cool-solution — dev.blog
Technologies

Repo of the day: T3MP3ST, autonomous red teaming driven by AI agents

It was flagged to me by one of the most respected IT people I know, and it's worth a look. T3MP3ST (read «tempest») takes the AI agent you already run — Claude Code, Codex or a model running locally — and turns it into an autonomous red team: point the framework at an authorized target and the chain runs itself, recon → exploit → report, from a browser «War Room» or the command line. With over 4,000 stars and an AGPL-3.0 license, it's less a product to buy and more a signal: the cost of an automated attack is collapsing, and anyone who builds software should know it. A necessary note, repeated by the authors themselves: use it only on systems you own or have written permission to test.

$ claude "refactor user.service to async/await" reading src/services/user.service.ts... proposing 12 edits across 3 files ✓ tests still pass (47 / 47) applying patch...AI PAIRsupervised

💡 What T3MP3ST is: a multi-agent offensive «meta-harness»

T3MP3ST is a multi-agent offensive-security framework: it isn't a new model and it isn't an exploit, it's the scaffolding that coordinates several AI agents around a red teaming goal. The idea, in the project's own words, is that «your coding agent is already a hacker»: T3MP3ST bolts an arsenal of tools and a command layer around it. It's written in TypeScript, is open source under the AGPL-3.0 license and has over 4,000 stars on GitHub.

You start it locally — `npm install` and `npm run server` — and open a War Room in the browser: you connect the agent you already use, describe an authorized target in plain English and the mission launches. The first line of the README isn't a feature but a warning, and I repeat it in the right spirit: it's an offensive tool, to be pointed only at systems you own or have written permission to test. Unauthorized access to other people's systems is illegal in most jurisdictions.

Terminal · start the War Room locally (authorized testing)
# 1) install and start the local server
npm install
npm run server        # War Room → http://127.0.0.1:3333/ui/

# 2) in the War Room connect an agent (Claude Code / Codex / Hermes)
#    and describe a target you own or are authorized to test
# 3) verify the numbers the project claims
npm run verify-claims  # re-derives every benchmark from committed data

Official repo · elder-plinius/T3MP3ST

Keyless: it uses the AI agent you already have. No new API keys, no cloud tenant.

🔓 Why it matters (even if you'll never run a pentest)

Offensive security has always been a specialist's craft: years of practice and expensive tooling. T3MP3ST's bet is that a coordinated agent swarm lowers that barrier — web apps, CTFs, smart contracts, source code, embedded OSS. You may or may not agree it's a good idea, but the direction is clear and concerns everyone: if attacking keeps getting cheaper, defending becomes a daily problem, not just one for big companies.

And that's the value for those who don't do penetration testing for a living: it's a reminder about the threat model. Your systems — and increasingly your AI-based systems — will be probed by automated, tireless, low-cost agents. Understanding how an offensive harness reasons is the first step to closing the right doors. You don't need to know how to attack: you need to know that attacking, today, is being automated.

How offensive security is changing

Yesterday

  • Rare skills, a long learning curve
  • Expensive, fragmented tooling
  • One human operator per phase
  • Pace capped by person-hours

With an agent harness

  • The barrier to entry drops
  • A single arsenal, orchestrated by AI
  • Several coordinated agent «operators»
  • Pace capped by hardware and permissions, not hours

It isn't encouragement to attack: it's a picture of the threat model defenders must assume.

⚙️ How it works: an 8-operator kill chain on MITRE ATT&CK

The architecture is an eight-operator chain, each mapped to a phase of the Cyber Kill Chain and the MITRE ATT&CK framework: Recon, Scanner, Exploiter, Infiltrator, Exfiltrator, Ghost, Coordinator and Analyst. It's the standard vocabulary defenders use to describe an attack — seeing it used as an agent-orchestration schema is, in itself, a good security lesson.

The most honest thing about the project is its status table: it says exactly what's real and what's scaffolding. Today the recon engine is stable and tool-backed (nmap, DNS, HTTP, fingerprinting), while the later phases run the same ReAct loop but stay experimental, and the coordinated «swarm» is openly still unproven. No inflated promises: what isn't demonstrated gets marked as such.

The 8 operators, mapped to the phases of an attack
  1. 01
    Reconreconnaissance and mapping (stable)
  2. 02
    Scannerscanning and fingerprinting
  3. 03
    Exploiterinitial access (experimental)
  4. 04
    Infiltratorlateral movement
  5. 05
    Analystanalysis and reporting

The vocabulary is MITRE ATT&CK's: a schema defenders know well.

🛡️ The safety rails: authorization, scope and a human gate

A tool like this has to be judged also — above all — by its brakes. And T3MP3ST has serious ones, on by default. The first is egress-scope containment: once the mission target is set, the built-in networked tools refuse off-scope hosts (they answer `SCOPE DENIED`) — no loopback, no private networks, only the declared target. The second is the human-approval gate on the most dangerous drivers: the base arsenal has 35 tools, but the advanced post-exploitation modules (like Metasploit and Hydra) activate only with a person's explicit confirmation.

Then there's a coordinated-disclosure pipeline: when a real vulnerability surfaces, the framework drafts the report, but a human always sends it. The rule the authors put in writing is one and non-negotiable: «build for defenders, or don't build it here». For an SMB the practical message is that, if you ever test something, you do it inside scope, with authorization and with the brakes engaged.

  • Authorized targets only: your own systems or written permission. Responsibility lies with the user.
  • Scope containment on by default: off-scope hosts are refused (`SCOPE DENIED`).
  • Human gate: dangerous offensive tools require a person's explicit confirmation.
  • Coordinated disclosure: the framework drafts reports, a human does the sending.

📊 Reproducible numbers: the detail that sets it apart

In a field full of loud announcements, T3MP3ST does something rare: it hands you the means to recompute the numbers. Every figure in the README re-derives from committed data with one command (`npm run verify-claims`, 24 checks out of 24 green), and an anti-fitting guard runs on every push. If a number isn't reproducible, it doesn't ship. It's the same editorial principle I apply here: a measurement is only as good as its methodology.

On benchmarks, the claimed results are notable — 90.1% pass@1 on XBOW's XBEN suite (above XBOW's self-reported 85%), 23/40 hint-free on Cybench, and on 10 real post-cutoff CVEs the model had never seen, 8/10 pinned to exact file, line and CWE. But here too the honesty is part of the product: those numbers come from a single agent, not the coordinated swarm, and the project says so in black and white.

The repo's ID card
repo       elder-plinius/T3MP3ST
stars      ~4,400 · AGPL-3.0 license · no warranty
stack      TypeScript · JavaScript · Node.js
agents     Claude Code · Codex · Hermes · local models
engine     tool-backed recon (stable) · later phases experimental
proof      npm run verify-claims → every number re-derives

Security policy · authorized, responsible use

Snapshot in mid-July 2026: real traction and, above all, verifiable numbers.

🧰 Keyless and offline: the agent (and model) you already have

Two technical choices make it interesting to study. The first is the keyless approach: T3MP3ST asks for no new API keys and no cloud tenant, it uses the coding agent you've already connected. The second is the fully offline mode: you can point it at a local model served by Ollama, LM Studio or vLLM, and tool-calling works over text even with models that lack native function-calling. Nothing has to leave your machine.

For an SMB, that's the point that carries weight: a security test — on your own, authorized systems — can run in house, without shipping anything to external services. It's also a nice integration case study: T3MP3ST exposes `security_recon` as an MCP server — the same protocol I've covered many times — plus an HTTP API to orchestrate missions.

Terminal · run it on a local model (offline)
# no key, no cloud: the model runs locally
ollama serve && ollama pull llama3
export TEMPEST_LOCAL_BASE_URL=http://localhost:11434/api
export TEMPEST_LOCAL_MODEL=llama3
npx tempest   # then: “Change default provider” → local

Docs · scope and authorization

Offline and keyless: useful when the data and systems under test must not leave the network.

🏢 What to learn from it, for developers and SMBs

For developers, T3MP3ST is a small crash course on several fronts: multi-agent orchestration with real ReAct loops, mapping onto MITRE ATT&CK, and above all a measurement discipline (numbers that re-derive, anti-fitting guards) worth copying well beyond security. Even just reading how it separates «what works» from «what's still a bet» is instructive.

For an SMB the reading is defensive, and simple: adversaries are automating, so security hygiene is no longer a luxury. Testing your own systems (with professionals and authorization), updating dependencies, securing your AI deployments: these are activities the falling cost of attack makes more urgent, not less. The tool isn't there to scare you, but to frame the risk properly and spend your security energy where it counts.

⚠️ What to know before you approach it

Let's dot the i's. T3MP3ST is an offensive tool: unauthorized use is illegal and responsibility lies entirely with the user. It's distributed as-is under AGPL-3.0, with no warranty and no liability for damage or misuse. It isn't a toy and it isn't a «find the bugs» button to press at random.

On the technical side, remember that the coordinated swarm is still unproven: the numbers come from a single agent, and many domains (cloud, mobile, binary/RE, Active Directory) are openly in development or mere scaffolding. It can trigger real exploit tools, so the brakes — scope containment and the human gate — must stay engaged, always. Treat it the way you treat a dangerous instrument: with competence, a defined perimeter and authorizations.

  • Legal only if authorized: your own systems or written permission, within the rules of engagement.
  • AGPL-3.0, as-is: no warranty, no liability on the authors' part.
  • Uneven maturity: recon stable, the swarm and many domains still experimental or roadmap.
  • Brakes always on: scope containment and human approval on dangerous tools.

🗺️ Where to start (safely)

The responsible path starts with the documents, not the commands: read the `SECURITY.md` and the `SCOPE_AND_AUTHORIZATION` guide first, so it's clear what «authorized» means. Then, if you really want to try it, do it on your own lab or an explicitly authorized perimeter, with scope containment on and dangerous tools behind the human gate. The right goal isn't «attack something», but to understand the threat model of the agent era.

If you work at a company, the message is even simpler: involve professionals and put the authorization in writing. And to frame the topic more broadly, the deep dives below cover AI governance in the enterprise, authorizing agents via MCP, and agentic AI in business processes. Understanding how an automated adversary moves is worth more than any single exploit.

Frequently asked questions about T3MP3ST

What is T3MP3ST?

T3MP3ST (elder-plinius/T3MP3ST) is an open-source, multi-agent offensive-security framework under the AGPL-3.0 license. It turns an AI coding agent you already use — Claude Code, Codex, Hermes — or a local model into an autonomous «red team» that runs a recon → exploit → report chain from a browser War Room or the CLI. Use it only on your own or authorized systems.

Is it legal to use?

The tool is legal, but using it is legal only on systems you own or have written permission to test. It's an offensive tool: unauthorized access to computers, networks or data is illegal in most jurisdictions, and responsibility lies entirely with the user. The authors themselves insist on authorization, scope and staying within the law.

Do I need API keys or a cloud?

No. T3MP3ST is keyless: it uses the AI agent you've already connected, with no new keys and no cloud tenant. It can also run fully offline on a local model served by Ollama, LM Studio or vLLM, so nothing leaves your machine. It also exposes security_recon as an MCP server and an HTTP API to orchestrate missions.

What are the safety rails?

By default, scope containment refuses off-scope hosts (SCOPE DENIED), the most dangerous post-exploitation tools (like Metasploit and Hydra) require a person's explicit approval, and the coordinated-disclosure pipeline drafts reports only: the sending stays with a human. The stated rule is «build for defenders».

Let's talk

If this topic is relevant to you, write to me: comparing notes on code and AI is always time well spent.

All articles

More articles from the blog

function-calling-microsoft-extensions-ai-dotnet.mdJuly 13, 2026tips-claude-resume-luglio-2026.mdJuly 10, 2026claude-code-hooks-quality-gate-2026.mdJuly 9, 2026