live · v0.9.1 · MIT

Find it. Chain it. Prove it.

Autonomous AI pentesting that finds bugs, chains them, and proves them safely. Runs on your machine. Nothing leaves your box.

$ pip install ptai
191 security tools · 11 specialist agents · 32 MCP tools · SARIF · CI/CD native
the difference

Scanners flag findings. pentest-ai weaponizes them.

Burp, Nessus, and Nuclei give you a flat list of issues. We connect them into multi-step attack paths, score every chain, and validate each step with a safe proof-of-concept.

scanner output · 47 findings · flat
6.1 highest single CVSS · noise · manual triage required
MED · /api/proxy?url= · external fetch · 5.4
MED · IMDSv1 metadata reachable · 6.1
LOW · IAM node-role over-privileged · 4.3
HIGH · aws-auth ConfigMap: cluster-admin · 7.8
MED · secrets readable in prod ns · 5.9
triage queue: 47 tickets · ~3 days
no chain context · no PoC · no blast radius

pentest-ai chain · CRITICAL 9.8 · chained
9.8 chain severity · signal · safe PoC per step
01 · SSRF: /api/proxy?url= · entry · ✓ PoC
02 · → IMDSv1 · role STS creds · pivot · ✓ PoC
03 · → assume node role · eks-node · lateral · ✓ PoC
04 · → aws-auth: cluster-admin · escalate · ✓ PoC
05 · → kubectl * · prod compromise · objective · ✓ PoC
report: 1 chain, 5 validated steps · ~4 min
SARIF + Sigma + MITRE ATT&CK map shipped
signature moment

Every attack chain, drawn for you

Nodes, edges, proof-of-concept per step. No more copy-pasting between tools.

01 · entry · SSRF via image proxy
02 · pivot · IMDSv1 → STS creds
03 · lateral · assume node role
04 · escalate · aws-auth: cluster-admin
05 · objective · prod EKS compromise
live output

Watch a real engagement in motion

Recon, exploit, chain, validate, report. Fully auditable. Human approval at every risky step.

capabilities

Everything runs locally.
You own every byte.

MCP server exposing 32 tools to any AI client. 11 specialist agents wrap 191 security tools, share recon context, and stamp every finding with a CVSS v3.1 score and a validated PoC.

tools_per_engagement

Security tooling, wrapped

nmap · nuclei · ffuf · sqlmap · trivy · kube-hunter · BloodHound · impacket · and 183 more, all via one MCP endpoint.

web · 41
network · 30
binary · 27
osint · 24
cloud · 22
password · 14
11_specialists

Agents with context sharing

Each agent streams findings to the shared engagement graph. No duplicate work, no lost signal.

recon-agent scanning subdomains
web-hunter testing 47 endpoints
cloud-agent enumerating IAM
ad-attacker mapping ACLs
exploit-chainer building paths
poc-validator confirming findings
chain_engine

Templates

Six battle-tested attack paths, rotating live:

web → cloud
AD → DA
K8s → lateral
supply → prod
CI → prod
bounty → pwn
proof_of_concept

Every finding ships a safe PoC

Non-destructive reproducers, captured HAR, screenshot, request/response trace. False positives get filtered before your report.

[poc] blind SQLi confirmed · time-based · sleep(5) verified 3×
[poc] safe bucket listing · no mutation, 12 objects enumerated
[poc] XSS fires in sandbox · screenshot captured → evidence/f-014.png
ci_cd_native

Ships SARIF + JUnit + PDF

Drop pentest-ai into GitHub Actions. Breaks the build on severity gate. Posts findings as PR comments.

pentest-ai[bot] commented · feat/payments-api · #482
crit · JWT alg=none accepted on /api/v2/admin
crit · IDOR on /api/v2/users/{id}/billing
poc · 2 findings validated, 0 false positives
severity gate: failed · build blocked · sarif.json uploaded
detection_output

Blue-team ready

Auto-generates Sigma, Splunk SPL, and KQL for every offensive technique used during the engagement.

llm_red_team

OWASP LLM Top 10

Prompt injection, training-data leakage, insecure output, model DoS, covered as first-class assessment targets.

LLM01 · Prompt injection
LLM02 · Insecure output
LLM03 · Training data leak
LLM04 · Model DoS
LLM05 · Supply chain
LLM06 · Sensitive info
LLM07 · Insecure plugins
LLM08 · Excessive agency
LLM09 · Overreliance
LLM10 · Model theft
data_sovereignty

Local-first, zero telemetry

Your engagement never leaves your machine. MIT licensed. Self-hosted. Deterministic.

outbound · 0 B
telemetry · disabled
storage · local only
license · MIT
pricing

Three ways to use pentest-ai

Free OSS for individuals. Enterprise dashboard for teams. Managed Assessment delivered.

no per-seat · no per-scan · no hidden fees · cancel anytime
open_source
for builders & CI
The CLI
Free · forever
Full CLI + MCP server, no auth, no limits
  • 191 security tools
  • 11 specialist agents
  • Autonomous exploit chaining
  • PoC validation
  • CVSS v3.1 + MITRE ATT&CK mapping
  • SARIF + JUnit + PDF reports
  • CI/CD pipeline mode
  • Checkpoint + resume
  • MIT license
managed · limited
one-time engagements
Full assessment
$9,500 · one-time
typical human pentest: $15k–$30k
Full pentest engagement, delivered for you
capacity · 5 / quarter
by application · ~3-week turnaround
includes 3 months Enterprise ($1,497 value)
  • Complete autonomous pentest
  • Pre-engagement scoping
  • Exploit chain validation + PoCs
  • Executive + technical reports
  • Compliance framework mapping
  • Remediation priorities
  • 30-min findings walkthrough
  • 90-day retest window
  • Dedicated Slack channel
faq 12 questions

Common questions

Yes. All 191 tools, 11 agents, 32 MCP tools, exploit chaining, PoC validation, CVSS, SARIF + JUnit + PDF export, CI/CD mode, compliance mapping, Sigma/SPL/KQL generation, checkpoint-resume. Free under MIT. Enterprise ($499/mo) is a separate hosted dashboard for teams that want SSO, shared workspaces, and scheduling.
We take isolated low-severity findings and connect them into multi-step attack paths. Info disclosure + weak permission + credential reuse = Domain Admin. Each step requires your approval. Six templates cover web, AD, cloud, containers, supply chain, and API attacks.
Scanners output a flat list of isolated findings. pentest-ai connects low-severity items into multi-step chains (SSRF → IMDS → cluster-admin), scores the chain end-to-end, and validates each step with a safe PoC. You get one real attack path instead of 47 tickets to triage.
Yes, within the program's scope and rules. Use --scope to constrain targets. The bug-bounty preset auto-prunes out-of-scope hosts, disables destructive modules, and formats findings to match most program templates.
No. Every risky command runs in human-in-the-loop mode. You see the full command and approve or deny before execution. Set --auto at your own risk for sandboxed targets.
The CLI runs on your machine. Scans, findings, evidence, and reports stay local unless you upload them yourself. The only exception is the LLM call: prompts go to whatever model backend you choose. Use a local model via Ollama to keep everything offline. Enterprise dashboard sync is opt-in per workspace.
You need a model backend. Options: Claude, OpenAI, or a local model via Ollama (Llama 3, Mistral, Qwen). The tools themselves are free. Running with Ollama means zero cloud calls and no API key required. Set the backend with PTAI_MODEL=ollama/llama3 or similar.
Every finding ships with the exact request and response, a screenshot or captured payload where applicable, CWE + CVSS scoring, and for chains, the PoC script that validated each step. Evidence is hashed and stored alongside the finding so you can replay it or attach it to a report.
A full pentest engagement delivered at $9,500 one-time. Scoping, autonomous pentest, exploit-chain validation with PoCs, executive + technical reports, 30-minute findings walkthrough, 90-day retest, 3 months of Enterprise. Capacity is 5 engagements per quarter, by application.
The OSS CLI is the trial. Same engine, same tools, same chaining, runs locally for free. Enterprise adds shared workspaces, SSO, scheduling, API access, and the dashboard. If you want a 30-min walkthrough before committing, email sales and we'll set one up.
Linux and macOS are first-class. Windows works via WSL2. Install with pip install ptai, pipx install ptai, or uvx ptai. Python 3.10 or newer.
GitHub Issues for bugs and feature requests. Email [email protected] for Enterprise and Managed customers. Enterprise includes a dedicated Slack channel and a 24h response SLA during business hours.
built by pentesters, for pentesters

Start finding what scanners miss.

Open source. Run it locally. Own your data.

1 · install
$ pip install ptai
python 3.10+ · macOS, linux, WSL2
2 · run
$ ptai start your-target.com
pick scope · pick agent · approve each step
3 · ship
↗ SARIF + JUnit + PDF
fail the build · attach to jira · brief the exec
MIT licensed · SARIF 2.1.0 · CVSS v3.1 · MITRE ATT&CK · No telemetry