The RootVector Platform Vision
Active Development & Commercialization: RootVector is an active, enterprise-grade offensive security platform under development at rootvector.dev. This is not a theoretical architecture — it is modeled after industrial-scale ASM/PT environments like Horizon3.ai's NodeZero and designed to be the next Unicorn Startup in autonomous continuous threat exposure management.
When building offensive security tools, it's easy to fall into the trap of writing isolated scripts. You write a port scanner in Python, a subdomain enumerator in Go, a vulnerability checker in bash. They work, but they don't think together.
RootVector is my answer to this fragmentation. It is an autonomous, AI-driven offensive security platform modeled after enterprise ASM/PT solutions like Horizon3.ai's NodeZero, but built entirely from the ground up to integrate LLM reasoning at every stage of the attack chain.
The Problem with Traditional Recon
A standard pentest workflow looks like this:
- Run
subfinderto get subdomains. - Feed subdomains into
httpxto find live web servers. - Feed live IPs into
nmapto find open ports. - Feed Nmap XML into
searchsploitor Nessus. - Manually read through a 400-page PDF of false positives.
This is a linear pipeline. It doesn't adapt, it doesn't learn, and it requires a human to synthesize the data. The human has to look at the output of step 2 and decide to skip step 3 because a WAF is blocking the traffic. Traditional tools just keep throwing packets at the firewall.
The RootVector Architecture
RootVector solves this by splitting the problem into two distinct ecosystems: Mapit (Attack Surface Management) and Pentit (Execution Engine), both feeding into a central AI reasoning core.
text┌─────────────────────────────────────────────────────────────┐ │ ROOTVECTOR MOTHERSHIP │ │ │ │ ┌────────────────┐ ┌────────────────┐ │ │ │ MAPIT │ │ PENTIT │ │ │ │ Attack Surface │────────▶│ Execution │ │ │ │ Management │ target │ Engine │ │ │ │ │ feed │ │ │ │ │ • Subdomains │ │ • Active Scan │ │ │ │ • Port mapping │ │ • Vuln Match │ │ │ │ • Asset enum │ │ • Exploit Rec │ │ │ │ │ │ • OODA Loop │ │ │ └────────────────┘ └───────┬────────┘ │ │ │ │ │ ┌──────▼───────┐ │ │ │ AI CORE │ │ │ │ Reasoning │ │ │ │ Engine │ │ │ └──────┬───────┘ │ │ │ │ │ ┌──────▼───────┐ │ │ │ REPORTS │ │ │ │ CVE + MSF │ │ │ │ + Reasoning │ │ │ └──────────────┘ │ └─────────────────────────────────────────────────────────────┘
1. Mapit: The Cartographer
Mapit's job is passive and low-noise. It continuously monitors an organization's external perimeter. It doesn't fire exploits; it builds a map.
- Consumes certificate transparency logs
- Resolves DNS records
- Performs stealthy banner grabbing
- Identifies technology stacks (e.g., "This is WordPress 5.8 on PHP 7.4")
When Mapit discovers a new asset or a change in the attack surface (like a newly opened RDP port), it flags the asset and automatically forwards it to Pentit.
2. Pentit: The Execution Engine
Pentit is where the OODA loop (Observe, Orient, Decide, Act) takes over. It's an orchestration framework that chains 15+ specialized modules (from CVE matching to network vulnerability checks) using an LLM to make autonomous decisions.
text┌──────────┐ │ OBSERVE │ Collect scan data (ports, banners, CVEs) └────┬─────┘ │ ┌────▼─────┐ │ ORIENT │ AI analyzes context and compares data └────┬─────┘ │ ┌────▼─────┐ │ DECIDE │ AI determines the best attack vector └────┬─────┘ │ ┌────▼─────┐ │ ACT │ Fires targeted exploit, loops back └──────────┘
The difference is the Orientation phase.
When Pentit scans a target, it doesn't just pass text to OpenAI. It maintains a stateful context window (ai/context_manager.py).
If Pentit finds an exposed Git repository on port 80, the AI remembers that. Later, when it finds an SSH service on port 2222, the AI decides: "Do not run SSH brute force. Extract the SSH keys from the exposed Git repository first, then attempt to log in."
This cross-correlation of vulnerabilities across different services and ports is the hallmark of a human pentester. Pentit automates this intuition.
AI Integration: Function Calling vs Prompting
The biggest technical leap in Pentit v2 was moving from simple prompt-response to LLM Function Calling (ai/tool_calling.py).
In v1, the AI would generate text saying "You should run an Nmap scan with the -sV flag." Then I would have to write complex regex to parse that text and actually run the command.
In v2, the AI is provided with a JSON schema of available tools (Nmap, Nikto, SearchSploit, Custom Exploit Modules). The LLM returns a structured JSON payload telling the Orchestrator exactly which Python function to call, with which arguments.
The AI isn't an advisor anymore. It's the driver.
The "-it" Ecosystem Future
RootVector is designed as a mothership platform that orchestrates specialized tools. The vision extends beyond just Mapit and Pentit:
- mapit: Attack Surface Management
- pentit: Automated Penetration Testing
- traceit: Attack path and lateral movement analysis (Planned)
- fixit: Remediation code generation and automated patching (Planned)
This is the HashiCorp model applied to offensive security. Each tool does one specific job perfectly. You can run them independently, but when they talk to each other under the RootVector umbrella, the sum is far greater than the parts.
Conclusion
We are moving away from the era of manual vulnerability scanning. The future of offensive security isn't running better tools; it's building better orchestrators that can think about attack paths the way a human does, but execute them with the speed and coverage of a machine. RootVector is my implementation of that future.