pentest-ai-agents

June 19, 2026 · View on GitHub

pentest-ai-agents

50 Claude Code subagents for penetration testing.

License: MIT Claude Code Agents Tools Tracked GitHub stars

Quick Start | Cheatsheet | Coverage | Agents | Examples


Table of Contents


pentest-ai-agents is a collection of 50 Claude Code subagents that turn Claude into an offensive security research assistant. Each agent carries deep domain knowledge in a specific area: recon, web, Active Directory, cloud, mobile, wireless, social engineering, payload crafting, reverse engineering, exploit chaining, detection engineering, forensics, and more.

Install the agent files. Open Claude Code. Describe your task. Claude routes to the right specialist automatically.

No servers, no Python deps, no setup beyond copying files.

What's New in v3.3

  • Installable as a Claude Code plugin. Two lines — /plugin marketplace add 0xSteph/pentest-ai-agents then /plugin install pentest-ai-agents@pentest-ai-agents. The install.sh curl path still works unchanged.
  • 15 new agents (35 → 50): ai-recon (AI attack-surface mapping), code-auditor, crypto-analyzer, password-auditor, database-attacker, network-attacker, traffic-analyzer, compliance-mapper, risk-scorer, plus the post-exploitation set — evasion-specialist, persistence-planner, data-exfiltrator, scada-attacker, iot-pentester, lateral-movement. Every offensive agent pairs its techniques with the detection they exercise.
  • Hardened CI validator. A SHA-pinned, least-privilege workflow validates each agent's frontmatter, requires the scope-guard block on every Bash-capable (Tier 2) agent, checks the plugin manifests, and smoke-tests the installer.
  • Scope-guard gap closed. cicd-redteam is Bash-capable but was missing the mandatory scope-enforcement block — now fixed (the new CI check would have caught it).
  • Installer fixes. curl | bash no longer crashes under set -u, the one-liner clone URL is corrected, slash commands now install alongside the agents, and --uninstall removes everything cleanly.
  • Minimal offline Docker bundle with a digest-pinned base and non-root user — packaging only, no tooling baked in.

What's New in v3.2

  • 4 new agents: c2-operator (Sliver/Mythic/Havoc/Cobalt Strike profile tuning, beacon hygiene, redirector design), container-breakout (Docker/K8s escape, runc/cri-o CVEs, kubelet exploitation, RBAC abuse), opsec-anonymizer (operator-side identity hygiene, source IP design, burner infrastructure, fingerprint hygiene), llm-redteam (OWASP LLM Top 10 testing, prompt injection, RAG poisoning, MCP server abuse, agent tool abuse).
  • Tightened scope guard: explicit hard-refusal list in _scope-guard.md covers DoS, mass scanning, unattended worms, false-flag operations, safety-of-life systems.
  • Findings DB v2: vulns.tool_used column for filtering findings by the tool that produced them; new indexes on cve and tool_used. Existing engagements migrate forward via db/migrate.sh.
  • Agent map diagram: visual flow from recon to closure mapped to agent names (see below).

Agent Map

flowchart LR
    classDef plan fill:#1a2a4a,stroke:#5a7ab8,color:#eaf0ff
    classDef recon fill:#1a3a2a,stroke:#5ab87a,color:#eaffea
    classDef exploit fill:#3a1a1a,stroke:#b85a5a,color:#ffeaea
    classDef post fill:#3a2a1a,stroke:#b8895a,color:#fff0ea
    classDef defense fill:#1a3a3a,stroke:#5ab8b8,color:#eaffff
    classDef report fill:#2a1a3a,stroke:#895ab8,color:#f0eaff

    EP[engagement-planner]:::plan
    OA[opsec-anonymizer]:::plan
    TM[threat-modeler]:::plan

    OS[osint-collector]:::recon
    RA[recon-advisor]:::recon
    VS[vuln-scanner]:::recon

    WH[web-hunter]:::exploit
    AS[api-security]:::exploit
    BL[bizlogic-hunter]:::exploit
    BB[bug-bounty]:::exploit
    AD[ad-attacker]:::exploit
    CS[cloud-security]:::exploit
    MP[mobile-pentester]:::exploit
    WP[wireless-pentester]:::exploit
    LR[llm-redteam]:::exploit
    SE[social-engineer]:::exploit
    PO[phishing-operator]:::exploit
    CT[ctf-solver]:::exploit
    CR[credential-tester]:::exploit
    PV[poc-validator]:::exploit
    EG[exploit-guide]:::exploit
    EC[exploit-chainer]:::exploit
    AP[attack-planner]:::exploit
    PC[payload-crafter]:::exploit
    RE[reverse-engineer]:::exploit

    PE[privesc-advisor]:::post
    CB[container-breakout]:::post
    C2[c2-operator]:::post
    CI[cicd-redteam]:::post
    SO[swarm-orchestrator]:::post

    DE[detection-engineer]:::defense
    FA[forensics-analyst]:::defense
    MA[malware-analyst]:::defense
    SA[stig-analyst]:::defense

    RG[report-generator]:::report

    EP --> OA --> OS
    EP --> TM
    OS --> RA --> VS
    VS --> WH & AS & BL & BB & AD & CS & MP & WP & LR
    SE --> PO
    BB --> WH
    PO --> PC --> C2
    AD --> CR
    AD --> PE
    CS --> CB
    CB --> PE
    WH --> PV
    AS --> PV
    PV --> EC --> AP
    EC --> EG
    PC --> RE
    RE --> MA
    AP --> SO
    C2 --> DE
    SO --> RG
    DE --> FA
    MA --> RG
    SA --> RG
    CT -.solo.-> RG
    CI -.pipeline.-> SO

Tier 1 (advisory) agents are routable from any task. Tier 2 (execution-capable) agents require a declared scope and live in the offensive operations cluster.

What's New in v3.1

  • 3 new agents: payload-crafter (msfvenom, Donut, custom loaders), reverse-engineer (Ghidra, JadX, Radare2, Binwalk), phishing-operator (Evilginx, GoPhish, dnstwist)
  • Slash commands: /recommend "freeform task" routes you to the right agent + concrete commands. /agents-for <tag> filters the catalog by domain.
  • db/doctor.sh: audits which underlying CLI tools are installed on your box, grouped by agent. Shows and per tool with install hints.
  • install.sh --tools: opt-in installer that pulls in the underlying tools via apt/brew/pacman + pipx/go/cargo.
  • Extended agents: Commix added to web-hunter, RouterSploit added to vuln-scanner, targeted wordlist generation (cupp, CeWL, Mentalist, Crunch, hashid, haiti) added to credential-tester, full steganography toolkit added to ctf-solver.

Quick Start

One command:

curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash

That's it. The script clones the repo to a temp dir, copies the agents to ~/.claude/agents/, and exits. Idempotent: safe to re-run for updates.

Or install as a Claude Code plugin (no clone; updates through the marketplace):

/plugin marketplace add 0xSteph/pentest-ai-agents
/plugin install pentest-ai-agents@pentest-ai-agents

This registers all 50 agents and the slash commands through Claude Code's plugin system. Pick the plugin or the installer — you don't need both.

Then open Claude Code:

"Plan an internal network pentest for a 500-endpoint AD environment with a 2-week window."

Claude routes to the engagement planner agent and produces a phased plan with MITRE ATT&CK mappings.

Prefer to clone first?

git clone https://github.com/0xSteph/pentest-ai-agents.git
cd pentest-ai-agents && ./install.sh --global

Other install options:

./install.sh --project     # Install for current project only
./install.sh --global --lite  # Use Haiku for advisory agents (lower cost)
./install.sh --tools       # Install underlying CLI tools (nmap, nuclei, ffuf, etc.)
./install.sh --help        # All options

See INSTALL.md for step-by-step instructions, including first-time Claude Code setup.


Cheatsheet

Quick interactions once installed:

CommandWhat It Does
/recommend "phish a small SaaS team's IT department"Picks the right agent and gives concrete next commands
/agents-for webLists every agent relevant to web testing (web-hunter, api-security, bug-bounty, bizlogic-hunter)
/agents-for cloudCloud-specific agents (cloud-security, cicd-redteam)
db/doctor.shAudits which underlying CLI tools you have, grouped by agent. Shows ✔/✘ and install hints.
db/doctor.sh --agent ad-attackerAudit just the AD tooling stack
db/doctor.sh --jsonMachine-readable output for piping into a script
install.sh --toolsInstall the underlying tools via your package manager + pipx/go/cargo
findings.sh init <id>Start a new engagement (persistent SQLite findings DB)
findings.sh statsEngagement progress
findings.sh exportFull JSON export
bash handoff.shMarkdown handoff report between sessions

In Claude Code, just describing your task routes automatically:

"Plan an internal pentest for a 500-endpoint AD environment, 2-week window."
"I have a domain user, where do I look first in BloodHound?"
"Convert this SharpHound EXE into shellcode for an EDR test, with detection content."
"Reverse this firmware image and tell me what the cryptographic protocol looks like."
"Run a phishing simulation against acme-corp.com, set up GoPhish + Evilginx infrastructure."

Coverage

What the agents drive. Categories map to the same surface real adversaries operate across:

CategoryAgentsUnderlying Tools (installable via install.sh --tools)
Recon and OSINTrecon-advisor, osint-collectornmap, masscan, rustscan, dig, whois, subfinder, amass, httpx, theHarvester, sherlock, holehe, maigret
Vulnerability scanningvuln-scannernuclei, nikto, RouterSploit, nmap NSE, OpenVAS/Nessus parsing
Web app testingweb-hunter, api-security, bug-bounty, bizlogic-hunterffuf, gobuster, feroxbuster, sqlmap, dalfox, Commix, dirsearch, whatweb
Active Directoryad-attacker, credential-testerBloodHound, Impacket, NetExec/CrackMapExec, Certipy, kerbrute, Responder, ldapsearch
Credentials and crackingcredential-tester, password-auditorHydra, Hashcat, John, Medusa, cupp, CeWL, NIST 800-63B policy audit, HIBP k-anonymity
Cloudcloud-security, cicd-redteamaws/az/gcloud CLIs, Trivy, Prowler, ScoutSuite, Pacu
Containers and K8s breakoutcontainer-breakoutkubectl, kube-hunter, peirates, CDK, Falco rule pairing
C2 operationsc2-operatorSliver, Mythic, Havoc, Cobalt Strike, malleable profiles, redirector design
AI / LLM red teamingai-recon, llm-redteamA2A/MCP/RAG surface discovery, model fingerprinting, Garak, PyRIT, Promptfoo, OWASP LLM Top 10, MITRE ATLAS
Operator opsecopsec-anonymizersource IP design, burner identity, JA3/fingerprint hygiene, burn checklists
Mobilemobile-pentester, reverse-engineerFrida, Objection, jadx, apktool, MobSF, adb
Wirelesswireless-pentesteraircrack-ng, hcxdumptool, hcxtools, bettercap, wifite
Social engineeringsocial-engineer, phishing-operatorGoPhish, Evilginx, dnstwist, Modlishka
Payload craftingpayload-craftermsfvenom, Donut, MSFvenom Payload Creator, custom loader patterns
Reverse engineeringreverse-engineer, malware-analystGhidra, Radare2, JadX, Binwalk, Apktool, IDA, dnSpy, Volatility 3
Forensics and IRforensics-analyst, malware-analystVolatility 3, exiftool, foremost, YARA, Wireshark/tshark, Autopsy
Exploit chainingexploit-chainer, attack-planner, poc-validatorMulti-step attack composition, ATT&CK-mapped chain scoring
Database attacksdatabase-attackersqlmap, NoSQLMap, native clients (MySQL/PostgreSQL/MSSQL/Oracle/MongoDB/Redis)
Network L2/L3 and trafficnetwork-attacker, traffic-analyzerResponder, ntlmrelayx, mitm6, bettercap, Wireshark/tshark, Zeek
Post-exploitationlateral-movement, persistence-planner, evasion-specialist, data-exfiltratorPtH/PtT, WMI/WinRM/DCOM, AMSI/ETW evasion, DNS/HTTPS exfil, golden ticket
ICS / OTscada-attackerModbus, DNP3, S7comm, EtherNet/IP, OPC-UA, OT-aware IDS pairing
IoT / embeddediot-pentesterbinwalk, UART/JTAG/SPI, BLE/Zigbee/sub-GHz, firmware analysis
Secure code and cryptocode-auditor, crypto-analyzerSemgrep, CodeQL, gitleaks, testssl.sh, jwt_tool
Detection and defensedetection-engineer, threat-modeler, stig-analystSigma, Splunk SPL, Elastic KQL, Sentinel KQL, STRIDE/DREAD, DISA STIG
CTFctf-solverzsteg, steghide, stegseek, pngcheck, plus generic toolchain
Reporting, risk and complianceengagement-planner, report-generator, risk-scorer, compliance-mapperMITRE ATT&CK mapping, CVSS 3.1/4.0, EPSS, CISA KEV, PCI/NIST/ISO/CIS mapping

Run bash db/doctor.sh to see which of these are present on your box right now and what's missing.


Agents

Offensive Operations

AgentWhat It Does
Engagement PlannerPhased pentest plans with MITRE ATT&CK mappings, time estimates, and ROE templates
Recon AdvisorParses Nmap/Nessus/BloodHound output, prioritizes targets, recommends next commands. Tier 2: executes recon tools directly.
OSINT CollectorDomain recon, email harvesting, social media profiling, breach data analysis
Exploit GuideAttack methodology for AD, web, cloud, and post-exploitation with defensive perspective
Privilege EscalationLinux and Windows privesc: SUID, tokens, services, kernel exploits, container escape
Cloud SecurityAWS/Azure/GCP pentesting: IAM escalation, container escape, serverless exploitation
API SecurityREST, GraphQL, WebSocket testing. OWASP API Top 10, JWT attacks, OAuth exploitation
Mobile PentesterAndroid/iOS analysis with Frida, Objection, jadx. OWASP MASTG/MASVS mapping
Wireless PentesterWPA/WPA2/WPA3, evil twin, rogue AP, enterprise 802.1X, Bluetooth security
Social EngineerPhishing campaigns, pretexting, vishing for authorized red team engagements
Vuln ScannerNuclei, Nikto, Nmap NSE scans. Parses Nessus/OpenVAS results. Tier 2: executes scans.
Web Hunterffuf, gobuster, sqlmap, dalfox. Content discovery, fuzzing, WAF detection. Tier 2: executes web tools.
Credential TesterHydra, Hashcat, John, CrackMapExec. Hash identification, wordlist generation
Attack PlannerCorrelates findings into multi-step attack chains. Scores by probability, stealth, and impact
Bug Bounty HunterHackerOne/Bugcrowd methodology, duplicate avoidance, report writing for maximum payout
AD AttackerBloodHound, Impacket, CrackMapExec, Certipy. Kerberos, delegation, ACL, and cert abuse. Tier 2: executes AD tools.
Exploit ChainerChains low-severity findings into full compromise paths. Step-by-step with approval gates. Tier 2.
PoC ValidatorGenerates and safely executes proof of concept scripts. Eliminates false positives. Tier 2.
Payload Craftermsfvenom, Donut, custom loaders. Pairs every payload with YARA/Sigma detection content.
Reverse EngineerGhidra, JadX, Radare2, Binwalk. Static analysis of firmware, mobile apps, and binaries.
Phishing OperatorEvilginx, GoPhish, dnstwist infrastructure. Live campaign tooling for authorized red team.
Swarm OrchestratorCoordinates all agents as a red team swarm. Parallel workstreams, progress tracking.
Business Logic HunterPrice manipulation, workflow bypass, race conditions, authorization flaws. Tier 2.
CI/CD Red TeamGitHub Actions, GitLab CI, Jenkins pipeline configs with security gates
C2 OperatorSliver, Mythic, Havoc, Cobalt Strike. Listener tuning, beacon hygiene, redirector design, engagement burn
Container BreakoutDocker/K8s escape, runc/cri-o CVEs, kubelet exploitation, RBAC abuse, admission controller bypass
OpSec AnonymizerOperator-side identity hygiene, source IP strategy, burner infrastructure, browser/JA3 fingerprint hygiene
LLM Red TeamOWASP LLM Top 10 testing, prompt injection, RAG poisoning, agent tool abuse, MCP server exploitation
AI ReconMaps the AI attack surface: AI/LLM endpoints, A2A agent cards, MCP exposure, RAG/tool surface, model fingerprint. Tier 2: executes read-only recon.
Password AuditorNIST 800-63B policy + hash-storage audit, breach exposure (HIBP k-anonymity), lockout-safe spray planning
Database AttackerSQL/NoSQL injection depth, DB privilege escalation, proof-scoped extraction across major engines. Tier 2.
Network AttackerLLMNR/NBT-NS poisoning, NTLM relay, mitm6, ARP MITM, pivoting. Tier 2: executes L2/L3 attacks.
Evasion SpecialistAV/EDR evasion, AMSI/ETW bypass, in-memory execution — every technique paired with its detection
Persistence PlannerHost/AD/cloud persistence (golden ticket, WMI, services) with mandatory cleanup tracking + detection
Data ExfiltratorDNS/HTTPS/ICMP exfil and DLP/egress testing with synthetic/canary data — paired with detection
SCADA AttackerICS/OT protocol analysis (Modbus/DNP3/S7comm/OPC-UA), safety-gated, passive-first
IoT PentesterFirmware, hardware interfaces (UART/JTAG), radio (BLE/sub-GHz), and device-cloud testing
Lateral MovementPtH/PtT, WMI/WinRM/DCOM/SSH, token theft, pivot planning — paired with detection

Defense and Analysis

AgentWhat It Does
Detection EngineerSigma, Splunk SPL, Elastic KQL, Sentinel KQL rules with false positive tuning
Threat ModelerSTRIDE/DREAD analysis, attack trees, data flow diagrams
Forensics AnalystEvidence acquisition, memory forensics, disk analysis, timeline construction
Malware AnalystStatic/dynamic analysis, reverse engineering, YARA rules, IOC extraction
STIG AnalystDISA STIG compliance, GPO remediation paths, keep-open justification templates
Code AuditorSecure-code review: injection, authz, secrets, deserialization (Semgrep, CodeQL, gitleaks)
Crypto AnalyzerWeak algorithms/modes, key and IV/nonce handling, TLS/cert config, JWT/JWE token issues
Traffic AnalyzerOffline pcap analysis: protocol dissection, credential extraction, beacon/anomaly hunting

Reporting and Learning

AgentWhat It Does
Report GeneratorProfessional pentest reports with executive summaries, CVSS scoring, remediation roadmaps
CTF SolverHackTheBox, TryHackMe, PicoCTF. Web, pwn, rev, crypto, forensics, OSINT
Compliance MapperMaps findings to PCI DSS, NIST 800-53/CSF, ISO 27001, CIS, HIPAA, SOC 2 with control-gap analysis
Risk ScorerCVSS 3.1/4.0 vectors, EPSS + CISA KEV enrichment, business-context remediation prioritization

Tier 1 vs Tier 2

Tier 1 (all agents): Advisory mode. You paste tool output, ask methodology questions, get analysis and recommendations. You run the tools yourself.

Tier 2 (select agents): Can also compose and execute commands directly. You declare your authorized scope, the agent validates every target against it, and Claude Code shows you each command for approval before it runs.

Tier 2 AgentWhat It Executes
Recon Advisornmap, dig, whois, curl, netcat, traceroute, whatweb, nikto
Vuln Scannernuclei, nikto, nmap NSE scripts
Web Hunterffuf, gobuster, feroxbuster, sqlmap, dalfox, whatweb
AD AttackerBloodHound, Impacket, CrackMapExec, Certipy, ldapsearch, enum4linux
Exploit ChainerMulti-step chain execution with approval at each gate
PoC ValidatorSafe, non-destructive proof of concept scripts
Business Logic HunterLogic flaw tests (price manipulation, race conditions)
AI ReconAI endpoint discovery, /v1/models probes, A2A/MCP enumeration (read-only)
Database Attackersqlmap, NoSQLMap, native DB clients (proof-scoped, non-destructive)
Network AttackerResponder, ntlmrelayx, mitm6, bettercap (scoped L2/L3 positioning)
CI/CD Red TeamPipeline-driven SAST/DAST/secret scans against in-scope targets

See docs/TIER2-EXECUTION.md for the full safety model.


Examples

$ claude

You: Analyze this Nmap scan and prioritize targets for our internal pentest

> Routing to recon-advisor agent...

## Prioritized Target Summary

### Critical Priority
| Host       | Port | Service | Finding                  |
|------------|------|---------|--------------------------|
| 10.10.1.5  | 445  | SMB     | SMBv1 enabled, MS17-010  |
| 10.10.1.20 | 3389 | RDP     | BlueKeep (CVE-2019-0708) |

### Recommended Next Steps
1. nmap -sV --script smb-vuln* 10.10.1.5
2. crackmapexec smb 10.10.1.0/24
3. bloodhound-python -d corp.local

More examples in the examples/ directory:

ExampleAgentWhat It Shows
Engagement Planengagement-plannerFull phased plan with MITRE ATT&CK mappings
Nmap Analysisrecon-advisorPrioritized attack vectors with follow-up commands
Detection Ruledetection-engineerKerberoasting detection in Sigma, SPL, and KQL
STIG Findingstig-analystSTIG analysis with GPO path and keep-open template
Report Excerptreport-generatorSQL injection finding formatted for a pentest report

Running Tools in a Container

Run your security tools inside a Docker container to keep your workstation clean and avoid endpoint protection flags.

docker pull kalilinux/kali-rolling
docker run -it --name pentest-lab kalilinux/kali-rolling /bin/bash
apt update && apt install -y nmap nikto sqlmap metasploit-framework bloodhound

Use pentest-ai agents on your host for methodology and analysis. Run the actual tools inside the container.


Findings Database

Persistent SQLite storage that keeps engagement data across Claude Code sessions.

findings.sh init acme-2024 --client "ACME Corp" --type internal --scope "10.0.0.0/24"
export PENTEST_AI_ENGAGEMENT="acme-2024"

findings.sh stats         # Check progress
findings.sh list vulns    # See all findings
findings.sh export        # Full JSON export
bash handoff.sh           # Markdown handoff report for next session

Tier 2 agents write to the database automatically when findings.sh is in PATH. See docs/FINDINGS-DB.md for full docs.


Token Optimization

Install with lite mode to run advisory agents on Haiku (lower cost, same methodology):

./install.sh --global --lite

See docs/TOKEN-OPTIMIZATION.md for the full guide.


Local Models

The agents are plain markdown system prompts — the only Claude-specific part is the YAML frontmatter header. They run on any model: point Claude Code at any Anthropic-compatible endpoint by setting ANTHROPIC_BASE_URL, or copy the system prompt (everything below the frontmatter) into any local runner such as Ollama or LM Studio.

See docs/LOCAL-SETUP.md for local-model notes.


Documentation

DocumentDescription
INSTALL.mdInstallation guide with troubleshooting
Agent GuideHow each agent works and when to use it
Tier 2 ExecutionExecution mode safety model and conversion guide
Local SetupRun offline with Ollama and local GPU
CustomizationModify agents, change models, create new agents
Token OptimizationReduce token consumption
Findings DatabasePersistent SQLite storage for engagement data
Data PrivacyLLM data handling and local model options
ChangelogVersion history

MCP Server

Looking for the automated pipeline? pentest-ai is the companion MCP server with 150+ tool wrappers, autonomous exploit chaining, and CI/CD integration. Works with Claude Desktop, Cursor, VS Code Copilot, and any MCP client.


Prerequisites

  • Claude Code installed and configured
  • Claude Pro or Max subscription
  • For security testing: signed rules of engagement and defined scope

This toolkit is for authorized security testing only. Users must have proper written authorization before using these agents in any engagement. See DISCLAIMER.md for full terms.


License

MIT License


Built by 0xSteph · pentestai.xyz