pentest-ai

The most autonomous pentesting AI on the market. MCP server + Python agents with 150+ security tools, exploit chaining, and PoC validation.

GitHub
Stars
14
Forks
4
Updated
Apr 8, 2026
Validated
Apr 10, 2026

pentest-ai

MCP server + 10 AI agents + 150+ security tools. One command.

Website · Quick Start · Agents · 150+ Tools · Claude Code Agents

pentest-ai connects AI to 150+ real security tools through the Model Context Protocol. It works with Claude Desktop, Cursor, VS Code Copilot, Windsurf, or any MCP-compatible client.

Point it at a target. It runs recon, finds vulnerabilities, chains them into full compromise paths, validates every finding with a working proof of concept, and generates professional reports with detection rules for your blue team.

No vendor lock-in. No cloud dependency. Runs locally.

How It Works

You: "Run a full assessment against staging.example.com"

pentest-ai:
  1. Recon       > nmap, subfinder, amass, DNS enum, OSINT
  2. Web scan    > nuclei, sqlmap, nikto, ffuf, dalfox
  3. Cloud audit > prowler, ScoutSuite, pacu
  4. AD attack   > BloodHound, Impacket, CrackMapExec
  5. Chaining    > Links 3 medium findings into domain admin
  6. Validation  > Generates safe PoC for each finding
  7. Detection   > Sigma + SPL + KQL rules for every attack
  8. Report      > Professional markdown/HTML/PDF with CVSS scores

Quick Start

# from a clone of the repository (see Development below)
pip install -e .
pentest-ai start target.example.com

That starts the MCP server. Connect from your AI client and start talking to it.

Connect to Claude Desktop

Add this to your Claude Desktop config (macOS: ~/Library/Application Support/Claude/claude_desktop_config.json; Windows: %APPDATA%\Claude\claude_desktop_config.json):

{
  "mcpServers": {
    "pentest-ai": {
      "command": "pentest-ai",
      "args": ["server", "start"]
    }
  }
}

Connect to Cursor / VS Code Copilot

Add the same MCP server config in your editor's settings. Any client that speaks MCP will work.

Agents

10 specialist agents, each focused on a specific attack surface.

Agent              | What It Does
-------------------|-----------------------------------------------------------------
Recon              | Port scanning, service fingerprinting, subdomain enum, OSINT
Web                | SQLi, XSS, SSRF, IDOR, auth bypass, API testing, business logic
AD                 | BloodHound, Kerberoasting, AS-REP, delegation abuse, DCSync
Cloud              | AWS/Azure/GCP misconfigs, IAM escalation, exposed services
Mobile             | Android/iOS app analysis, API interception, SSL pinning bypass
Wireless           | WPA/WPA2/WPA3, evil twin, rogue AP, Bluetooth
Social Engineer    | Phishing campaign design, pretexting, vishing frameworks
Exploit Chain      | Correlates findings across agents into multi-step attack paths
PoC Validator      | Auto-generates safe, non-destructive proofs of concept
Report + Detection | Professional reports with Sigma, SPL, and KQL rules

Every agent stores findings in a local SQLite database. Findings persist across sessions and feed into the chaining engine.

Tools

158 security tools organized into 6 categories. pentest-ai wraps each tool with structured output parsing so findings flow directly into the database.

Network (30+ tools)

nmap, masscan, rustscan, netcat, hping3, arping, tcpdump, Wireshark (tshark), responder, mitm6, bettercap, ettercap, arpwatch, nbtscan, enum4linux, smbclient, rpcclient, ldapsearch, snmpwalk, onesixtyone, fierce, dnsrecon, dnsenum, dig, whois, traceroute, mtr, ping, netdiscover, fping

Web (40+ tools)

nuclei, sqlmap, nikto, gobuster, ffuf, feroxbuster, dirb, dirbuster, wfuzz, dalfox, xsstrike, commix, ssrfmap, tplmap, arjun, paramspider, waybackurls, gau, httpx, httprobe, whatweb, wappalyzer, wafw00f, burpsuite, zaproxy, w3af, arachni, skipfish, wpscan, joomscan, droopescan, cmsmap, testssl, sslscan, sslyze, jwt_tool, graphqlmap, postman, curl, wget

Password (20+ tools)

hydra, hashcat, john, medusa, ncrack, patator, cewl, crunch, cupp, mentalist, ophcrack, fcrackzip, pdfcrack, rarcrack, aircrack-ng, cowpatty, hash-identifier, haiti, name-that-hash, kerbrute

Binary (15+ tools)

checksec, gdb, radare2, ghidra, objdump, strace, ltrace, file, strings, binwalk, foremost, volatility, ropper, ROPgadget, pwntools

Cloud (20+ tools)

prowler, ScoutSuite, pacu, enumerate-iam, cloudfox, cloudsplaining, pmapper, steampipe, trivy, grype, syft, kube-hunter, kubeaudit, kubectl, docker, crane, cosign, falco, tracee, tetragon

OSINT (25+ tools)

theHarvester, sherlock, recon-ng, maltego, spiderfoot, amass, subfinder, assetfinder, findomain, massdns, puredns, shuffledns, crt.sh, shodan, censys, zoomeye, hunter.io, phonebook, dehashed, h8mail, trufflehog, gitleaks, git-secrets, gitrob, shhgit

Built-in Scanners (Zero Dependencies)

Don't have nmap installed? pentest-ai includes built-in scanners that work immediately:

  • Port scanner (async TCP connect)
  • HTTP header analyzer (missing security headers, CORS, cookies)
  • SSL/TLS checker (expiry, weak ciphers, deprecated protocols)
  • Path discovery (admin panels, backups, .env files, .git exposure)
  • DNS enumerator (A records, subdomain brute-force)
  • Secret scanner (AWS keys, GitHub tokens, JWTs, connection strings in responses)

# Works with zero external tools installed
pentest-ai start target.example.com --scope recon
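The header, cookie, CORS and secret checks from that list can be shown without any network access. The block below is an added example, not pentest-ai's built-in scanner: it runs those checks over a constructed HTTP response. The header list in EXPECTED_HEADERS, the regexes in SECRET_PATTERNS, the finding ids and the severities are this example's own choices.

```python
import re

# Constructed sample response; not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Set-Cookie: session=0123456789abcdef; Path=/\r\n"
    "Set-Cookie: csrf=5f3a; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><script>var cfg={key:'AKIAIOSFODNN7EXAMPLE'};</script></html>\r\n"
)

# Headers whose absence is reported (name -> severity); example's own choice.
EXPECTED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
    "x-frame-options": "low",
    "referrer-policy": "low",
}

# Patterns for three of the secret types the built-in scanner lists. The AWS key
# pattern matches the AKIA/ASIA prefix plus 16 uppercase alphanumerics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def analyze_response(raw: str) -> list[dict]:
    """Return findings as dicts with id, severity and detail."""
    _, headers, body = parse_response(raw)
    present = {n: v for n, v in headers}   # last value wins; Set-Cookie handled below
    findings = []

    for name, sev in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append({"id": f"missing_header:{name}", "severity": sev,
                             "detail": f"{name} header not set"})

    # Browsers never send credentials to a wildcard origin, so this combination is
    # usually a sign the app reflects Origin instead; worth re-testing with a crafted Origin.
    if (present.get("access-control-allow-origin") == "*"
            and present.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append({"id": "cors_wildcard_with_credentials", "severity": "medium",
                         "detail": "ACAO * combined with ACAC true; check for Origin reflection"})

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            findings.append({"id": f"cookie_missing_flags:{cookie_name}", "severity": "low",
                             "detail": f"cookie {cookie_name} lacks {', '.join(missing)}"})

    server = present.get("server", "")
    if re.search(r"/\d", server):
        findings.append({"id": "server_version_disclosure", "severity": "info",
                         "detail": f"Server header reveals {server}"})

    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(body):
            token = m.group(0)
            findings.append({"id": f"secret:{kind}", "severity": "high",
                             "detail": f"{kind} in response body: {token[:4]}...{token[-4:]}"})
    return findings


if __name__ == "__main__":
    for f in analyze_response(SAMPLE_RESPONSE):
        print(f"[{f['severity']:6}] {f['id']}: {f['detail']}")
```

Secrets are reported with only the first and last four characters so the finding can be stored and shipped in a report without copying the credential itself into it.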

Exploit Chaining

Most scanners give you a list of isolated findings. pentest-ai connects them.

Example: 5 medium-severity findings individually look minor. The chaining engine discovers they connect into a path from unauthenticated user to domain admin.

SSRF in /api/internal > Read cloud metadata > AWS keys
  > Lateral move to staging DB > Extract AD service account creds
    > Kerberoast > Crack hash > Domain Admin

Each chain is validated with a working PoC before it shows up in your report.
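To make the chaining idea concrete, here is an added example (not the project's own engine) that stores findings in SQLite the way the Agents section describes and searches them for paths. It models each finding as an edge from the capability it requires to the capability it grants, so chain discovery is a path search from "unauthenticated" to "domain_admin". The rows in SAMPLE_FINDINGS are constructed to mirror the chain above, with a dead-end XSS added, and the validated flag shows how unvalidated findings can be kept out of reported chains. Table and column names are this example's own.

```python
import sqlite3

# Each finding is an edge in a capability graph: exploiting a finding that
# `requires` one capability hands the attacker the capability it `grants`.
SCHEMA = """
CREATE TABLE IF NOT EXISTS findings (
    id        TEXT PRIMARY KEY,
    title     TEXT NOT NULL,
    severity  TEXT NOT NULL,
    requires  TEXT NOT NULL,
    grants    TEXT NOT NULL,
    validated INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed findings mirroring the chain in the text; none is from a real engagement.
SAMPLE_FINDINGS = [
    ("F1", "SSRF in /api/internal",                  "medium", "unauthenticated", "internal_http"),
    ("F2", "Cloud metadata reachable via SSRF",      "medium", "internal_http",   "aws_keys"),
    ("F3", "AWS keys grant access to staging DB",    "medium", "aws_keys",        "db_access"),
    ("F4", "AD service account creds stored in DB",  "medium", "db_access",       "domain_user"),
    ("F5", "Kerberoastable SPN with crackable hash", "medium", "domain_user",     "domain_admin"),
    ("F6", "Reflected XSS on /search",               "medium", "unauthenticated", "victim_session"),
]


def open_findings_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_finding(conn, fid, title, severity, requires, grants, validated=False):
    conn.execute("INSERT OR REPLACE INTO findings VALUES (?, ?, ?, ?, ?, ?)",
                 (fid, title, severity, requires, grants, int(validated)))
    conn.commit()


def mark_validated(conn, fid):
    """Called once a PoC for the finding has actually succeeded."""
    conn.execute("UPDATE findings SET validated = 1 WHERE id = ?", (fid,))
    conn.commit()


def load_sample(conn):
    for row in SAMPLE_FINDINGS:
        add_finding(conn, *row)


def discover_chains(conn, start="unauthenticated", goal="domain_admin", validated_only=False):
    """Depth-first search; returns every acyclic path (list of finding ids) from start to goal."""
    sql = "SELECT id, requires, grants FROM findings"
    if validated_only:
        sql += " WHERE validated = 1"
    by_requirement: dict[str, list[tuple[str, str]]] = {}
    for fid, requires, grants in conn.execute(sql):
        by_requirement.setdefault(requires, []).append((fid, grants))

    chains = []

    def walk(capability, path):
        if capability == goal:
            chains.append(path)
            return
        for fid, grants in by_requirement.get(capability, []):
            if fid not in path:          # never reuse a finding within one chain
                walk(grants, path + [fid])

    walk(start, [])
    return chains


def describe_chain(conn, chain):
    """Render a chain in the same 'A > B > C' style as the example above."""
    titles = dict(conn.execute("SELECT id, title FROM findings"))
    return " > ".join(titles[fid] for fid in chain)


if __name__ == "__main__":
    db = open_findings_db()
    load_sample(db)
    for chain in discover_chains(db):
        print(describe_chain(db, chain))
```

With validated_only=True the search only walks findings whose PoC has succeeded, which is the property the sentence above promises: a chain that depends on an unconfirmed finding never reaches the report.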

Architecture

pentest-ai/
├── mcp_server/       # FastMCP server, exposes all tools via MCP protocol
├── agents/           # 10 specialist Python agents
├── tools/            # 158 tool wrappers with output parsers
├── engine/           # Orchestrator + findings DB + built-in scanners
├── cli/              # CLI interface (Typer + Rich)
├── config/           # YAML config
└── tests/            # Test suite

Configuration

# config/pentest-ai.yaml
llm:
  provider: openai        # or anthropic, ollama
  model: gpt-4o
  temperature: 0.0

agent:
  auto_chain: true
  auto_validate_pocs: true
  auto_generate_detections: true
  hitl_mode: true          # Human approval before exploitation

scope:
  allowed_targets: []
  excluded_targets: []
  max_depth: 3
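The scope block is only policy until something enforces it. The following is an added example (not pentest-ai's own code) of a fail-closed scope gate an orchestrator could run before any tool is launched: it reads the same allowed_targets and excluded_targets keys, treats entries as hostnames, *.wildcards, single IPs or CIDR blocks, refuses everything when the allow-list is empty, and lets exclusions win over allows. The values in SCOPE are constructed.

```python
import ipaddress

# Constructed scope section using the same keys as config/pentest-ai.yaml
# (hypothetical values, not a real engagement).
SCOPE = {
    "allowed_targets": ["staging.example.com", "*.staging.example.com", "10.20.0.0/16"],
    "excluded_targets": ["db.staging.example.com", "10.20.99.0/24"],
}


def _matches(target: str, pattern: str) -> bool:
    """True if target (hostname or IP literal) is covered by pattern.

    pattern may be a hostname, a *.wildcard, a single IP or a CIDR block.
    """
    # IP / CIDR patterns only ever match IP targets, never hostnames.
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(target) in net
        except ValueError:
            return False

    t = target.lower().rstrip(".")
    p = pattern.lower().rstrip(".")
    if p.startswith("*."):
        # Keep the leading dot in the suffix so "*.staging.example.com" is not
        # satisfied by "staging.example.com.attacker.net" or "notstaging.example.com".
        return t.endswith(p[1:])
    return t == p


def in_scope(target: str, scope: dict = SCOPE) -> bool:
    """Fail closed: no allow-list means nothing is in scope, and exclusions beat allows."""
    allowed = scope.get("allowed_targets") or []
    excluded = scope.get("excluded_targets") or []
    if not allowed:
        return False
    if any(_matches(target, p) for p in excluded):
        return False
    return any(_matches(target, p) for p in allowed)


def require_in_scope(target: str, scope: dict = SCOPE) -> str:
    """Gate to call right before launching any tool; raises rather than silently skipping."""
    if not in_scope(target, scope):
        raise PermissionError(f"{target} is outside the authorised scope")
    return target


if __name__ == "__main__":
    for t in ["staging.example.com", "api.staging.example.com", "db.staging.example.com",
              "10.20.5.7", "10.20.99.12", "staging.example.com.attacker.net"]:
        print(f"{t:40} {'IN SCOPE' if in_scope(t) else 'refused'}")
```

Two details matter in practice: the gate checks the literal target string, so a hostname that resolves into an excluded range is not caught here and needs a second check after resolution; and an empty allowed_targets (the default in the YAML above) must mean "nothing", not "everything".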

MCP Tools Reference

Tool                     | Description
-------------------------|-----------------------------------------------------
start_engagement         | Begin a full pentest against a target
run_recon                | Reconnaissance (passive, standard, deep)
test_web_app             | Web application security testing
test_active_directory    | AD security assessment
test_cloud               | Cloud provider security audit
run_tool                 | Run any of the 158 tools directly
discover_attack_chains   | Find exploit chains from existing findings
validate_finding         | Generate a safe PoC for a specific finding
generate_detection_rules | Create Sigma/SPL/KQL rules
generate_report          | Professional report (markdown, HTML, PDF, JSON)
builtin_scan             | Run built-in scans (no external tools needed)
get_findings             | Query findings by severity, status, engagement

Claude Code Agents

Looking for the Claude Code version? pentest-ai-agents has 28 specialized Claude Code subagents for penetration testing. No server, no dependencies. Copy .md files into Claude Code and go.

           | pentest-ai (this repo)                         | pentest-ai-agents
-----------|------------------------------------------------|----------------------------------------
Type       | MCP server + Python agents                     | Claude Code subagents
Works with | Any MCP client (Claude, Cursor, Copilot, etc.) | Claude Code only
Tools      | 158 tool wrappers with output parsing          | Uses whatever tools are on your system
Install    | pip install -e .                               | Copy .md files
Best for   | Automated assessments, CI/CD integration       | Interactive pentesting, learning, CTFs

Requirements

  • Python 3.10+
  • An MCP-compatible AI client (Claude Desktop, Cursor, VS Code Copilot, etc.)
  • Security tools you want to use (optional, built-in scanners work without any)

Development

git clone https://github.com/0xSteph/pentest-ai.git
cd pentest-ai
pip install -e ".[dev]"
pytest tests/ -v

FAQ

Does this replace manual pentesting? No. It accelerates it. The agents handle recon, scanning, and correlation. You make the decisions about what to exploit and how deep to go. Human-in-the-loop is on by default.

Is my data sent to the cloud? No. Everything runs locally. The only external calls are to whatever LLM provider you configure (OpenAI, Anthropic, or a local model via Ollama).

Can I add my own tools? Yes. Add a SecurityTool entry in tools/registry.py with a command template and output parser. The tool is immediately available through the MCP server.
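As an added example (not the project's tools/registry.py, whose SecurityTool class is not reproduced here), this shows the shape a wrapper with a command template and an output parser takes, as described in the Tools section and this answer: the template is rendered into an argv list without a shell, the target is validated before substitution, and the parser turns nmap's grepable (-oG) output into records ready for the findings database. The output in SAMPLE_OUTPUT is constructed in nmap's real -oG layout; the class, field and function names are this example's own.

```python
import re
import shlex
import subprocess
from dataclasses import dataclass
from typing import Callable

# Hostnames, IPv4/IPv6 literals and CIDR blocks; spaces and shell metacharacters are rejected.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-:/]*$")


@dataclass
class SecurityTool:
    name: str
    command: str                          # argv template with {placeholders}
    parser: Callable[[str], list[dict]]   # raw stdout -> structured records

    def build_command(self, **params) -> list[str]:
        """Render the template into an argv list. The template is tokenised first and
        values substituted afterwards, so a value can never become extra arguments."""
        if "target" in params and not TARGET_RE.match(params["target"]):
            raise ValueError(f"refusing unsafe target {params['target']!r}")
        return [token.format(**params) for token in shlex.split(self.command)]

    def run(self, timeout: int = 600, **params) -> list[dict]:
        """Execute without a shell and hand stdout to the parser (needs the tool installed)."""
        proc = subprocess.run(self.build_command(**params), capture_output=True,
                              text=True, timeout=timeout, check=False)
        return self.parser(proc.stdout)


def parse_nmap_grepable(output: str) -> list[dict]:
    """Parse nmap -oG output. Each 'Ports:' entry has the layout
    port/state/protocol/owner/service/rpc-info/version/ and entries are comma separated."""
    records = []
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            records.append({
                "host": host,
                "port": int(fields[0]),
                "state": fields[1],
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
    return records


NMAP = SecurityTool("nmap", "nmap -sV -oG - {target}", parse_nmap_grepable)

# Constructed nmap -oG output; not from a real scan.
SAMPLE_OUTPUT = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.20.5.7\n"
    "Host: 10.20.5.7 (staging.example.com)\tStatus: Up\n"
    "Host: 10.20.5.7 (staging.example.com)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, "
    "80/open/tcp//http//nginx 1.18.0/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


if __name__ == "__main__":
    print(NMAP.build_command(target="10.20.5.7"))
    for rec in parse_nmap_grepable(SAMPLE_OUTPUT):
        print(rec)
```

The argv list is passed to subprocess.run directly, never through a shell, and the target regex rejects anything that is not a hostname, IP or CIDR; together those two choices are what keep an LLM-supplied target like "10.20.5.7; id" from ever reaching a shell, which matters in a tool whose inputs are produced by a model.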

What about false positives? The PoC validator generates a safe proof of concept for every finding. If the PoC fails, the finding is flagged as unconfirmed. Only validated findings appear in the final report.

Legal

This tool is for authorized security testing only. Always get written permission before testing any system you don't own. See LICENSE for the MIT license.


Built by 0xSteph · pentestai.xyz · Claude Code Agents
