AI for Pentesting

A new class of tool — autonomous enough to find, exploit, and report real vulnerabilities with minimal hand-holding — has matured fast. XBOW scored #1 on the global HackerOne leaderboard; open-source alternatives like Strix run the full pentest loop locally with a graph-of-agents architecture; MCP wrappers of classical tools (Kali, Burp Suite) turn an LLM into a harness over the existing toolkit. This topic catalogs those tools and the few primary write-ups that describe how they actually perform. Distinct from topic 08: every tool here uses AI to attack conventional systems; topic 08's tools attack AI systems.

Start here

  • The Road to Top 1: How XBOW Did It [blog] — CISO Nico Waisman describes the three-phase infrastructure that took XBOW to #1 on the US HackerOne leaderboard: benchmarking against CTF scenarios, discovering zero-days in open-source projects, then competing black-box against human researchers at scale. Key details: domain scoring for target prioritization, SimHash and image hashing for deduplication, headless-browser payload verification, and the triage breakdown — 54 critical, 242 high, 524 medium — that demonstrates real-world coverage. The primary account of how a purpose-built agentic offensive system outperforms human researchers on a public leaderboard. (Waisman / XBOW, Jun 2025)

  • We Ran 1,060 Autonomous Attacks. Here's What the Industry Gets Wrong. [blog] — Head of AI Albert Ziegler uses XBOW's production data to directly rebut the International AI Safety Report 2026's claim that "fully autonomous attacks aren't yet possible." The numbers: 1,060 HackerOne submissions, 48-step exploit chains, cryptographic implementations broken in 17.5 minutes, a 40-hour principal-pentester assessment matched in 28 minutes. Architecture note: thousands of short-lived narrowly-focused agents orchestrated by a coordinator, with deterministic logic handling validation — "creative AI discovers, deterministic logic decides what's real." The clearest primary account of what purpose-built offensive AI can actually do in 2026. (Ziegler / XBOW, Mar 2026)

  • Kali & LLM: macOS with Claude Desktop & Anthropic Sonnet LLM [blog] — The Kali Linux team's primary tutorial demonstrating their packaged mcp-kali-server in production use: SSH connectivity, MCP server installation, Claude Desktop as MCP client, and natural-language-driven nmap and nikto invocations against a real target. Distinct from third-party write-ups because it's the tool authors showing the integration on their own blog, including explicit acknowledgment of privacy trade-offs with cloud-hosted LLMs. The canonical starting point for practitioners evaluating the Kali MCP approach. (Kali Linux Blog, Feb 2026)

Go deeper

  • The Chaos Phase: How AI Is Transforming Cybersecurity Threats [blog] — XBOW founder and CEO Oege de Moor frames the current moment as a 24-month asymmetric window: phishing up 4,151% since ChatGPT's release, deepfake attacks every five minutes, 45% of CISOs feeling unprepared per Darktrace. The core argument is that attacker AI tooling has crossed a capability threshold defenders haven't matched yet, and organizations that adopt autonomous offense-informed defense now will close that window before it widens. Not a product pitch — a strategic framing of where the industry stands. (de Moor / XBOW, Sep 2025)

  • On the Surprising Efficacy of LLMs for Penetration-Testing [paper] — Happe and Cito (TU Wien / MIT) examine why LLMs work as well as they do for offensive security tasks: pattern recognition aligns with LLM core competency, dynamic security environments match LLM uncertainty tolerance, and commodity API access lowers the cost barrier sharply. The paper distinguishes interactive "vibe-hacking" from emerging fully autonomous attack modes and catalogs applications across the cyber kill chain, then honestly inventories reliability risks, safety concerns, and accountability gaps that remain open. The academic framing layer for practitioners who want to understand the "why" before deploying the "what." (Happe, Cito; arXiv 2507.00829, Jul 2025)

  • HackSynth: LLM Agent and Evaluation Framework for Autonomous Penetration Testing [paper] — Muzsai, Imolai, and Lukács (Eötvös Loránd University) present HackSynth — a dual-module Planner/Summarizer architecture for autonomous CTF-style pentesting — alongside two new benchmark sets drawn from PicoCTF and OverTheWire (200 challenges, varied difficulty). Tested against GPT-4o and open-source models; best results exceeded what GPT-4o's own system card predicted. Notable for being one of the first papers to pair an autonomous agent design with a rigorous benchmark, making it the reference for evaluating future autonomous pentest systems. (Muzsai, Imolai, Lukács; arXiv 2412.01778, Dec 2024)

Tools

  • Strix — Open-source autonomous pentest agents that run code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts — not static pattern matching. Architecture: a graph-of-agents with specialized parallel agents across attack vectors (HTTP proxy, browser automation, terminal, Python runtime, recon, code analysis). Supports GPT-5 and Claude Sonnet; installs via one-line curl; integrates into CI/CD via GitHub Actions. The distinction the authors emphasize: real PoC validation instead of theoretical risk flags. Active (Apr 2026) · 24k stars · see repo for license.

  • mcp-kali-server — The MCP server that bridges Kali Linux tools (nmap, nxc, nikto, sqlmap, hydra, wpscan, metasploit) to any MCP-capable LLM client (Claude Desktop, 5ire). Officially packaged in Kali Linux (apt install mcp-kali-server) and documented with a first-party tutorial on kali.org (see Start here). Runs an API server locally; the LLM client calls it to execute terminal commands in a controlled environment. The most widely adopted community implementation of the Kali/LLM integration pattern. Active (Mar 2026) · 649 stars · MIT.

  • PortSwigger/mcp-server — Official Burp Suite MCP server from PortSwigger, installable via the BApp Store. Exposes Burp functionality — HTTP/1.1 and HTTP/2 request sending, proxy history access and filtering, Burp Collaborator payload generation, Repeater tab creation, proxy intercept control — to AI clients including Claude. Turns Burp Suite from a manual intercepting proxy into a harness an LLM agent can operate. Written in Kotlin; auto-configures the Claude client on install. The authoritative integration for practitioners who already run Burp in their workflow. Active (Apr 2026) · 702 stars · see repo for license.

  • HexStrike AI — MCP server that exposes 150+ security tools (nmap, Metasploit, Burp, sqlmap, Nuclei, and more) to any MCP-compatible LLM agent (Claude, GPT, Copilot). Packaged as hexstrike-ai in Kali Linux. The pitch is coverage: 196 tools, modular connector architecture, single MCP interface regardless of which model is driving. Complements tool-specific wrappers (Burp-MCP, Kali-MCP) when breadth across the toolset matters more than depth on one. Active (Mar 2026) · 8.2k stars · see repo for license.

  • transilienceai/communitytools — A curated set of Claude Code skills, agents, and slash commands for offensive security — pentest workflows, bug bounty recon, and research assistants. Turns a general-purpose coding agent into a specialized red-team tool. Includes /pentest, /hackerone, /hackthebox, /reconnaissance, and /source-code-scanning commands; 35+ specialized agents running in parallel; ships with a Kali Linux container pre-configured with Claude Code, Playwright, and all Kali tools. The autonomous pentest agent scores 100% on a published CTF benchmark suite (104/104) and holds Pro Hacker rank on Hack The Box. Active (Apr 2026) · 195 stars · see repo for license.

Watch

  • Chapter 8.4: AI Powered Pen-Testing Tools — Bake Off Results! [video] — Comparative evaluation of XBOW, Strix, Kali-MCP, Burp-MCP, and Claude Code across common pentest tasks; unique in that no other primary source publishes a head-to-head across all five tools in a single session. (KK Mookhey / Transilience AI, ~16 min)

Related topics

  • → 07 Red Teaming — adversarial evaluation methodology for AI systems; not tool-focused
  • → 08 Attacking AI Tooling — tools that attack AI systems (PyRIT, Garak); topic-08/12 distinction: those tools attack AI, these tools use AI to attack everything else