[ Memory-corruption zero-days · Automated ]

Meet Lilith. Autonomous zero-day discovery.

Lilith is an autonomous engine that hunts memory-corruption vulnerabilities — buffer overflows, use-after-free, out-of-bounds access — in C/C++ infrastructure code. It orchestrates frontier LLMs across a 20-phase pipeline — threat modeling, adversarial exploration, ASAN-verified proof-of-concept — end-to-end, with no human in the loop. Stella runs Lilith against your codebase and delivers CVE-ready findings. 16 CVEs assigned across Firefox NSS, wolfSSL, Arm mbedTLS, and strongSwan.

16 CVEs · 4 published · $65K bounties

[01] 16 CVEs Assigned: 4 published · 12 pending disclosure

[02] 57 Findings Accepted

[03] 40+ Targets Audited

[How Lilith Works]

From git URL to CVE-ready report. Automatically.

Lilith runs four stages end-to-end, with no human in the loop. Every stage is instrumented and gated — hallucinated findings are rejected before they reach you.

[01]

Scope

You share your target codebase. Stella agrees scope, timeline, and disclosure path — then hands the repo to Lilith.

[02]

Lilith explores

Parallel LLM explorers build a threat model, cross-reference the code against protocol specs (TLS, X.509, HPKE, and more), and generate adversarial attack hypotheses.

[03]

Lilith verifies

Every candidate is compiled with AddressSanitizer and reproduced on isolated GCP instances. An evidence gate rejects hallucinated stack traces — only machine-verified crashes survive.

[04]

Lilith reports

You receive CVE-ready write-ups — CWE classification, CVSS scoring, runnable proof-of-concept code, and responsible-disclosure guidance — generated autonomously.

[Why Lilith]

What traditional tools miss. What Lilith finds.

Fuzzers can't reason about specifications. Static analyzers can't hypothesize. Manual audits take months. Lilith reasons, hypothesizes, and verifies — in hours, autonomously.

Memory corruption, hunted by reasoning

Lilith specializes in memory-corruption vulnerabilities — buffer overflows, use-after-free, out-of-bounds access — in C/C++ infrastructure code. Parallel LLM explorers read RFCs, build threat models, and generate attack hypotheses that fuzzers need millions of inputs to stumble into.

Self-verifying proof-of-concept

Every finding is built with AddressSanitizer and reproduced on isolated GCP instances. Lilith's evidence gate rejects hallucinated stack traces automatically — no false positives reach your team.

End-to-end autonomy

From git URL to CVE-ready markdown: 20 phases run without human intervention. Explore, exploit, verify, report — all automatic, in hours rather than months. 16 CVEs already assigned across Firefox NSS, wolfSSL, Arm mbedTLS, and strongSwan.

[Approach]

How a Stella audit compares.

Manual audits hand you a 50-page PDF. Stella delivers reproducible findings you can patch and verify on the spot.

Stella Audit

Cost: Starts at $5K
Time to Results: 3–6 hours per target
Proof Quality: ASAN-verified stack traces
Analysis Method: Spec-driven LLM analysis
Deliverable: CVE-ready reports with PoC

Manual Audit

Cost: $50K–$150K per engagement
Time to Results: 3–6 months
Proof Quality: Varies by auditor
Analysis Method: Human intuition
Deliverable: PDF report