Roadmap
Priorities shift as the landscape changes. This page tracks themes we're actively investing in — not fixed version schedules. For what's currently in flight, see the active milestones on GitHub. For commercial / hosted-platform work, see the ZIRAN Cloud planning notes.
Recently Delivered
v0.1 — Foundation
Multi-Phase Trust Exploitation methodology (8 phases)
NetworkX-based attack knowledge graph
Attack library with YAML-defined vectors
LangChain and CrewAI adapters
Rich CLI with HTML/Markdown/JSON reports
Tool chain analysis (30+ dangerous patterns)
Skill CVE database (15 seed CVEs)
v0.2 — Intelligence
LLM-powered dynamic attack vector generation
Static analysis engine (10 offline checks, SA001–SA010)
PoC exploit generator (Python, cURL, Markdown)
Policy engine with configurable rules
CI/CD quality gate with SARIF output
Amazon Bedrock adapter
Expanded attack library with OWASP LLM Top 10 mapping
v0.3 — Remote Scanning
Remote agent scanning over HTTPS (REST, OpenAI, MCP, A2A handlers with auto-detection)
Target YAML configuration with auth, TLS, retry
GitHub Action (`taoq-ai/ziran@v0`)
v0.4 — Multi-Vendor & LLM Backbone
Multi-vendor LLM support via LiteLLM (OpenAI, Anthropic, AWS Bedrock, Google, and more)
LLM-as-a-Judge detection for nuanced semantic analysis
Amazon Bedrock Agent and AgentCore adapters
v0.5 — Adaptive Intelligence
Streaming support (SSE, WebSocket)
Multi-agent coordination — topology discovery, cross-agent scanning
Adaptive campaign strategies — fixed, rule-based, and LLM-driven phase orchestration
327 multi-agent attack vectors covering cross-agent injection, delegation-chain manipulation, shared-memory poisoning
v0.6 — Autonomous Pentesting Agent
LangGraph-based pentesting agent (planner, executor, reasoner, reporter)
Attack-chain reasoning across multi-step exploits
Interactive red-team mode
Finding deduplication across automated and agent-driven scans
v0.7 — Browser Scanning
Headless Playwright adapter for agents behind web chat UIs
Network interception + DOM-fallback extraction
v0.8 — Depth & Ecosystem
Expanded tool chain patterns — grew from 32 to 102 dangerous patterns across 15 categories (cloud services, MCP, A2A, CI/CD, browser, crypto, and more)
Encoding / obfuscation engine — 12 encoding types (Base64, ROT13, leetspeak, homoglyph, hex, whitespace, mixed case, payload split, pig latin, reverse, word shuffle, token boundary)
Multi-turn jailbreak tactics — crescendo, context buildup, persona shift, distraction tactics for progressive escalation
BOLA / BFLA authorization testing — 20 attack vectors for Broken Object / Function Level Authorization
Promptfoo provider bridge — use ZIRAN as a custom Python provider in Promptfoo YAML test cases
OpenTelemetry tracing — opt-in distributed tracing for campaigns, phases, attacks, and detection
v0.9 — Business Impact & Resilience Metrics
Business impact categorisation — findings tagged with 7 categories (financial loss, reputation damage, privacy violation, unauthorised actions, system compromise, misinformation, property loss)
AILuminate-style resilience gap metric — baseline vs under-attack performance delta
Utility-under-attack measurement — legitimate-task performance degradation during campaigns
Closed three critical benchmark gaps surfaced by early external review
v0.10 — Benchmark Breadth
100% ALERT benchmark coverage (32 micro categories)
100% JailbreakBench coverage (all 10 JBB categories)
R-Judge risk scenario coverage (10 risk types)
Harmful multi-step task scenarios — AgentHarm-aligned
OWASP LLM04 (Model DoS) — dedicated attack vectors
Expanded jailbreak tactic library + benchmark coverage comparison report generator
v0.11 — Detection Accuracy & Quality Metrics
Precision / recall / F1 metrics for detection accuracy on labelled datasets
StrongREJECT-style quality-aware jailbreak scoring (refusal + specificity + convincingness composite)
MCPTox tool-poisoning coverage expanded to 100+ vectors
AgentHarm multi-step vector coverage expanded to 161 vectors
Historical benchmark tracking + trend analysis
Comparative analysis against Promptfoo, Garak, and other tools
v0.12 — Performance & Reliability Hardening
Test suite 4.7× speedup (7 min → 1.5 min)
HTTP 429 rate-limit handling with Retry-After header support
Memory-bounded campaigns — attack-result growth capped
Combined refusal patterns into a single mega-regex (significant detector speedup)
Cached betweenness centrality in chain analyzer
Parallelised protocol auto-detection and multi-agent scans
Campaign checkpoint / resume for long-running scans
Circuit breaker pattern for failing remote agents
CLI `--dry-run` + `validate` command for configuration sanity checks
v0.13 — Web UI Foundation
Web UI — React + Vite frontend, FastAPI + SQLAlchemy backend, PostgreSQL
Findings management — filtering, triage, OWASP compliance view
Attack library browser — filter by category, severity, OWASP, tags
Knowledge graph visualisation — interactive vis-network rendering
Settings page — agent configuration + scan preferences
TaoQ design system — shadcn/ui + Tailwind, dark-mode-ready
Docker multi-stage build + Playwright E2E tests
v0.14 — Runtime Bridge
Policy export — OPA/Rego, Cedar, NeMo Colang, Invariant Labs DSL bundles
Trace analysis — ingest OTel / Langfuse production traces, match against dangerous chains
MCP registry watcher — poll manifests, detect drift, flag typosquats
CI/CD templates for GitHub, GitLab, Jenkins, CircleCI, Azure Pipelines
Agent Security Landscape concept page — where ZIRAN fits in the pre-deploy / runtime / observability stack
v0.15 — Benchmark Maturity
100% OWASP LLM Top 10 coverage (10/10 categories, all strong+)
MITRE ATLAS mapping on every vector (72/86 techniques, 14/14 agent-specific)
Defence profile schema + evasion-rate metric (schema + metric field; evaluator adapters follow in the next cycle)
RAG-poisoning attack category — retrieval-aware indirect injection vectors
Benchmark expansion — TensorTrust, WildJailbreak, ToolEmu, CyberSecEval coverage lifts
See the benchmark coverage comparison for the full dashboard.
In Flight & Next Up
Work is organised into themes, each tracked by an open GitHub milestone. The themes are the stable commitment; which release tag they end up shipping under is whatever release-please decides when the work lands — that's intentionally not pinned here because priorities shift.
Theme: Runtime Loop
Close the pre-deploy → runtime → observability loop that v0.8 sketched. Today the runtime-bridge commands (export-policy, analyze-traces, watch-registry) ship infrastructure but leave the integration endpoints to humans. This theme wires them through to real systems.
- [ ] NeMo Guardrails evaluator adapter — makes `evasion_rate` computable for the first concrete guardrail; unblocks Lakera and Invariant follow-ups (#271)
- [ ] Registry-watcher alerting — Slack + GitHub issue output adapters when MCP drift is detected (#272)
- [ ] Policy auto-refresh GitHub Action — PR-based refresh of exported policies when the library or target config changes (#273)
- [ ] Trace-analysis → GitHub issues — auto-file issues when production traces match dangerous chains (#274)
Theme: Detection Depth
Close frontier attack gaps (gradient-based attacks, many-shot jailbreaks, tool-schema confusion) and detection-quality gaps (multilingual refusal, untuned thresholds, no precision/recall baseline). Benchmark what ZIRAN claims against labelled ground truth.
- [ ] Gradient-based adversarial attacks (GCG / PAIR) — new `AdvancedAttackGenerator` subsystem for optimiser-based attacks (#275)
- [ ] Many-shot jailbreaking category — exploits long-context windows with hundreds of shots (#276)
- [ ] Tool-schema confusion category — malformed schemas, parameter type confusion, enum injection (#277)
- [ ] Multilingual refusal detection — extend the refusal detector beyond English (Chinese, Spanish, German, French, Japanese) (#278)
- [ ] Precision/recall/F1 benchmark per detector — labelled ground-truth eval, threshold tuning methodology (#279)
- [ ] Pentesting-agent ground-truth evaluation — does the autonomous agent find vulnerabilities the rule-based scanner misses? (#280)
Theme: Production Scale
Harden the runtime for enterprise production use — rate-limiting, structured logging, resumable checkpoints, proper metrics.
- [ ] Rate-limiting + retry with backoff — per-provider token bucket, exponential retry on 429s, scale beyond the current 5-concurrent default (#281)
- [ ] Structured JSON logging (structlog) — machine-queryable audit trail for ELK / Datadog / Splunk ingestion (#282)
- [ ] Partial-phase checkpoint resume — save progress within a phase; don't lose 30 min of work on a crash (#283)
- [ ] OTel metrics export (Prometheus-compatible) — counters, gauges, histograms beyond the existing span export (#284)
Theme: Ecosystem + Enterprise
Expand framework reach and unlock enterprise-facing positioning: incremental scanning for dev-loop speed, compliance evidence bundles for procurement.
- [ ] AutoGen adapter — Microsoft's multi-agent framework (#285)
- [ ] Anthropic SDK native adapter — direct path, no LangChain wrapping (#286)
- [ ] Langfuse API trace ingestor — live pulls, not file exports (#287)
- [ ] Incremental / diff scanning — only re-test changed vectors; unlock pre-commit-hook and fast-CI-gate use (#288)
- [ ] Compliance evidence bundles — EU AI Act / NIST AI RMF / ISO 42001 mapping + export (#289)
Opportunistic — Not in a theme
These don't block a milestone but are worth landing when someone has a slot:
- [ ] Attack library community submission workflow — clear contributor path, PR template, CI schema linter (#290) — good first issue
- [ ] Supply-chain signing — cosign signatures on releases, CycloneDX SBOM, SLSA provenance (#291)
- [ ] `ziran init` scaffolding command — one-liner onboarding (#292) — good first issue
- [ ] Expand ATLAS coverage to remaining tactics — AI Model Access, AI Attack Staging (#264)
- [ ] asqav signing integration sketch — downstream signing of ZIRAN outputs (#259)
- [ ] HTML report graph pagination — perf improvement for large campaigns (#217)
UI Hardening
Tracked as a parallel stream. See UI-labelled issues.
Longer Term
Directions we're watching but not yet committed to a milestone on. These are the places where the shape of the work isn't settled yet — what ships depends on signal from users and on what the surrounding ecosystem does.
- Multimodal prompt injection — image / document / audio attack surface, once multimodal agents are common production targets
- Custom chain rule language — user-defined tool chain patterns complementing auto-discovery
- AgentSecBench — purpose-built benchmark of deliberately-vulnerable agents with known tool-chain vulnerabilities; demonstrates what ZIRAN catches that other tools miss
- Tool chain methodology paper — publish the discovery-based approach as research
- Red-team / blue-team split mode — meaningful once the DefenceProfile evaluator ecosystem has multiple implementations (waits for #271 and the next evaluator)
- Federated agent trust boundary modelling — cross-org / cross-network agent topologies
ZIRAN Cloud
A hosted platform layer is planned for commercial / enterprise use cases. OSS ZIRAN remains the foundation — Cloud builds on top rather than replacing anything. Current direction is tracked privately but the capabilities under consideration include:
- Managed parallel scanning — campaigns fan out across worker pools with global rate-limiting; no self-hosted Ray/Celery required
- Curated premium threat-intel feed — continuously updated vector library with researcher provenance, SLA-backed, complementing the open community-submission path
- Multi-tenant RBAC — red-team / blue-team role dashboards, audit logs, team-based compliance workflows
These are deliberately not in the OSS roadmap because they either require hosted infrastructure to be useful or would conflict with the partner ecosystem (NeMo, Lakera, Invariant, Langfuse) that OSS ZIRAN works with, not against.
How to Influence the Roadmap
- Vote on issues — upvote issues that matter to you; we read the vote counts when prioritising
- Open feature requests — feature request template
- Contribute code — PRs for any of the themed issues above are very welcome; look for `good first issue` labels
- Share feedback — Discussions