KAOS: AI Powered Autonomous Cyber Security Scanning Engine

Quick answer: KAOS is an AI powered, largely autonomous security testing and vulnerability scanning engine built by DSET. With a multi-agent architecture it covers a wide area, from reconnaissance to web, network, API, cloud and smart contracts; it verifies every vulnerability it finds in a controlled and safe way and reports only proven findings. It works alongside human experts, not instead of them.

The first thing a security analyst sees in the morning is often a pile of alerts. A classic automated scanner ran overnight and produced hundreds of lines of "possible vulnerability." The analyst spends the first hours of the day sorting which of these are real and which are noise. Worse, most of that list is false positives: threats that cannot actually be exploited and do not really exist. That is precisely why we at DSET built KAOS: the real value of AI in cyber security is not "producing more alerts" but delivering "few but verified, prioritized, real findings."

Why does KAOS exist? The false positive problem

Traditional vulnerability scanners rely on signature matching. They look at a server's version information, compare it to a known vulnerability database, and say "this version might have this flaw." The problem hides in one word: might. The scanner does not test whether the flaw is actually exploitable in that environment. The result is a vast sea of alerts in which a handful of real findings are lost.

The analyst drowning in this sea spends most of their time on manual verification. They examine each alert one by one, set up a test environment, and attempt the exploit. It is tiring, slow and error prone. The question we asked when designing KAOS was clear: can a machine do this verification work safely on its own? If it can, the human expert can focus only on proven and important findings.

How does KAOS work? Multi-agent architecture

KAOS is not a single program; it is a system that behaves like a team of experts. At the heart of the architecture is an orchestrator that coordinates the work. The orchestrator recognizes the target, fingerprints it, and decides which areas of expertise come into play. It then assigns AI expert-agents, each trained in its own field.

These agents represent different disciplines:

  • Reconnaissance agent: Maps the target's surface: subdomains, open ports, technologies in use.
  • Web application agent: Investigates application-layer vulnerabilities such as injection, authentication bypass and privilege escalation.
  • Network and infrastructure agent: Examines service configuration, exposed services and protocol-level weaknesses.
  • Active Directory agent: Examines misconfigurations and privilege paths in enterprise identity infrastructure.
  • API agent: Tests logic and authorization flaws in REST, GraphQL and similar interfaces.
  • Web3 and smart contract agent: Looks at economic and logical security flaws in on-chain contracts.
  • Cloud and mobile agents: Evaluate cloud configuration and the mobile application surface separately.

It is hard for a single person to be deeply expert in all these areas at once. The multi-agent approach of KAOS widens coverage by giving each area of expertise its own dedicated attention and runs the scan in parallel. We describe how it combines with our red team approach on our red team attack simulation service page.

"Generate and verify": the real difference of KAOS

This is where the most critical feature that separates KAOS from an ordinary scanner begins. When KAOS detects a possible vulnerability, it does not stop. It generates an exploit for that vulnerability and attempts it in a controlled, safe way. Verification is evidence based: KAOS runs the exploit without harming the target, in a way that leaves an auditable trace (a canary), and observes whether it actually works.

The logic is simple but powerful. If the exploit produces a provable result, this is no longer a guess but a verified finding and is marked "CONFIRMED." If it cannot, KAOS does not put that alert in the report at all. This way false positives are eliminated before they ever reach the report. The list in front of the analyst is not hundreds of noise-filled lines, but a few real findings, each arriving with its proof.
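The reporting gate described above, as an added example that is not DSET's code: a finding is marked CONFIRMED only when the canary bound to that exact finding and target was observed, and everything else is dropped before the report. The per-run key, the canary format and all field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Per-scan secret (assumption): without it nobody can forge a valid canary.
RUN_KEY = secrets.token_bytes(32)


def canary_for(finding_id, target, key=RUN_KEY):
    """Derive the marker that only this finding's verification on this target may leave."""
    msg = f"{finding_id}|{target}".encode()
    return "canary-" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def classify(finding, observations, key=RUN_KEY):
    """CONFIRMED only if the exact expected canary was observed on the same target."""
    expected = canary_for(finding["id"], finding["target"], key)
    for obs in observations:
        if obs["target"] == finding["target"] and hmac.compare_digest(obs["marker"], expected):
            return "CONFIRMED"
    return "UNVERIFIED"


def build_report(findings, observations, key=RUN_KEY):
    """Keep proven findings only; unverified candidates never reach the report."""
    return [dict(f, status="CONFIRMED") for f in findings
            if classify(f, observations, key) == "CONFIRMED"]


def demo():
    # Constructed sample data, not real scan output.
    findings = [
        {"id": "F-1", "target": "app.example.test", "title": "candidate A"},
        {"id": "F-2", "target": "app.example.test", "title": "candidate B"},
        {"id": "F-3", "target": "api.example.test", "title": "candidate C"},
    ]
    observations = [
        # F-1's own canary was observed on its target: proof.
        {"target": "app.example.test", "marker": canary_for("F-1", "app.example.test")},
        # F-1's canary replayed against another host proves nothing about F-3.
        {"target": "api.example.test", "marker": canary_for("F-1", "app.example.test")},
        # A marker that merely looks like a canary is rejected as well.
        {"target": "app.example.test", "marker": "canary-" + "0" * 32},
    ]
    return [f["id"] for f in build_report(findings, observations)]


if __name__ == "__main__":
    print(demo())
```

Binding the canary to both the finding and the target is what makes the trace auditable: a reviewer holding the run key can recompute the expected marker and check the evidence independently.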

The value of this approach is in trust, not in numbers. When a finding passes through KAOS, the response is not "I need to check this" but "this is real, let us fix it now." The valuable time of the human expert goes to closing critical flaws instead of chasing threats that do not exist.

The difference between a classic scanner and KAOS

Feature           | Classic automated scanner      | KAOS
------------------|--------------------------------|------------------------------------------
Detection method  | Signature and version matching | Multi-agent analysis + exploit generation
Verification      | None, says "possible"          | Controlled, evidence-based verification
False positives   | High, analyst filters them     | Low, filtered out before the report
Coverage          | Usually a single area          | Web, network, API, AD, cloud, web3, mobile
Reporting         | Raw alert list                 | Executive summary + technical + PoC + fix
Learning          | Static database                | Self-learning from verified findings
Framework mapping | Limited                        | Mapped to OWASP, MITRE ATT&CK

Self-learning: KAOS improves over time

KAOS becomes smarter after every scan. It records its verified findings into a vector memory (semantic memory). When it encounters a similar pattern on a new target, it recalls cases it proved in the past and adapts that accumulated knowledge to the new situation. This is the RAG (retrieval augmented generation) approach applied to security testing.

As a result KAOS is not a static tool. Every verified vulnerability becomes a lasting lesson that makes future scans faster and more accurate. We covered the engine's technical architecture in more depth in our KAOS AI engine article.

Safe and responsible architecture

One of the biggest concerns with an AI based security tool is that the tool itself becomes an attack surface. KAOS was designed to be protected from the start. The system is hardened against prompt injection and data exfiltration attempts; content entering and leaving the model is inspected. KAOS only runs against an authorized target and respects the defined scope boundary; it does not drift to an asset it is not permitted to touch.
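One way to enforce a scope boundary like the one described above, as an added example that is not DSET's code: a default-deny check that every candidate target must pass before any agent touches it. The scope structure, function names and sample hosts are assumptions made for illustration.

```python
import ipaddress

# Constructed engagement scope (assumption): what the asset owner authorized.
SCOPE = {
    "domains": ["example.test"],                # the domain and its subdomains
    "cidrs": [ipaddress.ip_network("192.0.2.0/28")],
    "exclude": {"payments.example.test"},       # explicitly carved out
}


def normalize(host):
    """Lower-case and drop the trailing dot so 'App.Example.TEST.' matches."""
    return host.strip().lower().rstrip(".")


def in_scope(host, scope=SCOPE):
    """Default deny: True only when the host is explicitly authorized."""
    host = normalize(host)
    if not host or host in scope["exclude"]:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in scope["cidrs"])
    # Match on a label boundary, so 'evil-example.test' is not 'example.test'.
    return any(host == d or host.endswith("." + d) for d in scope["domains"])


def partition(targets, scope=SCOPE):
    """Split candidates into (allowed, refused); refused ones are logged, never touched."""
    allowed = [t for t in targets if in_scope(t, scope)]
    refused = [t for t in targets if not in_scope(t, scope)]
    return allowed, refused


if __name__ == "__main__":
    candidates = ["App.Example.TEST.", "evil-example.test",
                  "example.test.other.test", "payments.example.test",
                  "192.0.2.9", "192.0.2.200", "2001:db8::1"]
    print(partition(candidates))
```

The check covers names and address literals only; where an in-scope name resolves is a separate policy decision that this sketch does not make.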

This sense of responsibility is essential for using AI in security. NIST's AI risk management framework and the top ten risk list OWASP published for large language models describe exactly how such risks should be managed. We built KAOS with these standards in mind.

Human expert and AI: alongside, not instead

Here we must be honest. AI does not find everything. Discovering a creative, unusual, business-logic-specific vulnerability still requires the human expert's intuition, experience and flexible thinking. The claim of KAOS is not to replace the human expert; its claim is to free the human expert from low-value, repetitive and tiring work.

At DSET we see security testing as the combination of two strong layers. KAOS scans a wide area continuously and quickly, completes the first scan within hours, cleans up false positives and builds a prioritized baseline. The human expert then starts from this solid baseline and focuses on deep, creative and context-aware exploitation. We explain our entire PTES and OWASP based penetration testing process in our penetration testing process, price and when it is needed article. Together, they provide coverage and confidence that neither automation alone nor a single expert could reach.

Use cases

KAOS is strongest where continuity and broad coverage matter:

  • Continuous security monitoring: Systems change constantly; every new deployment can open a new attack surface. KAOS continuously scans this change and catches new flaws early.
  • Rapid first assessment: Before a new asset goes live, a broad baseline scan completes within hours.
  • Large asset inventory: Manually scanning many domains, applications and services one by one is impractical; KAOS meets this scale in parallel.
  • Finding prioritization: It passes an existing pile of alerts through an evidence-based filter to surface the real ones.

You can find all these capabilities and the service scope of KAOS in detail on the KAOS service page.

Frequently Asked Questions (FAQ)

Does KAOS replace the human penetration tester? No. KAOS is designed to free the human expert from repetitive, broad-scope work and let them focus on critical findings. The best result comes from combining the broad, continuous scanning of KAOS with the deep, creative analysis of the human expert.

Why does KAOS report fewer findings? Because KAOS verifies every vulnerability it finds in a controlled way and only adds proven ones to the report. Most of the hundreds of "possible" alerts produced by classic scanners are false positives; KAOS eliminates them before they reach the report. Few but real findings are more valuable than many but uncertain alerts.

Does KAOS harm my system during a scan? KAOS only runs against an authorized target and within the defined scope boundary. Verification is done in a controlled way that leaves an auditable proof without harming the target.

Which areas can KAOS scan? Thanks to its multi-agent architecture it covers reconnaissance, web application, network and infrastructure, API, Active Directory, cloud and web3 smart contract areas.

Against which standards does KAOS report its findings? Findings are mapped to frameworks such as OWASP and MITRE ATT&CK; the report includes executive summary, technical detail, proof (PoC) and remediation advice.

Sources

DSET has provided cyber security and data solutions at Hacettepe Teknokent Beytepe, Ankara since 2003. To learn more about KAOS and plan an assessment for your organization, contact us: +90 536 662 38 09.