Demo build: every run replays a real captured triage (captured with Claude sonnet, replayed faster than real time). No API key, no backend. Clone the repo to run the live agent.
Pydantic AI · MCP · 10 typed tools

Security triage that
cites its sources.

sec-recon-agent is an LLM agent that answers vulnerability questions by calling a fixed surface of typed tools (NVD, CISA KEV, FIRST EPSS, Exploit-DB, MITRE ATT&CK, SBOM and Nmap parsers), exposed by a custom MCP server (Model Context Protocol: the open standard that gives LLM tools a typed, auditable contract), and returns a strictly-typed TriageReport. No hallucinated CVSS scores, no invented patches, no free-text bypass.

10
typed tool contracts
4-level
deterministic SSVC verdict
MITRE
ATLAS red-team battery
SHA-256
tamper-evident audit
Browser:3000

Next.js 15 App Router · React 19

POST /api/triage · same-origin
Next.js proxy/api/triage

forwards the SSE stream byte-for-byte

SSE · text/event-stream
Agent API:8000

FastAPI · Pydantic AI · audit hook

MCPToolset · HTTP+SSE
MCP Server:8001

FastMCP · 10 typed tools

External data sources · parallel fan-out

NVD CVE 2.0

cve_lookup · patch_lookup

ChromaDB · MiniLM-L6

cve_semantic_search

Exploit-DB

exploit_check

GitHub Code Search

exploit_check

CISA KEV

kev_check

FIRST EPSS

epss_score

OSV.dev

osv_lookup

defusedxml · Nmap

nmap_parse_xml

CycloneDX / SPDX

sbom_ingest

MITRE ATT&CK JSON

attack_mapping

Cross-process W3C traceparent · browser talks only to the same-origin proxy · SHA-256 hash-chained, tamper-evident audit.

Why it matters

Ten browser tabs and an educated guess, or one grounded verdict in about two minutes.

Deciding whether a CVE (a publicly catalogued vulnerability) deserves an all-hands response or a slot in next sprint is judgment work, and today it is done by hand: NVD for the CVSS severity score, CISA KEV to see whether it is already being exploited in the wild, FIRST EPSS for the probability it will be soon, Exploit-DB and GitHub for public proof-of-concept exploits, then reconcile it all into one call. Per CVE. Reach for a general-purpose LLM to go faster and it will confidently hand you a CVSS score that does not exist. This agent runs that entire fusion across live authoritative feeds and returns a deterministic SSVC verdict (Stakeholder-Specific Vulnerability Categorization, the CISA-backed prioritization framework): the decision is computed in code from the collected signals, never guessed by the model.

The manual way

  • Five-plus sources opened per CVE: NVD, CISA KEV, EPSS, Exploit-DB, ATT&CK
  • CVSS measures capability, not urgency, and gets reconciled by hand
  • General-purpose LLMs invent scores, patches, and exploit claims
  • No record of how the call was made when someone asks three months later

With sec-recon-agent

  • One query returns one grounded, schema-bound TriageReport
  • Deterministic SSVC verdict: Act / Attend / Track* / Track
  • Every number sourced from a typed tool call, or flagged as missing
  • Hash-chained, tamper-evident audit of the whole reasoning chain

It is not another scanner. Trivy and Grype tell you which packages are vulnerable; sec-recon-agent is the reasoning layer that comes next, deciding which of those actually demand your morning and proving why in a reproducible scorecard.

Who it's for

Vulnerability & AppSec engineers

Turn a CVE backlog into a defensible, prioritized queue. Feed a CVE, a package + version, or a whole SBOM and get one grounded verdict, not ten open browser tabs across NVD, KEV, EPSS, Exploit-DB and ATT&CK.

SOC & detection engineers

Every report pivots the underlying CWE weakness classes into MITRE ATT&CK techniques and mitigations, the language that detection rules and purple-team exercises are actually written in.

Teams building or vetting LLM agents

A working reference for a grounded, type-safe, adversary-aware agent: schema-bounded output, a verdict computed outside the model, MCP tools as auditable contracts, and a falsifiable prompt-injection battery, all measured in a reproducible scorecard.

Design pillars

Type-safe by construction

Pydantic AI, the typed Python agent framework, validates every model output against a declared schema at the model boundary. The LLM never returns free text; it returns a TriageReport or it fails.

Grounded, never invented

Every severity, CVSS score, exploit claim, and patch version is sourced from a typed tool call. The reasoning chain is the audit log.

Adversary-aware

Untrusted content fenced before reaching the LLM. Prompt-injection regression battery with MITRE ATLAS per-payload tags.

Privacy-by-default

Query bodies hashed (SHA-256) in audit. Plain-text retention opt-in via env. Append-only SQLite WAL with hash chain.

Tool surface · 10 typed contracts

See live in Transparency →
cve_lookup

Full NVD record (CVSS, CWE, CPE) for a known CVE.

cve_semantic_search

Vector search over a local index of recent high-severity CVEs (~5-8k, 30-day window).

exploit_check

Exploit-DB + GitHub public PoC availability.

kev_check

CISA Known Exploited Vulnerabilities. Strongest patch-now signal.

epss_score

FIRST.org 30-day exploitation probability + percentile.

patch_lookup

Fixed-version extraction from NVD CPE configurations.

osv_lookup

OSV.dev advisories for a package at a version. Inverse of cve_lookup.

sbom_ingest

CycloneDX / SPDX / requirements.txt parser, in-process.

nmap_parse_xml

defusedxml-safe Nmap scan parser, no DTD.

attack_mapping

CWE -> MITRE ATT&CK techniques + mitigations.