How DeepZero Automates Vulnerability Research Pipelines with YAML and LLMs
DeepZero is an open‑source, high‑concurrency pipeline engine that lets security researchers define end‑to‑end vulnerability analysis workflows in YAML, orchestrating tools like Ghidra, Semgrep and large language models, while providing parallel execution, state persistence and automatic recovery.
1. Project Overview
DeepZero (深度零号) is a highly concurrent automation engine for vulnerability‑research pipelines, created by security researcher 416rehman. Its core idea is that vulnerability research itself is a pipeline; researchers write a YAML description of the data‑processing flow and DeepZero handles parallel orchestration, state persistence and fault recovery.
2. Core Feature Analysis
2.1 Pipeline as YAML
The main selling point is declarative pipeline definition. In a YAML file researchers describe the full path from raw files to exploitability assessment, specifying each stage’s inputs, outputs and processing logic.
# Pipeline example: LoLDrivers kernel driver research
stages:
- name: ingest_pe
type: IngestProcessor # stage 1 – PE parsing and metadata extraction
- name: filter_hash
type: MapProcessor # stage 2 – filter known safe driver hashes
- name: ghidra_decompile
type: MapProcessor # stage 3 – Ghidra headless decompilation
- name: semgrep_scan
type: BulkMapProcessor # stage 4 – batch Semgrep rule scanning
- name: llm_assess
type: MapProcessor # stage 5 – LLM‑driven exploitability assessmentThis design makes the pipeline itself a readable, code‑like document; new team members can understand the entire analysis by reading the YAML.
2.2 Massive Parallel Processing
A key bottleneck in vulnerability research is throughput – an SDI (Snappy Driver Installer) image can contain tens of thousands of driver files, making serial analysis impractical.
PE parsing stage: 16 concurrent workers to fully utilize multi‑core CPUs.
Ghidra decompilation stage: 4 concurrent workers because each Ghidra headless process is heavy.
LLM assessment stage: 2 concurrent workers to control API call rate and cost.
Official test on an 8‑core machine processed a 5,000+‑driver SDI image in roughly three hours (excluding LLM API latency).
2.3 Interruptible and Recoverable
Long‑running research jobs are vulnerable to power loss, OOM, or accidental termination. DeepZero writes an atomic per‑sample state file to disk; after an interruption, rerunning the same command automatically resumes from the last completed stage without losing any results.
2.4 LLM‑Driven Exploitability Assessment
Traditional static analysis tools can flag a problem but cannot judge whether it is exploitable. DeepZero integrates a large language model (via LiteLLM, supporting any provider) at the pipeline’s end. Using a Jinja2 template, the LLM evaluates the exploitability of an IOCTL call and returns a risk score.
# assessment.j2 example prompt
Analyze the following Windows kernel driver IOCTL call:
Device name: {{ device_name }}
IOCTL code: {{ ioctl_code }} (0x{{ ioctl_hex }})
Call trace: {{ call_trace }}
Driver version: {{ driver_version }}
Please assess whether this IOCTL could be leveraged by a low‑privilege user to gain higher privileges or execute code, and provide a risk rating from 0 to 10.3. Built‑in Processors
pe_ingest (IngestProcessor): parses PE headers, extracts driver metadata, entry points and import tables.
loldrivers_filter (MapProcessor): filters out hashes of known safe drivers collected by loldrivers.io.
ghidra_decompile (MapProcessor): runs Ghidra in headless mode to decompile binaries and build a function call graph.
semgrep_scanner (BulkMapProcessor): batch‑executes Semgrep rules to detect dangerous code patterns.
Custom processors can be created by subclassing MapProcessor or IngestProcessor and referenced in YAML via their module path.
4. Architecture Design
The codebase is organized into three core modules:
src/deepzero/
├── engine/ # pipeline orchestration, state persistence, concurrency control
├── stages/ # built‑in processors (map, reduce, ingest)
└── api/ # REST API (experimental, supports status queries)The REST API is currently marked as work‑in‑progress but already allows querying sample status and pipeline run data, with future plans for remote scheduling and result retrieval.
5. Quick Start
Installation requires three commands:
git clone https://github.com/416rehman/DeepZero.git
cd DeepZero
pip install -e .Configure the LLM API (OpenAI, Anthropic, Azure OpenAI, etc.) by copying .env.example to .env and inserting the appropriate API key.
Run the bundled LoLDrivers vulnerability‑research pipeline:
deepzero run C:\drivers -p .\pipelines\loldrivers\pipeline.yamlThe command processes an entire SDI driver package and automatically generates an exploitability assessment report.
6. Significance for Chinese Security Teams
Efficiency : Enables 24/7 continuous analysis, replacing manual, step‑by‑step operations.
Lower Barrier : YAML pipelines are far easier to learn than bespoke automation scripts.
Reusability : Community‑shared pipeline templates can be quickly adapted to similar research tasks.
LLM Collaboration : Bridges the gap where static analysis can find issues but cannot judge their impact.
For enterprises with dedicated vulnerability‑research teams, DeepZero can serve as the foundation of an internal bug‑hunting platform; for independent researchers, it offers a substantial productivity boost.
7. Conclusion
DeepZero is not a “one‑click zero‑day finder” but a workflow orchestration engine whose value depends on the depth of the research performed. It transforms vulnerability research from a manual workshop into a pipeline factory, making it possible to “find zero‑days while you sleep”.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
