pentest-ai-agents

Table of Contents

• What's New in v3.3
• What's New in v3.2
• Agent Map
• What's New in v3.1
• Quick Start
• Cheatsheet
• Coverage
• Agents
• Tier 1 vs Tier 2
• Examples
• Running Tools in a Container
• Findings Database
• Token Optimization
• Local Models
• Documentation
• MCP Server
• Prerequisites
• Legal
• License

pentest-ai-agents is a collection of 50 Claude Code subagents that turn Claude into an offensive security research assistant. Each agent carries deep domain knowledge in a specific area: recon, web, Active Directory, cloud, mobile, wireless, social engineering, payload crafting, reverse engineering, exploit chaining, detection engineering, forensics, and more.

Install the agent files. Open Claude Code. Describe your task. Claude routes to the right specialist automatically.

No servers, no Python deps, no setup beyond copying files.

What's New in v3.3

• Installable as a Claude Code plugin. Two lines — /plugin marketplace add 0xSteph/pentest-ai-agents then /plugin install pentest-ai-agents@pentest-ai-agents. The install.sh curl path still works unchanged.
• 15 new agents (35 → 50): ai-recon (AI attack-surface mapping), code-auditor, crypto-analyzer, password-auditor, database-attacker, network-attacker, traffic-analyzer, compliance-mapper, risk-scorer, plus the post-exploitation set — evasion-specialist, persistence-planner, data-exfiltrator, scada-attacker, iot-pentester, lateral-movement. Every offensive agent pairs its techniques with the detection they exercise.
• Hardened CI validator. A SHA-pinned, least-privilege workflow validates each agent's frontmatter, requires the scope-guard block on every Bash-capable (Tier 2) agent, checks the plugin manifests, and smoke-tests the installer.
• Scope-guard gap closed. cicd-redteam is Bash-capable but was missing the mandatory scope-enforcement block — now fixed (the new CI check would have caught it).
• Installer fixes. curl | bash no longer crashes under set -u, the one-liner clone URL is corrected, slash commands now install alongside the agents, and --uninstall removes everything cleanly.
• Minimal offline Docker bundle with a digest-pinned base and non-root user — packaging only, no tooling baked in.

What's New in v3.2

• 4 new agents: c2-operator (Sliver/Mythic/Havoc/Cobalt Strike profile tuning, beacon hygiene, redirector design), container-breakout (Docker/K8s escape, runc/cri-o CVEs, kubelet exploitation, RBAC abuse), opsec-anonymizer (operator-side identity hygiene, source IP design, burner infrastructure, fingerprint hygiene), llm-redteam (OWASP LLM Top 10 testing, prompt injection, RAG poisoning, MCP server abuse, agent tool abuse).
• Tightened scope guard: explicit hard-refusal list in _scope-guard.md covers DoS, mass scanning, unattended worms, false-flag operations, safety-of-life systems.
• Findings DB v2: vulns.tool_used column for filtering findings by the tool that produced them; new indexes on cve and tool_used. Existing engagements migrate forward via db/migrate.sh.
• Agent map diagram: visual flow from recon to closure mapped to agent names (see below).

Agent Map

flowchart LR
    classDef plan fill:#1a2a4a,stroke:#5a7ab8,color:#eaf0ff
    classDef recon fill:#1a3a2a,stroke:#5ab87a,color:#eaffea
    classDef exploit fill:#3a1a1a,stroke:#b85a5a,color:#ffeaea
    classDef post fill:#3a2a1a,stroke:#b8895a,color:#fff0ea
    classDef defense fill:#1a3a3a,stroke:#5ab8b8,color:#eaffff
    classDef report fill:#2a1a3a,stroke:#895ab8,color:#f0eaff

    EP[engagement-planner]:::plan
    OA[opsec-anonymizer]:::plan
    TM[threat-modeler]:::plan

    OS[osint-collector]:::recon
    RA[recon-advisor]:::recon
    VS[vuln-scanner]:::recon