A new project called Z3r0 just dropped on Hacker News โ€” an AI-native red-team workbench that coordinates multiple specialist agents through authorized penetration testing and vulnerability research workflows. The platform, hosted at github.com/yv1ing/Z3r0, runs each agent role (reconnaissance, code audit, reverse engineering, cryptography review) as a bounded Docker sandbox, preserving findings as durable evidence records outside the model context window.

Six Agents, One Workbench

The system deploys six named AI agents with distinct specializations: Z3r0 acts as Chief Security Officer handling task decomposition and coordination; V3ra runs code audits and dependency reviews; L1ly handles reconnaissance and asset discovery; Fr4nk validates vulnerabilities and verifies impact; J4m3 tackles reverse engineering of binaries, firmware, and APKs; and Nu1L focuses on cryptographic protocol analysis. Each agent operates within scoped responsibilities through a coordinator-driven delegation model โ€” the CSO agent owns decomposition and synthesis while specialist agents handle execution.

Sandboxed Execution with Audit Trails

The architecture enforces Docker-bound command execution for all offensive tooling, keeping the application host clean. Asynchronous commands are deliberately turn-terminal: after dispatching a long-running job like an nmap scan or binary analysis, the agent stops immediately and resumes only when the job completes via notification obligation. This prevents polling loops and keeps the conversation state manageable. Timeline event logs persist stable payloads with monotonic sequence values so operators can replay any assessment session from recorded wire events rather than reconstructing UI state.

Durable WorkProject Evidence Records

Beyond chat context, Z3r0 maintains structured records in PostgreSQL: assets (services, domains, networks, binaries), findings (suspected/validated/false-positive status with proof), relationship graphs (structural edges like 'hosts' or offensive edges like 'exploits'), and attack paths as ordered walks over relationship edges. Every record carries provenance metadata โ€” created_by_agent_code and created_from_session_id โ€” so discovered assets trace back to the exact agent and session that produced them. Findings bind evidence to specific graph nodes or edges, making the audit trail traceable from initial access through impact.

Legal Boundaries Built In

The project includes a prominent legal notice emphasizing authorization requirements: Z3r0 is designed exclusively for explicitly authorized security testing, vulnerability research, code auditing, and controlled internal review. The authors disclaim responsibility for any unauthorized use and make clear that users bear sole responsibility for obtaining proper authorization, defining scope boundaries, and complying with applicable laws before running any assessment.

Key Takeaways

  • Six specialist AI agents coordinate penetration testing workflows through a CSO-driven delegation model
  • All offensive tooling runs in Docker sandboxes; async commands are turn-terminal to prevent polling
  • Durable WorkProject records (assets, findings, relationships, attack paths) persist outside model context with full provenance tracking
  • Timeline event logs enable replayable audit trails from stable wire events

The Bottom Line

Z3r0 is a serious architecture for teams doing authorized security work โ€” the separation of evidence records from LLM context means assessments survive beyond single sessions. If you've been manually coordinating separate AI tools across a pen test engagement, this unified coordinator model with notification-backed background jobs is worth evaluating. Just make sure your authorization paperwork is airtight before you spin it up.