Saved in:
Bibliographic Details
Main Authors: Zhang, Ting, Li, Yikun, Yang, Chengran, Widyasari, Ratnadira, Liu, Yue, Bui, Ngoc Tan, Nguyen, Phuc Thanh, Tun, Yan Naing, Irsan, Ivana Clairine, Nguyen, Huu Hung, Huang, Huihui, Jiang, Jinfeng, Shar, Lwin Khin, Ouh, Eng Lieh, Lo, David, Kang, Hong Jin, Yin, Yide, Leow, Wen Bin
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.17860
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910147140386816
author Zhang, Ting
Li, Yikun
Yang, Chengran
Widyasari, Ratnadira
Liu, Yue
Bui, Ngoc Tan
Nguyen, Phuc Thanh
Tun, Yan Naing
Irsan, Ivana Clairine
Nguyen, Huu Hung
Huang, Huihui
Jiang, Jinfeng
Shar, Lwin Khin
Ouh, Eng Lieh
Lo, David
Kang, Hong Jin
Yin, Yide
Leow, Wen Bin
author_facet Zhang, Ting
Li, Yikun
Yang, Chengran
Widyasari, Ratnadira
Liu, Yue
Bui, Ngoc Tan
Nguyen, Phuc Thanh
Tun, Yan Naing
Irsan, Ivana Clairine
Nguyen, Huu Hung
Huang, Huihui
Jiang, Jinfeng
Shar, Lwin Khin
Ouh, Eng Lieh
Lo, David
Kang, Hong Jin
Yin, Yide
Leow, Wen Bin
contents Software vulnerabilities remain one of the most persistent threats to modern digital infrastructure. While static application security testing (SAST) tools have long served as the first line of defense, they suffer from high false-positive rates. This article presents TitanCA, a collaborative project between Singapore Management University and GovTech Singapore that orchestrates multiple large language model (LLM)-powered agents into a unified vulnerability discovery pipeline. Applied in open-source software, TitanCA has discovered 203 confirmed zero-day vulnerabilities and yielded 118 CVEs. We describe the four-module architecture, i.e., matching, filtering, inspection, and adaptation, and share key lessons from building and deploying an LLM-based vulnerability discovery solution in practice.
format Preprint
id arxiv_https___arxiv_org_abs_2604_17860
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle TitanCA: Lessons from Orchestrating LLM Agents to Discover 100+ CVEs
Zhang, Ting
Li, Yikun
Yang, Chengran
Widyasari, Ratnadira
Liu, Yue
Bui, Ngoc Tan
Nguyen, Phuc Thanh
Tun, Yan Naing
Irsan, Ivana Clairine
Nguyen, Huu Hung
Huang, Huihui
Jiang, Jinfeng
Shar, Lwin Khin
Ouh, Eng Lieh
Lo, David
Kang, Hong Jin
Yin, Yide
Leow, Wen Bin
Cryptography and Security
Software vulnerabilities remain one of the most persistent threats to modern digital infrastructure. While static application security testing (SAST) tools have long served as the first line of defense, they suffer from high false-positive rates. This article presents TitanCA, a collaborative project between Singapore Management University and GovTech Singapore that orchestrates multiple large language model (LLM)-powered agents into a unified vulnerability discovery pipeline. Applied in open-source software, TitanCA has discovered 203 confirmed zero-day vulnerabilities and yielded 118 CVEs. We describe the four-module architecture, i.e., matching, filtering, inspection, and adaptation, and share key lessons from building and deploying an LLM-based vulnerability discovery solution in practice.
title TitanCA: Lessons from Orchestrating LLM Agents to Discover 100+ CVEs
topic Cryptography and Security
url https://arxiv.org/abs/2604.17860