AI-Native Red-Team Workbench

AI-native red-team workbench for authorized penetration testing and vulnerability research, with specialist agents, sandboxed tooling, evidence records, and replayable timelines.

Red-Team Operating Model

Coordinator-led penetration testing and vulnerability research with specialist execution, durable evidence, and replayable review paths.

Authorized use only

Use this project only within a lawful and explicitly authorized scope. It does not grant permission to test, access, scan, or affect any third-party system, network, service, account, or data. Unauthorized, unlawful, or harmful use is prohibited. Users are responsible for preserving authorization, defining scope, and complying with applicable laws, contracts, and authorization boundaries. The author is not responsible for any consequence, loss, damage, legal liability, or unlawful act caused by users.

Coordination

csoZ3r0

Red-team planning, delegation, and evidence synthesis

Code Audit

caeV3ra

Source, dependency, and configuration review

Reconnaissance

cieL1ly

Asset discovery, enrichment, and relationship mapping

Validation

cpeFr4nk

Authorized exploitation validation and impact verification

Reverse

creJ4m3

Sample, binary, firmware, and APK analysis

Cryptography

cceNu1L

Protocol, key management, and implementation review

Architecture

Layered architecture for authorized red-team operations.

Z3r0 separates the workbench, API boundary, runtime orchestration, resumable drivers, session agent graph, sandboxed execution, model access, notification-backed liveness, timeline replay, and persisted WorkProject evidence records.

Execution

Tools, sandboxes, and models are mounted behind runtime authorization.

Foundation

Notification obligations, stable events, and durable storage keep long red-team work recoverable.

Agent Team

A lead security role coordinates specialists across the red-team lifecycle.

csoZ3r0

Chief Security Officer

Task decomposition, specialist coordination, and result integration.

caeV3ra

Chief Audit Engineer

Source code security audit, dependency review, and remediation verification.

cieL1ly

Chief Intelligence Engineer

Reconnaissance, asset discovery, and relationship analysis.

cpeFr4nk

Chief Penetration Engineer

Penetration testing, vulnerability validation, and impact verification.

creJ4m3

Chief Reverse Engineer

File, binary, firmware, and APK reverse engineering.

cceNu1L

Chief Cryptography Engineer

Cryptographic protocol review, key management, and implementation analysis.

Evidence Chain

Durable records keep findings reviewable after the model context changes.

Agent output is useful only when it can be traced to authorized scope, evidence, relationships, and review state. WorkProject records turn transient red-team analysis into structured data owned by the application.

Authorized Scope

Targets, owners, sandbox binding, and red-team objectives define the operating boundary before execution.

Specialist Agents

A coordinator delegates reconnaissance, validation, audit, reverse, and cryptography work to role-scoped experts.

Sandboxed Tooling

Commands, files, GUI tooling, skills, and manual review stay inside the selected Docker sandbox.

Evidence Records

Assets, findings, relationship edges, and attack paths are stored as WorkProject-owned records.

Replayable Review

Timeline replay, graph views, and record tabs keep validation and handoff independent from model context.

Runtime Flow

Async drivers keep long red-team work resumable without polling or blocking on background work.

Start

01

AgentSessionPool creates or resumes a red-team session and launches the owning instance driver.

Drain

02

run_until_idle executes the initial turn and every claimable PENDING notification for that instance.

Dispatch

03

Specialist agents and async sandbox commands register AWAITING obligations, then the driver stops while they run.

Terminal

04

execute_async_command ends the current turn immediately, so agents cannot poll a running job.

Resume

05

Completed or failed background work flips the obligation to PENDING and wakes the owning instance.

Replay

06

Timeline events are stamped with seq values and item keys so refreshes read the same frames as live streams.
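
The six steps above, modeled as a small in-memory state machine. This is an added example, not Z3r0's code: run_until_idle, execute_async_command, AWAITING and PENDING come from the page, while Runtime, Obligation, complete, replay, emit, first_turn_jobs and the DONE state are assumptions made for illustration.

```python
# Simplified model of the driver/obligation flow (illustrative, not Z3r0's code).
import enum
from dataclasses import dataclass, field
class State(enum.Enum):
    AWAITING = 1  # background work still running
    PENDING = 2   # result ready, owner not yet resumed
    DONE = 3      # consumed by the owner's driver (hypothetical state)

@dataclass
class Obligation:
    owner: str
    job: str
    state: State = State.AWAITING
    result: str = ""

@dataclass
class Runtime:
    obligations: list = field(default_factory=list)
    timeline: list = field(default_factory=list)  # (seq, item_key, text)
    launches: int = 0

    def emit(self, item_key, text):
        self.timeline.append((len(self.timeline) + 1, item_key, text))

    def execute_async_command(self, owner, job):
        # Registers the obligation and returns nothing: no handle to poll.
        self.obligations.append(Obligation(owner, job))
        self.emit(f"cmd:{job}", "dispatched")

    def run_until_idle(self, owner, first_turn_jobs=()):
        self.launches += 1
        for job in first_turn_jobs:          # initial turn dispatches work
            self.execute_async_command(owner, job)
        mine = [o for o in self.obligations if o.owner == owner]
        for ob in mine:                      # drain every claimable notification
            if ob.state is State.PENDING:
                ob.state = State.DONE
                self.emit(f"cmd:{ob.job}", f"result:{ob.result}")
        return sum(o.state is State.AWAITING for o in mine)  # driver stops here

    def complete(self, job, result):  # called by the background side
        for ob in self.obligations:
            if ob.job == job and ob.state is State.AWAITING:
                ob.state, ob.result = State.PENDING, result  # flip, then wake
                return self.run_until_idle(ob.owner)
        return None  # unknown or already-completed job: no relaunch

    def replay(self, after_seq=0):
        return [f for f in self.timeline if f[0] > after_seq]
```

A duplicate completion for the same job does not relaunch the driver, and replay(n) returns exactly the frames a live stream delivered after seq n.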

Sandbox Tooling

Agent tools and manual review share one controlled execution boundary.

Short commands return captured output metadata immediately. Long commands end the current agent turn and resume the owner only after terminal status, exit code, output size, and output file are available.

Commands, Skills, Shell, Files, noVNC, Ghidra, jadx, sqlmap, nmap

Technical Characteristics

Implementation boundaries that make agent-assisted red-team work recoverable, auditable, and contract-driven.

Async Instance Drivers

Main and specialist drivers drain ready work, stop while background obligations run, and relaunch only when results are ready to integrate.

Notification-backed Liveness

Subagent tasks and sandbox jobs register AWAITING obligations atomically, then wake owners through PENDING notifications.

Turn-terminal Commands

Long sandbox commands end the current agent turn immediately, preventing polling loops and preserving a single resume path.

Interruptible Runtime

The task runtime races SDK streams against notifications while deferring interruption until pending tool calls reach a safe point.

Session Agent Graph

Roles, tools, knowledge, specialist agents, model settings, sandbox state, and WorkProject state are assembled per session.

Recoverable Delegation

Specialist work can go dormant, resume after child work completes, cancel cleanly, and avoid hot relaunch loops.

Durable Timeline Replay

Persisted UI events use stable seq values and item keys, so live streaming and replay share the same event contract.

WorkProject Evidence Records

Project sessions persist scoped targets, discovered assets, findings, relationship edges, and attack paths as structured review data.

Scoped Context Projection

Agents share persisted history while receiving role-appropriate context views that filter private tool traces.

Long-context Compaction

Earlier projected history is summarized while recent context and durable facts remain available for continuation.

Generated Frontend Contracts

Frontend types and enum constants are regenerated from backend schema instead of manually maintained in feature code.

Sandbox Tool Invalidation

Sandbox state changes invalidate tool bindings and clean up active subagent work or async commands.

Operational Boundary

Built for authorized red-team work in controlled environments.

Use Z3r0 where sandbox execution, Docker access, file operations, and model credentials can be governed as high-privilege assets.

Trusted deployment required

Z3r0 is intended for authorized red-team operations, penetration testing, vulnerability research, security assessment, code auditing, internal review, controlled research, and training environments. Network access, sandbox containers, terminal access, file management, and model credentials should remain isolated and trusted. Users must define and follow an explicit authorization scope before using any tool capability.