A critical vulnerability chain in a codebase is the same kind of object as an attack on a cryptographic scheme: a sequence of operations that composes into something dangerous, drawn from a space too large for manual enumeration. Static analysis finds known patterns. We are building systems that search for novel ones.
Our offensive security work uses structured program representations (code property graphs, taint analysis, binary lifting) as the substrate over which AI agents operate. The agents do not classify known vulnerability types. They search for multi-step exploitation paths that no predefined signature would match, scored against the actual behavior of the target system.
This is a second application of the same thesis: evolutionary search over a combinatorial space of programs, guided by a domain-specific oracle. In cryptanalysis, the oracle is the Lattice Estimator. In offensive security, the oracle is the target system itself.