Agent Zero: The Self-Modifying Security Agent Framework

Amit Nepal
Security Engineer · Linux & Infrastructure · Offensive Security
Jun 1, 2026 · 1 min read
AI & Agents


Agent Zero takes a different approach from most AI agent frameworks: it starts minimal and builds its own capabilities by writing and storing tools as it encounters new problem types. A single operator prompt can grow into a full capability set over the course of an engagement.

The core concept

Most frameworks ship with a fixed toolset. Agent Zero ships with:

  • A code execution environment
  • A memory system
  • A capability to write and save new tools

That's it. When it encounters a task it can't handle, it writes a tool to handle it — and that tool becomes available for future tasks.
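The loop that makes a written tool "available for future tasks" reduces to a small persistent store: save the source the agent produced, reload it in a later session. The following is an added illustration of that loop, not Agent Zero's own code; the `ToolStore` class, its on-disk layout and the `url_params` tool are assumptions made here for the example.

```python
"""Minimal persistent tool store of the kind the write-up describes.

Added example, not Agent Zero's own code: ToolStore, its on-disk layout
and the url_params tool are assumptions made here for illustration.
"""
import importlib.util
import json
import pathlib
import tempfile
from typing import Callable, Dict, List


class ToolStore:
    """Saves agent-written tools as Python modules and reloads them later.

    Each tool lives in <tool_dir>/<name>.py and exposes a run() function;
    index.json keeps the name and the description the agent gave it, so a
    later session can list what it already has without importing anything.
    """

    def __init__(self, tool_dir) -> None:
        self.tool_dir = pathlib.Path(tool_dir)
        self.tool_dir.mkdir(parents=True, exist_ok=True)
        self.index_path = self.tool_dir / "index.json"
        self.index: Dict[str, str] = (
            json.loads(self.index_path.read_text()) if self.index_path.exists() else {}
        )

    def names(self) -> List[str]:
        return sorted(self.index)

    def save(self, name: str, description: str, source: str) -> None:
        """Persist a tool the agent has just written.

        The source is compiled first so a syntax error is rejected at write
        time instead of surfacing in some later session; compiling does not
        execute anything.
        """
        if not name.isidentifier():
            raise ValueError(f"tool name must be a valid identifier: {name!r}")
        compile(source, f"<tool {name}>", "exec")
        (self.tool_dir / f"{name}.py").write_text(source)
        self.index[name] = description
        self.index_path.write_text(json.dumps(self.index, indent=2))

    def load(self, name: str) -> Callable[..., object]:
        """Import a saved tool and return its run() entry point.

        exec_module runs the agent-written source in this interpreter: this
        is the trust boundary, which is why the store belongs inside the
        sandbox and never on the operator's host.
        """
        path = self.tool_dir / f"{name}.py"
        spec = importlib.util.spec_from_file_location(f"agent_tool_{name}", str(path))
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)
        return module.run


def demo(tool_dir=None) -> List[str]:
    """Session 1 writes a tool; a fresh session 2 finds it and runs it."""
    tool_dir = tool_dir or tempfile.mkdtemp(prefix="agent_tools_")
    session1 = ToolStore(tool_dir)
    session1.save(
        "url_params",
        "list the query parameter names in a URL",
        "from urllib.parse import urlparse, parse_qs\n"
        "\n"
        "def run(url):\n"
        "    return sorted(parse_qs(urlparse(url).query))\n",
    )
    session2 = ToolStore(tool_dir)  # a new session pointed at the same directory
    assert session2.names() == ["url_params"]
    return session2.load("url_params")("http://target.lab/search?q=x&page=2")


def rejects_bad_source(tool_dir=None) -> bool:
    """A tool that does not even parse is never written to disk."""
    store = ToolStore(tool_dir or tempfile.mkdtemp(prefix="agent_tools_"))
    try:
        store.save("broken", "will not parse", "def run(:\n    pass\n")
    except SyntaxError:
        return not (store.tool_dir / "broken.py").exists() and "broken" not in store.index
    return False


if __name__ == "__main__":
    print(demo())                # ['page', 'q']
    print(rejects_bad_source())  # True
```

The compile-before-write check only catches code that does not parse; nothing here reviews what a tool does, which is the point of the sandbox discussed under Safety boundaries.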

from agent_zero import Agent

agent = Agent(
    model="claude-sonnet-4-6",
    execution_env="docker",  # tools run in isolated container
    memory="persistent",     # learned tools survive between sessions
)

# Agent will write tools as needed
agent.run("Enumerate the web application at http://target.lab and identify injection points")

Watching it build capabilities

On a typical web app engagement, Agent Zero will:

  1. Start with basic HTTP requests
  2. Encounter JavaScript rendering — write a Playwright wrapper
  3. Find API endpoints — write a schema-aware fuzzer
  4. Find auth — write a session management helper

By hour three, it has a custom toolkit tuned exactly to the target stack.

Safety boundaries

Self-modifying agents require strict sandbox controls. The agent writes and then executes code nobody has reviewed, so the sandbox, not the prompt, is what keeps that code away from the host, its credentials and anything outside the engagement scope:

from agent_zero import Agent, DockerSandbox

agent = Agent(
    model="claude-sonnet-4-6",
    execution_env=DockerSandbox(
        network="isolated",                    # no default egress from the container
        allowed_outbound=["192.168.1.0/24"],   # engagement scope only
        max_cpu="200m",
        max_memory="512Mi",
        tool_persistence=True,                 # tools written here survive between sessions
    ),
)
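What an `allowed_outbound` list has to enforce, shown as an added example rather than Agent Zero's code: every connection a tool opens is checked against the scope before it is made. `ScopePolicy`, its resolver hook and the sample hostnames are assumptions; hostnames are resolved through a caller-supplied function so the check runs offline here against a constructed table, and a real sandbox would pass the resolver its containers actually use.

```python
"""Egress scope check of the kind an allowed_outbound setting implies.

Added example, not Agent Zero's code: ScopePolicy, its resolver hook and
the sample hostnames are assumptions. Hostnames are resolved through a
caller-supplied function so the check runs offline here with a constructed
table; a real sandbox would pass the resolver its containers actually use.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit


class ScopePolicy:
    """Allow a connection only if every address the target maps to is in scope."""

    def __init__(self, allowed_outbound: Iterable[str], resolve: Callable[[str], List[str]]):
        # strict=False accepts "192.168.1.10/24" as the /24 it sits in
        self.allowed = [ipaddress.ip_network(cidr, strict=False) for cidr in allowed_outbound]
        self.resolve = resolve

    def _addresses(self, host: str):
        try:
            return [ipaddress.ip_address(host)]            # literal IPv4/IPv6
        except ValueError:
            return [ipaddress.ip_address(a) for a in self.resolve(host)]

    def permits(self, target: str) -> bool:
        """target is a URL or a bare host[:port]; deny by default."""
        parsed = urlsplit(target if "://" in target else f"//{target}")
        host = parsed.hostname
        if not host:
            return False
        addresses = self._addresses(host)
        if not addresses:                                  # NXDOMAIN or resolver failure
            return False
        # all(), not any(): a name with one in-scope and one out-of-scope
        # record is rejected outright rather than half-allowed.
        return all(any(addr in net for net in self.allowed) for addr in addresses)


# Constructed DNS table standing in for the sandbox's resolver.
FAKE_DNS: Dict[str, List[str]] = {
    "target.lab": ["192.168.1.20"],
    "mixed.lab": ["192.168.1.21", "203.0.113.7"],   # one record in scope, one not
    "gone.lab": [],                                 # does not resolve
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def check_targets(targets: Iterable[str], allowed=("192.168.1.0/24",)) -> Dict[str, bool]:
    """Evaluate each target against the scope; returns {target: allowed?}."""
    policy = ScopePolicy(allowed, fake_resolve)
    return {t: policy.permits(t) for t in targets}


if __name__ == "__main__":
    results = check_targets([
        "http://target.lab/login",
        "192.168.1.5:8080",
        "http://mixed.lab/",
        "http://169.254.169.254/latest/meta-data/",   # cloud metadata endpoint
        "gone.lab",
        "[fe80::1]:22",
    ])
    for target, ok in results.items():
        print("allow" if ok else "deny ", target)
```

Resolve at connect time rather than once when the policy is loaded: a DNS answer that changes after the check (rebinding) would otherwise carry a tool out of scope, and the per-connection check is also the only place an agent-written tool that builds its own HTTP client can be caught.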

Defensive implications

An agent that builds its own tools is harder to detect than one running known tooling: there is no known user agent, binary hash or request signature to match, because the tool was written minutes ago for this target. Behavioural detection has to key on what the agent does, not on which tool it uses:

  • Systematic HTTP fuzzing patterns, whatever client sent them: one source cycling through many path and parameter variants and drawing a high error ratio
  • Unusual process chains (Python → bash → curl in rapid succession)
  • New scripts or executables written to temp directories and executed shortly afterwards
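The first two of those signals as detection logic run over constructed sample logs. This is an added example, not code from Agent Zero or from any detection product; the log formats, field order and thresholds are assumptions and need tuning to real traffic. The fuzzing detector deliberately never reads the User-Agent, since the agent's client is unknown.

```python
"""Behavioural detections for freshly written tooling, over constructed logs.

Added example, not Agent Zero's or any product's code. The log formats,
field order and thresholds are assumptions and need tuning to real traffic.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed access log: timestamp client method path status user_agent
ACCESS_LOG = """\
2026-06-01T10:00:00 10.0.0.9 GET / 200 Mozilla/5.0
2026-06-01T10:00:04 10.0.0.9 GET /login 200 Mozilla/5.0
2026-06-01T10:00:09 10.0.0.9 POST /login 302 Mozilla/5.0
2026-06-01T10:01:00 10.0.0.5 GET /login?user=admin 200 Mozilla/5.0
2026-06-01T10:01:01 10.0.0.5 GET /login?user=admin' 500 Mozilla/5.0
2026-06-01T10:01:02 10.0.0.5 GET /login?user=admin%22 500 Mozilla/5.0
2026-06-01T10:01:03 10.0.0.5 GET /login?user=admin%00 400 Mozilla/5.0
2026-06-01T10:01:04 10.0.0.5 GET /login?user=admin%27%20or%201%3D1-- 500 Mozilla/5.0
2026-06-01T10:01:05 10.0.0.5 GET /login?user=%3Cscript%3E 403 Mozilla/5.0
2026-06-01T10:01:06 10.0.0.5 GET /api/v1/users?id=1 200 Mozilla/5.0
2026-06-01T10:01:07 10.0.0.5 GET /api/v1/users?id=1' 500 Mozilla/5.0
2026-06-01T10:01:08 10.0.0.5 GET /api/v1/users?id=../../etc/passwd 404 Mozilla/5.0
""".splitlines()


def fuzz_sources(lines, window=timedelta(seconds=60), min_requests=8,
                 min_variants=6, min_error_ratio=0.5) -> List[str]:
    """Clients that, inside one window, sent many distinct path/query variants
    and drew mostly errors: the shape of parameter fuzzing, whatever client
    produced it. The User-Agent column is parsed and ignored on purpose."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, _method, path, status, _ua = line.split(maxsplit=5)
        by_client[client].append((datetime.fromisoformat(ts), path, int(status)))
    flagged = []
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _, _) in enumerate(reqs):
            win = [r for r in reqs[i:] if r[0] - t0 <= window]
            if len(win) < min_requests:
                continue
            variants = {path for _, path, _ in win}
            errors = sum(1 for _, _, status in win if status >= 400)
            if len(variants) >= min_variants and errors / len(win) >= min_error_ratio:
                flagged.append(client)
                break
    return sorted(flagged)


# Constructed process-start events: timestamp host pid ppid image
PROCESS_EVENTS = """\
2026-06-01T10:00:00 host1 4000 1 /usr/bin/python3
2026-06-01T10:00:01 host1 4001 4000 /bin/bash
2026-06-01T10:00:02 host1 4002 4001 /usr/bin/curl
2026-06-01T09:00:00 host1 3000 1 /usr/bin/python3
2026-06-01T09:30:00 host1 3001 3000 /bin/bash
2026-06-01T09:30:01 host1 3002 3001 /usr/bin/curl
2026-06-01T10:05:00 host2 5000 1 /usr/bin/bash
2026-06-01T10:05:01 host2 5001 5000 /usr/bin/curl
""".splitlines()


def process_chains(events, chain=("python", "bash", "curl"),
                   max_gap=timedelta(seconds=5)) -> List[Tuple[str, List[int]]]:
    """Ancestry chains whose images match `chain` in order, each child started
    within `max_gap` of its parent. Returns (host, [pids root..leaf])."""
    procs = {}
    for line in events:
        ts, host, pid, ppid, image = line.split()
        procs[(host, int(pid))] = (datetime.fromisoformat(ts), int(ppid), os.path.basename(image))
    hits = []
    for (host, pid), (ts, ppid, image) in procs.items():
        if not image.startswith(chain[-1]):
            continue
        lineage, child_ts, cur = [pid], ts, ppid
        for want in reversed(chain[:-1]):
            parent = procs.get((host, cur))
            if parent is None or not parent[2].startswith(want) or child_ts - parent[0] > max_gap:
                break
            lineage.append(cur)
            child_ts, cur = parent[0], parent[1]
        else:                                  # every hop matched within max_gap
            hits.append((host, lineage[::-1]))
    return sorted(hits)


if __name__ == "__main__":
    print(fuzz_sources(ACCESS_LOG))        # ['10.0.0.5']
    print(process_chains(PROCESS_EVENTS))  # [('host1', [4000, 4001, 4002])]
```

In the sample, 10.0.0.5 is flagged on request rate, variant count and error ratio alone; the 09:30 bash → curl on host1 is not, because its python parent started half an hour earlier (an interactive shell, not a tool chain). That per-hop gap also means a long-lived agent process that spawns shells much later is not caught by this rule by itself, which is why the fuzzing signal and the dropped-executable signal belong alongside it.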