Design of an AI Agent for the Generation of Vulnerable Virtual Environments

The steady increase of new software vulnerabilities puts growing pressure on current cybersecurity systems. To improve detection and mitigation capabilities, security experts seek to discover novel attack patterns and understand how new vulnerabilities can be exploited. One way to do that, is to manually create in-vitro scenarios (e.g., virtual environments) to safely observe and log attack data, without exposing real systems to risks. However, making scenarios that accurately reproduce realistic conditions is a complex, time-consuming task that requires a wide range of skills in virtualization technologies, cybersecurity, and service configuration. Recent developments in the Artificial Intelligence (AI) field and the continuous growth of Large Language Models (LLMs) have highlighted their potential to automate complex tasks. Applying these technologies to streamline the creation of in-vitro scenarios would enable security experts to save time and safely perform penetration testing, patch development, collect attack data, and analyse data on these environments. Building on this idea, this thesis proposes an AI agent designed to automate the generation of vulnerable virtual environments. The LLM-automated workflow replicates the structured reasoning of a human expert and is divided into four sequential steps: (1) CVE validation, (2) information retrieval, (3) generation of the virtual environment, and (4) static vulnerability assessment. Particularly, the agent receives as input the identifier of the vulnerability, namely the CVE-ID (Common Vulnerabilities and Exposures Identifier); gathers the services required to reproduce the virtual environment; iteratively builds the environment through a build-and-test loop; and finally assesses whether the environment is vulnerable to the input CVE. I systematically evaluate several LLMs (GPT-4o, GPT-5, and gpt-oss:120B) to automate the AI agent. Results on 100 CVEs show that the AI agent can develop a working virtual environment for 63% of the tested vulnerabilities, with 27% of them confirmed to be vulnerable to the input CVE. These preliminary results demonstrate the potential of AI agent in the automation process to aid the work of cybersecurity experts. Future works will need to improve the current architecture, analyse a larger set of vulnerabilities, and explore the benefits of a multi-agent framework.