agent  by PentesterFlow

Agentic AI CLI for offensive security

Created 1 month ago
699 stars

Top 48.1% on SourcePulse

GitHubView on GitHub
Project Summary

Summary

PentesterFlow is an open-source, terminal-based AI agent designed for penetration testers and bug hunters. It automates offensive security tasks from reconnaissance to reporting, prioritizing analyst control, transparent execution, and operational learning. The system enhances AI-assisted security assessments by integrating real-world tools and a unique local learning mechanism, aiming to improve efficiency and auditability.

How It Works

The core architecture follows an agent loop: plan, act, observe, verify, report, and learn. It connects to various LLM backends (local or hosted) and orchestrates security tools like shell commands and HTTP requests. A key design principle is "analyst control," requiring explicit approval for sensitive actions. PentesterFlow also features a "continuous learning" system that locally stores project-specific and personal intelligence, improving future session effectiveness without model retraining or complex memory management.

Quick Start & Requirements

  • Installation: Standalone binaries available via curl (macOS/Linux) or PowerShell (Windows).
  • Prerequisites: Node.js (v20+). Requires integration with LLM providers such as Ollama, LM Studio, OpenAI-compatible APIs, Groq, Gemini, or Kimi.
  • Links: Install Script, GitHub Releases.
  • Example: ollama pull qwen2.5-coder:32b then pentesterflow.

Highlighted Details

  • Built-in Skills: Offers specialized Markdown playbooks for common pentest areas like recon, web vulnerabilities (IDOR, injection), SSRF, JWT, GraphQL, and more.
  • Human-in-the-Loop: Default mode requires analyst approval for executing tools and sensitive commands, with an optional YOLO mode for lab environments.
  • Continuous Learning: A local intelligence system captures user preferences, successful workflows, lessons learned, and coverage gaps, injected as context in future sessions.
  • Tool Integration: Seamlessly integrates with shell commands, HTTP requests, Burp Suite (via a companion tool for traffic ingestion and findings export), and browser capture tools.
  • Reproducibility: Generates copy-pasteable commands, evidence-backed findings in Markdown, and structured JSON-lines logs.

Maintenance & Community

The project is actively maintained, indicated by CI/CD badges and frequent release updates. Community interaction is primarily through GitHub Issues and Pull Requests for bug reports, feature requests, and contributions. No dedicated community channels like Discord or Slack are listed.

Licensing & Compatibility

Licensed under Apache-2.0. The license permits commercial use and modification, provided attribution and license preservation. A strong emphasis is placed on responsible use and explicit authorization for penetration testing activities.

Limitations & Caveats

PentesterFlow is designed strictly for authorized security assessments; misuse is prohibited. The agent's ability to execute shell commands, modify files, and process network traffic necessitates careful oversight. Debug logs, if enabled, are considered sensitive and may contain target data.

Health Check
Last Commit

3 weeks ago

Responsiveness

Inactive

Pull Requests (30d)
1
Issues (30d)
2
Star History
259 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.