pentest-cli
Professional security testing CLI for deployed web applications. No Python required - download a single binary and run.
40+ commands covering OWASP WSTG, PTES, and modern attack vectors. Integrates with Kali Linux tools (nmap, sqlmap, hydra, nikto, nuclei).
Quick Install
Linux/macOS:
```bash
curl -fsSL https://raw.githubusercontent.com/sabania/pentest-cli/main/install.sh | bash
```
Windows (PowerShell):
```powershell
irm https://raw.githubusercontent.com/sabania/pentest-cli/main/install.ps1 | iex
```
Or download directly from Releases.
Uninstall
Linux/macOS:
```bash
rm ~/.local/bin/pentest
```
Windows (PowerShell):
```powershell
Remove-Item "$env:USERPROFILE\.local\bin\pentest.exe"
```
Claude Code Plugin
This repo also ships a Claude Code plugin with 12 skills and 8 AI agents that use the CLI as their backend. The plugin turns Claude Code into a full security testing platform.
Install the plugin:
```text
/plugin marketplace add sabania/pentest-cli
```
Then run:
```text
/setup                              # Install CLI + verify environment
/pentest-full https://your-app.com  # Complete security audit
```
See the full plugin documentation: Plugin README
Plugin Skills
| Skill | Type | Description |
|---|---|---|
| `/setup` | Utility | Install pentest-cli and verify environment |
| `/cli-reference` | Utility | Show all 40+ CLI commands |
| `/pentest-recon <url>` | Passive | Subdomains, DNS, ports, OSINT, tech stack |
| `/pentest-scan <url>` | Passive | Headers, SSL/TLS, CORS, WAF |
| `/pentest-discover <url>` | Passive | JS bundles, APIs, secrets, BaaS backends |
| `/pentest-auth <url>` | Passive | JWT, OAuth, session management |
| `/pentest-cloud <url>` | Passive | S3/Azure/GCS misconfig, email security |
| `/business-logic <url>` | Passive | IDOR, privilege escalation, payment bypass |
| `/pentest-inject <url>` | Active | SQLi, XSS, SSTI, SSRF, XXE, LFI |
| `/pentest-advanced <url>` | Active | Request smuggling, race conditions, cache poisoning |
| `/pentest-full <url>` | Full | All scans combined + PDF report |
| `/pentest-report` | Utility | Generate PDF report from findings |
Plugin Agents
8 specialized AI agents work as your security testing team:
| Agent | Model | Role |
|---|---|---|
| recon-agent | sonnet | Attack surface mapping |
| scanner-agent | sonnet | Configuration & hardening |
| discovery-agent | sonnet | Secrets, APIs, BaaS probing |
| injection-agent | sonnet | Injection vulnerability testing |
| auth-agent | sonnet | Authentication & session security |
| advanced-agent | opus | Request smuggling, race conditions |
| logic-agent | opus | Business logic & authorization flaws |
| report-agent | haiku | Report generation |
CLI Usage
```bash
# Passive scans (safe, no payloads sent)
pentest scan headers https://example.com
pentest scan ssl example.com
pentest scan cors https://example.com
pentest recon subdomains example.com
pentest discover bundle https://example.com
pentest cloud email example.com

# Active scans (send payloads - require the --active flag)
pentest --active --yes inject sqli https://example.com
pentest --active --yes discover fuzz https://example.com

# Full pentest
pentest full https://example.com

# JSON output (for CI/CD or Claude Code agents)
pentest --json scan headers https://example.com

# Generate PDF report
pentest report ./findings/
```
CLI Commands
Reconnaissance & OSINT (pentest recon)
| Command | Description |
|---|---|
| `recon subdomains` | Subdomain enumeration (crt.sh, dnsrecon, DNS brute force) |
| `recon ports` | Port scanning (nmap integration) |
| `recon dns` | DNS records, zone transfer, SPF/DMARC, DNSSEC |
| `recon whois` | WHOIS lookup |
| `recon crawl` | Web crawling & URL discovery |
| `recon osint` | Google dorks, Wayback Machine, email harvesting |
Vulnerability Scanning (pentest scan)
| Command | Description |
|---|---|
| `scan headers` | HTTP security headers (CSP, HSTS, X-Frame-Options, SRI) |
| `scan ssl` | SSL/TLS protocols, ciphers, certificate analysis |
| `scan cors` | CORS misconfiguration (origin reflection, null, wildcards) |
| `scan nikto` | Nikto web server scanner |
| `scan nuclei` | Nuclei vulnerability scanner (9000+ templates) |
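The `scan cors` row above names three misconfiguration classes: origin reflection, `null` origin and wildcards. As an added example (not the project's own code), the following Python classifies constructed sample responses to two probes, one sent with `Origin: https://untrusted.example` and one with `Origin: null`, the way such a check would; the severity labels and the two sample apps are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str
    issue: str

def classify_cors(request_origin, headers):
    """Findings for one response to a probe sent with `Origin: request_origin`.
    `headers` maps lower-cased header names to values; severities are assumed."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings = []
    if acao is None:
        return findings  # no ACAO header: browsers block cross-origin reads
    if acao == "*":
        # Browsers refuse '*' for credentialed requests, so exposure is limited
        # to content that is already public; still an over-broad policy.
        findings.append(Finding("low", "wildcard origin allowed"))
        if creds:
            findings.append(Finding("info", "wildcard combined with credentials"))
    elif acao == "null":
        # 'null' is the Origin of sandboxed iframes and data: URLs, so any page
        # can obtain it; with credentials that is as bad as full reflection.
        findings.append(Finding("high" if creds else "medium", "null origin allowed"))
    elif acao == request_origin:
        # The server echoed the (untrusted) probe origin back unchanged; with
        # credentials any site can read authenticated responses from it.
        findings.append(Finding("high" if creds else "medium", "arbitrary origin reflected"))
    return findings

# Constructed sample responses keyed by the Origin header each probe carried.
REFLECTING_APP = {
    "https://untrusted.example": {"access-control-allow-origin": "https://untrusted.example",
                                  "access-control-allow-credentials": "true"},
    "null": {"access-control-allow-origin": "null",
             "access-control-allow-credentials": "true"},
}
STRICT_APP = {
    "https://untrusted.example": {"access-control-allow-origin": "https://app.example"},
    "null": {"access-control-allow-origin": "https://app.example"},
}

def assess(probe_responses):
    """Run the classifier over every probe; return de-duplicated findings."""
    out = []
    for origin, hdrs in probe_responses.items():
        for f in classify_cors(origin, hdrs):
            if f not in out:
                out.append(f)
    return out
```

A hardened server answers every probe with its own fixed origin (as `STRICT_APP` does), which yields no findings.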
Discovery (pentest discover)
| Command | Description |
|---|---|
| `discover bundle` | JS bundle reverse engineering (source maps, API keys, secrets) |
| `discover api` | API endpoint discovery, GraphQL, error disclosure |
| `discover graphql` | GraphQL introspection & attack testing |
| `discover fuzz` | Content discovery / directory fuzzing |
| `discover tech` | Deep technology fingerprinting (whatweb) |