ABOUT The approach behind the agents

Finding 0-days isn't a checklist.

ZeroQuarry was built where the disclosure emails land. Fifteen years of triaging inbound vuln reports at companies like Elastic, Kong, and Vectara... plus a HackerOne payout going the other way... shaped its design. The agents inside reflect what those years taught: real findings carry working proof, real attackers don't follow patterns, and a scanner that can't be wrong won't ever find anything new.

about://zeroquarry LIVE
$ whoami
ok zeroquarry · adversarial agents · est. 2026
$ pedigree
ok 15y · elastic · kong · vectara · hp · spread.ai
$ security-programs
ok soc 2 x4 · pentest sows x3 · cve triage x3
$ disclosures --as-reporter
ok h1 broken authn @ major travel · paid
$ mission
ok build the scanner those years called for
01 · The problem

Most scanners cry wolf.

Every scanner promises to find your bugs. Almost none of them prove the bugs exist. The result, for a generation of security teams: a queue of "potential issues" no one trusts, a pen-test that visits twice a year, and an LLM that hallucinates findings in between.
01 Static scanners
SAST-0421 potential SQLi LOW
SAST-0422 hardcoded secret LOW
SAST-0423 potential XSS MED
SAST-0424 potential SQLi LOW
+1,847 more · 99% unread

Pattern matching, not proof.

Legacy SAST and DAST tools flag anything that looks suspicious. Severity is graded by guesswork. Engineers stop reading the queue by the third sprint, then learn to filter the whole tool out.

  • pattern-based, not behavioural
  • no exploit ever attempted
  • alert fatigue by week three
02 Point-in-time pen tests
[Calendar graphic: JAN–DEC] 2 windows · 10 days each · ship something else?

Six-figure tests, twice a year.

Pen tests are excellent and expensive. They cover what's deployed on the day they happen — not what shipped on Tuesday, not what merged last week, not what your fork of upstream just inherited.

  • point-in-time only
  • scope-limited by SOW
  • shipping continues without them
03 Single-agent LLMs
finding: SSRF in /api/proxy
reproduces? no
code path exists? no
severity claimed: critical
no counter-party to disprove

Confident, frequently wrong.

A single LLM with a security prompt will happily describe a vulnerability that doesn't exist, in code that doesn't behave the way it thinks. Without a counter-party to disprove it, every plausible claim ships.

  • no falsification step
  • hallucinated PoCs
  • noise as a feature

ZeroQuarry's bet: pair an adversarial red-team agent with a skeptical vendor-team agent, run them continuously, and ship only findings that survive both.

02 · The method

An exploit isn't a finding until two agents agree.

The homepage shows the agents debating. Here's what that actually means at each phase of a scan — and what survives to reach a human.
PHASE 01

Reconnaissance

The red agent maps the target. For source, that's call-graph and data-flow analysis. For binaries, lifting to IR and walking the control flow. For live targets, capturing the API surface, authentication model, and tenancy boundaries.

PHASE 02

Exploit attempt

The red agent isn't asked to identify suspicious code. It's asked to produce a working primitive. No primitive, no finding. This single constraint kills most of the noise other scanners generate before it ever reaches a triage queue.

PHASE 03

Vendor rebuttal

The vendor agent receives the claim and the PoC, and is rewarded for tearing it down. It re-runs the proof, checks for guards the red agent missed, and pushes back on speculative severity. False positives die here.

PHASE 04

Survivor framing

What reaches the human is a finding with a reproducible PoC, a severity that survived adversarial review, and the narrowest patch the vendor agent could draft. Reviewable, mergeable, defensible to leadership.

The loop runs on every commit, every build, every endpoint change. Findings close when patches merge. Regressions get re-found if they come back.
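The phase 02 to 04 gate in miniature, as an added illustration that is not ZeroQuarry's own code (the page shows none): a constructed user-lookup handler in its vulnerable and patched forms, a red-agent claim that carries its input as the primitive, and a vendor check that admits the finding only if the proof reproduces, then closes or reopens it as successive commits land. All names and the handlers are assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample target: the same lookup before and after the patch.
def lookup_vulnerable(conn, username):
    # String-built query: the state a red agent would produce a primitive against.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{username}'").fetchall()

def lookup_patched(conn, username):
    # Parameterised query: the narrowest patch the vendor agent would draft.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (username,)).fetchall()

def make_db():
    conn = sqlite3.connect(":memory:")  # constructed fixture, two rows
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn

@dataclass
class Finding:
    title: str
    severity: str       # claimed by the red agent; only kept if the PoC holds
    poc_input: str      # the primitive: the exact input the red agent used
    status: str = "claimed"

def reproduces(handler: Callable, poc_input: str) -> bool:
    """Vendor re-run: the claim holds only if the input leaks rows it should
    never match. An exception is not a primitive either."""
    try:
        rows = handler(make_db(), poc_input)
    except sqlite3.Error:
        return False
    return len(rows) == 2

def run_loop(finding: Finding, commits: List[Callable]) -> List[str]:
    """Re-run the proof on every commit: reject a claim that never reproduced,
    close it when the patch lands, and reopen it if a regression returns."""
    history = []
    for handler in commits:
        if reproduces(handler, finding.poc_input):
            finding.status = "regressed" if finding.status == "closed" else "confirmed"
        else:
            finding.status = "rejected" if finding.status == "claimed" else "closed"
        history.append(finding.status)
    return history
```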

03 · The team

The operators behind the loop.

ZeroQuarry was built by people who've stood on every side of a vulnerability report: the engineer who shipped the bug, the manager triaging the disclosure, the HackerOne reporter going the other way, and the operator running the SOC 2 audit afterwards.
● Founder

Shane Connelly.

Founder · ZeroQuarry

Previously at Elastic, Kong, Vectara, HP, SPREAD.AI.

Fifteen years building developer infrastructure that handles a lot of trust: search at Elastic, the API gateway at Kong, RAG at Vectara, and developer platforms before and after. Security work shadowed every role.

Across those rooms: sat on the security mailing list deciding which inbound reports earned a CVE. Negotiated and reviewed pen-test SOWs with three external firms. Ran SOC 2 engagements end-to-end at four companies. And on the other side of the desk, a HackerOne payout for breaking authentication on a major travel platform.

The pattern across all of it: most inbound reports were noise, and the real ones always brought a working PoC. ZeroQuarry's agent loop is built around that pattern as a hard constraint.

field note · 2026
“Every product I've worked on shipped with bugs that a determined attacker would find in a week and that no scanner ever flagged. ZeroQuarry is built to be the scanner that would have flagged them. Not because it's smarter, but because it's allowed to be wrong, get caught, and try again.”

Start mining your 0-days. Today.

Spin up a ZeroQuarry workspace in under a minute and point it at your first repo, binary, or live endpoint. Or talk to us directly.

No credit card required