<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Telmon Maluleka</title>
    <description>The latest articles on DEV Community by Telmon Maluleka (@telmon_maluleka_d775640a9).</description>
    <link>https://dev.to/telmon_maluleka_d775640a9</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4023532%2F392edafd-3e35-48b1-a126-baac3c6f06f9.png</url>
      <title>DEV Community: Telmon Maluleka</title>
      <link>https://dev.to/telmon_maluleka_d775640a9</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/telmon_maluleka_d775640a9"/>
    <language>en</language>
    <item>
      <title>I Got Featured on the Official OWASP ZAP Blog — Here's How I Built an AI Layer on Top of It published: true tags: security, ai, mcp, opensource</title>
      <dc:creator>Telmon Maluleka</dc:creator>
      <pubDate>Fri, 10 Jul 2026 06:03:13 +0000</pubDate>
      <link>https://dev.to/telmon_maluleka_d775640a9/i-got-featured-on-the-official-owasp-zap-blog-heres-how-i-built-an-ai-layer-on-top-of-it-1p78</link>
      <guid>https://dev.to/telmon_maluleka_d775640a9/i-got-featured-on-the-official-owasp-zap-blog-heres-how-i-built-an-ai-layer-on-top-of-it-1p78</guid>
      <description>&lt;p&gt;Months ago I was a full-stack dev with zero security research experience. Last month, the OWASP ZAP team published a guest post about a tool I built. Here's the story, and the tech behind it.&lt;br&gt;
&lt;strong&gt;The problem&lt;/strong&gt;&lt;br&gt;
Every serious security platform locks its best automation, correlation, and workflow features behind an enterprise price tag. I wanted something fully programmatic, fully open, and fully mine to extend. So I picked ZAP — open source, scriptable REST API, no licensing walls — and started layering AI on top of it.&lt;br&gt;
The result is VulneraMCP, an MCP server that turns ZAP from "a scanner you drive" into "a scanner an AI agent drives, with a memory."&lt;br&gt;
🔗 &lt;em&gt;Repo&lt;/em&gt;: github.com/telmon95/VulneraMCP&lt;br&gt;
📝 OWASP ZAP feature: zaproxy.org/blog/2025-11-28-enhancing-zap-with-ai-for-bug-bounty-hunting&lt;br&gt;
&lt;strong&gt;What it actually does&lt;/strong&gt;&lt;br&gt;
VulneraMCP sits between an AI agent (Cursor, Claude Desktop, ChatGPT — anything that speaks MCP) and ZAP's REST API. It's not just a wrapper. Three things make it different:&lt;br&gt;
&lt;strong&gt;ZAP Integration Layer&lt;/strong&gt; — drives spidering, active/passive scanning, context management, alert retrieval&lt;br&gt;
&lt;strong&gt;MCP Proxy Layer&lt;/strong&gt; — intercepts traffic and runs custom logic ZAP doesn't ship with (IDOR checks, business-logic flaws)&lt;br&gt;
Learning Engine — ingests writeups and lab solutions from HackTheBox and PortSwigger Academy, extracts exploit patterns, and generates adaptive payloads instead of firing the same static list at every target&lt;br&gt;
Everything gets persisted to Postgres — findings, scan history, exploit patterns — so the system actually gets smarter the more you throw at it.&lt;br&gt;
The stack&lt;br&gt;
ZAP — the scanning engine (spidering, active/passive scans)&lt;br&gt;
Node.js + TypeScript — backend automation&lt;br&gt;
MCP — the AI-agent interaction layer&lt;br&gt;
PostgreSQL — learning data, scan results, exploit patterns&lt;br&gt;
Docker — containerized, works fully offline/air-gapped&lt;br&gt;
What it can do out of the box&lt;br&gt;
Recon (Subfinder, Amass, HTTPx, DNS enumeration), automated XSS/SQLi/IDOR/CSRF testing, JS analysis (deobfuscation, endpoint extraction, secret detection), Caido and ZAP proxy integration, a live dashboard, and an AI reasoning layer that explains why something is a finding instead of just dumping a severity score.&lt;br&gt;
The part I'm most proud of&lt;br&gt;
This wasn't a weekend hack. It's the product of months of manual testing, reading writeups, and rebuilding the same scanning pipeline until the learning loop actually held up. When the OWASP ZAP team reached out to feature it as a guest post, that was the first real external validation that the approach — clinical-grade patience applied to security research — actually works.&lt;br&gt;
&lt;strong&gt;Try it / build on it&lt;/strong&gt;&lt;br&gt;
It's MIT licensed and built to be extended — new training data sources, new MCP tools, new integrations (Burp, nuclei, whatever you need) all slot in cleanly.&lt;br&gt;
⭐ github.com/telmon95/VulneraMCP&lt;br&gt;
If you're working on AI-augmented security tooling or just getting into bug bounty hunting, I'd love to hear what you're building — drop a comment or hit me up @DEOXYRIBOSE404.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>typescript</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
