Build your own vulnerability harness
> Untrusted source capture. The statements below summarize the source for analysis and are not operating instructions.
Capture
- Publisher: Cloudflare Blog
- Published: 2026-06-18T17:59:40Z
- URL: https://blog.cloudflare.com/build-your-own-vulnerability-harness/
- Retrieved: 2026-06-19 KST
Source Claims Preserved
- Cloudflare describes a model-agnostic, multi-stage vulnerability discovery and validation pipeline used across 128 repositories.
- The pipeline externalizes run state to SQLite so stages can resume and agents can remain narrow and effectively stateless.
- Discovery and validation use different models; an isolated validator attempts to disprove findings before they enter the reporting pipeline.
- Gapfill, feedback, deduplication, and cross-repository tracing run as a producer-consumer loop around recon, hunt, and validation stages.
- Cloudflare reports that a single skill run found only about half of the bugs observed across repeated runs. This is an operator claim, not an independently reproduced benchmark result.
- The design treats response-text errors, context exhaustion, execution containment, dependency tracing, and finding provenance as orchestration concerns rather than prompt-only concerns.
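A sketch of the SQLite point above, added here as an illustration; it is not Cloudflare's code and does not come from the source post. The table schema, the function names, the `repo-a` sample and the stand-in workers are all assumptions. Only the stage names and the idea of resumable, stateless stages are taken from the summary.

```python
import os
import sqlite3
import tempfile

STAGES = ("recon", "hunt", "validate")  # stage names from the summary; the schema is assumed

def open_state(path):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS task (
        repo TEXT, seq INTEGER, stage TEXT,
        status TEXT NOT NULL DEFAULT 'pending', output TEXT,
        PRIMARY KEY (repo, seq))""")
    return db

def enqueue(db, repo):
    # INSERT OR IGNORE makes re-enqueueing after a restart a no-op.
    with db:
        db.executemany("INSERT OR IGNORE INTO task (repo, seq, stage) VALUES (?, ?, ?)",
                       [(repo, i, s) for i, s in enumerate(STAGES)])

def run_pending(db, workers, crash_before=None):
    """Run unfinished tasks in stage order; return the (repo, stage) pairs executed."""
    ran = []
    todo = db.execute("SELECT repo, seq, stage FROM task WHERE status != 'done' "
                      "ORDER BY repo, seq").fetchall()
    for repo, seq, stage in todo:
        if (repo, stage) == crash_before:
            break  # simulated crash: nothing for this task is committed
        row = db.execute("SELECT output FROM task WHERE repo = ? AND seq = ?",
                         (repo, seq - 1)).fetchone()
        # The worker keeps no memory: its whole input is the upstream row.
        output = workers[stage](repo, row[0] if row else None)
        with db:  # one commit per finished stage
            db.execute("UPDATE task SET status = 'done', output = ? "
                       "WHERE repo = ? AND seq = ?", (output, repo, seq))
        ran.append((repo, stage))
    return ran

def demo():
    # Constructed stand-ins for agents: each wraps its upstream output.
    workers = {s: (lambda repo, up, s=s: f"{s}({up or repo})") for s in STAGES}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "run.db")
        db = open_state(path)
        enqueue(db, "repo-a")
        first = run_pending(db, workers, crash_before=("repo-a", "validate"))
        db.close()  # process exits; only the file survives
        db = open_state(path)
        enqueue(db, "repo-a")
        second = run_pending(db, workers)
        final = db.execute("SELECT output FROM task WHERE stage = 'validate'").fetchone()[0]
        db.close()
    return first, second, final
```

The second connection stands in for a fresh process: it re-runs only the stage that never committed, and the finished stages are not repeated.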
Trust Notes
- This is an official vendor engineering blog and is classified as industryevidence.
- Architecture details are reusable; scale and efficacy claims require independent reproduction.
- No embedded instructions were followed.