VCAO: Verifier-Centered Agentic Orchestration for Strategic OS Vulnerability Discovery

New AI orchestrator treats vulnerability hunting as a strategic game, outperforming traditional fuzzers and static analyzers.

Deep Dive

Researcher Suyash Mishra has introduced VCAO (Verifier-Centered Agentic Orchestration), a novel AI system that radically reframes the hunt for operating system vulnerabilities. Instead of treating it as a passive scanning task, VCAO models the process as a strategic, repeated game against a hypothetical attacker—a Bayesian Stackelberg search game. At its core, a Large Reasoning Model (LRM) orchestrator acts as a game-theoretic strategist. It dynamically allocates a limited analysis budget (time, compute) across thousands of potential targets in the kernel—specific files, functions, and attack paths—while coordinating external verification tools like static analyzers and fuzzers.

The system's six-layer architecture includes surface mapping, attack-graph construction, and a game-theoretic ranking engine that solves a Mixed-Integer Linear Programming (MILP) problem for optimal resource allocation. This allows it to learn and adapt over time, with formal mathematical guarantees on its performance (Õ(√T) regret bounds). In rigorous experiments replaying 847 historical CVEs across five Linux kernel subsystems, VCAO demonstrated a massive efficiency leap. It discovered 2.7 times more validated vulnerabilities per unit of budget than standard coverage-guided fuzzing, 1.9 times more than static-analysis-only approaches, and 1.4 times more than non-strategic multi-agent AI pipelines. Crucially, it also slashed the false-positive rate presented to human security engineers by 68%, dramatically reducing alert fatigue. The framework and evaluation tools have been released as open-source artifacts.
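The summary describes the orchestrator's core loop only in outline: rank candidate targets, spend a fixed analysis budget on the best-ranked subset, let verification tools (fuzzers, static analyzers) confirm or reject, then update beliefs and reallocate. The following is an added illustration of that loop, not code from the paper or its open-source artifacts, and it assumes a deliberately simplified model: each target carries a Beta(alpha, beta) belief about the probability that analysing it yields a validated finding, the per-round allocation is an exact 0/1 knapsack (the simplest special case of a MILP), and the verifier's verdicts are folded back in as Bayesian updates. Target names, costs, priors and verdicts are constructed sample values; the real system's attack-graph features, Stackelberg attacker model and regret guarantees are not modelled here.

```python
"""Toy verifier-in-the-loop budget allocation (added illustration, not VCAO code).

Each round: solve a small knapsack over candidate kernel targets to maximise the
expected number of validated findings within the budget, hand the chosen targets
to a verifier, and update each target's Beta belief from the verdicts.  All
targets, costs, priors and verdicts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Target:
    name: str
    cost: int            # analysis budget units (e.g. fuzzing hours) to cover it
    alpha: float = 1.0   # Beta prior: pseudo-count of validated findings so far
    beta: float = 1.0    # Beta prior: pseudo-count of analyses that found nothing

    def expected_yield(self) -> float:
        """Posterior mean of the probability that analysing this target pays off."""
        return self.alpha / (self.alpha + self.beta)


def allocate(targets: List[Target], budget: int) -> List[str]:
    """Exact 0/1 knapsack: pick the target subset with the highest total
    expected yield whose summed cost fits the budget (a toy stand-in for the
    MILP ranking step).  Returns the chosen target names, sorted."""
    best: List[Tuple[float, Tuple[str, ...]]] = [(0.0, ())] * (budget + 1)
    for t in targets:
        v = t.expected_yield()
        for c in range(budget, t.cost - 1, -1):          # iterate downwards: each target used at most once
            cand_value = best[c - t.cost][0] + v
            if cand_value > best[c][0]:
                best[c] = (cand_value, best[c - t.cost][1] + (t.name,))
    return sorted(best[budget][1])


def update_beliefs(targets: List[Target], verdicts: Dict[str, bool]) -> None:
    """Bayesian update: a validated finding increments alpha, a dry run increments beta."""
    by_name = {t.name: t for t in targets}
    for name, found in verdicts.items():
        if found:
            by_name[name].alpha += 1
        else:
            by_name[name].beta += 1


def run_rounds(targets: List[Target], budget: int,
               verifier_rounds: List[Dict[str, bool]]) -> List[List[str]]:
    """Repeated game: allocate, consult the verifier, learn, reallocate.
    Returns the target set chosen in each round."""
    chosen_per_round: List[List[str]] = []
    for verdicts in verifier_rounds:
        chosen = allocate(targets, budget)
        chosen_per_round.append(chosen)
        # Only verdicts on targets actually analysed this round carry information.
        update_beliefs(targets, {n: r for n, r in verdicts.items() if n in chosen})
    return chosen_per_round


def sample_targets() -> List[Target]:
    """Constructed candidate targets; names are illustrative labels, not real paths."""
    return [
        Target("net:tcp_input", cost=3, alpha=3, beta=2),   # prior yield 0.60
        Target("fs:ext4_inode", cost=2, alpha=1, beta=3),   # prior yield 0.25
        Target("usb:hub", cost=2, alpha=3, beta=1),         # prior yield 0.75
        Target("bpf:verifier", cost=4, alpha=2, beta=1),    # prior yield 0.67
    ]


# Constructed verifier verdicts for two rounds (True = validated finding).
SAMPLE_VERDICTS = [
    {"bpf:verifier": False, "usb:hub": True},
    {"usb:hub": True, "net:tcp_input": True},
]


if __name__ == "__main__":
    targets = sample_targets()
    for i, chosen in enumerate(run_rounds(targets, budget=6, verifier_rounds=SAMPLE_VERDICTS), 1):
        print(f"round {i}: analysed {chosen}")
    for t in targets:
        print(f"{t.name:15s} posterior yield {t.expected_yield():.2f}")
```

With a budget of 6, round one spends it on `bpf:verifier` and `usb:hub`; after the verifier reports a dry run on the BPF target, its belief drops and round two shifts the same budget to `net:tcp_input` and `usb:hub`. That reallocation, driven by verifier feedback rather than a fixed scan order, is the behaviour the summary attributes to the orchestrator; the false-positive reduction it reports would correspond, in this toy, to only surfacing targets whose findings the verifier has actually confirmed.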

Key Points
  • Frames vulnerability discovery as a Bayesian Stackelberg game, using an LRM orchestrator to strategically allocate analysis resources.
  • Outperformed baselines significantly, finding 2.7x more validated vulnerabilities per unit of budget than coverage-guided fuzzing and reducing false positives by 68% in Linux kernel tests.
  • Released as open-source, providing a simulation framework and attack-graph generator for the security research community.

Why It Matters

This could automate and drastically improve the efficiency of securing critical infrastructure, finding more real threats with less human effort.