deonmenezes
Autonomous AI-powered security research framework
Top 92.1% on SourcePulse
Summary
Mantishack is an AI-powered autonomous security research framework for ethical vulnerability discovery. It targets security engineers and researchers, offering a comprehensive workflow from static analysis to exploit and patch generation to accelerate vulnerability identification and remediation.
How It Works
Built on RAPTOR, Mantishack employs an agentic workflow chaining static analysis (Semgrep, CodeQL), LLM-powered vulnerability validation, exploit generation, and patch writing. It maps attack surfaces, then uses a multi-stage validation methodology to confirm exploitability, generate PoCs, and create patches. A key addition is an automatic authentication and logging audit lane.
Quick Start & Requirements
Manual install: clone the repository, pip install -r requirements.txt, and install Claude Code (npm install -g @anthropic-ai/claude-code) and Semgrep (pip install semgrep). The recommended Devcontainer setup requires Docker and VS Code, providing a pre-installed ~6GB image that needs the --privileged flag for the rr deterministic debugger. Upstream project: github.com/gadievron/raptor.
Highlighted Details
/mantis-agentic) covering scan, auth+logging audit, validation, exploit, and patch generation.
mantis-auth-audit lane for automatic JWT, cookie, and audit-log security checks using Semgrep rules and pytest fixtures.
Maintenance & Community
Mantishack is a fork of the RAPTOR project, with upstream development continuing at github.com/gadievron/raptor. Framework-level issues and PRs should be directed upstream. Fork-specific issues can be filed at github.com/deonmenezes/mantishack/issues.
Licensing & Compatibility
The project uses an MIT dual-copyright license: Upstream RAPTOR code (© 2025-2026 Gadi Evron et al.), and fork modifications (© 2026 Deon Menezes). Crucially, the CodeQL dependency prohibits commercial use. Users must review all dependencies for compatibility.
Limitations & Caveats
Mantishack is described as "not polished software" and "rough in the corners." Framework issues are directed upstream. The /mantis-web component is currently in Alpha/stub status. Commercial use is restricted due to the CodeQL license.