Nara - Autonomous Red Teaming Agent

Inspiration

Every cybersecurity course teaches you what vulnerabilities look like, but almost none show you what happens when they are actually exploited. Tools like Semgrep and Bandit are great at surfacing problems, but they hand you a list and leave the rest to imagination.

We wanted to close that gap. When LLMs claim to find and exploit vulnerabilities, is it real, or just plausible-sounding output?

We were inspired by the real-world red team / blue team dynamic. Most tools only do one. We wanted to build a full Red Team platform that does both: autonomously discover, plan, and exploit vulnerabilities programmatically, then turn around and advise on how to defend against them.

That became NARA. A Red Team platform with end-to-end coverage: from vulnerability discovery and attack planning, to live exploitation running inside a secure, isolated Docker container. NARA gives you full visibility into the entire process, not just a list of vulnerabilities, but proof of them being actively exploited in a controlled environment. You see exactly what breaks, exactly how, and exactly what to do about it.

What it does

NARA is an autonomous penetration testing CLI that orchestrates four AI agents against an isolated Docker target:

Scanner - runs Semgrep and Bandit against a codebase (local path or GitHub URL), then uses an LLM to deduplicate and prioritize findings by exploitability, not just severity score.

Planner - takes those findings and designs an ordered kill chain mapped to MITRE ATT&CK tactics, always ending with ransomware deployment as the final stage.

Exploiter - provisions a disposable Docker container running Ubuntu 22.04 with an XFCE desktop, clones the vulnerable app inside it, then executes each kill chain step via docker exec. The LLM reads every result and adapts in real time - retrying, rewriting payloads, or aborting steps as needed.

Blue Team Advisor - after exploitation, feeds the findings and kill chain to TerpAI (UMD's internal AI platform) and streams back detailed remediation advice: risk explanations, code-level fixes, detection strategies, and hardening recommendations for every vulnerability found.

The entire attack plays out visually on a live noVNC desktop in your browser at localhost:6080. Ransom notes drop, files get renamed to .NARA_ENCRYPTED, the wallpaper gets hijacked, popup dialogs scatter across the screen - all in a fully sandboxed environment you can reset with one command.

How we built it

The system is built around a shared session dictionary that flows through each agent in sequence - every agent reads its inputs and writes its outputs back to the same state object, so the full context of the attack is always available.

Agent layer - each agent (scanner.py, planner.py, exploiter.py, blue_team.py) has a single run() entry point and is completely decoupled from the others. They communicate only through the session dict, which made parallel development across four people feasible in 36 hours.

LLM abstraction - a unified LLMClient supports three backends with zero code changes: Featherless (Phi-4-mini, our default), Claude API, and local Ollama. The entire backend is controlled by a single .env variable.

Ransomware payload - written entirely in Python stdlib, no external dependencies. It generates Team Rocket R icons from scratch using raw PNG bytes, registers a custom .NARA_ENCRYPTED MIME type, hijacks XFCE desktop shortcuts via xfconf, scatters zenity dialogs across the screen, and replaces the wallpaper using the XFCE session's DBus address - all inside the container.

TerpAI integration - we reverse-engineered TerpAI's internal API entirely through DevTools network inspection, discovering it streams responses as Server-Sent Events with base64-encoded token chunks. The blue team agent streams the full response in real time using requests with stream=True and a custom SSE parser.

Infrastructure - the target runs in a Docker container with Ubuntu 22.04, XFCE, TigerVNC, and noVNC. The Exploiter provisions it at runtime, clones the vulnerable app inside, and executes the kill chain via docker exec. A VNC terminal window tails the exploit log live so judges can watch every command as it fires.

CLI - a full interactive REPL built with prompt_toolkit and Rich, with an intent router that handles both explicit commands (pipeline, scan, plan, exploit, report) and natural language conversation about the session state.

Challenges we ran into

LLM output reliability - getting the Planner to return valid, executable shell commands (not pseudocode or placeholder endpoints) required significant prompt engineering, a fallback hardcoded kill chain for weaker models, and a robust JSON parser that handles markdown fences, think blocks, and wrapped objects.

Blind command injection - the primary exploit path on the vulnerable app is a blind injection: the curl response looks like normal JSON even when the payload fires. Small models consistently marked these steps as failed. We added a heuristic layer that detects blind injection patterns and overrides the LLM's assessment, with the side effect verified in the next step.

TerpAI SSE discovery - we initially assumed TerpAI used a standard REST API. When we tested the blue team agent we discovered it streams Server-Sent Events with base64-encoded payloads, and had to rewrite the entire client from a polling loop to a streaming SSE parser.

Ransomware visual reliability - getting icons, wallpaper, and shortcuts to actually update on the XFCE desktop inside the container required inheriting the correct DBus session address from xfce4-session, building a custom NARA-Ransomware GTK icon theme, and restarting xfdesktop to force a cache flush. Getting this right took most of the night.

SSL on macOS - Python 3.13 via Homebrew doesn't link to the macOS system keychain, which broke HTTPS requests to external APIs. Fixed with certifi.

Accomplishments we're proud of

Built a fully functional end-to-end autonomous red team pipeline in 36 hours
Discovered and reverse-engineered TerpAI's undocumented internal API entirely through DevTools network inspection
Found a real stored XSS vulnerability in TerpAI during testing and responsibly disclosed it to UMD's security team
The noVNC live demo is genuinely striking - watching ransomware deploy autonomously on a live desktop is a visceral way to communicate why security matters
The blue team advisor creates a real feedback loop: the same platform that attacks also defends
The LLM backend abstraction means the entire system runs free with local Ollama - no API keys required

What we learned

Multi-agent systems need strong contracts - the session dict pattern worked, but early on we had agents assuming keys that didn't exist yet
LLMs are surprisingly good at adapting shell commands when given real error output, but need very precise prompting to stay on target
Reverse engineering an API from DevTools is completely viable and teaches you a lot about how modern web apps actually work
The line between a useful security research tool and an irresponsible one is mostly about scope and authorization - we spent real time on the ethics of every feature
Responsible disclosure is the right call even at a hackathon - reporting the TerpAI XSS felt more important than anything else we shipped

What's next

Authenticated scanning - test APIs and authenticated endpoints, not just static code
Attack Session Recording & Playback - Record the entire red team session from discovery to exploitation and replay it at any time, giving teams a frame-by-frame breakdown of how vulnerabilities were chained and exploited
PDF report export - full pentest report with executive summary, technical findings, and remediation roadmap
CI/CD integration - run NARA as part of a pull request pipeline to catch vulnerabilities before they ship
Blue team expansion - deeper TerpAI integration with follow-up questions, patch verification, and compliance mapping (OWASP, NIST)