Synthesizing Multi-Agent Harnesses for Vulnerability Discovery

TL;DR

This paper introduces AgentFlow, a typed graph DSL and feedback-driven optimization method for designing multi-agent harnesses that significantly improve vulnerability discovery success rates.

Contribution

AgentFlow jointly optimizes agent roles, prompts, tools, and communication protocols using runtime feedback, surpassing previous narrow or coarse methods.

Findings

Achieves 84.3% success on TerminalBench-2, the highest in the leaderboard.

Discovered ten previously unknown zero-day vulnerabilities in Google Chrome.

Identified two critical sandbox-escape vulnerabilities (CVE-2026-5280 and CVE-2026-6297).

Abstract

LLM agents have begun to find real security vulnerabilities that human auditors and automated fuzzers missed for decades, in source-available targets where the analyst can build and instrument the code. In practice the work is split among several agents, wired together by a harness: the program that fixes which roles exist, how they pass information, which tools each may call, and how retries are coordinated. When the language model is held fixed, changing only the harness can still change success rates by several-fold on public agent benchmarks, yet most harnesses are written by hand; recent harness optimizers each search only a narrow slice of the design space and rely on coarse pass/fail feedback that gives no diagnostic signal about why a trial failed. AgentFlow addresses both limitations with a typed graph DSL whose search space jointly covers agent roles, prompts, tools, communication topology, and coordination protocol, paired with a feedback-driven outer loop that reads runtime signals from the target program itself to diagnose which part of the harness caused the failure and rewrite it accordingly. We evaluate AgentFlow on TerminalBench-2 with Claude Opus 4.6 and on Google Chrome with Kimi K2.5. AgentFlow reaches 84.3% on TerminalBench-2, the highest score in the public leaderboard snapshot we evaluate against, and discovers ten previously unknown zero-day vulnerabilities in Google Chrome, including two Critical sandbox-escape vulnerabilities (CVE-2026-5280 and CVE-2026-6297).