by 0xSteph
Turn Claude Code into your offensive security research assistant. Specialized AI subagents for authorized penetration testing plan engagements, analyze recon, research exploits, build detections, audit STIGs, and write reports.
# Add to your Claude Code skills
git clone https://github.com/0xSteph/pentest-ai-agentsGuides for using ai agents skills like pentest-ai-agents.
Last scanned: 5/5/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-05T06:18:27.218Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}50 Claude Code subagents for penetration testing.
Quick Start | Cheatsheet | Coverage | Agents | Examples
pentest-ai-agents is a collection of 50 Claude Code subagents that turn Claude into an offensive security research assistant. Each agent carries deep domain knowledge in a specific area: recon, web, Active Directory, cloud, mobile, wireless, social engineering, payload crafting, reverse engineering, exploit chaining, detection engineering, forensics, and more.
Install the agent files. Open Claude Code. Describe your task. Claude routes to the right specialist automatically.
No servers, no Python deps, no setup beyond copying files.
/plugin marketplace add 0xSteph/pentest-ai-agents then /plugin install pentest-ai-agents@pentest-ai-agents. The install.sh curl path still works unchanged.ai-recon (AI attack-surface mapping), code-auditor, crypto-analyzer, password-auditor, database-attacker, network-attacker, traffic-analyzer, compliance-mapper, risk-scorer, plus the post-exploitation set — evasion-specialist, persistence-planner, data-exfiltrator, scada-attacker, iot-pentester, lateral-movement. Every offensive agent pairs its techniques with the detection they exercise.cicd-redteam is Bash-capable but was missing the mandatory scope-enforcement block — now fixed (the new CI check would have caught it).curl | bash no longer crashes under set -u, the one-liner clone URL is corrected, slash commands now install alongside the agents, and --uninstall removes everything cleanly.c2-operator (Sliver/Mythic/Havoc/Cobalt Strike profile tuning, beacon hygiene, redirector design), container-breakout (Docker/K8s escape, runc/cri-o CVEs, kubelet exploitation, RBAC abuse), opsec-anonymizer (operator-side identity hygiene, source IP design, burner infrastructure, fingerprint hygiene), llm-redteam (OWASP LLM Top 10 testing, prompt injection, RAG poisoning, MCP server abuse, agent tool abuse)._scope-guard.md covers DoS, mass scanning, unattended worms, false-flag operations, safety-of-life systems.vulns.tool_used column for filtering findings by the tool that produced them; new indexes on cve and tool_used. Existing engagements migrate forward via db/migrate.sh.flowchart LR
classDef plan fill:#1a2a4a,stroke:#5a7ab8,color:#eaf0ff
classDef recon fill:#1a3a2a,stroke:#5ab87a,color:#eaffea
classDef exploit fill:#3a1a1a,stroke:#b85a5a,color:#ffeaea
classDef post fill:#3a2a1a,stroke:#b8895a,color:#fff0ea
classDef defense fill:#1a3a3a,stroke:#5ab8b8,color:#eaffff
classDef report fill:#2a1a3a,stroke:#895ab8,color:#f0eaff
EP[engagement-planner]:::plan
OA[opsec-anonymizer]:::plan
TM[threat-modeler]:::plan
OS[osint-collector]:::recon
RA[recon-advisor]:::recon
VS[vuln-scanner]:::recon
WH[web-hunter]:::exploit
AS[api-security]:::exploit
BL[bizlogic-hunter]:::exploit
BB[bug-bounty]:::exploit
AD[ad-attacker]:::exploit
CS[cloud-security]:::exploit
MP[mobile-pentester]:::exploit
WP[wireless-pentester]:::exploit
LR[llm-redteam]:::exploit
SE[social-engineer]:::exploit
PO[phishing-operator]:::exploit
CT[ctf-solver]:::exploit
CR[credential-tester]:::exploit
PV[poc-validator]:::exploit
EG[exploit-guide]:::exploit
EC[exploit-chainer]:::exploit
AP[attack-planner]:::exploit
PC[payload-crafter]:::exploit
RE[reverse-engineer]:::exploit
PE[privesc-advisor]:::post
CB[container-breakout]:::post
C2[c2-operator]:::post
CI[cicd-redteam]:::post
SO[swarm-orchestrator]:::post
DE[detection-engineer]:::defense
FA[forensics-analyst]:::defense
MA[malware-analyst]:::defense
SA[stig-analyst]:::defense
RG[report-generator]:::report
EP --> OA --> OS
EP --> TM
OS --> RA --> VS
VS --> WH & AS & BL & BB & AD & CS & MP & WP & LR
SE --> PO
BB --> WH
PO --> PC --> C2
AD --> CR
AD --> PE
CS --> CB
CB --> PE
WH --> PV
AS --> PV
PV --> EC --> AP
EC --> EG
PC --> RE
RE --> MA
AP --> SO
C2 --> DE
SO --> RG
DE --> FA
MA --> RG
SA --> RG
CT -.solo.-> RG
CI -.pipeline.-> SO
Tier 1 (advisory) agents are routable from any task. Tier 2 (execution-capable) agents require a declared scope and live in the offensive operations cluster.
payload-crafter (msfvenom, Donut, custom loaders), reverse-engineer (Ghidra, JadX, Radare2, Binwalk), phishing-operator (Evilginx, GoPhish, dnstwist)/recommend "freeform task" routes you to the right agent + concrete commands. /agents-for <tag> filters the catalog by domain.db/doctor.sh: audits which underlying CLI tools are installed on your box, grouped by agent. Shows ✔ and ✘ per tool with install hints.install.sh --tools: opt-in installer that pulls in the underlying tools via apt/brew/pacman + pipx/go/cargo.One command:
curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash
That's it. The script clones the repo to a temp dir, copies the agents to ~/.claude/agents/, and exits. Idempotent: safe to re-run for updates.
Or install as a Claude Code plugin (no clone; updates through the marketplace):
/plugin marketplace add 0xSteph/pentest-ai-agents
/plugin install pentest-ai-agents@pentest-ai-agents
This registers all 50 agents and the slash commands through Claude Code's plugin system. Pick the plugin or the installer — you don't need both.
Then open Claude Code:
"Plan an internal network pentest for a 500-endpoint AD environment with a 2-week window."
Claude routes to the engagement planner agent and produces a phased plan with MITRE ATT&CK mappings.
Prefer to clone first?
git clone https://github.com/0xSteph/pentest-ai-agents.git
cd pentest-ai-agents && ./install.sh --global
Other install options:
./install.sh --project # Install for current project only
./install.sh --global --lite # Use Haiku for advisory agents (lower cost)
./install.sh --tools # Install underlying CLI tools (nmap, nuclei, ffuf, etc.)
./install.sh --help # All options
See INSTALL.md for step-by-step instructions, including first-time Claude Code setup.
Quick interactions once installed:
| Command | What It Does |
|---|---|
/recommend "phish a small SaaS team's IT department" |
Picks the right agent and gives concrete next commands |
/agents-for web |
Lists every agent relevant to web testing (web-hunter, api-security, bug-bounty, bizlogic-hunter) |
/agents-for cloud |
Cloud-specific agents (cloud-security, cicd-redteam) |
db/doctor.sh |
Audits which underlying CLI tools you have, grouped by agent. Shows ✔/✘ and install hints. |
db/doctor.sh --agent ad-attacker |
Audit just the AD tooling stack |
db/doctor.sh --json |
Machine-readable output for piping into a script |
install.sh --tools |
Install the underlying tools via your package manager + pipx/go/cargo |
findings.sh init <id> |
Start a new engagement (persistent SQLite findings DB) |
findings.sh stats |
Engagement progress |
findings.sh export |
Full JSON export |
bash handoff.sh |
Markdown handoff report between sessions |
In Claude Code, just describing your task routes automatically:
"Plan an internal pentest for a 500-endpoint AD environment, 2-week window."
"I have a domain user, where do I look first in BloodHound?"
"Convert this SharpHound EXE into shellcode f
pentest-ai-agents is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by 0xSteph. Turn Claude Code into your offensive security research assistant. Specialized AI subagents for authorized penetration testing plan engagements, analyze recon, research exploits, build detections, audit STIGs, and write reports. It has 1,939 GitHub stars.
Yes. pentest-ai-agents passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/0xSteph/pentest-ai-agents" and add it to your Claude Code skills directory (see the Installation section above).
pentest-ai-agents is primarily written in Shell. It is open-source under 0xSteph on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh pentest-ai-agents against similar tools.
No comments yet. Be the first to share your thoughts!