Inspiration
Cloud security teams are currently drowning in a sea of passive vulnerability alerts. Traditional scanners flag thousands of CVEs, but they lack critical real-world context: Is this application actually internet-exposed? Is there an active, weaponized exploit in the wild right now?
Security engineers waste hours manually validating alerts while attackers take advantage of the window of exposure. We built AutoPatch-Agent to completely eliminate this manual triage lag. We wanted to create an autonomous agentic system that doesn't just alert, but actively probes, dynamically verifies real-world exposure, and executes self-healing remediation in real time.
What it does
AutoPatch-Agent is an autonomous, threat-intelligent vulnerability triage and remediation system.
Ingest & Parse: The agent monitors Datadog Cloud Security Management for new CVE alerts and intercepts raw GitHub Actions deployment logs to parse target infrastructure metadata (AWS Region, Instance ID, Public IP).
Threat Verification: It orchestrates the Nimble API to run dual-track validations: crawling the open web (NVD, security blogs, GitHub advisories) for live exploit availability while simultaneously performing a targeted network probe to confirm live internet exposure.
High-Speed Triage: All incoming infrastructure states and threat data are streamed into ClickHouse as they arrive. The system executes an analytical join to instantly separate low-priority alerts from critical, internet-exposed threats.
Autonomous Self-Healing: For critical items, the agent triggers targeted automated remediation scripts (such as patching configs or isolation protocols) via AWS SSM or Docker control layers.
Grounded Reporting: Finally, the full telemetry lifecycle is compiled by the Senso.ai API into a beautifully formatted, heavily cited Markdown report (cited.md), which updates a live React dashboard hosted on Vercel.
How we built it
Our technical stack is tightly integrated to prioritize raw execution speed, data integrity, and grounded AI generation:
State Engine & Triage: ClickHouse serves as our ultra-fast analytical backbone. Instead of a slow relational database, ClickHouse handles simultaneous writes of log data, CVE details, and scraping telemetry, letting us evaluate infrastructure risk profiles instantaneously.
External Intelligence & Probing: We used the Nimble API to safely bypass the complexities of web scraping and network probing. It seamlessly handles both structured NVD data acquisition and direct connectivity checks against target IPs.
Grounded Reporting: We used Senso.ai to generate our audit logs. Senso ensures that every automated patch is accompanied by a reliable text summary that cites exact external sources found by Nimble, eliminating LLM hallucinations entirely.
Deterministic Triage Logic: Rather than relying on arbitrary risk scores, we engineered a deterministic triage layer directly inside ClickHouse using relational joins. The engine tags a vulnerability as CRITICAL PRIORITY if and only if the application has an active CVE and Nimble verifies it is actively exposed to the public internet. If the application is internal or unexposed, ClickHouse flags it as LOW PRIORITY, safely deferring it and protecting production stability.
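The triage rule above written as a ClickHouse query, added here as an illustration and not taken from the AutoPatch-Agent code base; the table names, columns and sample rows are assumptions. It uses the latest probe per instance and sets `join_use_nulls` so that an alert with no probe row stays distinguishable from a host probed as unexposed, while both still land in LOW PRIORITY as the rule requires.

```sql
-- Hypothetical schema: names are assumptions, not the project's own tables.
CREATE TABLE cve_alerts
(
    instance_id String,
    cve_id      String,
    detected_at DateTime
)
ENGINE = MergeTree ORDER BY (instance_id, cve_id);

CREATE TABLE exposure_probes
(
    instance_id String,
    exposed     UInt8,      -- 1 = the probe reached the host from the internet
    probed_at   DateTime
)
ENGINE = MergeTree ORDER BY (instance_id, probed_at);

-- Constructed sample rows (placeholder identifiers).
INSERT INTO cve_alerts VALUES
    ('i-constructed-a', 'CVE-PLACEHOLDER-1', '2024-01-01 10:00:00'),
    ('i-constructed-b', 'CVE-PLACEHOLDER-2', '2024-01-01 10:00:00'),
    ('i-constructed-c', 'CVE-PLACEHOLDER-3', '2024-01-01 10:00:00');

INSERT INTO exposure_probes VALUES
    ('i-constructed-a', 0, '2024-01-01 09:00:00'),  -- older probe: unexposed
    ('i-constructed-a', 1, '2024-01-01 10:01:00'),  -- latest probe: exposed
    ('i-constructed-b', 0, '2024-01-01 10:01:00');  -- instance c was never probed

SELECT
    a.instance_id,
    a.cve_id,
    -- CRITICAL only when the latest probe verified exposure; everything else is LOW.
    if(ifNull(p.exposed, 0) = 1, 'CRITICAL PRIORITY', 'LOW PRIORITY') AS priority,
    -- Without join_use_nulls an unmatched row would read exposed = 0,
    -- making "never probed" look identical to "probed and unexposed".
    isNull(p.exposed) AS never_probed
FROM cve_alerts AS a
LEFT JOIN
(
    -- Latest probe result per instance.
    SELECT instance_id, argMax(exposed, probed_at) AS exposed
    FROM exposure_probes
    GROUP BY instance_id
) AS p ON a.instance_id = p.instance_id
ORDER BY a.instance_id
SETTINGS join_use_nulls = 1;
```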
Challenges we ran into
Parsing unformatted, raw GitHub Actions deployment blocks without brittle regex patterns was a major early obstacle. We solved this by deploying a lightweight LLM tool-calling utility specifically trained to locate and format the DEPLOYMENT_METADATA block safely.
Additionally, navigating rate limits and anti-bot protections on diverse security blogs while hunting for zero-day threat intelligence threatened to slow our agent down. Integrating the Nimble API completely resolved this, abstracting away proxy rotation and target rendering so our agent could focus purely on data analysis.
Finally, guaranteeing that autonomous remediation scripts would never accidentally break an internal production application required strict deterministic gating rules inside our ClickHouse state machine.
Accomplishments that we're proud of
Sub-Minute Mitigation: We successfully engineered a completely autonomous SecOps pipeline that detects, verifies, triages, and starts patching an active threat in under 45 seconds.
Sponsor Tool Mastery: We pushed ClickHouse to run relational analytical joins across unstructured infrastructure paths and scraping telemetry with sub-millisecond latency.
Bulletproof Integrity: Our generated audit trails match every single infrastructure modification to verified web citations using Senso.ai, giving security teams absolute confidence in our agent's autonomous actions.
What we learned
We learned that autonomous agents are most effective when treated as tool-using orchestrators rather than simple text generators. By decoupling the reasoning engine from the underlying data layers—using ClickHouse for blazing fast state transitions, Nimble API for real-world environmental awareness, and Senso.ai for verifiable generation—we can safely grant an LLM orchestrator the authority to execute critical infrastructure changes without risking chaotic failures.
What's next for VulnerAI
We are ready to scale AutoPatch-Agent into a comprehensive enterprise security framework:
Kubernetes/K8s Support: Moving beyond standalone AWS EC2 instances to dynamically isolate pods and patch container runtimes via automated network policies.
Advanced eBPF Probing: Integrating deeper kernel-level runtime insights directly into our ClickHouse telemetry schema to track active vulnerability exploitation attempts live.
Distributed Multi-Region Syncing: Scaling ClickHouse to cluster across multiple distinct enterprise environments to coordinate global, cross-cloud defensive responses simultaneously.
Built With
- aws-ec2
- bash
- clickhouse
- datadog-cloud-security-management
- docker
- github-actions
- nimble-api
- python
- react
- senso.ai
- typescript
- vercel
