| 🚨 SECURITY WARNING & LIABILITY DISCLAIMER |
|---|
| This repository contains intentionally vulnerable applications, synthetic exploit traces, and security rules generated strictly for research, testing, and academic evaluation purposes. • Dual-Use & Vulnerable Code: The code and applications provided herein contain deliberate security flaws and mock credentials. They must never be deployed in production environments, public networks, or outside of FORGE's isolated sandbox environments. • No Official Support & Maintenance: This product is an academic research artifact, is provided as-is, and will not be actively maintained or supported by Dynatrace. • No Liability: Users assume all responsibility and liability for the execution, deployment, or utilization of these materials. |
Companion data repository for FORGE — a multi-agent framework for automated vulnerability exploitability assessment, presented at the ARES 2026 AgentCy workshop.
Paper: FORGE: Multi-Agent Graduated Exploitation and Detection Engineering (arXiv:2606.03453)
| Directory | Description |
|---|---|
knowledge/ |
CWE-specific exploitation and detection knowledge base; build cookbooks per language |
results/ |
Per-CVE run artifacts: generated vulnerable apps, oracle traces, detection rules (Sigma/Snort) |
scripts/ |
Analysis notebooks and scripts to regenerate RQ1-RQ4 statistics and paper figures from results/ |
cache/ |
EPSS, CVSS, and CWE enrichment cache files |
docker/ |
Exploit-runner container definition |
Runtime configs and prompt templates live in the forge code repository under data/config/ and data/prompts/.
Clone alongside the FORGE code repository:
git clone https://github.com/dynatrace-oss/forge.git
git clone https://github.com/dynatrace-oss/forge-artifacts.git
cd forge
uv sync
forge run CVE-2024-12345 # uses data/config/forge.yaml from the forge repo by defaultThe results/ directory contains per-CVE run artifacts including synthetic vulnerable applications generated for research purposes. These apps intentionally contain vulnerabilities and may include mock credentials — this is by design. They should never be deployed outside of FORGE's Podman sandbox.
Exploit scripts are not included in this release.
@inproceedings{forge-ares2026,
title = {{FORGE}: Multi-Agent Graduated Exploitation and Detection Engineering},
booktitle = {Proceedings of the 21st International Conference on Availability,
Reliability and Security (ARES 2026), Workshop on Agentic AI
in Cybersecurity (Agentcy)},
year = {2026},
publisher = {ACM},
url = {https://www.ares-conference.eu/agentcy}
}See LICENSE.