Roadmap

Released

v0.1 — Foundation

  • ✅ Multi-Phase Trust Exploitation methodology (8 phases)
  • ✅ NetworkX-based attack knowledge graph
  • ✅ Attack library with YAML-defined vectors
  • ✅ LangChain and CrewAI adapters
  • ✅ Rich CLI with HTML/Markdown/JSON reports
  • ✅ Tool chain analysis (30+ dangerous patterns)
  • ✅ Skill CVE database (15 seed CVEs)

v0.2 — Intelligence

  • ✅ LLM-powered dynamic attack vector generation
  • ✅ Static analysis engine (10 offline checks, SA001–SA010)
  • ✅ PoC exploit generator (Python, cURL, Markdown)
  • ✅ Policy engine with configurable rules
  • ✅ CI/CD quality gate with SARIF output
  • ✅ Amazon Bedrock adapter
  • ✅ Expanded attack library (137 vectors across 9 files)
  • ✅ OWASP LLM Top 10 mapping for all vectors

v0.3 — Remote Scanning

  • ✅ Remote agent scanning over HTTPS
  • ✅ REST protocol handler (generic HTTP APIs)
  • ✅ OpenAI-compatible protocol handler
  • ✅ MCP (Model Context Protocol) handler
  • ✅ A2A (Agent-to-Agent) protocol handler
  • ✅ Auto-protocol detection
  • ✅ Target YAML configuration with auth, TLS, retry
  • ✅ GitHub Action (taoq-ai/ziran@v0)
  • ✅ 11 dedicated A2A attack vectors
  • ✅ 15 runnable examples

v0.4 — Multi-Vendor & LLM Backbone

  • ✅ Multi-vendor LLM support via LiteLLM (OpenAI, Anthropic, AWS Bedrock, Google, and more)
  • ✅ LLM-as-a-Judge detection for nuanced semantic analysis
  • ✅ Amazon Bedrock Agent and AgentCore adapters
  • ✅ Dependency capping and compatibility hardening

v0.5 — Adaptive Intelligence

  • ✅ Streaming support — SSE and WebSocket protocol handlers for real-time attack monitoring
  • ✅ Multi-agent coordination — Topology discovery, individual and cross-agent scanning for supervisor, router, peer-to-peer, hierarchical, and pipeline architectures
  • ✅ Adaptive campaigns — Three execution strategies: fixed (sequential), adaptive (rule-based), and LLM-adaptive (LLM-driven phase orchestration)
  • ✅ Campaign strategy protocol — Extensible interface for custom campaign strategies
  • ✅ 327 multi-agent attack vectors — Cross-agent prompt injection, delegation chain manipulation, shared memory poisoning
  • ✅ 18 runnable examples — Including multi-agent, streaming, and adaptive campaign demos

v0.6 — Pentesting Agent

  • ✅ Autonomous pentesting agent — An LLM-powered agent that plans, executes, and adapts attack campaigns with minimal human intervention
  • ✅ Attack chain reasoning — The agent reasons about discovered vulnerabilities to chain multi-step exploits
  • ✅ Interactive red-team mode — Collaborate with the pentesting agent in a conversational interface
  • ✅ Finding deduplication — Intelligent merging of related findings across automated and agent-driven scans

v0.7 — Browser Scanning

  • ✅ Browser-based agent scanning — Headless Playwright adapter for testing agents exposed via web chat UIs
  • ✅ Network interception — Primary extraction via intercepted API calls (WebSocket, SSE, HTTP)
  • ✅ DOM fallback — Secondary extraction from rendered page content when network interception is unavailable

v0.8 — Depth & Ecosystem

  • ✅ Expanded tool chain patterns — Grew from 32 to 102 dangerous patterns across 15 categories (cloud services, MCP, A2A, CI/CD, browser, crypto, and more) via YAML registry with custom pattern support
  • ✅ Encoding/obfuscation engine — 8 encoding types (Base64, ROT13, leetspeak, homoglyph, hex, whitespace, mixed case, payload split) with composable pipelines via --encoding flag
  • ✅ Multi-turn jailbreak tactics — Crescendo, context buildup, persona shift, and distraction tactics for progressive escalation within campaign phases
  • ✅ BOLA/BFLA authorization testing — Authorization bypass detector and 20 attack vectors for Broken Object/Function Level Authorization testing
  • ✅ Promptfoo provider bridge — Use ZIRAN as a custom Python provider for Promptfoo, enabling configuration-driven security testing with YAML test cases
  • ✅ OpenTelemetry tracing — Opt-in distributed tracing for campaigns, phases, attacks, and detection with zero overhead when disabled

v0.9 — Remediation Engine

  • [ ] Auto-generated fix suggestions — Concrete code patches and guardrail configurations for discovered vulnerabilities
  • [ ] Guardrail templates — Pre-built guardrail configurations for common agent frameworks
  • [ ] Remediation validation — Re-scan after applying fixes to verify remediation effectiveness
  • [ ] Security policy generator — Generate policy files from scan results

v0.10 — MCP Server Mode

  • [ ] ZIRAN as an MCP server — Expose scanning capabilities via the Model Context Protocol, enabling any MCP-compatible client to trigger scans
  • [ ] Tool-based scanning interface — Scan agents, browse results, and manage campaigns through MCP tool calls
  • [ ] Integration with AI IDEs — Use ZIRAN directly from Cursor, Windsurf, Claude Desktop, and other MCP clients
  • [ ] Continuous monitoring — Long-running MCP server mode for periodic security assessments

Future

  • [ ] Custom chain rule language — User-defined tool chain patterns complementing ZIRAN's auto-discovery
  • [ ] Community chain patterns — Crowdsourced dangerous tool chain submissions (like Skill CVEs but for tool compositions)
  • [ ] AgentSecBench — Purpose-built benchmark: vulnerable agents with known tool chain vulnerabilities, demonstrating what ZIRAN catches that other tools miss
  • [ ] Tool chain methodology paper — Publish the discovery-based approach as research
  • [ ] Community CVE portal — Web-based CVE submission and search
  • [ ] Agent benchmarking — Comparative security scoring across agent versions
  • [ ] Compliance reports — SOC 2, ISO 27001, and NIST AI RMF report templates

How to Influence the Roadmap

  • Vote on issues — 👍 issues that matter to you
  • Open feature requests — Feature request template
  • Contribute code — PRs for roadmap items are very welcome
  • Share feedback — Discussions