Vireon is a fully autonomous application security investigation platform built on a Band of Agents architecture. Given a GitHub repository URL, Vireon deploys 8 specialized agents that collaborate through Band to investigate, debate, patch, and ship security fixes without human intervention.

The pipeline runs in five phases. Phase 1 runs Threat Intel and Static Analysis in parallel, fetching CVEs from OSV.dev and NVD while Semgrep scans the codebase for vulnerability patterns. Phase 2 uses an Exploitability agent powered by an LLM to triage findings and confirm which are actually reachable in the call graph. Phase 3 is the Challenger, a red team agent that pressures the investigation by hunting for mitigations, dismissing false positives, and forcing confidence down when evidence is weak. Phase 4 loops Remediation and Compliance: the Remediation agent generates code patches and dependency bumps, and the Compliance agent gates them against security policy and forces retries if the patch weakens any auth path. Phase 5 runs Verification (re-running Semgrep on the patched code) and Delivery, which opens a real GitHub pull request with a full CVE table, attack vector summary, and confidence scores.

Every agent decision is fused into a single confidence score using a weighted model. If fused confidence drops below the abort threshold, the pipeline halts rather than shipping a weak patch.

All 8 agents post updates to a shared Band chat room in real time, and every event, agent result, and decision is persisted to SQLite and streamed to a live React dashboard via FastAPI. The frontend war room shows confidence evolution, a live event feed, a CVE knowledge graph, and a full investigation report. The backend is deployed on Railway; the frontend on Vercel.
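
The Phase 4 Compliance gate described above rejects a patch that weakens an auth path. One way such a check could work over a unified diff, as an added example that is not Vireon's own code; the rule names, regexes, `compliance_gate` and the sample patch are assumptions constructed for illustration:

```python
import re
from collections import Counter
# Hypothetical policy (an assumption, not Vireon's rules): guards that must
# not vanish from a file, and weakening constructs that must not be added.
GUARDS = {"login_required": re.compile(r"@login_required\b")}
WEAKENERS = {"tls_verify_off": re.compile(r"\bverify\s*=\s*False\b")}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def compliance_gate(diff_text):
    """Return sorted (file, rule) violations found in a unified diff."""
    removed, added, violations = Counter(), Counter(), set()
    path, old_left, new_left = None, 0, 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:   # between hunks: headers only
            if line.startswith("+++ "):
                path = line[4:].split("\t")[0].removeprefix("b/")
            elif m := HUNK.match(line):       # an omitted count means 1
                old_left, new_left = int(m[1] or 1), int(m[2] or 1)
            continue
        tag, body = line[:1] or " ", line[1:]
        if tag == "\\":                       # "\ No newline at end of file"
            continue
        old_left -= tag in "- "               # hunk counts keep "--- x" inside
        new_left -= tag in "+ "               # a hunk from parsing as a header
        if tag in "+-":
            seen = added if tag == "+" else removed
            for rule, rx in GUARDS.items():
                seen[path, rule] += bool(rx.search(body))
        if tag == "+":
            violations |= {(path, rule) for rule, rx in WEAKENERS.items()
                           if rx.search(body)}
    # A guard deleted and re-added in the same file (moved) is not a net loss.
    violations |= {key for key, n in removed.items() if n > added[key]}
    return sorted(violations)
# Constructed sample: an injection fix that drops a decorator, plus a pure move.
SAMPLE_DIFF = """\
--- a/app/orders.py
+++ b/app/orders.py
@@ -10,3 +10,2 @@
-@login_required
 def order_detail(order_id):
-    row = db.execute("SELECT * FROM orders WHERE id=" + order_id)
+    row = db.execute("SELECT * FROM orders WHERE id=?", (order_id,))
--- a/app/profile.py
+++ b/app/profile.py
@@ -5,2 +5,2 @@
-@login_required
 @cache(60)
+@login_required
"""
```

A non-empty result is what would send the patch back to the Remediation agent for a retry; regex matching on diff lines is a coarse heuristic and would sit alongside, not replace, the Semgrep re-scan in Phase 5.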