An open-source security framework called T3MP3ST now lets developers turn general-purpose AI coding agents into autonomous red-teaming operators. Built by researcher elder-plinius and released on GitHub under an AGPL-3.0 license, the framework works with Claude Code, OpenAI Codex, and Hermes agents that are already running on a developer’s machine. No new API keys, cloud infrastructure, or additional billing required.

The core premise is what the project calls “keyless warfare.” Rather than providing its own AI model, T3MP3ST functions as a multi-agent orchestration layer that coordinates existing agent sessions through a reconnaissance-to-exploit-to-report kill chain, according to TechGig. Users point the framework at an authorized target via a web-based “War Room” interface or CLI, and the agent already on their machine becomes the operational brain for the security mission.

Benchmark Performance

The framework claims a 90.1% pass@1 score on XBOW’s 104-challenge XBEN suite, a black-box benchmark, according to the project’s README. On Cybench, an academic benchmark with 40 tasks, its single-agent loop achieved 23 of 40 hint-free solves.

The more notable result: T3MP3ST accurately identified 8 of 10 real CVEs disclosed in 2026, pinpointing the exact file, line, and CWE classification. Because these vulnerabilities postdate the underlying model’s training cutoff, the project argues memorization is ruled out as an explanation.

All benchmark numbers are committed to the repository and re-derivable through a single command (npm run verify-claims), a transparency measure the project emphasizes repeatedly.

Kill Chain Architecture

T3MP3ST maps an 8-operator kill chain onto MITRE ATT&CK tactics and the Cyber Kill Chain: Recon, Scanner, Exploiter, Infiltrator, Exfiltrator, Ghost, Coordinator, and Analyst. Currently, the recon engine and single-agent exploit loop are stable and benchmarked, according to TechGig. The downstream operators (Infiltrator through Analyst) are classified as experimental, and end-to-end coordinated-swarm exploitation has not been validated at scale.

The framework enforces egress-scope containment, meaning networked tools do not interact with off-scope public hosts. It also supports fully offline operation through Ollama, LM Studio, or vLLM, removing any cloud dependency entirely.

Dual-Use Concerns

The obvious question with any offensive security framework: who uses it, and for what. T3MP3ST’s README includes an explicit authorized-use-only disclaimer, restricting it to systems the operator owns or has written permission to test. But the same capabilities that make it useful for penetration testers make it useful for adversaries.

Security researchers on Reddit’s blueteamsec community have recognized T3MP3ST as a significant development in autonomous red-teaming, according to TechGig. The framework follows similar developments in the agent security space, including Anthropic’s Mythos model for vulnerability analysis.

The timing matters. Agent-native offensive tooling is maturing faster than the defensive infrastructure to contain it. T3MP3ST lowers the barrier to running full-kill-chain security operations from “years of practice and expensive tooling,” as the project’s documentation puts it, to a two-minute setup with an agent most developers already have installed.