Inspiration
AI frameworks are being deployed with a new class of vulnerabilities — unauthenticated inference endpoints, prompt injection, agent trust assumptions — that no existing scanner was built to find. CVE-2025-3248 gave anyone unauthenticated RCE on Langflow. Nobody caught it before it shipped.
What it does
Give PHANTOM a GitHub URL. It reads the codebase, maps attack surfaces, fires real HTTP exploits against the live app, confirms vulnerabilities with actual evidence, writes the patch, opens a PR, and calls your phone.
How we built it
FastAPI pipeline with Claude for code comprehension and patch generation, Macroscope for static graph analysis, Ghost for attack data storage, OSV and pip-audit for CVE scanning, Bland AI for phone alerts, and a Next.js real-time dashboard.
Challenges we ran into
Confirmation. Flagging a potential vulnerability is easy — proving it's exploitable requires firing the real exploit and capturing live evidence without false positives.
Accomplishments that we're proud of
PHANTOM autonomously confirmed CVE-2025-3248 in Langflow with live HTTP proof, wrote the fix, submitted the PR, and rang a phone on stage. No human in the loop.
What we learned
The gap between "probably vulnerable" and "confirmed exploitable" is everything. Grounding Claude's reasoning in live HTTP evidence is what turns noise into signal.
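The confirmation step described under "Challenges" and "What we learned" comes down to one rule: a finding counts only when the live application returns evidence that could not have been produced by merely echoing the probe. The block below is an added illustration of that triage logic, not PHANTOM's code; the `Finding`, `Evidence` and `Verdict` types, the marker scheme and the sample responses are all constructed for this example. The idea is that each probe carries a unique marker and the app is expected to return a value derived from it (here a truncated SHA-256), so a reflected marker or a 500 error stays "suspected" rather than being promoted to "confirmed".

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    """A candidate issue from static review (hypothetical fields)."""
    endpoint: str
    category: str  # e.g. "unauthenticated-endpoint"


@dataclass(frozen=True)
class Evidence:
    """What the live app sent back for one probe (constructed for this example)."""
    marker: str  # unique value the probe carried
    status: int
    body: str


@dataclass(frozen=True)
class Verdict:
    endpoint: str
    verdict: str  # "confirmed", "suspected" or "unreachable"
    reason: str


def make_marker() -> str:
    """Fresh per-probe marker so evidence cannot be replayed across runs."""
    return "probe-" + secrets.token_hex(8)


def expected_proof(marker: str) -> str:
    """The app must return a value *derived* from the marker, not the marker itself."""
    return hashlib.sha256(marker.encode()).hexdigest()[:16]


def triage(finding: Finding, evidence: Optional[Evidence]) -> Verdict:
    """Promote a finding to 'confirmed' only on derived, non-reflected evidence."""
    if evidence is None:
        return Verdict(finding.endpoint, "unreachable", "no response captured")
    if evidence.status >= 500:
        # A crash is interesting but proves nothing about exploitability.
        return Verdict(finding.endpoint, "suspected", f"server error {evidence.status}")
    if expected_proof(evidence.marker) in evidence.body:
        return Verdict(finding.endpoint, "confirmed", "derived proof value present in response")
    if evidence.marker in evidence.body:
        # Classic false positive: the input was reflected, not processed.
        return Verdict(finding.endpoint, "suspected", "marker reflected verbatim only")
    return Verdict(finding.endpoint, "suspected", "no evidence in response")


def should_block_merge(verdicts: Iterable[Verdict]) -> bool:
    """CI gate: block only on confirmed findings, never on suspicions alone."""
    return any(v.verdict == "confirmed" for v in verdicts)


if __name__ == "__main__":
    f = Finding("/api/v1/example", "unauthenticated-endpoint")
    m = make_marker()
    samples = [
        Evidence(m, 200, "result: " + expected_proof(m)),  # derived value: confirmed
        Evidence(m, 200, "echo: " + m),                    # reflected input: suspected
        Evidence(m, 500, ""),                              # crash: suspected
        None,                                              # unreachable
    ]
    results = [triage(f, e) for e in samples]
    for r in results:
        print(f"{r.endpoint}: {r.verdict} ({r.reason})")
    print("block merge:", should_block_merge(results))
```

The same shape generalises to any scanner that wants to keep its false-positive rate down: decide up front what derived artefact would prove execution, generate it per probe, and refuse to call anything confirmed without it.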
What's next for PHANTOM
CI/CD integration that blocks merges on confirmed exploits, continuous monitoring for new CVEs, full AI framework coverage, and a signed security certification layer.