How We Built the Strobes AI Harness: Engineering an Automated Agentic Security Platform

Wrapping an agent around a model is the easy part. Making it run a real engagement is where most agentic security tooling quietly falls apart.

At Strobes, the bet was simple: the model isn't the moat. New models ship every month and get better on their own. What doesn't come for free is the layer around them, the context management, the skills, the tools, the agent design engineered specifically for offensive security.

That layer is the harness, and it's where the hard problems live.

The first real pentest exposed all of them at once. A two-hour engagement that spans multiple targets, manages credentials, hands a browser back to a human mid-test, and holds state without freezing the interface none of that is a model capability. It's a systems problem. It took breaking things repeatedly to get right.

Strobes started with pentesting: tools, skills, custom agents, and context engineering built for one job done well. Once that held, the same harness scaled into the rest of exposure management. This session is a walkthrough of how it was engineered from decisions to failures, and what got thrown out before it worked.

What we'll cover:

1. Orchestrator and sub-agent fleet design and how tenant isolation holds across concurrent engagements.

 2. Keeping long-running tasks coherent summarization middleware, observation masking, and prompt caching, because a two-hour run otherwise drowns in its own context.

 3. What the agent can reach beyond text code interpreter, credential manager, threat-intel feeds, out-of-band receivers, dashboards, and generative UI rendered directly in chat.

 4. Non-blocking sub-agent execution background threads and durable state so a long pentest never locks the interface.

 5. When the agent stops and asks a human plan approval, the human-input tool, and clean browser handover.

 6. Real operational reach without unconstrained access a shell sandbox, an in-network browser bridge, and local proxy isolation.

 45 minutes of open content, live Q&A at the end. No registration fee, and the full recording goes out within 24 hours.

Who should attend:

1 - Security Engineers and Pentesters

2 - Engineering Leads and Architects

3 - AppSec Practitioners

4 - AI Security Researchers and Red teamers

5 - Anyone running multi-agent security workflows in production

The harness around the model is the product. This talk is about what it took to build it.