Building an Adversarial Consensus Engine | Multi-Agent LLMs for Automated Malware Analysis

Keypoints

• Single-tool LLM analysis is unreliable because decompiler artifacts, dead code, and parsing quirks in outputs (e.g., mangled strings, compiler stubs) propagate into confident but incorrect reports.
• The system uses a serial consensus pipeline on OpenClaw with an Orchestrator and four tool-specific subagents (r2 → Ghidra → Binary Ninja → IDA Pro) that pass a Shared Context in-memory between rounds.
• The pipeline runs in three phases: initial extraction, an adversarial “Gauntlet” peer-review round where agents must AGREE or DISAGREE, and a final report-writing stage anchoring claims to virtual addresses and decompilation snippets.
• An Active Rejection Mandate requires subagents to explicitly reject incorrect claims and record rationale, preventing artifacts (e.g., mangled C2 strings, decompiler hallucinations) from reaching the final report.
• Deterministic bridge scripts that dump comprehensive tool outputs to disk were chosen over MCP to ensure deterministic extraction, lower latency, predictable token usage, and better prompt-caching economics.
• Tiered reasoning assigns stronger models to the Orchestrator and report-writer and cheaper models to subagents, balancing cost and reasoning capability while handling rate-limit and concurrency constraints.
• Operational lessons included normalizing subagent output schemas, adding exit-code propagation to bridge scripts, capping concurrency to avoid rate limits, and preserving state in the Orchestrator to recover from dropped subagents.