Inspiration

Modern security auditing is often fragmented—analysts have to manually bridge the gap between static memory artifacts and active network scanning. I was inspired to build Logic Guard Elite to create a unified "Agentic Reasoning" workflow. My goal was to build an engine that could autonomously pivot from forensic RAM traces to active business logic exploitation without human intervention.

What it does

Memory Forensics Pivot: It automatically scans raw RAM dumps (from compromised workstations) to find hidden API endpoints and leaked JWT session tokens that typical scanners would miss. Agentic Reasoning: It doesn't just run a script; it "thinks." If it hits a wall (like a 403 Forbidden error), it autonomously tries a different path—like switching from an admin token to a guest IDOR bypass. Business Logic Auditing: It specializes in finding IDOR (Insecure Direct Object Reference) vulnerabilities by testing how an API handles different User IDs. JWT Cryptographic Fuzzing: It audits session tokens for common flaws, including the "None" algorithm bypass and "KID" (Key ID) path traversal. Volumetric Stress Testing: It tests if an API can be "exhausted" via high-concurrency bursts, with a built-in "Circuit Breaker" to prevent getting blocked by rate limits. Forensic Reporting: Instead of just giving you a list of errors, it generates a "Forensic Narrative"—a professional report that explains the agent's reasoning, the evidence found, and the impact of the vulnerabilities. In short: It's a tool that finds "Logic Flaws" by combining forensic data with an AI-like reasoning loop.

How we built it

Modular Agentic Architecture: We built the system using a Controller-Module pattern. The AgentOrchestrator acts as the central brain, managing state and "reasoning" while delegating specific tasks (Memory Analysis, JWT Fuzzing, IDOR Testing) to dedicated sub-modules. The Reasoning & Self-Correction Loop: Instead of a linear script, we implemented a Retry-with-Pivot logic. If the initial audit fails due to a missing credential, the engine "reasons" that a guest bypass is the next best path and re-configures its parameters on the fly. Binary Memory Processing: To handle large RAM images (3GB+), we built a chunked binary reader that uses Regex-based pattern matching in memory. This allowed us to isolate JWTs and API URLs without crashing the host's system RAM. Cryptographic Audit Engine: We integrated a JWT fuzzer that handles base64-header manipulation, allowing the tool to autonomously test for algorithm confusion and path traversal in session tokens. Rich CLI & Reporting UX: To ensure the tool is actionable for pentesters, we used the Rich library to build a modern, color-coded CLI with real-time "Reasoning Trace" logs and a professional Markdown report generator. Key Technologies Used:

Python 3.12: For the core logic and orchestration. FastAPI: (If you're referencing the Workbench integration) for the backend control API. Regex & Binary IO: For the forensic memory dump analysis. Rich: For the high-fidelity CLI output and terminal panels.

Challenges we ran into

Binary Forensics at Scale: Parsing 3GB+ raw memory images on a standard workstation without causing system instability was a major hurdle. We had to implement a chunked binary reading system with optimized Regex pattern matching to ensure we could isolate JWTs and API URLs without overloading the host's RAM. Agentic Self-Correction Logic: Designing a "reasoning" loop that wasn't just a series of if/else statements was difficult. We had to build a state-aware orchestrator that could recognize a "Forbidden" or "Unauthorized" response not as a failure, but as a signal to pivot its attack strategy (e.g., switching from authenticated to guest IDOR testing). Windows Encoding Conflicts: We encountered significant issues with the Windows cp1252 terminal encoding, which caused the tool to crash when rendering our detailed emoji-based reasoning traces. We solved this by building a custom "Safe-Logger" that detects terminal capabilities and handles Unicode/UTF-8 gracefully. Cross-Platform Portability: Ensuring the "One-Click" experience worked across different SIFT environments required careful management of relative paths and dependency isolation, especially when dealing with the variety of forensic tools pre-installed on the workstation.

Accomplishments that we're proud of

The "Forensic-to-Active" Pivot: We successfully built a bridge between two traditionally separate security domains. Being able to take a raw, "dead" memory dump and automatically turn it into a "live" API attack path is something we are extremely proud of. True Agentic Self-Correction: We moved beyond simple "if/else" logic. Watching the tool detect a missing credential and autonomously decide to "pivot to a guest bypass" feels like a real step toward the future of agentic security. Efficient Big Data Handling: We engineered a way to parse massive 3GB+ memory images on standard hardware with high speed and low memory footprint, making deep forensics accessible to anyone. Actionable Narrative Output: Instead of just dumping raw data, our tool generates a human-readable Forensic Narrative. We are proud of making a highly technical tool that communicates its "thoughts" and findings clearly to a human analyst. Zero-Config Portability: We achieved a "one-click" deployment for a complex toolset that usually requires hours of environment setup, ensuring it works out-of-the-box for any pentester.

What we learned

The Power of Agentic AI in Pentesting: We learned that "Agentic Reasoning" is more than just a buzzword. By implementing a self-correction loop, we saw how much more effective a tool can be when it can autonomously adapt its strategy based on the server’s response. Volatile Data is a Goldmine: We gained a deep understanding of how web application artifacts (like JWTs and API endpoints) are stored in system RAM. We learned that a memory dump isn't just "history"—it's an active roadmap for an attack. Engineering for Portability: Building a "one-click" portable tool taught us the complexities of Windows environment management, path dependencies, and cross-platform encoding (UTF-8 vs. BOM). UX is a Security Feature: We learned that a security tool is only as good as its reporting. Spending time on the Rich CLI and the Forensic Narrative taught us that making complex data "readable" and "actionable" is just as important as the code that finds the bug. Error Handling as a Strategy: We learned to treat "failures" (like a 403 Forbidden) not as the end of a script, but as a data point for the next "reasoning" step in the investigation.

What's next for Logic Guard Elite: Agentic Forensic Engine

Local LLM Integration: We plan to move from hardcoded "reasoning" loops to integrating a local LLM (like Llama 3 or Mistral). This will allow the agent to perform truly dynamic decision-making and handle even more complex "Self-Correction" scenarios. Expanded Forensic Modules: We want to expand the "Memory Pivot" to include browser history extraction, session cookie recovery, and automated analysis of sensitive files found in RAM. Graph-Based Attack Visualization: Our goal is to build a web-based GUI that visualizes the "Agentic Path"—showing a graph of how the agent moved from a memory artifact to a specific vulnerability, making the "Reasoning" visible. Cloud-Native Auditing: We are looking into porting the engine to support cloud forensics (AWS/Azure/GCP), allowing the agent to audit serverless functions and cloud-based API logic. Advanced WAF Evasion: We plan to implement more sophisticated stealth modules, including automated request fragmentation and dynamic payload encoding, to bypass modern Web Application Firewalls (WAFs). Collaborative Agentic Swarms: In the future, we envision multiple Logic Guard agents working together in a "swarm," sharing discovered endpoints and tokens in real-time to audit massive enterprise networks simultaneously.

Logic Guard Elite was validated against the SRL-2018 Compromised Enterprise Network dataset from SANS. Evidence Source: base-admin-memory.img (5.3 GB) Finding Type Discovery Reasoning Pivot Memory Extraction http://appmap.trafficmanager.net/api/v1/parse High-priority infrastructure endpoint discovered in RAM. Memory Extraction https://cdpcs.microsoft.com/api/v1 Cloud Management API trace identified. Logic Audit Guest Bypass Triggered Agent detected missing JWT; pivoted to unauthenticated bypass testing. Vulnerability IDOR Confirmed REAL IDOR breach identified on discovered infrastructure; evidence extracted.

Accuracy Report

Confirmed Findings: 7 API Endpoints mapped from RAM.
Agentic Reasoning: Successfully pivoted from raw memory analysis to active logic auditing without manual intervention.
Traceability: All findings mapped to physical memory offsets and verified against the SIFT workstation baseline. 

Thanks for the View!

Built With

Share this project:

Updates