Skip to content

aakashnotes/pentest-ai-agents

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pentest-ai

pentest-ai-agents

28 Claude Code subagents for penetration testing.

License: MIT Claude Code Agents GitHub stars

Quick Start | Agents | Examples | Documentation


pentest-ai-agents is a collection of 28 Claude Code subagents that turn Claude into an offensive security research assistant. Each agent carries deep domain knowledge in a specific area: recon, web testing, Active Directory, cloud, mobile, wireless, social engineering, exploit chaining, detection engineering, forensics, and more.

Install the agent files. Open Claude Code. Describe your task. Claude routes to the right specialist automatically.

No servers, no dependencies, no setup beyond copying files.

Quick Start

One command:

curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash

That's it. The script clones the repo to a temp dir, copies the 28 agents to ~/.claude/agents/, and exits. Idempotent: safe to re-run for updates.

Then open Claude Code:

"Plan an internal network pentest for a 500-endpoint AD environment with a 2-week window."

Claude routes to the engagement planner agent and produces a phased plan with MITRE ATT&CK mappings.

Prefer to clone first?

git clone https://github.com/0xSteph/pentest-ai-agents.git
cd pentest-ai-agents && ./install.sh --global

Other install options:

./install.sh --project     # Install for current project only
./install.sh --global --lite  # Use Haiku for advisory agents (lower cost)
./install.sh --help        # All options

See INSTALL.md for step-by-step instructions, including first-time Claude Code setup.


Agents

Offensive Operations

Agent What It Does
Engagement Planner Phased pentest plans with MITRE ATT&CK mappings, time estimates, and ROE templates
Recon Advisor Parses Nmap/Nessus/BloodHound output, prioritizes targets, recommends next commands. Tier 2: executes recon tools directly.
OSINT Collector Domain recon, email harvesting, social media profiling, breach data analysis
Exploit Guide Attack methodology for AD, web, cloud, and post-exploitation with defensive perspective
Privilege Escalation Linux and Windows privesc: SUID, tokens, services, kernel exploits, container escape
Cloud Security AWS/Azure/GCP pentesting: IAM escalation, container escape, serverless exploitation
API Security REST, GraphQL, WebSocket testing. OWASP API Top 10, JWT attacks, OAuth exploitation
Mobile Pentester Android/iOS analysis with Frida, Objection, jadx. OWASP MASTG/MASVS mapping
Wireless Pentester WPA/WPA2/WPA3, evil twin, rogue AP, enterprise 802.1X, Bluetooth security
Social Engineer Phishing campaigns, pretexting, vishing for authorized red team engagements
Vuln Scanner Nuclei, Nikto, Nmap NSE scans. Parses Nessus/OpenVAS results. Tier 2: executes scans.
Web Hunter ffuf, gobuster, sqlmap, dalfox. Content discovery, fuzzing, WAF detection. Tier 2: executes web tools.
Credential Tester Hydra, Hashcat, John, CrackMapExec. Hash identification, wordlist generation
Attack Planner Correlates findings into multi-step attack chains. Scores by probability, stealth, and impact
Bug Bounty Hunter HackerOne/Bugcrowd methodology, duplicate avoidance, report writing for maximum payout
AD Attacker BloodHound, Impacket, CrackMapExec, Certipy. Kerberos, delegation, ACL, and cert abuse. Tier 2: executes AD tools.
Exploit Chainer Chains low-severity findings into full compromise paths. Step-by-step with approval gates. Tier 2.
PoC Validator Generates and safely executes proof of concept scripts. Eliminates false positives. Tier 2.
Swarm Orchestrator Coordinates all agents as a red team swarm. Parallel workstreams, progress tracking.
Business Logic Hunter Price manipulation, workflow bypass, race conditions, authorization flaws. Tier 2.
CI/CD Red Team GitHub Actions, GitLab CI, Jenkins pipeline configs with security gates

Defense and Analysis

Agent What It Does
Detection Engineer Sigma, Splunk SPL, Elastic KQL, Sentinel KQL rules with false positive tuning
Threat Modeler STRIDE/DREAD analysis, attack trees, data flow diagrams
Forensics Analyst Evidence acquisition, memory forensics, disk analysis, timeline construction
Malware Analyst Static/dynamic analysis, reverse engineering, YARA rules, IOC extraction
STIG Analyst DISA STIG compliance, GPO remediation paths, keep-open justification templates

Reporting and Learning

Agent What It Does
Report Generator Professional pentest reports with executive summaries, CVSS scoring, remediation roadmaps
CTF Solver HackTheBox, TryHackMe, PicoCTF. Web, pwn, rev, crypto, forensics, OSINT

Tier 1 vs Tier 2

Tier 1 (all agents): Advisory mode. You paste tool output, ask methodology questions, get analysis and recommendations. You run the tools yourself.

Tier 2 (select agents): Can also compose and execute commands directly. You declare your authorized scope, the agent validates every target against it, and Claude Code shows you each command for approval before it runs.

Tier 2 Agent What It Executes
Recon Advisor nmap, dig, whois, curl, netcat, traceroute, whatweb, nikto
Vuln Scanner nuclei, nikto, nmap NSE scripts
Web Hunter ffuf, gobuster, feroxbuster, sqlmap, dalfox, whatweb
AD Attacker BloodHound, Impacket, CrackMapExec, Certipy, ldapsearch, enum4linux
Exploit Chainer Multi-step chain execution with approval at each gate
PoC Validator Safe, non-destructive proof of concept scripts
Business Logic Hunter Logic flaw tests (price manipulation, race conditions)

See docs/TIER2-EXECUTION.md for the full safety model.


Examples

$ claude

You: Analyze this Nmap scan and prioritize targets for our internal pentest

> Routing to recon-advisor agent...

## Prioritized Target Summary

### Critical Priority
| Host       | Port | Service | Finding                  |
|------------|------|---------|--------------------------|
| 10.10.1.5  | 445  | SMB     | SMBv1 enabled, MS17-010  |
| 10.10.1.20 | 3389 | RDP     | BlueKeep (CVE-2019-0708) |

### Recommended Next Steps
1. nmap -sV --script smb-vuln* 10.10.1.5
2. crackmapexec smb 10.10.1.0/24
3. bloodhound-python -d corp.local

More examples in the examples/ directory:

Example Agent What It Shows
Engagement Plan engagement-planner Full phased plan with MITRE ATT&CK mappings
Nmap Analysis recon-advisor Prioritized attack vectors with follow-up commands
Detection Rule detection-engineer Kerberoasting detection in Sigma, SPL, and KQL
STIG Finding stig-analyst STIG analysis with GPO path and keep-open template
Report Excerpt report-generator SQL injection finding formatted for a pentest report

Running Tools in a Container

Run your security tools inside a Docker container to keep your workstation clean and avoid endpoint protection flags.

docker pull kalilinux/kali-rolling
docker run -it --name pentest-lab kalilinux/kali-rolling /bin/bash
apt update && apt install -y nmap nikto sqlmap metasploit-framework bloodhound

Use pentest-ai agents on your host for methodology and analysis. Run the actual tools inside the container.


Findings Database

Persistent SQLite storage that keeps engagement data across Claude Code sessions.

findings.sh init acme-2024 --client "ACME Corp" --type internal --scope "10.0.0.0/24"
export PENTEST_AI_ENGAGEMENT="acme-2024"

findings.sh stats         # Check progress
findings.sh list vulns    # See all findings
findings.sh export        # Full JSON export
bash handoff.sh           # Markdown handoff report for next session

Tier 2 agents write to the database automatically when findings.sh is in PATH. See docs/FINDINGS-DB.md for full docs.


Token Optimization

Install with lite mode to run advisory agents on Haiku (lower cost, same methodology):

./install.sh --global --lite

See docs/TOKEN-OPTIMIZATION.md for the full guide.


Local Models

The agents are plain markdown system prompts. The only Claude-specific part is the YAML frontmatter header. Run ./opencode-setup.sh --full to convert all agents into OpenCode custom commands that work with Ollama, LM Studio, or any local model.

See docs/LOCAL-SETUP.md for setup instructions and model recommendations.


Documentation

Document Description
INSTALL.md Installation guide with troubleshooting
Agent Guide How each agent works and when to use it
Tier 2 Execution Execution mode safety model and conversion guide
Local Setup Run offline with Ollama and local GPU
Customization Modify agents, change models, create new agents
Token Optimization Reduce token consumption
Findings Database Persistent SQLite storage for engagement data
Data Privacy LLM data handling and local model options
Changelog Version history

MCP Server

Looking for the automated pipeline? pentest-ai is the companion MCP server with 150+ tool wrappers, autonomous exploit chaining, and CI/CD integration. Works with Claude Desktop, Cursor, VS Code Copilot, and any MCP client.


Prerequisites

  • Claude Code installed and configured
  • Claude Pro or Max subscription
  • For security testing: signed rules of engagement and defined scope

Contributing

Contributions welcome. See docs/CONTRIBUTING.md for guidelines.


Legal

This toolkit is for authorized security testing only. Users must have proper written authorization before using these agents in any engagement. See DISCLAIMER.md for full terms.


License

MIT License


Built by 0xSteph · pentestai.xyz

About

Turn Claude Code into your offensive security research assistant. Specialized AI subagents for authorized penetration testing plan engagements, analyze recon, research exploits, build detections, audit STIGs, and write reports.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Shell 100.0%