FuzzingBrain V2 Debuts: Multi-Agent LLM Takes Care of Both Vulnerability Discovery and PoC Reproduction in One Go

A new paper presents a complete solution for Multi-Agent LLMs to automatically discover deep vulnerabilities in large C/C++ projects and generate reproducible PoCs, pushing the division of roles between traditional fuzzing and LLM agents to a new stage.
The Next Watershed in Vulnerability Discovery: Let the Agent Write the PoC Too
In late May, a paper quietly went viral in the security community after being posted on arXiv — FuzzingBrain V2, a Multi-Agent LLM System for Automated Vulnerability Discovery and Reproduction.
This isn’t another minor upgrade like “using an LLM to help write fuzz harnesses,” but rather a full integration of “discovery” and “reproduction” — historically separate processes — into one automated pipeline via agent collaboration.
The authors are answering one big question:
Can LLM multi-agents uncover deep vulnerabilities in large C/C++ projects and simultaneously output a runnable PoC input, instead of just throwing out a bunch of “looks like a bug” reports that humans still need a week to verify?
No one has solved this properly in previous years because it’s genuinely hard. After reading the paper and comparing it with the industry’s recent work, the solution here is well worth unpacking.

Why This Only Took Shape in 2026
Looking back at the paradigm shifts in automated vulnerability discovery, it’s no coincidence that FuzzingBrain V2 arrived now.
- Before 2022: Traditional fuzzing dominated. Tools like AFL, libFuzzer, and syzkaller tackled the “input space explosion” problem but couldn’t handle deep logic bugs and heavily depended on manually written harnesses.
- 2023: Google’s OSS-Fuzz AI-Powered Fuzzing first embedded LLMs into the fuzzing pipeline, using models to generate fuzz targets. That year, LLMs served as augmenters, not replacements.
- 2024: With Claude 3.5 and LangGraph, agent engineering matured. OSS-Fuzz’s Leveling Up Fuzzing used LLM agents to generate harnesses and auto-fix compilation errors across 272 C/C++ projects — even uncovering a 20-year-old OpenSSL vulnerability, CVE‑2024‑9143. This was the turning point where agents started generating real results.
- 2025: Anthropic launched Automated Security Reviews with Claude Code. SCONE-bench began evaluating agent performance on smart contracts. Tencent’s atum team disclosed 60+ real-world vulnerabilities found annually in major open-source repos — over half high-severity.
The curve is clear: LLMs have moved from support tools to decision-makers.
Yet, even so, most systems stop at “reporting vulnerabilities,” not delivering runnable PoCs. In industry, a vulnerability report without a PoC is almost worthless — SREs won’t trust it, product teams won’t fix it, and CVE reviewers can’t score it highly.
FuzzingBrain V2’s value lies in explicitly making reproducibility its top priority.
How the System Is Built: Specialization Beats Generalization
One of the paper’s most replicable design philosophies is rejecting the “super-agent that does everything” model. This differs sharply from the “single agent + long prompt brute-force” approach many used over the last six months.
The division of labor looks roughly like this:
- Recon Agent (Reconnaissance): Ingests the codebase to locate high-risk areas — like a static analysis engineer reading Makefiles, entry points, parsers, or IPC boundaries worth extra scrutiny.
- Hypothesis Agent: Proposes concrete vulnerability hypotheses based on Recon’s output — e.g., “
parse_header()may underflow the length field when it equals zero.” This plays to the LLM’s strength: pattern matching + intuitive reasoning. - Harness Agent (Construction): Translates hypotheses into executable fuzz harnesses or targeted input generators, leveraging OSS-Fuzz’s accumulated experience (auto-fix compile errors, locate include dependencies).
- Executor / Sanitizer Agent: Runs fuzzing and sanitizers (ASan/UBSan/MSan) to separate true positives from false ones.
- Reproducer Agent (Reproduction): After crashes, minimizes inputs and generates stable, reproducible PoCs with call stacks and trigger explanations.
The key insight isn’t just “multi-agent,” but cleanly separating the model’s reasoning from the tool’s factual validation through tool calls and message passing.
The LLM guesses, the sanitizer judges, the fuzzer executes — each stage has a ground truth for feedback. That’s the real distinction between agentic security research and “prompt engineering.”
The Boundary Between Black-Box and White-Box Is Fading
Qi An Xin’s security team recently made a similar observation: With maturity in MCP and RAG frameworks, the traditional boundary between black-box and white-box analysis is being blurred by agents. FuzzingBrain V2 exemplifies this:
- It can read code and do data-flow reasoning like a white-box tool.
- It can blast inputs and process runtime feedback like a black-box fuzzer.
- It can analyze crash logs and refine its hypotheses like a human researcher.
Previously, engineers had to decide: “Should I enable symbolic execution?” “Should I instrument?” “Should I run taint analysis first?” Now, the agent autonomously picks the right tool based on context.
That adaptive orchestration is the most valuable part of LLM agent deployment in security.
A Few Key Technical Details
Some engineering details in the paper are more significant than metrics like “we found N CVEs”:
- Crash deduplication and attribution: Anyone who’s run fuzzing knows that 10,000 crashes can map to just 3 actual bugs. FuzzingBrain V2 lets the LLM parse backtrace semantics instead of hashing the top few frames — especially helpful for macro-heavy, inline-heavy C/C++ projects.
- Dedicated PoC minimization modeling: Traditional delta debugging struggles with structured inputs (protobufs, media formats). A dedicated Reproducer Agent that understands format semantics achieves much smaller PoC sizes.
- Failure analyses included: The paper openly discusses frequent “hallucinated bug” issues and lists categories the agents still can’t handle (e.g., inter-module race conditions, long-lifecycle heap corruptions) — refreshingly candid.
Comparison With Contemporary Work
Let’s compare this with other recent systems:
| System / Work | Main Goal | LLM Role | Outputs Reproducible PoC? | |---|---|---|---| | OSS-Fuzz Leveling Up (2024) | Auto-generate harnesses | Single Agent + Tools | Partial | | IVAgent (Kanxue) | Binary / Source hybrid bug hunting | Multi-engine coordination | Partial | | Claude Code Security Review | Code auditing | Auditor | No (report-only) | | FuzzingBrain V2 | Integrated discovery + reproduction | Multi-Agent specialization | Yes, with minimization |
Horizontally, FuzzingBrain V2 might not dominate on a single metric, but it’s one of the few systems making “verifiable PoC generation” a hard deliverable. Its engineering impact may outweigh any benchmark gains.
What This Means for Developers
Even if you’re doing regular business development, this matters. Two trends to watch:
- Agent-based security reviews integrated into CI will become mainstream. Not just “running a SAST tool,” but an agent reasoning in the PR context: “This parser edit changed boundary handling — should I fuzz it quickly?” Expect this capability in major DevSec toolchains by late 2026.
- Vulnerability intelligence will become bidirectionally linked. Today’s CVE reports are human-textual. Once agents can output PoCs automatically, the next step is full-chain: CVE → Auto reproduction → Auto localization → Auto patch generation. That compresses vulnerability response times from days to hours.
A Dose of Realism
We should acknowledge limitations: Agent systems aren’t cheap.
Running a multi-agent workflow like FuzzingBrain V2 — with long contexts and repeated tool calls — consumes a massive number of tokens. That’s why such systems currently exist mainly in research papers and large enterprises; reproducing them in smaller teams remains challenging.
But the trajectory is clear: Vulnerability research is shifting from “Tools + Experts” to “Agents + Tools + Experts.”
Experts are moving up the chain — from writing harnesses and tuning fuzzers to defining objectives and reviewing results. It’s not replacement; it’s restructured collaboration.
A quick note on model choice: multi-agent security tasks are demanding in code comprehension, long-context stability, and tool-call accuracy. Claude, GPT, Gemini, and DeepSeek each excel in different phases; running them in rotation is normal. Aggregation interfaces like OpenAI Hub, which unify multiple APIs under one key, help avoid the account and networking headaches that cross-model testing otherwise brings.
As for whether multi-agent LLMs will eventually take over vulnerability discovery —
We’ll know by late 2026, judging from each team’s real CVE performance across open-source projects.
References
- IVAgent - Multi-Agent Driven Vulnerability Discovery Agent (Kanxue Forum): An LLM-based multi-engine vulnerability discovery agent implementation, useful for comparison with this system.



