▲ VISUALISATION — a reconstruction assembled from the real VEDA engagement output
(report VEDA-20260702-100808, 9 findings, 45 ledger events). Not a live screen recording.
PROJECT VEDA // boottarget: localhost:8000/api/v1 · PTOLEMAIOS sandbox
Vulnerability Exploitation Detection Architecture — an HITL-governed, multi-agent
autonomous red-team framework, evaluated against the Singa Bank BFSI sandbox.
The five Gundam-named agents come online inside the network-isolated Docker sandbox.
EXIA
Infrastructure & boundary recon
↳ CAI
DYNAMES
App / API security testing
↳ Strix
VIRTUE
Ed25519 scope-gate
↳ HexStrike
VEDA Core
Orchestration & synthesis
↳ Hermes (Claude)
PTOLEMAIOS
Isolated Docker sandbox
↳ veda_only net
02Cryptographic Scope Gate — VIRTUE
Six Ed25519-signed predicates must ALL pass (default-deny) before any packet reaches the target.
✓
Valid Ed25519 signaturemanifest body verified against veda_verify.key
✓
Within validity windowmanifest not expired
✓
Target in-scopelocalhost ∈ in_scope list
✓
Not excludedlocalhost ∉ exclusion list
✓
Technique within ceilingapi_* ≤ MEDIUM intensity
✓
HITL token presentrequired for write/test techniques
03Human-in-the-Loop — blocking checkpoints
The pipeline cannot advance past CP1 / CP4 without an explicit human APPROVE — recorded, non-repudiable.
RISK: CRITICAL
⚠ HITL CHECKPOINT — CP1 · ACTIVE_EXPLOITATION
EXIA → DYNAMES is about to transition from passive reconnaissance to active,
payload-bearing exploitation against localhost:8000. All traffic will be logged to the audit ledger.
Type APPROVE to authorise:
04Attacking the bank — DYNAMES fires
Nine single-request flaws detected across the OWASP API Top-10 surface. Each finding is hash-logged.
ID
Finding
Endpoint
OWASP
Sev
ATT&CK
05Report & scorecard — VEDA Core synthesises
Findings scored against the 10-row ground-truth matrix. V10 (race) is the honest, documented false negative.
0
Precision
TP / (TP+FP)
0
Recall
TP / (TP+FN)
0
Specificity*
secure-mode run
0
F1 score
harmonic mean
GT: Vulnerable
GT: Secure
Detected
TP = 9
FP = 0
Not detected
FN = 1 (V10)
TN = 0
* Specificity is measured in the separate secure-mode run (all flags off);
with all 10 armed it is reported n/a. 9 findings · 4 Critical · 5 High · engagement 30.3 s.
06Governance & assurance
Every action is written to an append-only, SHA-256 hash-chained audit ledger — tamper-evident by design.
ledger/veda_audit.jsonl · 45 immutable entries · each SHA-256 chained to the previous
MAS TRM §13 — VA & Penetration Testing → EXIA→HITL→DYNAMES pipeline
MAS TRM §12 — Security logging → 45-entry hash-chained ledger
Project VEDA — MBA Cybersecurity thesis · Xaltius Academy / BHS Switzerland
Visualisation reconstructed from real engagement data · findings, metrics and ledger counts are actual outputs.