pentest-ai agents are designed to give deep, methodology-driven responses. That depth costs tokens. This guide covers practical ways to reduce consumption without gutting the quality that makes these agents useful.
When you invoke a pentest-ai agent, tokens are consumed in three places:
- System prompt (the agent's
.mdfile) is loaded once per conversation and stays in context for every message - Your input (prompts, pasted scan output, follow-up questions)
- Agent output (analysis, commands, tables, recommendations)
The system prompt is the fixed cost. A single agent ranges from ~900 tokens (engagement-planner) to ~7,600 tokens (threat-modeler). The average is ~3,100 tokens per agent.
./install.sh --global --liteLite mode installs the same agents with two changes:
- Advisory-only agents (no Bash tool) use
model: haikuinstead ofmodel: sonnet. Haiku is roughly 90% as capable for advisory tasks at a fraction of the cost. - Tier 2 execution agents stay on Sonnet because tool-use accuracy matters when running commands against live targets.
If you only want to change specific agents, edit the frontmatter:
---
model: haiku
---Good candidates for Haiku (advisory-only, no execution risk):
engagement-plannerreport-generatordetection-engineerthreat-modelerctf-solverstig-analystexploit-guideattack-plannerforensics-analystmalware-analyst
Keep on Sonnet (Tier 2 execution agents where tool-use accuracy is critical):
recon-advisorweb-huntervuln-scannerad-attackerexploit-chainerpoc-validatorbizlogic-hunterswarm-orchestrator
Vague prompts cause longer responses. Compare:
# Expensive: agent produces a full methodology walkthrough
"Help me with Active Directory attacks"
# Cheaper: agent gives you exactly what you need
"Show me the Impacket command for Kerberoasting service accounts in corp.local"
Token cost grows with conversation length because the full history stays in context. For multi-phase engagements:
- Start a new Claude Code session for each phase (recon, exploitation, reporting)
- Paste only the relevant subset of scan output, not the full dump
- Use
/clearbetween unrelated tasks in the same session
The swarm orchestrator coordinates multiple agents, which multiplies token usage. Use it for full engagements, not single-agent tasks. If you just need recon analysis, talk to recon-advisor directly.
| Aspect | Standard | Lite |
|---|---|---|
| Advisory agents | Sonnet | Haiku |
| Execution agents | Sonnet | Sonnet |
| Response quality | Full depth | Slightly condensed |
| Token cost | Baseline | ~40-60% reduction for advisory tasks |
| Best for | Professional engagements, training | Personal use, exploration, learning |
Rough estimates for common workflows:
| Workflow | Tokens (approx) |
|---|---|
| Single agent, 5-message conversation | 15,000-30,000 |
| Recon analysis of Nmap output | 10,000-20,000 |
| Full attack chain planning | 30,000-60,000 |
| Swarm orchestration (full engagement) | 100,000-300,000 |
| Report generation from findings | 20,000-40,000 |
If you need aggressive token reduction, you can trim the reference tables and examples from agent system prompts. The core methodology sections (behavioral rules, output format, scope enforcement) should stay intact. The reference tables (tool command syntax, MITRE ATT&CK mappings, example outputs) can be removed if you already know the tools.
See CUSTOMIZATION.md for how to modify agent prompts.