Vigolium: Open-source vulnerability scanner – Help Net Security


Vigolium, an open-source vulnerability scanner that mixes deterministic scanning with AI-driven auditing, published its initial open-source release this month. The project ships 235+ scanner modules and an in-process agent runtime called olium that handles autonomous endpoint discovery, attack planning, and finding triage.


The tool exposes two scanning paths. vigolium scan runs a multi-phase deterministic pipeline covering content discovery, browser-based spidering, and active and passive auditing. vigolium agent hands control to an LLM-driven harness that selects modules, generates custom JavaScript extensions, and runs source-code audits alongside dynamic scans.

Budget caps and the cost of agent autonomy

Agentic security tooling raises a recurring question for operators: how much time and money should an autonomous auditor be allowed to consume before its output stops being useful. Vigolium exposes caps on tokens, tool calls, triage iterations, and wall-clock duration.

Jessie Ho, the tool’s author, told Help Net Security that operators should match the cap to the job. “Time-boxed pentests or CI runs: lean on the wall-clock and iteration caps so it always finishes. Deep dive on one target: loosen tokens and let it re-plan. Broad sweeps: keep per-target budgets tight, or one rabbit-hole target eats everything.”

He described two failure modes, from underbudgeting and overbudgeting. “Too little budget and the agent gets cut mid-lead, you’re left with a low-confidence stub. Too much and it just wanders, burns money, and adds noise.” His guidance to new users is to start tight and loosen the caps only when real work is getting cut off.

Triage as a separate pass

Plausible-sounding findings that fail to reproduce remain a persistent problem in LLM-assisted security testing. Ho said Vigolium handles this by running triage as its own pass after scanning. “The scanner finds candidates, then a separate pass re-checks every one against its evidence.”

On deduplication, the design favors merging over deletion. “It only collapses copies of the same issue, it never makes keep or kill calls on borderline ones. Anything the agent’s not sure about gets downgraded and shown, never quietly dropped.”
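To make the two design points above concrete (the iteration cap that can cut a lead short, and a triage pass that merges only exact copies and downgrades rather than drops), here is a small illustrative Python model. It is an added example, not Vigolium’s code; the candidate records and the `recheck` field standing in for a real reproduction attempt are constructed assumptions.

```python
from collections import defaultdict

LOW = 0.3  # confidence floor applied whenever triage downgrades a finding

# Constructed sample candidates, as a scan pass might hand them to triage.
CANDIDATES = [
    {"issue": "reflected-xss", "location": "GET /search?q", "recheck": "pass", "confidence": 0.9},
    {"issue": "reflected-xss", "location": "GET /search?q", "recheck": "pass", "confidence": 0.7},
    {"issue": "open-redirect", "location": "GET /login?next", "recheck": "unsure", "confidence": 0.8},
    {"issue": "sqli", "location": "POST /api/items", "recheck": "fail", "confidence": 0.6},
    {"issue": "cors-wildcard", "location": "GET /api/me", "recheck": "pass", "confidence": 0.5},
]


def triage(candidates, max_iterations):
    """Separate triage pass over scanner output.

    - Exact copies (same issue at the same location) are merged; near-matches
      are left alone rather than given a keep-or-kill decision.
    - Each merged candidate is re-checked against its evidence ('recheck' is a
      stand-in for the actual reproduction attempt).
    - Anything unsettled is downgraded and kept, never silently dropped.
    - Once the iteration cap is spent, remaining leads are emitted as
      low-confidence stubs so the operator can see what was cut off.
    """
    merged = defaultdict(list)
    for c in candidates:
        merged[(c["issue"], c["location"])].append(c)

    report = []
    for i, ((issue, location), copies) in enumerate(merged.items()):
        best = max(copies, key=lambda c: c["confidence"])
        entry = {"issue": issue, "location": location, "copies_merged": len(copies)}
        if i >= max_iterations:  # budget exhausted mid-lead: stub, not silence
            entry.update(status="stub", confidence=min(best["confidence"], LOW))
        elif best["recheck"] == "pass":
            entry.update(status="confirmed", confidence=best["confidence"])
        elif best["recheck"] == "fail":
            entry.update(status="not-reproduced", confidence=min(best["confidence"], LOW))
        else:  # agent unsure: downgrade but still show it
            entry.update(status="unverified", confidence=min(best["confidence"], LOW))
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage(CANDIDATES, max_iterations=2):
        print(entry)
```

Running with `max_iterations=2` shows the underbudget failure mode from the interview: the last two leads come back as stubs instead of findings.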

Extensions, sandboxing, and a possible registry

Vigolium’s JavaScript engine lets users write custom scan modules and hooks with session-aware HTTP APIs. Extensions can execute arbitrary commands with no sandbox. Asked whether a community registry might emerge, Ho was cautious about the trust model such a system would require.

“Extensions run arbitrary code with no sandbox, so a registry is really just distributing executables, and signing only tells you who wrote it, not whether it’s safe.” Any sharing mechanism, he said, would need provenance and signing, an untrusted-by-default posture with explicit opt-in, and curation over open submission. “A small vetted set beats a huge unvetted marketplace.”

Open core, commercial console

Vigolium ships alongside a hosted product called Cloud Console. Ho drew the boundary between the two in operational terms. “The scanner is the open core, operations are commercial. Anything that finds bugs stays in the AGPL repo. The Console is just the ops layer on top: hosting, collaboration, scale, scheduling.”

Contributor confidence, he said, rests on the license and on visible behavior over time. “New detection lands in the open repo first. The day capability starts moving out of core to upsell the Console, that trust is gone.”

Vigolium is available for free on GitHub.
