AI Agents for Offensive Security you own this product

Understanding AI-powered attacks and how to stop them

Mark Foudy

MEAP began April 2026
Last updated April 2026
Publication in Fall 2026 (estimated)

ISBN 9781633434172
300 pages (estimated)

Included with a Manning Online subscription

printed in black & white

resources: Source code Book forum Source code on Github

table of content

PART 1: FOUNDATIONS OF AI-DRIVEN OFFENSIVE SECURITY

1 Threat-modeling agentic pipelines

1.1 Offensive Security

1.1.1 Traditional offensive security workflows

1.1.2 Best practices for offensive security

1.1.3 Why Tools Alone Are No Longer Enough

1.2 Large language models (LLMs) as security tools

1.2.1 Intelligence as a Component

1.3 Introducing AI Agents: Reasoning That Acts

1.3.1 What Is An AI Agent?

1.3.2 Why agents matter in offensive security

1.3.3 Agentic Offensive-Security Workflow

1.4 Pipelines: Information Routing Systems

1.4.1 Pipelines as the Organizing Principle

1.4.2 From Autonomy to Architecture

1.4.3 Why pipelines matter

1.5 Artifacts provide precise decision-making in offensive security

1.5.1 Artifacts as the Unit of Movement

1.5.2 Where Intelligence Enters the System

1.6 Why This Matters to You

1.6.1 Penetration Testers and Red Teams

1.6.2 Purple Teams and Detection Engineers

1.6.3 Blue Teams and SOC Analysts

1.7 Summary

2 Building your first AI agent

2.1 Limitations of script-based automation

2.2 What is an agent?

2.3 Anatomy of an agent

2.3.1 Core components

2.3.2 The ReAct agent loop

2.3.3 The scope and responsibility of an agent

2.4 The minimal agent specification

2.5 Building the minimal agent

2.5.1 What this agent does

2.5.2 Messages and observations

2.5.3 Tools

2.5.4 Tool A: extract URLs

2.5.5 Tool B: summarize URLs

2.5.6 Artifacts and logging

2.5.7 The minimal agent loop

2.5.8 Putting it together

2.6 Safety and governance

2.6.1 Why safety matters

2.6.2 Building safety gates

2.6.3 Sandboxing and isolation

2.6.4 Comprehensive logging

2.6.5 Operational policies

2.6.6 Implementing kill switches

2.6.7 Safety and governance summary

2.7 The triage agent

2.7.1 What is triage?

2.7.2 nmap output

2.7.3 Agent decision scope and constraints

2.7.4 Triage artifacts

2.7.5 Practical benefits and safety constraints

2.8 Summary

3 Multi-agent pipelines and orchestration

3.1 Why multi-agent systems?

3.2 Multi-agent mental model

3.3 Artifacts as agent interfaces

3.4 Artifact provenance, replay, and auditability

3.5 Agent orchestration and execution control

3.5.1 What the orchestrator does

3.5.2 3.6.2 Why do we need an orchestrator?

3.6 Shared state and memory boundaries

3.7 Safety gates and authorization control

3.7.1 Applying safety gates in multi-agent systems

3.7.2 Human in the loop

3.8 Error handling and resilience

3.8.1 Retry logic and exponential backoff

3.8.2 Checkpointing

3.8.3 Error classes and mitigation strategies

3.8.4 Monitoring, metrics, and alerts

3.8.5 Building confidence in AI agents through resilience

3.9 Metric visualization and auditing AI agents

3.9.1 Generating simple traces

3.9.2 Graph-based views

3.9.3 Correlating artifacts and logs

3.9.4 Defense through transparency

3.9.5 Practical visualization tips

3.10 Reconnaissance multi-agent pipeline

3.10.1 Pipeline overview

3.10.2 ReconNormalizeAgent

3.10.3 TriageAgent

3.10.4 ReportAgent

3.11 Failure modes in multi-agent systems

3.11.1 Silent artifact drift

3.11.2 Orchestration hidden inside agents

3.11.3 Safety gates treated as formalities

3.11.4 Memory accumulation without correction

3.11.5 Overloaded agents

3.12 Summary

PART 2: RECONNAISSANCE PIPELINES

4 AI-driven reconnaissance pipelines

PART 3: VULNERABILITY DISCOVERY & EXPLOITATION PIPELINES

5 AI-assisted vulnerability discovery

6 Agent-assisted exploitation strategies

PART 4: OPERATIONAL SYNTHESIS & PURPLE TEAMING

7 Intelligent report generation

8 Orchestrating multi-agent workflows

9 The purple-team loop & detection engineering

Appendices

Appendix A: Building your AI lab

Appendix B: Self-hosting & deployment

Appendix C: Hacking the prompt — Advanced prompt engineering for attackers

Overview

1 Threat-modeling agentic pipelines

This chapter explains how modern AI reshapes offensive security by adding reasoning and structure to work that was once linear, manual, and brittle. Where traditional pipelines moved from data collection to a one-time decision, agentic systems bring contextual judgment to each stage, turning vast, noisy outputs into prioritized, reproducible next steps. The focus is on artifacts—the concrete, structured findings produced by tools—and on disciplined routing of those artifacts through controlled, auditable pipelines. AI serves as decision support: humans define objectives and approve escalation; tools still execute; agents reduce cognitive load by interpreting results, correlating weak signals, and proposing strategy shifts as environments change.

The chapter demystifies the technical building blocks behind that shift. Large language models are positioned as probabilistic reasoning engines that can summarize, explain, and triage—but also hallucinate and remain non-deterministic, requiring human oversight. Agents extend LLMs with orchestration, tools, memory, and a knowledge base so they can plan, act, and adapt toward goals, not just answer prompts. Pipelines then provide the governing architecture: they formalize intake, interpretation, controlled action, evaluation, and reporting, with safety gates and logging at each hop. Treating artifacts as first-class objects separates evidence from judgment, yields clarity (tools execute, agents interpret, pipelines route), and replaces ad-hoc stitching with reproducible, accountable operations.

Ethical and operational guardrails are integral: test only within authorized scope, avoid production harm, follow the law, keep humans in the loop for risky actions, protect sensitive data, document everything, and practice responsible disclosure. With these boundaries, agentic pipelines scale precision and consistency across roles: solo hunters gain throughput and better write-ups; red teams capture engagements as reusable playbooks; blue and purple teams convert offensive traces into richer detections and training; leaders get measurable, auditable evidence of scope, controls, and outcomes. In short, the chapter shows how to move from clever prompts to dependable systems—turning creative exploration into controlled, data-driven security practice that preserves human judgment while amplifying impact.

The conventional triage pipeline mental model.This diagram provides a high-level (macro) view of the conventional, human-driven security triage pipeline, as sketched in the notebook. It serves as a roadmap for this linear workflow, starting with data collection and proceeding sequentially through vulnerability assessment, risk scoring, and attack path planning. This entire, predictable sequence traditionally concludes with a human operator making a final decision or handoff.

Seven best practices for offensive security. 1) Authorized scope only: to ensure we do not cause damage or expose sensitive information, we need to work within pre-defined, scoped boundaries. 2) No production harm: do not do things that will negatively affect production traffic. 3) Follow the law: we must stay compliant and follow regulations. 4) Human oversight: humans must be in the loop to review and validate findings. 5) Protect sensitive data: proper processes must be set up to ensure personal and identifiable information is not exposed. 6) Document everything: we must store logs, traces, and other artifacts that will allow us to audit our systems. 7) Reasonable disclosure: We should give the affected party a reasonable amount of time to fix issues before publicly revealing them. These best practices ensure that offensive security teams consistently deliver value and maintain professionalism within their organization.

An illustrative example of how an LLM generates the next token. As the LLM generates a sentence, it considers the context of the previous words that were generated. The LLM takes in the last token and assesses the probability of the next token. In the example above, since green has the highest logit value, it is the next word to be generated in the sentence.

An overview of AI agent systems. AI agents consist of 4 components that are orchestrated together to produce an outcome: 1) the model, which is a foundation model, 2) tools, which are functions that the LLM can use to interact with the world (e.g., custom functions, APIs, MCP servers), 3) memory, where previous interactions are stored either in the context window or in a vector database, and 4) the knowledgebase, where additional context (documents, old conversations, etc) are stored in a vector database.

The Dynamic AI Agent System Mental Model. This diagram models the more dynamic system that results from introducing an AI Agent, representing the technology and its surrounding world. Unlike the linear sequence in Model 1, the central Agent creates a cyclical, event-driven workflow that allows it to initiate reconnaissance, penetration testing, or triage in response to new data. This model provides a framework for understanding the complex, parallel interactions and feedback loops unique to the AI-driven system. A reader can use this model to predict the AI's behavior or debug its emergent actions.

An example: reconnaissance agent pipeline. An AI agent system consists of 1) a data pipeline that feeds an LLM logs and other inputs from the system, 2) a reasoning component that allows AI models to determine appropriate actions and steps, 3) an evaluation component that assesses the impact of the changes, and 4) a reporting system for the security professionals.1.4.2. Core Components of an AI Security Pipeline

Summary

Large language models (LLMs) introduce contextual reasoning to security testing, turning raw data into actionable intelligence when guided by skilled professionals.
Because LLMs are probabilistic systems, their outputs can be unreliable without validation; human oversight is essential to ensure accuracy and safety.
AI agents build on LLMs by adding memory, planning, and tool-use capabilities, enabling reasoning systems that can act rather than merely respond.
Pipelines provide the structure agents need to remain reliable and accountable—defining clear stages for input, reasoning, action, evaluation, and reporting.
AI agent pipelines allow offensive security teams to scale intelligence without losing control—empowering individuals, red teams, and CISOs alike to achieve measurable, repeatable outcomes.

FAQ

What problem do AI agent pipelines solve in offensive security?

They close the gap between fast execution and informed decision-making. By formalizing how information moves from reconnaissance to action, pipelines turn AI-assisted insights into controlled, repeatable, and auditable workflows—reducing chaos while preserving human oversight.

How are AI agents different from traditional security automation?

Traditional tooling runs predefined commands and rules; AI agents add reasoning, planning, and adaptation. Agents use a model plus tools, memory, and goals to iteratively choose next steps, evaluate results, and adjust strategies—without replacing existing scanners or exploits.

What are “artifacts” and why are they central to the pipeline?

Artifacts are durable records of observations (for example, open ports, response headers, discovered endpoints, or authentication behaviors). Pipelines route these artifacts from one stage to the next, while agents decide which artifacts matter—separating raw evidence from interpretation and keeping decisions traceable.

Where do large language models (LLMs) fit, and what are their limitations?

LLMs provide contextual reasoning—summarizing outputs, prioritizing findings, and explaining what results mean. They are probabilistic and can hallucinate or vary across runs, so teams should treat them as powerful but fallible components with human review, safety checks, and clean data inputs.

How do pipelines keep offensive testing ethical and contained?

They embed decision gates and approvals, enforce scoped boundaries, and generate comprehensive logs. Combined with best practices—authorized scope, no production harm, legal compliance, human oversight, data protection, documentation, and responsible disclosure—pipelines help ensure safe, professional operations.

How does an agentic workflow differ from the classic pentest pipeline?

The classic flow is linear and deterministic (collect → assess → score → plan → decide). Agentic workflows are cyclical and event-driven: an agent initiates tasks, triages results, adapts strategy in real time, and loops—bringing feedback and reasoning into each step.

What are the core components of an AI agent system?

An agent combines: 1) a model for reasoning, 2) tools for taking actions, 3) memory to retain context, and 4) a knowledge base to ground decisions—coordinated by orchestration logic that plans and sequences the next step toward a goal.

Why use pipelines instead of ad‑hoc scripts?

Pipelines bring speed, standardization, and scale; they support continuous monitoring, reduce costs through automation, and double as living documentation. They also add clarity (tools execute, agents interpret, pipelines route), scalability (fewer manual handoffs), and accountability (every decision tied to an artifact).

Who benefits from AI agent pipelines, and how?

Solo researchers gain force-multiplying triage and reporting; red teams capture repeatable playbooks; purple/detection teams reuse offensive traces to tune defenses; blue/SOC teams safely replay scenarios; leaders get measurable, auditable evidence of scope, controls, and outcomes.

What does a reconnaissance pipeline look like in practice?

Data flows in from trusted tools and logs, an agent interprets context, controlled actions run against selected targets, results are evaluated against rules or safety checks, and findings are reported. For example, web-relevant services from a port scan advance to HTTP probing explicitly, with human approvals gating any risky steps.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

Introductory offer
Save 50% for a limited time!

eBook

pdf, ePub, online

$55.99 $27.99

you save $28.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

Introductory offer
Save 50% for a limited time!

eBook

$55.99 $27.99

you save $28.00 (50%)

Introductory offer
Save 50% for a limited time!

eBook

pdf, ePub, online

$55.99 $27.99

you save $28.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more