port_range='all'). The wrapper validates that target.com is within engagement scope before executing the actual Nmap command.
T3MP3ST implements multiple layers of safety controls:
The goal is defense in depth: even if an LLM hallucinates or is manipulated into attempting unauthorized actions, the tool layer prevents them from executing.
Traditional penetration testing follows a largely manual process:
Each step requires human decision-making. The analyst decides which ports to investigate deeper, which vulnerabilities are worth exploiting, how to pivot after initial access, and when to stop. This expertise is what makes pentesting effective but also limits scale and speed.
T3MP3ST automates the decision process while keeping the human operator in a supervisory role:
The human operator monitors progress through a live dashboard, can intervene to adjust objectives or approve high-risk actions, and reviews the final report. But the moment-to-moment tactical decisions are made by agents.
In a traditional 5-day pentest engagement, a skilled analyst might:
T3MP3ST's autonomous agents in the same timeframe could:
The agent swarm explores far more of the attack surface, but the human analyst provides irreplaceable value in understanding business context, prioritizing findings by risk, and communicating results to stakeholders. T3MP3ST is a force multiplier, not a replacement.
T3MP3ST is an experimental framework, and autonomous red teaming faces significant technical hurdles:
Security tools often produce cryptic output that requires deep domain knowledge to interpret. An Nmap scan might show port 445 open with SMBv1 enabled — a trained analyst immediately recognizes this as a critical EternalBlue vulnerability vector. An LLM-based agent might miss this connection without extensive prompt engineering or RAG over vulnerability databases. T3MP3ST addresses this through specialized agents with domain-specific prompts and tool output parsers, but reliability remains a challenge.
Attackers defending against T3MP3ST could potentially manipulate agent behavior through crafted service banners, honeypots that return misleading data, or even prompt injection attacks embedded in web pages the exploitation agent analyzes. The framework mitigates this through tool output sanitization and redundant verification (e.g., validating exploits succeeded by running multiple checks), but adversarial robustness is an open research problem.
Running multiple LLM-based agents continuously for multi-day engagements incurs significant API costs and latency. T3MP3ST's architecture allows mixing models — using smaller/faster models for routine decisions (Claude Haiku, GPT-4o Mini) and larger models for complex planning (Claude Opus, GPT-4) — but cost optimization remains a practical deployment concern.
Autonomous agents make thousands of micro-decisions during an engagement. Even with complete audit logs, reconstructing why an agent chose a particular exploit path or pivot decision can be difficult. This is a challenge for compliance-heavy industries where every pentest action must be justified. T3MP3ST's LangGraph state tracking helps, but explainability is not solved.
While T3MP3ST implements multiple sandboxing layers, any system that gives LLMs access to exploitation tools carries risk. Bugs in scope validation, tool wrappers, or orchestration logic could allow agents to take unauthorized actions. The framework is suitable for isolated test environments with explicit authorization, but deploying it in production-adjacent networks requires extreme caution.
T3MP3ST is currently best suited for:
Researchers building or evaluating security tools can use T3MP3ST to automate regression testing. Instead of manually running exploit PoCs against vulnerable VMs, the framework can autonomously validate that patches actually prevent exploitation and document attack paths.
Organizations training junior red team operators can use T3MP3ST to demonstrate multi-phase attacks in safe lab environments. Watching autonomous agents plan and execute campaigns provides pedagogical value and exposes trainees to techniques they might not have discovered manually.
Companies with large, dynamic infrastructure (cloud-native apps, microservices) can deploy T3MP3ST in isolated staging environments as a continuous red teaming agent. It runs autonomously on a schedule, attempting to exploit misconfigurations or new vulnerabilities as they are introduced, and alerts security teams when it succeeds.
Security consultancies conducting many similar engagements (e.g., standard web app pentests, cloud configuration reviews) could use T3MP3ST to automate the initial reconnaissance and common exploitation phases, allowing human analysts to focus on custom logic vulnerabilities and business impact analysis.
This framework is not suitable for:
Autonomous red teaming is a powerful capability but requires mature security practices to deploy safely.
The security industry has long used automation for individual tasks — vulnerability scanners, fuzzing, static analysis. T3MP3ST represents the next evolution: automating the offensive security operator's decision process itself. This is happening in parallel across multiple domains:
While T3MP3ST focuses on offensive security, defensive AI agents are emerging to autonomously respond to incidents, triage alerts, and hunt threats. Platforms like Darktrace and Microsoft Copilot for Security use LLMs to assist SOC analysts. The long-term vision is autonomous red and blue team agents continuously testing and improving security posture.
Projects like Anthropic's computer-use agents and OpenAI's function-calling models can already write code and execute tools. Security researchers are exploring whether LLMs can autonomously discover zero-day vulnerabilities by generating and testing novel exploit techniques. T3MP3ST's tool sandboxing and safety mechanisms provide a template for how to allow LLMs offensive capabilities while maintaining control.
The DevSecOps movement emphasizes "security as code" — treating security policy as executable specifications. T3MP3ST extends this to "security testing as autonomous agents" where validation logic is expressed as agent objectives rather than static test scripts. This enables security testing to scale with cloud infrastructure's dynamic complexity.
As autonomous offensive security tools become more capable, regulatory and ethical questions intensify. Who is liable when an autonomous agent causes unintended harm? How do we ensure these tools are not weaponized? T3MP3ST's open-source nature allows security community scrutiny, but frameworks for responsible disclosure and access control will need to evolve.
For developers evaluating T3MP3ST for their security stack, understanding the implementation architecture is critical.
Agent Definitions: Each specialized agent is a Python class inheriting from BaseAgent with methods for planning, tool selection, and result interpretation. Agents are defined declaratively with their tool permissions and state access.
LangGraph Orchestration: The meta-harness uses LangGraph to define the agent interaction flow as a stateful graph where nodes are agent actions and edges are conditional transitions based on results.
Tool Abstraction Layer: Each security tool is wrapped in a standardized interface that enforces safety policies.
State Schema: The shared state is a structured object that agents read and modify atomically.
T3MP3ST is designed to run in an isolated control node that has network access to the target environment but is segmented from production systems. The recommended setup is:
Communication between components uses message queues (RabbitMQ or Kafka) to ensure asynchronous, auditable agent coordination.
T3MP3ST is open source under the MIT license at github.com/elder-plinius/T3MP3ST. The repository includes:
Prerequisites: Python 3.11+, Docker, AWS/Anthropic API key for LLM access.
The orchestrator will autonomously spawn reconnaissance agents, identify targets, test exploits, and document findings. You can monitor progress through the web dashboard at http://localhost:8080.
Developers can add custom agents for specific techniques:
Custom tools can be integrated by implementing the SecurityTool interface and registering them with the agent.
T3MP3ST is at the frontier of an emerging field. Several research and engineering directions will shape the future:
Current red teaming assumes a single threat actor. Future versions could simulate entire Advanced Persistent Threat (APT) campaigns with multiple specialized agent teams (initial access specialists, lateral movement specialists, data exfiltration specialists) coordinating over weeks or months. This would provide more realistic validation of defense-in-depth strategies.
Pairing autonomous red team agents with autonomous blue team agents creates an adversarial loop where both sides continuously improve. The red team adapts techniques to evade detection; the blue team tunes detection rules to catch new techniques. This co-evolution could dramatically accelerate security maturity.
Today's agents primarily use existing exploit tools. Future agents may autonomously develop novel exploits by analyzing source code, inferring vulnerability patterns, and generating PoCs. This requires significant advances in code understanding and vulnerability reasoning.
As these tools become more capable, governments and industry bodies will need to establish norms for responsible use, disclosure requirements, and liability. The security research community is beginning these conversations.
Purple teaming combines red team attack techniques with blue team defensive validation in a collaborative process. T3MP3ST-like agents could automate purple team exercises, continuously testing whether defensive controls actually block simulated attacks and providing immediate feedback loops.
T3MP3ST represents a significant architectural evolution in offensive security: from automating individual security tasks to automating the offensive operator's decision process itself. By orchestrating specialized AI agents with LangGraph, sandboxing tools within safety boundaries, and maintaining comprehensive audit trails, the framework demonstrates that autonomous red teaming is not only possible but practically deployable in controlled environments.
The implications extend beyond security testing. The patterns T3MP3ST introduces — multi-agent coordination through shared state, tool sandboxing for safe LLM tool use, declarative safety policies enforced by the harness rather than relying on LLM compliance — are applicable to any domain where AI agents need autonomy while operating within strict boundaries. We will see these patterns in autonomous DevOps agents, infrastructure management agents, and data pipeline agents.
For security teams, T3MP3ST is both a capability multiplier and a forcing function. It multiplies the effectiveness of skilled red team operators by automating reconnaissance and routine exploitation, allowing them to focus on novel attack paths and strategic analysis. It also forces organizations to confront a near-term future where adversaries have access to similarly capable autonomous attack tools and defenses must evolve accordingly.
The framework is production-ready for isolated test environments and research use cases, but bringing autonomous red teaming to large-scale production deployments will require continued work on safety, explainability, and cost optimization. If you are building security infrastructure and want to validate it against realistic multi-phase attacks at scale, T3MP3ST provides an open-source starting point worth investigating.
As AI agents become more capable of autonomous action in high-stakes domains, T3MP3ST's safety-first architecture — tool sandboxing, declarative policy enforcement, comprehensive audit trails — offers a model for how to give agents powerful capabilities while maintaining human oversight and control.
T3MP3ST is legal when used in authorized penetration testing engagements where you have explicit written permission to test the target systems. Using it against systems you do not own or have authorization to test is illegal in most jurisdictions under computer fraud and abuse laws. The framework includes safety mechanisms to enforce scope boundaries, but legal authorization is the user's responsibility.
No. T3MP3ST automates tactical reconnaissance and exploitation but lacks the business context, creative problem-solving, and stakeholder communication skills that human pentesters provide. It is a force multiplier that allows analysts to cover more ground and focus on high-value custom analysis.
T3MP3ST is model-agnostic and supports any LLM with tool-calling capabilities through LangChain integrations. Recommended models include Claude Sonnet/Opus (best reasoning for security contexts), GPT-4/GPT-4 Turbo (strong tool use), and Llama 3.1 70B+ (for on-premise deployments with sensitive data).
Costs depend on engagement duration and LLM API usage. A 5-day autonomous engagement might involve 10,000+ LLM calls across multiple agents. Using Claude Sonnet, this could cost $500-2000 in API fees, plus infrastructure costs for the control server and tool execution environment. Using smaller models (Claude Haiku, GPT-4o Mini) for routine decisions can reduce costs by 80%+.
Technically yes, but carefully review each program's rules. Some bug bounty programs prohibit automated testing or require disclosure of tools used. T3MP3ST's comprehensive audit logs help with disclosure requirements, but autonomous agents may violate rate limiting or "no denial of service" clauses if not properly configured. When in doubt, ask the program administrator before using automated offensive tools.
T3MP3ST includes configurable stealth modes that throttle scanning, randomize timing, and use evasion techniques like user-agent rotation and traffic obfuscation. However, any active security testing will generate detectable anomalies. For real-world red team engagements, the goal is often to test whether security controls detect and respond, so triggering them is expected behavior. In penetration tests where stealth is required, agents can be configured with low-and-slow parameters.
Yes, T3MP3ST is open source and welcomes contributions. The project is particularly interested in new specialized agents, tool integrations, safety mechanism improvements, and case studies from real engagements. See the CONTRIBUTING.md in the GitHub repository for guidelines.
Yes. T3MP3ST supports local LLM deployment through LangChain's Ollama and HuggingFace integrations. This is recommended for organizations with strict data sovereignty requirements or when testing highly sensitive infrastructure. Performance depends on model size — 70B+ parameter models provide quality comparable to cloud APIs.
Aaron is an engineering leader, software architect, and founder with 18 years building distributed systems and cloud infrastructure. Now focused on LLM-powered platforms, agent orchestration, and production AI. He shares hands-on technical guides and framework comparisons at fp8.co.
Compare 6 top AI agent frameworks — LangChain, AgentCore, LangGraph, CrewAI, AutoGen, Strands — on orchestration, memory, and cost to pick your stack.
AI Agent Development, Framework ComparisonCompare AgentCore and LangChain for AI agents. Architecture, pricing, and deployment trade-offs explained with code.
AI Engineering, Agent FrameworksBuild custom Claude Code Skills with 5 ready-to-use examples. Covers SKILL.md spec, security controls, plugin distribution, and team sharing workflows.
AI Development Tools, Developer Productivity, Claude Code