Researchers present VEXAIoT, an autonomous multi-agent framework that leverages Large Language Model reasoning and offensive security tools to discover and exploit vulnerabilities in Internet of Things environments. The system combines a vulnerability detection agent with an attack execution agent to perform reconnaissance, plan attack sequences, and execute exploits against vulnerable IoT services.

  • Evaluated across ten attack scenarios mapped to OWASP IoT vulnerabilities in IoTGoat and Metasploitable2 environments.
  • Achieved a 95.0% overall success rate across 260 attack executions, including 94.5% in IoTGoat and 96.7% in Metasploitable2.
  • Demonstrated attack success rates of up to 100% with low token overhead and average execution times under two minutes for most attacks.

These results demonstrate the potential for LLM-driven agents to automate IoT vulnerability assessment and offensive security workflows in controlled environments.