v3.5.4 — Robust attack chaining & false-positive reduction

Bundles the multi-round post-exploitation attack-chaining engine (attack_chain:
per-foothold decisions, loot carried forward, validate-before-pivot, loop-until-
dry, --chain-depth) and the false-positive controls (robust verdict parsing,
severity-aware quorum, adversarial refute pass, stronger validator prompt).
Version bumped 3.5.3 -> 3.5.4; README/RELEASE updated.
This commit is contained in:
CyberSecurityUP
2026-07-01 19:01:27 -03:00
parent ea61ab1fdf
commit e5c607f467
15 changed files with 93 additions and 29 deletions
+10 -8
View File
@@ -1,4 +1,4 @@
<h1 align="center">🧠 NeuroSploit v3.5.3</h1>
<h1 align="center">🧠 NeuroSploit v3.5.4</h1>
<p align="center">
<a href="https://github.com/JoasASantos/NeuroSploit/stargazers"><img src="https://img.shields.io/github/stars/JoasASantos/NeuroSploit?style=for-the-badge&logo=github&color=8b5cf6" alt="Stars"></a>
@@ -8,7 +8,7 @@
</p>
<p align="center">
<img src="https://img.shields.io/badge/Version-3.5.3-blue?style=flat-square">
<img src="https://img.shields.io/badge/Version-3.5.4-blue?style=flat-square">
<img src="https://img.shields.io/badge/Harness-Rust%20%7C%20tokio-e6b673?style=flat-square">
<img src="https://img.shields.io/badge/License-MIT-green?style=flat-square">
<img src="https://img.shields.io/badge/MD%20Agents-329-red?style=flat-square">
@@ -24,12 +24,14 @@
>
> 📖 **New here? Read the [full Tutorial & User Guide →](TUTORIAL.md)** — every mode, flag, config and example explained.
> 🆕 **New in v3.5.3Integrations:** connect **GitHub / GitLab** (clone private
> repos, review a **Pull Request's** code, **watch** a branch and re-review on
> every commit) and **Jira** (open a vulnerability **card per finding**). Toggle
> them with **`/integrations`** in the REPL or `neurosploit integrations`. Full
> setup in **[TUTORIAL-INTEGRATION.md](TUTORIAL-INTEGRATION.md)**.
> *(v3.5.2 added the DEPTH doctrine + report-hygiene pass — see [RELEASE.md](RELEASE.md).)*
> 🆕 **New in v3.5.4Robust attack chaining + fewer false positives:** a
> multi-round, decision-driven **post-exploitation** engine takes each confirmed
> foothold and expands new directions (cred reuse, privesc, lateral movement,
> exfil, new surface), carrying **loot** forward across rounds (`--chain-depth`).
> Validation is now **severity-aware** (High/Critical need ≥2 validators & ≥2/3
> agreement) with an **adversarial refute pass** that drops findings that can't
> withstand a skeptic.
> *(v3.5.3 added GitHub/GitLab/Jira **[integrations](TUTORIAL-INTEGRATION.md)**; v3.5.2 the DEPTH doctrine + report-hygiene pass — see [RELEASE.md](RELEASE.md).)*
---
+62
View File
@@ -1,3 +1,65 @@
# NeuroSploit v3.5.4 — Release Notes
**Release Date:** July 2026
**Codename:** Robust Attack Chaining & False-Positive Reduction
**License:** MIT
**Credits:** Joas A Santos & Red Team Leaders
---
## TL;DR
v3.5.4 makes NeuroSploit both **deeper** and **more precise**: a real multi-round
**post-exploitation attack-chaining** engine that expands each foothold in new
directions, plus stronger **false-positive** controls so what it reports is
trustworthy.
## Attack chaining (robust, decision-driven)
Replaces the old single-shot chainer with **`attack_chain()`** — an iterative,
per-foothold pivot engine:
- **Per-foothold decisions.** Each round takes the newest confirmed footholds
(best-first, capped per round) and, for **each one**, an agent decides which
directions to expand and proves new impact: **post-exploitation** (loot
creds/keys/config/source), **credential reuse**, **privilege escalation**
(horizontal & vertical), **lateral movement** to adjacent services/hosts,
**data exfiltration**, and **new attack surface** the foothold exposes.
- **Loot carried forward.** Credentials/tokens/hosts/endpoints discovered in one
round are passed to later rounds and reused (agent returns
`{"findings":[...],"loot":[...]}`), so the engine genuinely pivots in new
directions instead of re-testing the same spot.
- **No pivoting off false positives.** Each round's new findings are validated
before they become the next round's footholds.
- **Convergence.** Runs up to `chain_depth` rounds **or** stops when a round finds
nothing new (loop-until-dry).
- **Control.** New `RunConfig.chain_depth` (default **2**) and a `--chain-depth`
flag on every engagement command (`0` disables).
## False-positive reduction
- **Robust verdict parsing** (`pool::parse_verdict`) — whitespace-insensitive,
checks explicit rejection first, counts only explicit confirmations; ambiguous
replies are *not* counted as confirmed. Replaces the fragile exact-JSON /
loose-`yes` matching.
- **Severity-aware quorum** (`pool::quorum_confirmed`) — **High/Critical now need
≥2 validators AND ≥2/3 agreement** (a single vote can no longer confirm a
Critical); lower severities need a strict majority. Single-model panels fall
back to majority so they aren't nuked.
- **Adversarial refute pass** — every confirmed High/Critical is re-examined by a
skeptical panel that assumes false-positive; findings that can't withstand a
majority of skeptics are dropped.
- **Stronger validator prompt** with an explicit false-positive checklist
(reflected-not-executed, version/banner guesses, self-XSS, error-as-injection,
thin evidence, inflated severity).
## Notes
- Additive and back-compatible; defaults keep behavior sensible if you change
nothing. Unit tests cover verdict parsing, quorum, and report-hygiene logic.
---
# NeuroSploit v3.5.3 — Release Notes
**Release Date:** June 2026
+2 -2
View File
@@ -1,4 +1,4 @@
# NeuroSploit — Tutorial & User Guide (v3.5.3)
# NeuroSploit — Tutorial & User Guide (v3.5.4)
A complete, hands-on guide to installing, configuring and running NeuroSploit —
the autonomous, multi-model penetration-testing harness.
@@ -98,7 +98,7 @@ Agents **degrade gracefully**: if `rustscan` is absent they use `nmap`; if neith
### Verify
```bash
neurosploit --version # neurosploit 3.5.3
neurosploit --version # neurosploit 3.5.4
neurosploit agents # {"vulns":196,...,"chains":12,"total":329}
neurosploit models # all providers & models
```
+1 -1
View File
@@ -11,7 +11,7 @@ function Ok ($m) { Write-Host " + $m" -ForegroundColor Green }
function Warn($m){ Write-Host " ! $m" -ForegroundColor Yellow }
Write-Host ""
Write-Host " NeuroSploit installer (Windows) — v3.5.3" -ForegroundColor Cyan
Write-Host " NeuroSploit installer (Windows) — v3.5.4" -ForegroundColor Cyan
$arch = $env:PROCESSOR_ARCHITECTURE
Say "Platform: Windows / $arch"
+2 -2
View File
@@ -871,7 +871,7 @@ dependencies = [
[[package]]
name = "neurosploit"
version = "3.5.3"
version = "3.5.4"
dependencies = [
"anyhow",
"clap",
@@ -888,7 +888,7 @@ dependencies = [
[[package]]
name = "neurosploit-harness"
version = "3.5.3"
version = "3.5.4"
dependencies = [
"anyhow",
"futures",
+1 -1
View File
@@ -3,7 +3,7 @@ members = ["crates/harness", "app"]
resolver = "2"
[workspace.package]
version = "3.5.3"
version = "3.5.4"
edition = "2021"
license = "MIT"
repository = "https://github.com/JoasASantos/NeuroSploit"
+4 -4
View File
@@ -1,4 +1,4 @@
//! NeuroSploit v3.5.3 — interactive harness + CLI (`run` / `whitebox` / `agents` / `models`).
//! NeuroSploit v3.5.4 — interactive harness + CLI (`run` / `whitebox` / `agents` / `models`).
mod repl;
mod tui;
@@ -11,8 +11,8 @@ use std::path::{Path, PathBuf};
#[command(
name = "neurosploit",
version,
about = "NeuroSploit v3.5.3 — multi-model autonomous pentest harness",
long_about = "NeuroSploit v3.5.3 — a Rust multi-model harness that drives a pool of LLMs \
about = "NeuroSploit v3.5.4 — multi-model autonomous pentest harness",
long_about = "NeuroSploit v3.5.4 — a Rust multi-model harness that drives a pool of LLMs \
(API key or local subscription: Claude/Codex/Gemini/Grok) to autonomously test a target. \
After recon it INTELLIGENTLY selects only the agents matching the discovered surface, runs \
them in parallel, then validates every finding by cross-model voting before reporting.\n\n\
@@ -534,7 +534,7 @@ pub(crate) fn spawn_engagement(base: &Path, mut cfg: RunConfig, mcp: bool, mode:
cfg.rl_path = Some(base.join("data").join("rl_state_rs.json").display().to_string());
write_status(&workdir, "running", &format!("\"target\":{:?}", cfg.target));
println!(" ┌─ NeuroSploit v3.5.3 · by Joas A Santos & Red Team Leaders");
println!(" ┌─ NeuroSploit v3.5.4 · by Joas A Santos & Red Team Leaders");
println!(" │ run id : {run_id}");
println!(" │ target : {}", cfg.target);
println!(" │ models : {}", cfg.models.join(", "));
+2 -2
View File
@@ -1,4 +1,4 @@
//! NeuroSploit v3.5.3 — interactive session (Claude-Code / Codex / Cursor-CLI style).
//! NeuroSploit v3.5.4 — interactive session (Claude-Code / Codex / Cursor-CLI style).
//!
//! Launched when `neurosploit` runs with no subcommand. A persistent REPL with
//! real line editing (arrow-key history recall, Ctrl-A/E/K, paste), model
@@ -299,7 +299,7 @@ pub async fn repl(base: &Path) -> anyhow::Result<()> {
let backends = harness::installed_cli_backends();
println!("\x1b[1m");
println!(" ███╗ ██╗███████╗██╗ ██╗██████╗ ██████╗");
println!(" ████╗ ██║██╔════╝██║ ██║██╔══██╗██╔═══██╗ NeuroSploit v3.5.3");
println!(" ████╗ ██║██╔════╝██║ ██║██╔══██╗██╔═══██╗ NeuroSploit v3.5.4");
println!(" ██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ ██║ interactive harness");
println!(" ██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██║ by Joas A Santos");
println!(" ██║ ╚████║███████╗╚██████╔╝██║ ██║╚██████╔╝ & Red Team Leaders");
+1 -1
View File
@@ -1,4 +1,4 @@
//! NeuroSploit v3.5.3 — TUI "Mission Control" mode.
//! NeuroSploit v3.5.4 — TUI "Mission Control" mode.
//!
//! Concurrent panels that update live while the engagement runs in the
//! background, with a composer input that stays active during execution:
+1 -1
View File
@@ -1,4 +1,4 @@
//! POMDP belief-state world model (v3.5.3).
//! POMDP belief-state world model (v3.5.4).
//!
//! The target is only partially observable, so we don't track booleans — we
//! track a **belief**: a property graph whose nodes (host / service / vuln /
@@ -1,4 +1,4 @@
//! Verification / grounding engine (v3.5.3).
//! Verification / grounding engine (v3.5.4).
//!
//! Hard rule: **no claim enters the world model without a tool receipt** — raw
//! tool output, not the LLM's paraphrase. This is the empirical anti-hallucination
+1 -1
View File
@@ -1,4 +1,4 @@
//! NeuroSploit v3.5.3 harness — a robust multi-model runtime for the
//! NeuroSploit v3.5.4 harness — a robust multi-model runtime for the
//! markdown-driven autonomous pentest engine.
//!
//! The harness loads the `agents_md/` library, drives a *pool* of LLM models
+1 -1
View File
@@ -1,4 +1,4 @@
//! POMDP decision layer (v3.5.3): value-of-information planning + the
//! POMDP decision layer (v3.5.4): value-of-information planning + the
//! anti-hallucination gate.
//!
//! The choice "scan more vs exploit now" is **not** a heuristic here — it falls
+3 -3
View File
@@ -97,9 +97,9 @@ pub fn html(target: &str, findings: &[Finding]) -> String {
h4{{margin:12px 0 3px;font-size:12px;text-transform:uppercase;letter-spacing:.5px;color:#8b5cf6}}\
.b{{color:#8b5cf6;font-weight:800}}</style></head><body>\
<h1><span class=b>NeuroSploit</span> Penetration Test Report</h1>\
<div class=meta>Target: <b>{t}</b> · v3.5.3 Rust harness · multi-model validated</div>\
<div class=meta>Target: <b>{t}</b> · v3.5.4 Rust harness · multi-model validated</div>\
<div>{chips}</div>{graph_block}<h2>Findings ({n})</h2>{body}\
<p class=meta>Authorized testing only. Findings confirmed by multi-model adversarial voting.<br>NeuroSploit v3.5.3 · by <b>Joas A Santos</b> &amp; <b>Red Team Leaders</b></p></body></html>",
<p class=meta>Authorized testing only. Findings confirmed by multi-model adversarial voting.<br>NeuroSploit v3.5.4 · by <b>Joas A Santos</b> &amp; <b>Red Team Leaders</b></p></body></html>",
t = esc(target), chips = chips, n = sorted.len(), body = body, graph_block = graph_block,
)
}
@@ -135,7 +135,7 @@ pub fn typst_report(target: &str, findings: &[Finding], dir: &Path) -> std::io::
let mut data = String::new();
data.push_str(&format!(
"#let meta = (target: {}, run_id: {}, generated: {}, model: {})\n",
tq(target), tq(&run_id), tq("NeuroSploit v3.5.3"), tq("multi-model")
tq(target), tq(&run_id), tq("NeuroSploit v3.5.4"), tq("multi-model")
));
data.push_str("#let findings = (\n");
for f in sorted_findings(findings) {
+1 -1
View File
@@ -25,7 +25,7 @@ cat <<'BANNER'
███╗ ██╗███████╗██╗ ██╗██████╗ ██████╗
████╗ ██║██╔════╝██║ ██║██╔══██╗██╔═══██╗ NeuroSploit installer
██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ ██║ v3.5.3 — Rust harness
██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ ██║ v3.5.4 — Rust harness
██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██║ by Joas A Santos
██║ ╚████║███████╗╚██████╔╝██║ ██║╚██████╔╝ & Red Team Leaders
╚═╝ ╚═══╝╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝