What happens when you point an AI coding agent at an authorized target and tell it to find vulnerabilities before the bad guys do? T3MP3ST, an open-source multi-agent offensive security framework by Elder Plinius, answers that question with a resounding 90.1% pass rate on XBOW's own 104-challenge suite. That number beats XBOW's self-reported 85%, and every digit of it is reproducible from committed data with a single npm command. With 4,921 GitHub stars in just two weeks and 1,029 forks, this project is reshaping what solo founders and small teams can achieve in security without a dedicated pentesting budget.

What Makes T3MP3ST Different

Most security tools require you to learn their ecosystem, configure their API keys, and pay for their cloud infrastructure. T3MP3ST flips that model entirely. It is keyless by design. The AI coding agent already on your machine is the brain. Whether you use Claude Code, Codex, Hermes, or a fully offline model via Ollama or LM Studio, you connect it in the War Room interface and describe a target in plain English. The framework handles the rest: recon, scanning, exploitation attempt, and report generation.

The architecture is an eight-operator kill chain mapped to MITRE ATT&CK phases. The Recon and Scanner operators are stable and proven on live targets. The Exploiter, Infiltrator, Exfiltrator, and Ghost operators run the same real, tool-backed ReAct loop, though the coordinated eight-agent swarm is still earning its stripes. Every claim in the README is re-derivable. Run npm run verify-claims and the tool recomputes every headline from the committed JSON in the bench directory. Twenty-four checks, all green, every time.

For HTTPS traffic, T3MP3ST performs TLS interception the way enterprise security proxies have for decades, but applied specifically to AI agent architecture. The egress-scope containment is on by default, refusing off-scope public hosts once a mission target is set. This is a tightened default, not a bare tool runner, and it reduces the operational risk of letting an autonomous agent loose on the internet by a significant margin.

The Numbers That Matter

The benchmark results are worth reading closely because T3MP3ST publishes receipts, not claims. On XBOW's 104-challenge black-box suite, the framework scores a pass-at-one mean of 90.1% using GPT-5.5, with a Wilson 95% confidence interval of 86.2 to 92.9. That is a floor of 91 out of 104 challenges solved. The white-box variant, where source code is staged for the agent, reaches 98.7% pass-at-one and a best-ball of 104 out of 104.

On the Cybench 40-task academic benchmark with no hints, it scores 23 out of 40, or 58% pass-at-one. Every flag is graded against a committed ground-truth oracle, not a self-report. The raw per-step transcripts are stripped for operator privacy, but the graded verdict and the oracle are both committed and verifiable.

Perhaps the most impressive result is the CVE-Zero benchmark: ten real post-cutoff CVEs from 2026 that the model had never seen during training, spanning seven programming languages. A single-agent run found 10 out of 10 vulnerabilities and identified the exact file, line number, and CWE identifier for 8 of them. Because the CVEs were published after the model's training cutoff, there is zero risk of memorization or data contamination. These are genuine zero-day-style hunts conducted autonomously.

Getting Started in Two Minutes

The fastest path to a running instance takes about two minutes. Clone the repository, run npm install, then npm run server to start the War Room at http://127.0.0.1:3333/ui/. In the War Room, open Settings and connect a local agent. Describe a target to Op Admiral in plain English and launch. No API keys required if you use a locally running agent.

For teams that prefer bringing their own API keys, the framework supports OpenRouter, Venice, Anthropic, OpenAI, and xAI's Grok Build. Set the corresponding environment variable and skip the connect step. For fully offline operation, point it at Ollama, LM Studio, or vLLM using the TEMPEST_LOCAL_BASE_URL and TEMPEST_LOCAL_MODEL environment variables. The tool-calling layer works over text, so even models without native function-calling can drive the arsenal.

The MCP server integration is also worth noting. Run node dist/mcp-server.js and the security_recon tool becomes available to any MCP-aware agent, making T3MP3ST composable with the broader AI tool ecosystem rather than a walled garden.

Who This Is For

T3MP3ST is for any founder, developer, or security practitioner who needs to run offensive security testing without hiring a pentesting firm or committing to an expensive SaaS platform. If your startup has an AI coding agent in its workflow, you already own the compute required to run autonomous security audits. The framework is AGPL-3.0 licensed, self-hosted, and does not send your target data to any third party.

For solo founders, this is particularly valuable. A security audit that would cost five figures from a professional firm is now something you can run on your own schedule, against your own targets, with results that include CWE classifications, CVSS scores, and PoC drafts ready for vendor disclosure. The coordinated-disclosure pipeline is already live enough that the project has disclosure drafts held for vendor coordination as of this writing.

For teams building AI agents themselves, T3MP3ST also serves as a case study in the architecture of autonomous security operations. The operator model, the evidence vault, the credential store, and the finding ledger are patterns worth studying regardless of whether you run the framework directly.