<2-3 sentences summarising what the project addresses and solves, the target audience, and the benefit.> Pentest-AI automates offensive security engagements by integrating over 200 real-world tools with LLMs. It targets AppSec teams, consultants, and researchers, delivering validated findings with working PoCs and audit-ready reports, streamlining complex pentesting workflows.

How It Works

The system employs LLM-driven agents to orchestrate a vast toolkit (200+ tools, 60 probes) across security phases. Its novelty lies in LLM coordination rather than dependency, enabling autonomous or human-assisted operation. It uniquely handles authenticated sessions and generates non-destructive PoCs for every finding, operating locally without requiring separate API keys for its core MCP functionality.

Quick Start & Requirements

Install via pip install ptai (Python 3.10+). Use existing LLM subscriptions (Claude Pro) via MCP, or provide API keys (Anthropic, OpenAI, Ollama) for standalone CLI. Full tool installation takes ~30 minutes (ptai setup --tier full). Key resources: Docs, Benchmarks, Discord.

Highlighted Details

• 200+ security tools with smart auto-installation.
• 60 specialized probes for OWASP Top 10 and SPA coverage.
• 17 agents covering diverse security domains.
• LLM-driven engagements via MCP (Claude Code, Cursor) without extra API keys.
• Authenticated scanning with session persistence.
• Non-destructive PoC validation for every finding.
• CI-native support (SARIF, severity gates).
• YAML playbooks for custom methodologies.
• Human-In-The-Loop (HITL) teleoperation.
• Public, reproducible benchmarks.

Maintenance & Community

Active development (v0.14.0, May 2026). Community support via Discord, GitHub Discussions, and Issues.

Licensing & Compatibility

MIT license, permissive for commercial use and integration into closed-source projects.

Limitations & Caveats

LLMs are not fully autonomous; HITL is provided. Probe coverage is expanding, impacting effectiveness on novel targets. Benchmarks on highly-documented targets may inflate results. Standalone CLI requires LLM API keys if not using MCP.