BetaWe're currently in beta. Signing in will place you on our waitlist.
The P4L4D1N Agent System

Blitz Agents

Beyond Breadth: The Blitz Architecture

The Blitz tier does not simply run more agents. It introduces a fundamentally different testing strategy: a two-pass approach where breadth agents identify the landscape and depth agents drill into each finding, plus two specialized meta-agents that operate on the combined output of all other agents.

At 20 agents running for 4 hours, Blitz is designed for targets where maximum vulnerability discovery and verification justify the investment. Understanding the architecture of these additional agents is essential for interpreting Blitz results and recognizing the types of findings that only this tier can produce.

The Two-Pass Strategy

Breadth Pass (8 Specialists)

The first 8 agents in a Blitz engagement are identical to the Deep tier specialists: Web App, API Security, Infrastructure, Code Analysis, Crypto/TLS, Auth/Access Control, Business Logic, and Supply Chain. They perform their standard analysis — reading Phase 1 output, reasoning about findings, validating vulnerabilities, posting to the blackboard, and exchanging leads.

The breadth pass establishes the baseline: what vulnerabilities exist, what the attack surface looks like, and where the most promising investigation paths are.

Depth Pass (8 Deep Analysts)

After the breadth pass agents have populated the blackboard with initial findings, 8 additional depth-pass agents are deployed — one for each specialist domain. Each depth agent receives the same system prompt as its breadth counterpart, plus an additional directive: "You are in DEPTH mode. Go deeper on findings from the breadth pass. Attempt exploit chains and verify severity with detailed PoCs."

The depth agents read the blackboard to see what the breadth pass found and then focus on:

  • Exploit sophistication — Trying more advanced techniques that require more reasoning steps. If the breadth Web Agent found reflected input, the depth Web Agent attempts stored XSS, DOM-based XSS, and payload variations that bypass WAF filtering.
  • Severity verification — Confirming whether a Medium-severity finding is actually exploitable at a higher severity level when combined with other conditions.
  • Proof-of-concept detail — Producing more detailed, reproducible exploit documentation. The depth agent's PoC is not just "this parameter is reflected" but a full request/response sequence demonstrating actual exploitation.
  • Edge case exploration — Testing boundary conditions, unusual input encodings, and race conditions that breadth agents may have identified but not fully explored.

Each depth agent has a role name suffixed with -depth (e.g., web-depth, api-depth, infra-depth). This allows the blackboard to distinguish breadth findings from depth findings, and enables depth agents to specifically reference and extend the breadth pass results.

The Exploit Chain Agent

The Exploit Chain Agent is unique to the Blitz tier. Its focus areas are "exploit chains" and "attack paths," and its system prompt instructs it to read all findings from all other agents on the blackboard and identify multi-step attack paths.

Where individual specialists find individual vulnerabilities, the Exploit Chain Agent finds combinations. It looks for patterns such as:

  • Information disclosure + credential access — Server version disclosure reveals a known vulnerability, which provides initial access, which leads to configuration file exposure containing database credentials.
  • XSS + CSRF + session hijacking — Reflected XSS steals a CSRF token, which enables a state-changing action on behalf of the victim, which combined with session fixation enables full account takeover.
  • IDOR + data exposure + privilege escalation — An IDOR on user profile endpoints exposes email addresses, which enables password reset attacks, which combined with missing rate limiting enables account enumeration and takeover.
  • Dependency vulnerability + SSRF — A known CVE in a dependency enables SSRF, which reaches an internal metadata service, which leaks cloud credentials.

The Exploit Chain Agent does not run its own tools or perform its own scanning. It is purely an analytical agent that reads the blackboard and produces chain findings — multi-step attack paths where the whole is more severe than any individual part. These chain findings often represent the highest-severity items in a Blitz report because they demonstrate realistic attack scenarios rather than isolated theoretical vulnerabilities.

The Verification Agent

The Verification Agent serves as quality control for the entire pentest. Its focus areas are "PoC verification" and "severity validation," and its system prompt instructs it to verify findings from other agents by checking that:

  • Severity ratings are accurate — A finding rated Critical should demonstrate actual exploitation with significant impact. The Verification Agent flags findings where the claimed severity does not match the demonstrated proof.
  • PoCs are reproducible — The proof-of-concept exploit included with each finding should be complete enough for someone to reproduce the vulnerability. Incomplete or ambiguous PoCs are flagged for improvement.
  • CVSS scores match impact — The CVSS vector string should accurately reflect the access vector, complexity, privileges required, and impact of the vulnerability. Misaligned CVSS scores are corrected.
  • No false positives — Findings that appear to be false positives based on contradictory evidence from other agents or tool outputs are flagged.

The Verification Agent reads the entire blackboard at the end of the assessment and produces verification findings — meta-findings that confirm, adjust, or dispute other agents' work. This quality control layer is what makes Blitz tier reports the most reliable.

Timing and Coordination

The 240-minute Blitz window accommodates the sequential nature of the two-pass strategy. Breadth agents need time to populate the blackboard before depth agents can meaningfully build on their work. The Exploit Chain and Verification agents both benefit from having a complete blackboard to analyze.

The wrap-up signal fires at 192 minutes (80% of 240), giving all agents 48 minutes to complete their final analysis. Agents that are still mid-cycle when the wrap-up signal arrives summarize their remaining work and post their final findings before terminating.

When Blitz Findings Differ from Deep

Because Blitz includes depth passes and meta-agents, its findings often differ from what Deep tier would produce on the same target:

  • Higher severity ratings — Depth agents that verify exploitability often confirm that a Medium finding is actually High when combined with additional conditions.
  • Chain findings — The Exploit Chain Agent produces findings that exist only in the Blitz tier because no other tier has this agent.
  • Verified findings — The Verification Agent's quality control means fewer false positives and more accurate CVSS scoring in the final report.
  • More detailed PoCs — Depth agents produce longer, more detailed proof-of-concept documentation than breadth agents.

Understanding these differences helps you choose the right tier for each engagement and interpret Blitz-specific findings correctly.

Previous

Tier Scaling

Next

Blackboard in Action

On this page