Turn Claude Code into your offensive security research assistant. Specialized AI subagents for authorized penetration testing plan engagements, analyze recon, research exploits, build detections, audit STIGs, and write reports.
AI Agentsai-agentsai-securitybug-bountyclaude-codectf
Installation
# Add to your Claude Code skills
git clone https://github.com/0xSteph/pentest-ai
README.md
pentest-ai
Turn Claude Code into your offensive security research assistant.
17 specialized AI subagents for every phase of authorized penetration testing, from scoping to reporting. MITRE ATT&CK mapped. Dual offensive/defensive perspective in every response.
The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.
pentest-ai is a collection of Claude Code subagents: specialized AI assistants that activate automatically based on what you're working on. Ask Claude to plan a pentest, and the engagement planner agent takes over. Paste Nmap output, and the recon advisor analyzes it. Each agent carries deep domain knowledge in offensive security methodology, MITRE ATT&CK mappings, and industry-standard frameworks.
You don't need to be an expert to use these agents. They communicate at whatever level you need, from explaining what Kerberoasting is to providing exact Impacket command syntax for a senior operator.
How It Works
Install the agent files into your Claude Code agents directory
Open Claude Code and describe your task naturally
Claude automatically routes to the right specialist agent
No configuration, no commands to memorize. Just describe what you need.
Quick Demo: Advisory Mode (Tier 1)
$ claude
You: Analyze this Nmap scan and prioritize targets for our internal pentest
▸ Routing to recon-advisor agent...
## Prioritized Target Summary
### Critical Priority (Exploit Immediately)
| Host | Port | Service | Finding |
|------------|------|---------|--------------------------|
| 10.10.1.5 | 445 | SMB | SMBv1 enabled, MS17-010 |
| 10.10.1.20 | 3389 | RDP | BlueKeep (CVE-2019-0708) |
### Recommended Next Steps
1. nmap -sV --script smb-vuln* 10.10.1.5
2. crackmapexec smb 10.10.1.0/24
3. bloodhound-python -d corp.local
Quick Demo: Execution Mode (Tier 2)
$ claude
You: My authorized scope is 10.10.1.0/24. Internal network pentest.
Run a service scan on the subnet.
▸ Routing to recon-advisor agent...
Scope recorded: 10.10.1.0/24 (internal)
I'll start with host discovery, then do targeted service detection
on live hosts.
[MODERATE] Host discovery scan:
nmap -sn 10.10.1.0/24 -oN nmap_10.10.1.0_discovery_20260330_140000.txt
▸ Allow Bash command? [y/n]
Found 47 live hosts. Running service detection on the top ports...
[MODERATE] Service scan on live hosts:
nmap -sT -sV -sC --top-ports 1000 --min-rate 100 --max-rate 1000
--host-timeout 300s -iL live_hosts.txt
-oN nmap_10.10.1.0_services_20260330_140215.txt
▸ Allow Bash command? [y/n]
## Prioritized Target Summary
| Priority | Host | Port | Service | Finding |
|----------|------------|------|----------------|-----------------------|
| Critical | 10.10.1.5 | 445 | SMB 1.0 | MS17-010 likely |
| Critical | 10.10.1.20 | 3389 | RDP 10.0.17763 | BlueKeep candidate |
| High | 10.10.1.12 | 8080 | Jenkins 2.289 | Pre-auth RCE range |
Evidence saved. Want me to run SMB vulnerability scripts on 10.10.1.5 next?
Agents
Offensive Operations
| Agent | What It Does | Example Prompt |
|-------|-------------|----------------|
| Engagement Planner | Plans penetration tests with phased methodology, MITRE ATT&CK technique mapping, time estimates, and rules of engagement templates | "Plan an internal network pentest for a 500-endpoint Active Directory environment with a 2-week window" |
| Recon Advisor | Parses output from Nmap, Nessus, BloodHound, and 20+ tools. Prioritizes targets, maps CVEs, and recommends specific next commands. Tier 2: can execute recon tools directly with your approval. | "Scan 10.10.1.0/24 and tell me what to hit first" |
| OSINT Collector | Open source intelligence gathering: domain recon, email harvesting, social media profiling, breach data analysis, and infrastructure mapping | "Build an OSINT profile on this target domain before our external engagement" |
| Exploit Guide | Detailed exploitation methodology covering AD attacks, web apps, cloud, and post-exploitation. Every technique includes the defensive perspective | "Walk me through AS-REP Roasting and how defenders detect it" |
| Privilege Escalation | Systematic Linux and Windows privilege escalation methodology. SUID abuse, token impersonation, service exploitation, kernel exploits, and container escape | "Here's my linpeas output, what's the fastest path to root?" |
| Cloud Security | AWS, Azure, and GCP penetration testing methodology. IAM privilege escalation, container escape, serverless exploitation, and cloud-native attack paths | "I have read-only AWS access with this IAM policy. Find privilege escalation paths" |
| API Security | REST, GraphQL, and WebSocket security testing. OWASP API Top 10, JWT attacks, OAuth exploitation, BOLA/BFLA testing, and API discovery | "Test this API for BOLA. Here's the Swagger doc and a valid JWT" |
| Mobile Pentester | Android and iOS application security testing. APK/IPA analysis, Frida hooking, SSL pinning bypass, OWASP MASTG/MASVS methodology | "Decompile this APK and check for hardcoded secrets and certificate pinning" |
| Wireless Pentester | WiFi and Bluetooth penetration testing. WPA/WPA2/WPA3 attacks, evil twin, rogue AP, enterprise wireless, and Bluetooth security | "Capture a WPA2 handshake and set up an evil twin for this corporate network" |
| Social Engineer | Phishing campaigns, pretexting, vishing, physical social engineering, and security awareness assessments for authorized red team engagements | "Design a phishing campaign for this engagement using GoPhish" |
Defense & Analysis
| Agent | What It Does | Example Prompt |
|-------|-------------|----------------|
| Detection Engineer | Produces deployment-ready detection rules in Sigma, Splunk SPL, Elastic KQL, and Sentinel KQL with false positive tuning guidance | "Create a detection rule for DCSync with Sigma and Splunk SPL" |
| Threat Modeler | STRIDE/DREAD threat modeling, attack tree construction, data flow analysis, and architecture-specific threat enumeration | "Build a STRIDE threat model for our microservices API gateway" |
| Forensics Analyst | Digital forensics and incident response. Evidence acquisition, memory forensics, disk analysis, timeline construction, and chain of custody | "Walk me through a Volatility 3 workflow for this memory dump" |
| Malware Analyst | Binary analysis, reverse engineering, sandbox methodology, YARA rule writing, and IOC extraction | "Analyze this suspicious PE file. Start with static analysis then walk me through Ghidra" |
| STIG Analyst | DISA STIG compliance analysis with GPO remediation paths, risk scores, verification commands, and keep-open justification templates | "Analyze V-220768, what breaks if I apply it, and write a keep-open justification" |
Reporting & Learning
| Agent | What It Does | Example Prompt |
|-------|-------------|----------------|
| Report Generator | Transforms raw findings into professional pentest reports with executive summaries, CVSS scoring, evidence formatting, and remediation roadmaps | "Compile these 12 findings into a professional report with an executive summary" |
| CTF Solver | Methodical challenge-solving partner for HackTheBox, TryHackMe, and competitive CTFs. Covers web exploitation, binary exploitation, reverse engineering, cryptography, forensics, and OSINT | "I'm stuck on this HackTheBox machine. I have a low-priv shell. Help me enumerate for privesc" |
Agent Capabilities at a Glance
OFFENSIVE OPERATIONS
engagement-planner ── PTES, OWASP, NIST 800-115, MITRE ATT&CK
Rules of engagement templates
Phased methodology with time estimates
recon-advisor ─────── Nmap, Nessus, BloodHound, masscan, Shodan + 20 more
CVE mapping and attack surface prioritization
Specific follow-up command
