Compete in DARPA AIxCC Challenge
DeltaScan is a proof-of-concept vulnerability scanner that analyzes diffs between software releases to identify security issues. It works: the Scanner finds potential vulnerabilities in code changes, the Reviewer validates them with full codebase context, and the Exploiter generates proof-of-concept exploits in sandboxed containers.

But DeltaScan is a standalone Python tool that only looks at what changed between versions: it can't analyze a full codebase, doesn't integrate with anything, and, critically, cannot generate patches. DARPA's AIxCC challenge scores 60% of points on patch generation alone.

To compete, we need to evolve DeltaScan from a diff scanner into a full Cyber Reasoning System: port it to Chariot's agent architecture for orchestration and persistence, add patch generation as a first-class capability, and eventually build code graph infrastructure for taint analysis to reduce false positives.

Tasks 1-4 complete the DeltaScan foundation. Tasks 5-7 integrate it into Chariot and add patching. Tasks 8-9 add competitive differentiation.

| Component | Status | What It Does |
| -- | -- | -- |
| Scanner | ✅ Done | Analyzes diffs between releases, flags potential vulns |
| Reviewer | ✅ Done | Validates findings with full codebase context |
| Exploiter | ✅ Done | Generates PoC exploits in sandboxed containers |
| Benchmarking | 🔄 Todo | Measures accuracy, false positive rate |
| Patch Generator | ❌ Missing | 60% of AIxCC scoring |

| Capability | Points | Our Status |
| -- | -- | -- |
| Vulnerability Discovery | 1x | ✅ Have |
| Exploit Generation | 1x | ✅ Have |
| Patch Generation | 3x | ❌ Missing |

Phase 1: DeltaScan Foundation

| Task | Issue | Title | Status |
| -- | -- | -- | -- |
| 1 | LAB-841 | Scanner - Differential Vulnerability Analysis | ✅ Done |
| 1a | LAB-846 | Scanner - Chunk Size Optimization | ✅ Done |
| 2 | LAB-845 | Reviewer - Full-Context Vulnerability Validation | ✅ Done |
| 3 | LAB-848 | Exploiter - Dynamic Vulnerability Exploitation | ✅ Done |
| 3a | LAB-842 | Exploiter - Docker-in-Docker Sandbox Isolation | ✅ Done |
| 4 | LAB-843 | Benchmarking - Scanner Accuracy & Validation | ✅ Done |
| 4a | LAB-849 | Benchmarking - A/B Testing Configuration | ✅ Done |

Phase 2: Chariot Integration

| Task | Issue | Title | Status |
| -- | -- | -- | -- |
| 5 | LAB-847 | SCM Integrations for Public Repos | Todo |
| 6 | LAB-851 | Chariot-Native Code Analysis Agents | Todo |
| 7 | LAB-853 | Chariot-Native Exploitation & Patching | Todo |

Phase 3: Competitive Differentiation

| Task | Issue | Title | Status |
| -- | -- | -- | -- |
| 8 | LAB-850 | Skills & Domain Knowledge | Todo |
| 9 | LAB-852 | Code Graph Infrastructure | Future |

DeltaScan evolves into Chariot capabilities:
DELTASCAN (standalone)      CHARIOT-NATIVE (integrated)
──────────────────────────────────────────────────────────────
Scanner (Python)         →  vuln-researcher agent
Reviewer (Python)        →  code-analyzer agent
Exploiter (Python)       →  exploit-tester capability
[none]                   →  patch-generator capability (NEW)
[none]                   →  Code graph + taint analysis (NEW)
Target architecture: modules/chariot/backend/pkg/lib/agent/
Completed
Feature
3 months ago