𝝺 Overview

EVA is an AI penetration testing agent that guides users through complete pentest engagements with AI-powered attack strategy, autonomous command generation, and real-time vulnerability analysis based on outputs. The goal is not to replace the pentest professional but to guide and assist and provide faster results.

Main funcionalities

• 🜂 Intelligent Reasoning: Advanced AI-driven analysis and attack path identification depending on query.
• ⵢ Automated Enumeration: Systematic target reconnaissance and information gathering based on provided target.
• ꎈ Vulnerability Assessment: AI-powered vulnerability identification and exploitation strategies, suggesting next steps for vulnerability or OSINT.
• ⑇ Multiple AI Backends: Support for Ollama, OpenAI GPT, Anthropic, Gemini, G4F.dev and custom API endpoints
• ㄖ Session Management: Persistent sessions and chats
• ⑅ Interactive Interface: Real-time command execution and analysis of output in multi-stage.

ⵢ EVA Logic & Pentest Process Flow

graph TD
 
    A[🜂 EVA Launch] --> B{🢧 Session Selection}
    B -->|Existing Session| C[🢧 Load Session Data]
    B -->|New Session| D[߭ Initialize Session]
    C --> E[ㄖ Select AI Backend]
    D --> E
    
    E --> F[🦙 Ollama Local]
    E --> G[⬡ OpenAI GPT]
    E --> J1[✶ Anthropic Claude]
    E --> J2[✦ Google Gemini]
    E --> H[⟅ Custom API]
    E --> I[🜅 G4F.dev Provider]
    
    F --> J[Pentest Shell]
    G --> J
    J1 --> J
    J2 --> J
    H --> J
    I --> J
    
    J --> K[⌖ Target Definition]
    K --> L[🧠 AI Pentest Strategy]
    
    L --> M[🝯 Reconnaissance Phase]
    M --> N[➤_ Execute Commands]
    N --> O[ꎐ Analyze Results]
    O --> P{ᐈ Vulnerabilities Found?}
    
    P -->|Yes| Q[🖧 Exploitation Planning]
    P -->|No| R[⭯ More Enumeration]
    R --> L
    
    Q --> S[⚡ Exploitation Phase]
    Q --> T[Export graphs and mapped networks]
    
    S --> U[➤_ Execute Exploit]
    U --> V{🞜 Access Gained?}
    
    V -->|Yes| W[𐱃 Privilege Escalation]
    V -->|Failed| X[⭯ Alternative Methods]
    X --> Q
    
    W --> Y[𐦝 Post-Exploitation]
    Y --> Z{🞜 Objectives Met?}
    
    Z -->|Generate Report| AA[📋 Generate Report]
    Z -->|Exit and Save| AB[💾 Save & Exit]
    Z -->|No| AC[🔍 Continue Pentest]
    AC --> L
    
    AA --> AB
    
    subgraph "🍎 EVA "
        AD[⯐ Attack Strategy AI]
        AE[𝚵 Session Memory]
        AF[ᐮ Vulnerability Analysis]
        AG[CVE DATABASE SEARCH]
        AH[𐰬 Output Processing]
    end
    
    L --> AD
    AD --> AE
    O --> AF
    AF --> AG
    AG --> AH
    AH --> L

🍎 Installation

Ollama for local endpoint (required for local models and eva exploit database)

curl -fsSL https://ollama.ai/install.sh | shr

pip installation

pip install eva-exploit
eva

EVA github installation

git clone https://github.com/ARCANGEL0/EVA.git
cd EVA
chmod +x eva.py
./eva.py 
# Adding it to PATH to be acessible anywhere
sudo mv eva.py /usr/local/bin/eva

⬢ Configuring EVA.

When starting EVA, it will automatically handle:

• ✅ API key setup (According to Model)
• ✅ Ollama model download (Default set as whiterabitv2, feel free to change to any other desired model)
• ✅ Session directory creation
• ✅ Dependencies installation

If you wish to modify endpoints, ollama models, API Keys or configure EVA, please run:

eva --config

📁 Directory Structure of EVA

~/EVA_data/
├── sessions/           # Session storage
│   ├── session1.json
│   ├── session2.json
│   └── ...
├── reports/           # Vulnerability reports
│   ├── report1.html
│   ├── report1.pdf
│   └── ...
└── attack_maps/           # Attack vector maps in HTML/JS
    ├── attack_surface1.html
    ├── attack_surface2.html
    └── ...

ꀬ Where to change EVA options

eva --config

Will display the following configuration:

API_ENDPOINT = "NOT_SET" 
G4F_MODEL="gpt-oss-120b"   
G4F_URL="https://api.gpt4free.workers.dev/api/novaai/chat/completions"
OLLAMA_MODEL = "ALIENTELLIGENCE/whiterabbitv2" 
SEARCHVULN_MODEL = "gpt-oss:120b-cloud"
SEARCVULN_URL = "https://ollama.com/api/chat"
OLLAMA_API_KEY = "NOT_SET" 
OPENAI_API_KEY = "NOT_SET" 
ANTHROPIC_API_KEY = "NOT_SET" 
GEMINI_API_KEY = "NOT_SET" 
ANTHROPIC_MODEL = "claude-3-5-sonnet-latest"
GEMINI_MODEL = "gemini-2.0-flash"
OLLAMA_CLOUD_TIMEOUT = 45
CONFIG_DIR = Path.home() / "EVA_data" #
SESSIONS_DIR = CONFIG_DIR / "sessions"
REPORTS_DIR = CONFIG_DIR / "reports"
MAPS_DIR = CONFIG_DIR / "attack_maps"
TERMS_ACCEPTEDTHING = CONFIG_DIR / ".confirm"
CONFIG_DIR.mkdir(parents=True, exist_ok=True)
SESSIONS_DIR.mkdir(parents=True, exist_ok=True)
REPORTS_DIR.mkdir(parents=True, exist_ok=True)
MAPS_DIR.mkdir(parents=True, exist_ok=True)
username = os.getlogin()
MAX_RETRIES = 10 ### maximum retries for fetching requests
RETRY_DELAY = 10 ### delay between requests to avoid rate limit error

Initialization

python3 eva.py
# or if installed via pip:
eva

# open config.py in your default editor
eva --config

# deletes all sessions and files
eva --delete

# configure custom api and payload handler
eva --custom-api

# vulnerability / exploit intel search
eva --search i have a wingftp server running on version 4.7.3, find me exploits for it

# run eva default launcher
eva 

1. Select Session: Choose existing session or create new one
2. Choose AI Backend:
   • Ollama (Recommended): Local AI with WhiteRabbit-Neo model
   • GPT-5: OpenAI's latest model (requires API key)
   • G4F: Uses g4f.dev endpoints with models running GPT5.2, feel free to change model used.
   • Anthropic: Claude API backend (requires API key)
   • Gemini: Google Gemini API backend (requires API key)
   • Custom API: Your own API endpoint if desired
3. In the input field of chat, type in your request or what you need assistance with for EVA to help you!

USER > i need help with a CTF machine, ip is 10.10.16.81

After making a request, commands will be provided and the pentest workflow will start, use commands below as reference.

| Command | Description | |---------|-------------| | /exit / /quit | Exit EVA and save session | | /model | Change AI backend | | /rename | Rename the current session | | /search <query> or search <query> | Run exploit/vulnerability intel search inside current chat session and feed results into next analysis | | /report | Generates a PDF/HTML report with latest findings on session | | /map | Generates a html file with attack surface map of session | | /menu | Return to session menu | | R | Run suggested command | | S | Skip command | | A | Ask for next step | | Q | Quit session |

ㄖ Example of chat session

demonstration video.

USER > I'm on a Windows target at IP 10.10.11.95, what should I enumerate first?

[ANALYSIS] 
Based on the Windows environment, I need to perform comprehensive 
enumeration focusing on:

1. System Information (OS version, patches, architecture)
2. Network Services (ports, services, listening processes)  
3. User Context (current user, groups, privileges)
4. Security Controls (AV, firewall, UAC settings)
5. Potential Attack Vectors (SMB, RDP, IIS, etc.)

Let me start with basic system reconnaissance to understand the target better...

> execute:   nmap -sC -sV -O 10.10.10.10
| [R]un | [S]kip | [A]sk | [G]enerate HTML Report | [V]iew attack map | [Q]uit | 

>  R

🦙 Ollama (Recommended)

• Model: ALIENTELLIGENCE/whiterabbitv2" (best one for OffSec)
  • ✅ Complete offline operation
  • ✅ No API costs
  • ✅ Privacy-focused
  • ❌ Higher CPU/GPU usage, recommended for machines above 8GB+ VRAM/RAM
  • ❌ Heavier model, ~9.8gb model

⬡ OpenAI GPT

• Models: GPT-5, GPT-4.1 (fallback)
• About:
  • ✅ Faster reasoning
  • ✅ Extensive knowledge base
  • ✅ Continuous updates
  • ❌ Paid, requi