// research log
Agentic AI for autonomous VAPT in operational technology.
My doctorate at Keele University asks whether autonomous agents — not scripted scanners,
not LLM chat wrappers, but goal-directed systems that observe, reason, decide, and act —
can assist with vulnerability assessment in environments where downtime kills people.
─── flagship project ──────────────────────────────────────────────────────
// pathfinder ai
Pathfinder AI
An agentic vulnerability assessment framework for operational technology
environments. Built around the PEER lifecycle (Plan → Enumerate → Exploit
→ Report) with an inner ORDA control loop, governance-gated tool calls,
and hash-chained telemetry. Evaluated against a SWaT-inspired multi-PLC
Modbus testbed.
- Status: Phases 0–3 complete · end-to-end verified · 142 tests passing
- Stack: Python 3.11+ · Ollama (DeepSeek R1 14B) · MCP · Jinja2 · async httpx
- Testbed: SWaT-inspired multi-PLC Modbus environment
- Scope: Two zones · three vulnerabilities · five benchmark runs
─── publications ──────────────────────────────────────────────────────────
- Under revision
Agentic and Generative AI for Autonomous VAPT: A Systematic Analysis
Truss, S. · Ghanem, M. C. (corresponding) · Lacerda, M. J.
Systematic literature review of agentic and generative approaches to penetration testing
and vulnerability assessment. Targets Computers & Security or JISA.
OSF archive populated with search queries, PRISMA flow, coding framework, and 72 included studies.
osf.io/d7p8j
─── design rationale ──────────────────────────────────────────────────────
OT environments don't tolerate the assumptions IT pentesting tools were built on.
You can't just nmap a PLC and walk away — the device may behave correctly, the
network may not survive. Autonomous tooling has to incorporate caution as a
first-class concern, not a feature flag.
Pathfinder AI is deliberately scoped down. Single agent, not a multi-agent
orchestration. Local models, not API-tethered. A defensible minimum experiment,
with a pre-written viva argument for why "small and demonstrated" beats
"ambitious and unfinished".
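
An added sketch, not Pathfinder AI's own code, of how the governance-gated tool calls and hash-chained telemetry named in the project description can fit together with the caution argued for in the design rationale. The call schema, the read-only Modbus policy (function codes 1-4), the record fields, and all function names are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
# Assumed policy: only Modbus read function codes (1-4) pass the gate.
READ_ONLY_CODES = {1, 2, 3, 4}
# Constructed sample calls; host names are placeholders.
SAMPLE_CALLS = [
    {"tool": "modbus", "host": "plc-1.example", "function_code": 3, "address": 0},
    {"tool": "modbus", "host": "plc-1.example", "function_code": 6, "address": 0},
    {"tool": "shell", "host": "plc-2.example"},
]

def gate(call):
    """Governance decision for one proposed tool call (hypothetical schema)."""
    if call.get("tool") != "modbus":
        return False, "tool not in allow-list"
    if call.get("function_code") not in READ_ONLY_CODES:
        return False, "function code is not read-only"
    return True, "read-only request"

def _digest(prev, body):
    # Canonical JSON so the same record always hashes to the same value.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode()).hexdigest()

def append(log, call):
    """Gate the call and record the decision, chained to the previous record."""
    allowed, reason = gate(call)
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "call": call, "allowed": allowed, "reason": reason}
    log.append({**body, "prev": prev, "hash": _digest(prev, body)})
    return allowed

def verify(log):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in ("seq", "call", "allowed", "reason")}
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(prev, body):
            return i
        prev = rec["hash"]
    return -1

def run_sample():
    log = []
    decisions = [append(log, call) for call in SAMPLE_CALLS]
    return log, decisions
```

Denied calls are logged as well as allowed ones, so the chain records what the agent attempted and not only what it did. The final hash has to be stored outside the log, because anyone able to rewrite the last record can also recompute its hash.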