An LLM agent for vulnerability discovery and validation is more than a model. It combines three components: an LLM for code analysis, an agent harness such as Codex or OpenCode for navigation, tool use, and execution, and an audit playbook, domain-specific procedural knowledge that guides the LLM and harness toward vulnerability discovery. Prior work relies on human-supplied playbooks, including prompt engineering, manual workflows, knowledge bases, and heuristics. This raises two research questions: Acquisition - is human curation necessary, and can playbook creation be automated? Transfer - can an evolved playbook transfer the audit procedure to weaker agents, improving their capability? We present EvoHunt, a playbook evolution environment over open-source repositories for security auditing. Three agents drive the evolution loop: an audit agent rolls out the current playbook and produces findings; an evaluator scores outcomes against ground truth; and a reviser commits updates to the playbook based on failure analysis. The playbook format is unconstrained: starting empty, EvoHunt adds or removes workflows, heuristics, vulnerability knowledge, or domain-specific content. The evolved playbook requires only minor adaptation to run under a different LLM or harness. We evaluate EvoHunt on open-source security advisories. For acquisition, playbook evolution raises end-to-end exploits for Codex/GPT5.4-xhigh 6x, from 1.1% to 6.2%, and the evolved OpenCode/GLM5.1 playbook surpasses OpenAI Codex Security on every metric, with 11.3% vs. 9.2% target-match rate, showing open-source evolution can outperform a dedicated commercial product. For transfer, the GLM-evolved playbook gives the strongest student lift: Qwen3.6-27B improves from 2.4% to 6.5%, Qwen3.6-35B-A3B from 1.1% to 4.6%, and A3B obtains 2.4x more matches than GPT transfer.
翻译:用于漏洞发现与验证的大型语言模型代理远不止单一模型本身,它由三个组件构成:进行代码分析的大语言模型、执行导航、工具调用与交互的代理框架(如Codex或OpenCode),以及指导大语言模型和框架进行漏洞发现的领域特定程序化知识——审计剧本。此前研究依赖人工提供的剧本,包括提示工程、手动流程、知识库和启发式规则,由此引出两个研究问题:获取方面——人工编排是否必要?剧本创建能否自动化?迁移方面——演化后的剧本能否将审计流程迁移至能力较弱的代理,从而提升其性能?我们提出EvoHunt——一个基于开源仓库的剧本演化环境用于安全审计。三个代理驱动演化循环:审计代理执行当前剧本并产出发现结果;评估代理根据真实结果对输出进行评分;修订代理基于失败分析对剧本进行修改更新。剧本格式不受约束:从空剧本开始,EvoHunt可自主增删工作流、启发式规则、漏洞知识或领域特定内容。演化后的剧本仅需少量适配即可在不同大语言模型或框架下运行。我们在开源安全公告上评估EvoHunt。在获取方面,剧本演化使Codex/GPT5.4-xhigh的端到端利用成功率提升6倍(从1.1%升至6.2%),演化后的OpenCode/GLM5.1剧本在各项指标上均超越OpenAI Codex Security,目标匹配率达11.3% vs 9.2%,表明开源演化可超越专用商业产品。在迁移方面,GLM演化剧本带来最强学生模型提升:Qwen3.6-27B从2.4%提升至6.5%,Qwen3.6-35B-A3B从1.1%提升至4.6%,A3B的匹配次数达GPT迁移方案的2.4倍。