How DeepZero Automates Vulnerability Research Pipelines with YAML and LLMs

DeepZero is an open‑source, high‑concurrency pipeline engine that lets security researchers define end‑to‑end vulnerability analysis workflows in YAML, orchestrating tools like Ghidra, Semgrep and large language models, while providing parallel execution, state persistence and automatic recovery.

Black & White Path
Black & White Path
Black & White Path
How DeepZero Automates Vulnerability Research Pipelines with YAML and LLMs
DeepZero overview
DeepZero overview

1. Project Overview

DeepZero (深度零号) is a highly concurrent automation engine for vulnerability‑research pipelines, created by security researcher 416rehman. Its core idea is that vulnerability research itself is a pipeline; researchers write a YAML description of the data‑processing flow and DeepZero handles parallel orchestration, state persistence and fault recovery.

2. Core Feature Analysis

2.1 Pipeline as YAML

The main selling point is declarative pipeline definition. In a YAML file researchers describe the full path from raw files to exploitability assessment, specifying each stage’s inputs, outputs and processing logic.

# Pipeline example: LoLDrivers kernel driver research
stages:
- name: ingest_pe
  type: IngestProcessor  # stage 1 – PE parsing and metadata extraction
- name: filter_hash
  type: MapProcessor      # stage 2 – filter known safe driver hashes
- name: ghidra_decompile
  type: MapProcessor      # stage 3 – Ghidra headless decompilation
- name: semgrep_scan
  type: BulkMapProcessor # stage 4 – batch Semgrep rule scanning
- name: llm_assess
  type: MapProcessor      # stage 5 – LLM‑driven exploitability assessment

This design makes the pipeline itself a readable, code‑like document; new team members can understand the entire analysis by reading the YAML.

2.2 Massive Parallel Processing

A key bottleneck in vulnerability research is throughput – an SDI (Snappy Driver Installer) image can contain tens of thousands of driver files, making serial analysis impractical.

PE parsing stage: 16 concurrent workers to fully utilize multi‑core CPUs.

Ghidra decompilation stage: 4 concurrent workers because each Ghidra headless process is heavy.

LLM assessment stage: 2 concurrent workers to control API call rate and cost.

Official test on an 8‑core machine processed a 5,000+‑driver SDI image in roughly three hours (excluding LLM API latency).

2.3 Interruptible and Recoverable

Long‑running research jobs are vulnerable to power loss, OOM, or accidental termination. DeepZero writes an atomic per‑sample state file to disk; after an interruption, rerunning the same command automatically resumes from the last completed stage without losing any results.

2.4 LLM‑Driven Exploitability Assessment

Traditional static analysis tools can flag a problem but cannot judge whether it is exploitable. DeepZero integrates a large language model (via LiteLLM, supporting any provider) at the pipeline’s end. Using a Jinja2 template, the LLM evaluates the exploitability of an IOCTL call and returns a risk score.

# assessment.j2 example prompt
Analyze the following Windows kernel driver IOCTL call:
Device name: {{ device_name }}
IOCTL code: {{ ioctl_code }} (0x{{ ioctl_hex }})
Call trace: {{ call_trace }}
Driver version: {{ driver_version }}

Please assess whether this IOCTL could be leveraged by a low‑privilege user to gain higher privileges or execute code, and provide a risk rating from 0 to 10.

3. Built‑in Processors

pe_ingest (IngestProcessor): parses PE headers, extracts driver metadata, entry points and import tables.

loldrivers_filter (MapProcessor): filters out hashes of known safe drivers collected by loldrivers.io.

ghidra_decompile (MapProcessor): runs Ghidra in headless mode to decompile binaries and build a function call graph.

semgrep_scanner (BulkMapProcessor): batch‑executes Semgrep rules to detect dangerous code patterns.

Custom processors can be created by subclassing MapProcessor or IngestProcessor and referenced in YAML via their module path.

4. Architecture Design

The codebase is organized into three core modules:

src/deepzero/
├── engine/    # pipeline orchestration, state persistence, concurrency control
├── stages/    # built‑in processors (map, reduce, ingest)
└── api/       # REST API (experimental, supports status queries)

The REST API is currently marked as work‑in‑progress but already allows querying sample status and pipeline run data, with future plans for remote scheduling and result retrieval.

5. Quick Start

Installation requires three commands:

git clone https://github.com/416rehman/DeepZero.git
cd DeepZero
pip install -e .

Configure the LLM API (OpenAI, Anthropic, Azure OpenAI, etc.) by copying .env.example to .env and inserting the appropriate API key.

Run the bundled LoLDrivers vulnerability‑research pipeline:

deepzero run C:\drivers -p .\pipelines\loldrivers\pipeline.yaml

The command processes an entire SDI driver package and automatically generates an exploitability assessment report.

6. Significance for Chinese Security Teams

Efficiency : Enables 24/7 continuous analysis, replacing manual, step‑by‑step operations.

Lower Barrier : YAML pipelines are far easier to learn than bespoke automation scripts.

Reusability : Community‑shared pipeline templates can be quickly adapted to similar research tasks.

LLM Collaboration : Bridges the gap where static analysis can find issues but cannot judge their impact.

For enterprises with dedicated vulnerability‑research teams, DeepZero can serve as the foundation of an internal bug‑hunting platform; for independent researchers, it offers a substantial productivity boost.

7. Conclusion

DeepZero is not a “one‑click zero‑day finder” but a workflow orchestration engine whose value depends on the depth of the research performed. It transforms vulnerability research from a manual workshop into a pipeline factory, making it possible to “find zero‑days while you sleep”.

DeepZero illustration
DeepZero illustration
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

automationLLMvulnerability researchSemgrepDeepZeroGhidraYAML pipelines
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.