The core idea behind Luci is straightforward. Instead of one agent trying to do everything, we use a supervisor agent that creates and manages specialized sub-agents for each part of an engagement.
The supervisor starts with a high level objective. Something like: test this web application for vulnerabilities. It then breaks this down into specific tasks. Scan for open ports. Enumerate subdomains. Test authentication flows. Check for injection vulnerabilities. Audit the API. Each of these becomes a separate sub-agent with a focused mission.
Each sub-agent gets its own context, its own set of tools, and its own instructions. The web application testing agent knows about HTTP, cookies, and browser behavior. The network scanning agent knows about TCP, UDP, and service fingerprinting. They do not need to know about each other's domains. This specialization makes each agent more effective.
The real power comes from parallel execution and information sharing. While one agent is scanning ports, another is already testing discovered web endpoints. When the port scanner finds a database port that should not be exposed, it flags this for the exploitation agent to investigate further. The agents build on each other's findings in real time.
Context management is one of the hardest problems we solved. AI models have limited context windows. In a long engagement, the amount of information generated far exceeds what any single model can hold. We handle this by giving each agent its own working memory and letting the supervisor maintain a high level summary of findings across all agents.
When an engagement runs for hours, agents can save their progress and resume later. The supervisor keeps track of what has been tested, what findings have been made, and what still needs attention. This is what we call long horizon execution. The system does not lose track of its objective just because the task is complex.
The architecture also handles failures gracefully. If an agent encounters an error or gets stuck, the supervisor can restart it, assign the task to a different agent, or adjust the approach. This resilience is important in real-world testing where networks are unpredictable.