// research · flagship project

Pathfinder AI.

An agentic vulnerability assessment framework for operational technology environments. Built around the PEER lifecycle (Plan → Enumerate → Exploit → Report) — a VAPT-specific contribution — with an inner ORDA control loop driving iteration-level behaviour and a scoped governance layer gating every tool call.

Status

Phases 0–2 complete · end-to-end verified 12 May 2026 · 142 tests passing

Programme

PhD · Keele University

Stack

Python 3.11+ · Ollama (DeepSeek R1 14B) · MCP · Jinja2 · async httpx

Repository

github.com/SamTruss/Pathfinder-AI

─── why this exists ───────────────────────────────────────────────────────

Operational technology environments — water treatment plants, power grids, chemical processing — don't tolerate the assumptions IT penetration testing tools were built on. You can't just nmap a programmable logic controller and walk away. The device may behave correctly under scan; the network may not survive at all. Real OT engagements are dominated by caution, sequencing, and an explicit allowance for the possibility that the diagnostic itself is the incident.

Existing agentic and generative AI work in security overwhelmingly targets IT systems and treats tool invocation as a low-cost action. For OT, that assumption is wrong. Pathfinder AI is an attempt to build an agent whose decision layer takes consequence seriously — where "do nothing" is a first-class choice, every action is preceded by explicit reasoning, and every step is governed by engagement-bound scope before it touches a tool.

─── architecture ──────────────────────────────────────────────────────────

Pathfinder operates at two levels. The Plan–Enumerate–Exploit–Report (PEER) lifecycle structures the assessment workflow, reflecting how practical VAPT engagements actually unfold. Within each PEER phase, an observe–reason–decide–act (ORDA) control loop drives iteration-level behaviour. A governance layer enforces engagement scope before every tool call; structured, hash-chained telemetry records every iteration for post-hoc audit.

peer // outer

Plan → Enumerate → Exploit → Report

The lifecycle a real VAPT engagement actually follows. Each PEER phase has its own goals, allowlisted tools, and exit conditions. The agent does not freelance across phases.

orda // inner

Observe → Reason → Decide → Act

The control loop that runs inside each PEER phase. The reason step is a local LLM (DeepSeek R1 14B via Ollama) producing structured JSON; the decide step gates that proposal against policy before any tool call.

governance // gating

ScopedPolicy

Engagement-bound scope loaded from YAML. Tool allowlists, action-class filters, hard prohibitions per phase (no Modbus writes, no destructive payloads, no persistence). Default-deny.

audit // persistence

Hash-chained telemetry

JsonLinesTelemetry writes one structured event per loop step, each line including a SHA-256 hash of the previous line. Silent edits to the audit trail are detectable; an action can be reconstructed and challenged without re-running the agent.

─── live trace ────────────────────────────────────────────────────────────

A representative trace of the Pathfinder agent loop. The agent receives a reconnaissance goal against an OT-flavoured target, reasons about which tool to use, executes it, and parses the result back into the next reasoning step. Target IP is in the RFC 5737 documentation range — reserved for examples, not a real host.

pathfinder@lab — agent_recon.py

pathfinder@lab:~/pathfinder-ai$ uv run python agent_recon.py --target 203.0.113.42

─── governance and audit ──────────────────────────────────────────────────

The governance and audit story is what makes Pathfinder a research contribution rather than another LLM agent wrapper. Three components carry the claim:

ScopedPolicy enforces engagement-bound scope. Loaded from YAML per engagement. Defines tool allowlists, action-class filters, and hard prohibitions for each PEER phase. Default-deny: any decision not matching the configured allowlist is refused before execution.
Custom MCP servers expose only named operations. The in-repo Nmap MCP server, for example, is not a wrapper around the nmap CLI — it exposes three named operations with structured arguments. There is no raw command-line passthrough. Capabilities expand by adding named operations to the server, never by lifting argument restrictions.
JsonLinesTelemetry produces a tamper-evident audit trail. One structured event per loop step. Each line includes a SHA-256 hash of the previous line. The post-hoc audit goal is that any single action taken by the agent can be reconstructed and challenged, and silent edits to the trail are detectable.

─── evaluation environment ────────────────────────────────────────────────

Evaluation runs against a purpose-built multi-PLC water treatment testbed — a three-PLC, dual-zone Modbus topology with a Scada-LTS HMI layer, four seeded vulnerabilities (default credentials on two PLCs and the HMI, plus unauthenticated Modbus), and segmented dmz-net / ot-net Docker networks. The testbed is deliberately scoped to address the gap identified in the accompanying systematic review: the absence of agentic VAPT evaluation against realistic OT infrastructure under governance constraints.

─── design choices ────────────────────────────────────────────────────────

Single agent, not multi-agent. Multi-agent orchestration is fashionable but adds coordination failure modes that would dominate the experiment. A single, well-instrumented agent produces clearer evidence.
Local-first inference. DeepSeek R1 14B via Ollama, no API tethering. Reasoning-token quality on a 10GB consumer GPU is the practical constraint that shaped the model choice. OT data shouldn't leave the network it lives on, and the research itself shouldn't depend on a vendor's continued availability.
MCP for every tool call. Tool integration uses the Model Context Protocol. Standardised, reproducible, auditable — and every server in the framework is custom-written to enforce the governance claim at the protocol boundary, not at the prompt.
Structured outputs throughout. The reason layer emits JSON, not prose. Free-text reasoning is harder to gate, harder to audit, and harder to compare across runs.
"Do nothing" as a first-class action. The decide layer is allowed to refuse all proposed actions. In OT, the safest action is often inaction.
Primary plan on track; MDT as safety net. An eight-week reduced-scope variant (two zones, three vulnerabilities, five runs, defensibility argument pre-written) sits behind the primary plan as a contingency. With phases 0–2 complete, the MDT is risk management, not the working plan.

─── current status ────────────────────────────────────────────────────────

Phases 0–3 are complete. The full ORDA loop is implemented and operational; three custom MCP servers (Nmap, HTTP auth, Modbus) are live and governance-scoped; the engagement-loading and policy-enforcement pipeline is end-to-end verified against the live Multi-PLC Water Treatment Testbed, with all seven services discovered under ScopedPolicy governance on 12 May 2026. The repository carries 197 passing tests across the framework. Active development is on Phase 4 (PEER orchestrator) — sequencing all four phases automatically with inter-phase state handover.

Companion documentation includes a Technical Design Document, a Minimum Defensible Thesis paper defining trigger conditions for the fallback plan, and per-phase engagement YAMLs that the policy layer loads at run time. The repository is at github.com/SamTruss/Pathfinder-AI.

─── related work ──────────────────────────────────────────────────────────

The systematic literature review that informs the framework is co-authored with Mohamed Chahine Ghanem (University of Liverpool) and Marcio J. Lacerda (London Metropolitan University), targeting Computers & Security or the Journal of Information Security and Applications. The OSF archive is at osf.io/d7p8j.

← Back to research