Discovering vulnerabilities automatically
The system finds attack surface and chooses where to probe — no human picks the test cases.
Orchestrator queues attacks across all 18 (category, subcategory) cells from the threat model. Scheduled probes + background traffic keep coverage warm. Heatmap shows where tests have landed.
Coverage-gap scorer ranks under-tested cells highest each cycle. Event-driven trigger (target login / file ingest / LLM call → webhook → focused probe) so discovery reacts to live target activity.
A separate "is this harmful?" pre-screen LLM. The Judge already evaluates harm on responses; a second classifier on candidates duplicates work without adding signal.