Pentest Ai Agents
Spin up Claude Code subagents to plan pentests, parse recon output, research exploits, write detections, and draft offensive-security reports without hand-picking specialists.
Overview
pentest-ai-agents is an agent skill most often used in Ship (also Operate, Build) that wires Claude Code to 35 offensive-security subagents for planning, recon analysis, exploit research, detections, and reporting.
Install
npx skills add https://github.com/aradotso/security-skills --skill pentest-ai-agentsWhat is this skill?
- 35 specialized subagents route automatically from natural-language task descriptions—no manual agent picker.
- Covers 80+ offensive tools (nmap, nuclei, BloodHound, Impacket, Sliver, Ghidra, and similar).
- End-to-end flows: engagement planning, recon analysis, exploit chaining, detection engineering, and pentest reporting.
- Domains include web, Active Directory, cloud, mobile/wireless, social engineering, payloads, reverse engineering, and fo
- One-line install script copies the full agent bundle into your Claude Code environment.
- 35 specialized offensive-security subagents
- 80+ offensive security tools referenced in agent knowledge
Adoption & trust: 605 installs on skills.sh; 1 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need penetration-test planning and tool-aware analysis faster than juggling separate playbooks, parsers, and report templates by hand.
Who is it for?
Authorized offensive-security work, red-team style research, and detection engineering when Claude Code is already your daily driver.
Skip if: Casual app builders who only need dependency scanning or basic OWASP checklist pass-through without a scoped, legal penetration test program.
When should I use this skill?
Plan a penetration test engagement, analyze nmap or BloodHound output, research exploits, build detection rules, generate a pentest report, pursue offensive security research, set up AI agents for pentesting, or audit co
What do I get? / Deliverables
You get routed subagent expertise across recon through reporting—including detection-rule drafts and structured engagement output—without manually selecting specialist personas.
- Engagement plans and structured penetration-test reports
- Exploit research summaries and attack-chain reasoning
- Detection-rule drafts aligned to observed TTPs
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Penetration testing, exploit research, and engagement reporting belong on the Ship shelf where you harden and validate attack surface before and around release. Security is the canonical subphase for offensive testing workflows, STIG-style compliance checks, and vulnerability-driven hardening tasks.
Where it fits
Turn scope notes into a structured penetration-test plan before staging a release candidate.
Interpret BloodHound or nmap output into prioritized attack paths for remediation.
Draft Sigma or detection ideas after researching how a specific exploit chain behaves in production logs.
Run the install script and align Claude Code triggers with your engagement checklist.
How it compares
Use for multi-agent offensive-security workflows instead of a single generic “security review” chat prompt.
Common Questions / FAQ
Who is pentest-ai-agents for?
Security practitioners, indie consultants, and small teams running authorized penetration tests or detection research with Claude Code who want specialist subagents on demand.
When should I use pentest-ai-agents?
Use it in Ship when planning engagements or hardening around findings; in Operate when turning TTPs into detection rules; and in Build when installing and configuring the agent bundle for pentest workflows.
Is pentest-ai-agents safe to install?
Treat it as high-trust offensive tooling: review the Security Audits panel on this Prism page, verify the install source, and only run against systems you are explicitly authorized to test.
SKILL.md
READMESKILL.md - Pentest Ai Agents
# pentest-ai-agents > Skill by [ara.so](https://ara.so) — Security Skills collection. pentest-ai-agents transforms Claude Code into an offensive security research assistant through 35 specialized subagents. Each agent carries deep domain knowledge in specific areas: recon, web testing, Active Directory, cloud security, mobile/wireless pentesting, social engineering, payload crafting, reverse engineering, exploit chaining, detection engineering, and forensics. The agents route automatically based on task description—no manual agent selection needed. They understand 80+ offensive security tools (nmap, nuclei, BloodHound, Impacket, Sliver, Ghidra, etc.) and can plan engagements, analyze recon data, research exploits, chain attacks, build detections, and write reports. ## Installation ### Quick Install (Recommended) ```bash curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash ``` This copies agent files to `~/.claude/agents/` and is idempotent (safe to re-run for updates). ### Manual Clone and Install ```bash git clone https://github.com/0xSteph/pentest-ai-agents.git cd pentest-ai-agents # Install agents globally for all projects ./install.sh --global # Or install for current project only ./install.sh --project # Use Haiku for advisory agents (lower cost) ./install.sh --global --lite # Also install underlying CLI tools (nmap, nuclei, ffuf, etc.) ./install.sh --tools ``` The `--tools` flag installs underlying offensive security tools via apt/brew/pacman + pipx/go/cargo. ### Installation Modes | Flag | Behavior | |------|----------| | `--global` | Install to `~/.claude/agents/` (all projects) | | `--project` | Install to `.claude/agents/` (current project) | | `--lite` | Use Haiku for Tier 1 advisory agents (cost optimization) | | `--tools` | Install underlying tools (nmap, nuclei, BloodHound, etc.) | ## Agent Architecture ### Tier 1 vs Tier 2 - **Tier 1 (Advisory)**: Analyze data, plan engagements, recommend commands. Never execute tools directly. Examples: engagement-planner, exploit-guide, detection-engineer. - **Tier 2 (Execution-capable)**: Can run tools with user approval and declared scope. Examples: recon-advisor, web-hunter, ad-attacker, payload-crafter. All Tier 2 agents enforce scope guards—they require explicit engagement scope declaration and refuse out-of-scope actions. ### Agent Categories ``` Planning & OSINT: - engagement-planner: Phased pentest plans with MITRE ATT&CK mappings - threat-modeler: STRIDE/DREAD threat modeling - opsec-anonymizer: Operator identity hygiene, source IP design - osint-collector: Domain recon, email harvesting, social profiling - recon-advisor: Parses nmap/nuclei/BloodHound, prioritizes targets Vulnerability Discovery: - vuln-scanner: nuclei, nikto, nmap NSE, RouterSploit orchestration - web-hunter: ffuf, gobuster, sqlmap, dalfox, Commix - api-security: API testing (GraphQL, REST, gRPC) - bizlogic-hunter: Business logic flaws, race conditions, IDOR - bug-bounty: Bug bounty workflow optimization - llm-redteam: OWASP LLM Top 10, prompt injection, RAG poisoning Infrastructure Attacks: - ad-attacker: BloodHound, Impacket, NetExec, Certipy, Kerberos abuse - cloud-security: AWS/Azure/GCP misconfig, SCPs, IAM abuse - cicd-redteam: Pipeline exploitation, artifact poisoning - container-breakout: Docker/K8s escape, runc/cri-o CVEs, RBAC abuse Specialized Domains: - mobi