{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,8]],"date-time":"2026-07-08T12:22:21Z","timestamp":1783513341481,"version":"3.55.0"},"publisher-location":"New York, NY, USA","reference-count":30,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,4,12]],"date-time":"2026-04-12T00:00:00Z","timestamp":1775952000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"National Research Foundation, Singapore, and the Smart Nation Group under the Smart Nation Group's Translational R&D Grant","award":["TRANS2023-TGC02"],"award-info":[{"award-number":["TRANS2023-TGC02"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,4,12]]},"DOI":"10.1145\/3786582.3786814","type":"proceedings-article","created":{"date-parts":[[2026,7,8]],"date-time":"2026-07-08T11:52:47Z","timestamp":1783511567000},"page":"76-80","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["PenForge: On-the-Fly Expert Agent Construction for Automated Penetration Testing"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-9842-5026","authenticated-orcid":false,"given":"Huihui","family":"Huang","sequence":"first","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0799-5018","authenticated-orcid":false,"given":"Jieke","family":"Shi","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-9945-7729","authenticated-orcid":false,"given":"Junkai","family":"Chen","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6001-1372","authenticated-orcid":false,"given":"Ting","family":"Zhang","sequence":"additional","affiliation":[{"name":"Monash University, Melbourne, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1566-725X","authenticated-orcid":false,"given":"Yikun","family":"Li","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6100-8127","authenticated-orcid":false,"given":"Chengran","family":"Yang","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7759-348X","authenticated-orcid":false,"given":"Eng Lieh","family":"Ouh","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5130-0407","authenticated-orcid":false,"given":"Lwin Khin","family":"Shar","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4367-7201","authenticated-orcid":false,"given":"David","family":"Lo","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,7,8]]},"reference":[{"key":"e_1_3_3_1_2_2","unstructured":"2024. Perplexity API Documentation. https:\/\/docs.perplexity.ai."},{"key":"e_1_3_3_1_3_2","doi-asserted-by":"publisher","unstructured":"Brad Arkin Scott Stender and Gary McGraw. 2005. Software Penetration Testing. IEEE Secur. Priv. 3 1 (2005) 84\u201387. 10.1109\/MSP.2005.23","DOI":"10.1109\/MSP.2005.23"},{"key":"e_1_3_3_1_4_2","doi-asserted-by":"publisher","unstructured":"Matt Bishop. 2007. About Penetration Testing. IEEE Secur. Priv. 5 6 (2007) 84\u201387. 10.1109\/MSP.2007.159","DOI":"10.1109\/MSP.2007.159"},{"key":"e_1_3_3_1_5_2","unstructured":"Mark Chen. 2021. Evaluating large language models trained on code. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2107.03374 (2021)."},{"key":"e_1_3_3_1_6_2","unstructured":"Gelei Deng Yi Liu V\u00edctor Mayoral-Vilches Peng Liu Yuekang Li Yuan Xu Tianwei Zhang Yang Liu Martin Pinzger and Stefan Rass. 2023. Pentestgpt: An llm-empowered automatic penetration testing tool. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2308.06782 (2023)."},{"key":"e_1_3_3_1_7_2","unstructured":"epi052. 2025. feroxbuster Documentation. https:\/\/epi052.github.io\/feroxbuster-docs\/docs\/."},{"key":"e_1_3_3_1_8_2","first-page":"1","volume-title":"2023 International Conference on Business Analytics for Technology and Security (ICBATS)","author":"Fatima Areej","year":"2023","unstructured":"Areej Fatima, Tahir\u00a0Abbas Khan, Tamer\u00a0Mohamed Abdellatif, Sidra Zulfiqar, Muhammad Asif, Waseem Safi, Hussam Al\u00a0Hamadi, and Amer\u00a0Hani Al-Kassem. 2023. Impact and research challenges of penetrating testing and vulnerability assessment on network threat. In 2023 International Conference on Business Analytics for Technology and Security (ICBATS). IEEE, 1\u20138."},{"key":"e_1_3_3_1_9_2","doi-asserted-by":"publisher","unstructured":"Junda He Christoph Treude and David Lo. 2025. LLM-Based Multi-Agent Systems for Software Engineering: Literature Review Vision and the Road Ahead. ACM Trans. Softw. Eng. Methodol. 34 5 Article 124 (May 2025) 30\u00a0pages. 10.1145\/3712003","DOI":"10.1145\/3712003"},{"key":"e_1_3_3_1_10_2","unstructured":"Huihui Huang Ratnadira Widyasari Ting Zhang Ivana\u00a0Clairine Irsan Jieke Shi Han\u00a0Wei Ang Frank Liauw Eng\u00a0Lieh Ouh Lwin\u00a0Khin Shar Hong\u00a0Jin Kang and David Lo. 2025. Back to the Basics: Rethinking Issue-Commit Linking with LLM-Assisted Retrieval. arxiv:https:\/\/arXiv.org\/abs\/2507.09199\u00a0[cs.SE] https:\/\/arxiv.org\/abs\/2507.09199"},{"key":"e_1_3_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2002.1176290"},{"key":"e_1_3_3_1_12_2","unstructured":"He Kong Die Hu Jingguo Ge Liangxiong Li Tong Li and Bingzhen Wu. 2025. Vulnbot: Autonomous penetration testing for a multi-agent collaborative framework. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2501.13411 (2025)."},{"key":"e_1_3_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-FOSE59343.2023.00010"},{"key":"e_1_3_3_1_14_2","unstructured":"National Institute of Standards and Technology. [n. d.]. National Vulnerability Database (NVD). https:\/\/nvd.nist.gov\/."},{"key":"e_1_3_3_1_15_2","unstructured":"National\u00a0Institute of Standards and Technology. [n. d.]. NVD - Vulnerability Metrics. https:\/\/nvd.nist.gov\/vuln-metrics\/cvss."},{"key":"e_1_3_3_1_16_2","unstructured":"Penforge:\u00a0Replication Package. 2025. Replication package of Penforge. https:\/\/github.com\/huanghuihui0904\/PenForge.git"},{"key":"e_1_3_3_1_17_2","unstructured":"PortSwigger Ltd.2024. Burp Suite. https:\/\/portswigger.net\/burp."},{"key":"e_1_3_3_1_18_2","unstructured":"Open Worldwide Application\u00a0Security Project. 2021. A01 Broken Access Control - OWASP Top 10. https:\/\/owasp.org\/Top10\/A01_2021-Broken_Access_Control\/?utm_source=chatgpt.com."},{"key":"e_1_3_3_1_19_2","unstructured":"Rapid7. 2024. Metasploit Framework. https:\/\/www.metasploit.com."},{"key":"e_1_3_3_1_20_2","unstructured":"Abhik Roychoudhury. 2025. Agentic AI for Software: thoughts from Software Engineering community. arxiv:https:\/\/arXiv.org\/abs\/2508.17343\u00a0[cs.SE] https:\/\/arxiv.org\/abs\/2508.17343"},{"key":"e_1_3_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3708821.3733882"},{"key":"e_1_3_3_1_22_2","doi-asserted-by":"publisher","unstructured":"Jieke Shi Zhou Yang and David Lo. 2025. Efficient and Green Large Language Models for Software Engineering: Literature Review Vision and the Road Ahead. ACM Trans. Softw. Eng. Methodol. 34 5 (2025) 137:1\u2013137:22. 10.1145\/3708525","DOI":"10.1145\/3708525"},{"key":"e_1_3_3_1_23_2","unstructured":"Significant Gravitas. 2023. Auto-GPT: An experimental open-source attempt to make GPT-4 fully autonomous. https:\/\/github.com\/Significant-Gravitas\/AutoGPT."},{"key":"e_1_3_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCSET.2016.7452095"},{"key":"e_1_3_3_1_25_2","unstructured":"The Cyphere. 2024. Penetration Testing Statistics Vulnerabilities and Trends in 2024. https:\/\/thecyphere.com\/blog\/penetration-testing-statistics\/."},{"key":"e_1_3_3_1_26_2","unstructured":"U.S. Department of the Interior. 2024. Penetration Testing. https:\/\/www.doi.gov\/ocio\/customers\/penetration-testing."},{"key":"e_1_3_3_1_27_2","unstructured":"Chengran Yang Zhensu Sun Hong\u00a0Jin Kang Jieke Shi and David Lo. 2025. Think Like Human Developers: Harnessing Community Knowledge for Structured Code Reasoning. arxiv:https:\/\/arXiv.org\/abs\/2503.14838\u00a0[cs.SE] https:\/\/arxiv.org\/abs\/2503.14838"},{"key":"e_1_3_3_1_28_2","volume-title":"The Thirteenth International Conference on Learning Representations, ICLR 2025, Singapore, April 24-28, 2025","author":"Zhang Andy\u00a0K.","year":"2025","unstructured":"Andy\u00a0K. Zhang, Neil Perry, Riya Dulepet, Joey Ji, Celeste Menders, Justin\u00a0W. Lin, Eliot Jones, Gashon Hussein, Samantha Liu, Donovan\u00a0Julian Jasper, Pura Peetathawatchai, Ari Glenn, Vikram Sivashankar, Daniel Zamoshchin, Leo Glikbarg, Derek Askaryar, Haoxiang Yang, Aolin Zhang, Rishi Alluri, Nathan Tran, and et al.2025. Cybench: A Framework for Evaluating Cybersecurity Capabilities and Risks of Language Models. In The Thirteenth International Conference on Learning Representations, ICLR 2025, Singapore, April 24-28, 2025. OpenReview.net. https:\/\/openreview.net\/forum?id=tc90LV0yRL"},{"key":"e_1_3_3_1_29_2","volume-title":"Forty-second International Conference on Machine Learning, ICML 2025, Vancouver, BC, Canada, July 13-19, 2025","author":"Zhu Yuxuan","year":"2025","unstructured":"Yuxuan Zhu, Antony Kellermann, Dylan Bowman, Philip Li, Akul Gupta, Adarsh Danda, Richard Fang, Conner Jensen, Eric Ihli, Jason Benn, Jet Geronimo, Avi Dhir, Sudhit Rao, Kaicheng Yu, Twm Stone, and Daniel Kang. 2025. CVE-Bench: A Benchmark for AI Agents\u2019 Ability to Exploit Real-World Web Application Vulnerabilities. In Forty-second International Conference on Machine Learning, ICML 2025, Vancouver, BC, Canada, July 13-19, 2025. OpenReview.net. https:\/\/openreview.net\/forum?id=3pk0p4NGmQ"},{"key":"e_1_3_3_1_30_2","unstructured":"Yuxuan Zhu Antony Kellermann Akul Gupta Philip Li Richard Fang Rohan Bindu and Daniel Kang. 2024. Teams of llm agents can exploit zero-day vulnerabilities. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2406.01637 (2024)."},{"key":"e_1_3_3_1_31_2","unstructured":"Terry\u00a0Yue Zhuo Dingmin Wang Hantian Ding Varun Kumar and Zijian Wang. 2025. Cyber-Zero: Training Cybersecurity Agents without Runtime. arxiv:https:\/\/arXiv.org\/abs\/2508.00910\u00a0[cs.CR] https:\/\/arxiv.org\/abs\/2508.00910"}],"event":{"name":"ICSE-NIER '26: 2026 IEEE\/ACM 48th International Conference on Software Engineering","location":"Rio de Janeiro Brazil","acronym":"ICSE-NIER '26","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the IEEE\/ACM 48th International Conference on Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3786582.3786814","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,8]],"date-time":"2026-07-08T11:55:38Z","timestamp":1783511738000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3786582.3786814"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,12]]},"references-count":30,"alternative-id":["10.1145\/3786582.3786814","10.1145\/3786582"],"URL":"https:\/\/doi.org\/10.1145\/3786582.3786814","relation":{},"subject":[],"published":{"date-parts":[[2026,4,12]]},"assertion":[{"value":"2026-07-08","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}