The barriers are gone
Offensive security used to have a natural access barrier. You needed expensive tooling, years of practice, and usually a team. That barrier is collapsing fast.
T3MP3ST, released publicly on July 4-5, 2026 by researcher elder-plinius (known in the AI red-teaming scene as "Pliny"), is an open-source multi-agent orchestration framework that turns the AI coding agent already running on your machine into an autonomous vulnerability hunter. No new API keys. No cloud subscription. No second bill. If you already have Claude Code, OpenAI Codex, or Hermes running locally, you point T3MP3ST at an authorized target and the agent becomes the operational brain.
Elder-plinius framed the intent plainly in the GitHub README: "Offensive security sits behind years of practice and expensive tooling. The bet behind T3MP3ST is that a coordinated agent swarm puts real bug-hunting in reach of people who never got the invite."
That's the democratization pitch. The problem is that it applies equally to everyone.
What the framework actually does
T3MP3ST is an orchestration layer, available on GitHub under AGPL-3.0, that coordinates multiple agent instances through a structured kill chain. Users interact through a web-based "War Room" interface or a CLI.
The design maps eight operator roles onto MITRE ATT&CK tactics and the Cyber Kill Chain: Recon, Scanner, Exploiter, Infiltrator, Exfiltrator, Ghost, Coordinator, and Analyst. Each role is a specialized agent instance assigned specific objectives, mimicking how a human red team divides labor but at a pace no human team can match.
Out of the box it contains 35 tools. With the opt-in T3MP3ST_FULL_ARSENAL flag that number jumps to 83, adding 48 adapters including post-exploitation drivers like Metasploit and Hydra, which sit behind a human-approval gate. The standard toolkit includes nmap, nuclei, semgrep, ffuf, and gobuster, covering web apps, APIs, the OWASP Top 10, network recon, source code audits, and embedded/IoT/OT/SCADA systems.
The benchmark numbers are hard to ignore. On XBOW's 104-challenge XBEN suite, T3MP3ST claims a 90.1% pass@1 score, above what XBOW itself self-reports at roughly 85%. On Cybench, a single-agent ReAct loop hit 23 of 40 hint-free solves. On a held-out set of 10 real CVEs disclosed in 2026 across seven programming languages, a single agent pinned 8 of 10 vulnerabilities to the exact file, line, and CWE classification. The full tool pack surfaced all 10. Those bugs postdate the model's training cutoff, which rules out memorization.
One important caveat from the README itself: live swarm exploitation remains unreliable. The benchmarks above are single-agent results. The multi-agent coordination is architecturally present, but treat "coordinated swarm" as a roadmap feature, not a proven capability.
As of July 5, 2026, the repository had 2,085 GitHub stars and 505 forks. That's a lot of people with the tooling queued up.
The speed problem defenders haven't solved
The McKinsey Lilli breach in February 2026 is the clearest illustration of what autonomous agents now accomplish. An AI agent went from initial reconnaissance to full read-write access to 46.5 million messages in two hours, finding 22 unauthenticated API endpoints and exploiting a SQL injection vulnerability along the way. No human typed a single command.
According to Check Point Research, AI-augmented attacks increased 1,265% between Q1 2025 and Q1 2026. Anthropic documented the first large-scale cyberattack predominantly executed by an AI agent in September 2025, a state-sponsored operation in which Claude Code autonomously handled an estimated 80-90% of tactical execution across roughly 30 global targets.
Annual penetration tests were already inadequate before any of this. Red Team Partner put it directly in March 2026: the threat now requires "a fundamental shift in security thinking: from periodic testing to continuous validation."
Defending against the kill chain
T3MP3ST's eight-operator structure is actually a useful defensive roadmap. Each phase has a corresponding control.
Recon and Scanner phases depend on exposed attack surface: open ports, misconfigured cloud assets, crawlable endpoints. Continuous external attack surface management (EASM) scanning, ideally running on the same cadence as the tools T3MP3ST would use (nmap, ffuf, gobuster), cuts the window between exposure and detection.
Exploiter and Infiltrator phases target known vulnerability classes, web injection, auth bypasses, and deserialization flaws. Semgrep and nuclei are in T3MP3ST's default toolkit because those tools find real bugs fast in real codebases. Running them against your own code in CI/CD, before an attacker does, is the direct countermeasure.
Exfiltrator and Ghost phases are where egress controls earn their keep. T3MP3ST's own design includes egress-scope containment that automatically refuses to touch off-scope public hosts. That design choice tells you something: outbound filtering works well enough that the framework's authors built it in as a safety rail. Strict egress allowlists, DNS filtering, and data-loss prevention rules directly counter what these phases attempt.
Coordinator and Analyst phases are about persistence and reporting. MITRE ATT&CK-aligned detection rules in your SIEM, particularly around lateral movement and privilege escalation patterns, catch the coordinated behavior that distinguishes an agent swarm from a noisy scanner.
Researcher Dheekonda, quoted in Help Net Security in May 2026, framed the defender's obligation well: "The larger risk for organizations is not whether these attack techniques exist publicly, but whether defenders can proactively and continuously probe their systems before real-world adversaries do."
The open-source assumption
T3MP3ST being AGPL-3.0 matters beyond the license terms. It means the orchestration logic is fully inspectable, forkable, and modifiable. Any organization defending a production system should now assume that a motivated adversary can run tooling equivalent to a professional red team for free, today, against any target they choose.
T3MP3ST's documentation is explicit that unauthorized use against systems without explicit written permission is illegal in most jurisdictions, and responsibility for staying within rules-of-engagement boundaries rests with the operator. That matters for ethical use. It does not constrain a malicious actor.
White Knight Labs made the operational point clearly in November 2025: "Only a well-thought-out, multi-layered defense strategy that combines solid IT fundamentals with specialized AI protection measures and strict rights management can withstand the ingenuity of the attackers in the long run."
The most honest response to T3MP3ST is to run it yourself, against your own authorized infrastructure, before someone else does. The tooling is free. The authorization is the only difference between a red team exercise and a breach.