|
4 | 4 |
|
5 | 5 | <h1>pentest-ai</h1> |
6 | 6 |
|
7 | | -**Autonomous pentests from one command. Real tools, working PoCs, audit-ready reports.** |
| 7 | +**The pentest tool that proves its findings. No oracle, no badge.** |
8 | 8 |
|
9 | 9 | [](https://pypi.org/project/ptai/) |
10 | 10 | [](https://pypi.org/project/ptai/) |
|
13 | 13 | [](https://github.com/0xSteph/pentest-ai/stargazers) |
14 | 14 | [](https://discord.gg/6weeTAubJw) |
15 | 15 |
|
16 | | -[**Website**](https://pentestai.xyz) · [**Install**](#install) · [**Docs**](docs/) · [**Benchmarks**](docs/benchmarks/juice-shop.md) · [**Agents**](https://github.com/0xSteph/pentest-ai-agents) · [**Discord**](https://discord.gg/6weeTAubJw) |
| 16 | +[**Website**](https://pentestai.xyz) · [**Install**](#install) · [**Why verification**](docs/why-verification.md) · [**Docs**](docs/) · [**Benchmarks**](docs/benchmarks/juice-shop.md) · [**Agents**](https://github.com/0xSteph/pentest-ai-agents) · [**Discord**](https://discord.gg/6weeTAubJw) |
17 | 17 |
|
18 | 18 | </div> |
19 | 19 |
|
20 | 20 | > ⚠️ **Offensive tooling, authorized testing only.** By installing you accept the [AUP](https://pentestai.xyz/aup) and [Terms](https://pentestai.xyz/terms). Full text in [Responsible use ↓](#responsible-use) |
21 | 21 |
|
22 | | -Point ptai at a target. It runs recon, logs in, and ties findings into multi-step attack paths. Every finding comes with a working PoC. The report writes itself. |
| 22 | +ptai is an AI-driven pentest tool that re-runs every exploit to confirm it. It runs recon, logs in, and chains findings into multi-step attack paths, but it does not ask you to trust the results. The way TruffleHog confirms a leaked secret by logging in with it, ptai confirms a web finding by re-running the exploit: a finding stays a candidate until a machine oracle reproduces it N out of N, and only then does it earn a VERIFIED badge. Third-party scanner output (nuclei, nikto, zap) is held back until an oracle re-proves it. Scanner noise is what trains teams to ignore their tools, so the report carries only what ptai could prove, each VERIFIED finding with a portable proof capsule you can replay yourself. |
23 | 23 |
|
24 | | -Runs on your laptop. No cloud, no telemetry. |
| 24 | +On a private 20-bug honeypot: 19/20 caught, 100% precision, zero false positives, four bug classes oracle-verified. Runs on your laptop. No cloud, no telemetry. |
25 | 25 |
|
26 | | -> **What's new in 0.15.1 (2026-05-16).** Three new flags for pointing ptai at real production targets without breaking the engagement rules. `intensity=safe` skips probes that mutate server state (no mass-assignment, no stored XSS, no race conditions). `respect_rate_limits=true` honors HTTP 429 and `Retry-After` instead of hammering through them. `strict_scope=true` refuses any request whose host doesn't match the engagement target, and turns off redirect-following so a 302 to attacker.com can't pull the scan off-target. All three default off - existing 0.14.x behavior is unchanged unless you opt in. There's also a working `bearer` auth flow now: POST your creds, ptai pulls the JWT out of a JSON path you configure, then attaches it to every probe. JWT-style APIs (Juice Shop, crAPI, most modern bug-bounty stacks) actually work. Measured: **63.24% catch rate (43/68 in-scope challenges)** on OWASP Juice Shop v19.2.1 with `intensity=aggressive` + `strict_scope=true`. See [CHANGELOG](CHANGELOG.md#0151--2026-05-16). |
27 | | -> |
28 | | -> Also in 0.14.0 (2026-05-13): 200+ wrapped security tools (wpscan, dalfox, hydra, hashcat, paramspider, ffuf, gobuster, sqlmap, ...) are reachable from Claude Code, Cursor, Codex, and any MCP client via `list_tools`, `run_tool`, `plan_tools`, `ensure_tools_installed`. **No Anthropic API key required.** Pick a tool, install missing ones in one batched prompt, run, get findings. |
| 26 | +## Prove it yourself |
| 27 | + |
| 28 | +<p align="center"> |
| 29 | + <img src="assets/ptai-demo.gif" alt="ptai demo: oracle-VERIFIED findings on a vulnerable app, then zero on the hardened twin" width="900"> |
| 30 | +</p> |
| 31 | + |
| 32 | +```bash |
| 33 | +pip install ptai && ptai demo |
| 34 | +``` |
| 35 | + |
| 36 | +`ptai demo` scans a bundled vulnerable app and reports `4 findings, 3 oracle-VERIFIED`, replays one live from a proof capsule (`replay 3/3`), then runs the same routes hardened and reports `0 findings`. The only thing that changed between the two runs is the fix, so the findings appear and disappear with the vulnerability, not because the tool went quiet. Two minutes, no API key, no target of your own. Re-prove any capsule yourself with `ptai replay`. |
| 37 | + |
| 38 | +> **Honest numbers.** The 19/20 at 100% precision figure is one run against a private 20-bug honeypot (39 findings total), not a field false-positive rate. The oracle gate buys precision without costing recall: it removes false positives, it does not raise catch rate. "Four oracle-verified classes" means four bug classes have a concrete oracle today; more land each release. OAST proves the HTTP-callback blind tier; DNS-only callbacks are a follow-on. The honeypot harness (`tests/honeypot/`) and a clean-app zero-FP gate (`tests/cleanapp/`) ship in the repo, so the claims are reproducible rather than screenshots. |
| 39 | +
|
| 40 | +## What's new: the Trust Spine |
| 41 | + |
| 42 | +Every VERIFIED finding now comes from a named machine oracle, never an LLM assertion, and it is enforced in code: a verdict that cannot name its oracle is rejected. This release adds: |
| 43 | + |
| 44 | +- **Eight machine oracles** that re-run the exploit to confirm it: reflection, open-redirect, IDOR/BOLA, error-disclosure, MCP-exposure, SQLi (boolean and blind), and out-of-band (OAST) for blind SSRF/XXE over a self-hosted collaborator. |
| 45 | +- **Prove-or-kill gating**: third-party scanner output stays hidden until an oracle re-proves it. |
| 46 | +- **Portable proof capsules** with `ptai replay`, a live TUI that shows verdicts flip to VERIFIED on screen, and a CI gate (`--fail-on verified`) that breaks a build only on proven findings. |
29 | 47 |
|
30 | 48 | ## See it run |
31 | 49 |
|
32 | 50 | <p align="center"> |
33 | | - <img src="assets/demo.gif" alt="ptai-via-Claude-Code-MCP scanning OWASP Juice Shop: 17 critical findings, 7 attack chains, 264 detection rules generated" width="900"> |
| 51 | + <img src="assets/demo.gif" alt="ptai scanning OWASP Juice Shop via Claude Code over MCP, streaming findings with working PoCs back into the session" width="900"> |
34 | 52 | </p> |
35 | 53 |
|
36 | 54 | One prompt to Claude Code. The MCP server ran ptai's tools against the target, and Claude streamed findings back into the session. Subscription-driven, no API key. |
37 | 55 |
|
38 | | -The scan returned **17 critical, 53 high, 107 total findings, 7 confirmed attack chains, and 264 generated detection rules** against a stock OWASP Juice Shop instance. JWT `alg:none` accepted on 8+ protected endpoints, SQLi auth bypass on `/rest/user/login`, UNION-based SQLi on `/rest/products/search`, path-filter bypass via NUL byte, XXE disclosing `/etc/passwd`, file upload polyglot, mass assignment, password reset bypass. Each one has a working PoC. |
| 56 | +Pointed at a stock OWASP Juice Shop through Claude Code over MCP, ptai found and PoC'd the headline bugs: JWT `alg:none` accepted on 8+ protected endpoints, SQLi auth bypass on `/rest/user/login`, UNION-based SQLi on `/rest/products/search`, path-filter bypass via NUL byte, XXE disclosing `/etc/passwd`, file-upload polyglot, mass assignment, password reset bypass. Each one has a working PoC. Juice Shop is a heavily-studied target, so read the raw finding volume as breadth; the precision story, only what an oracle could prove, is the demo and honeypot above. |
39 | 57 |
|
40 | 58 | > Recording is the actual output of `claude -p` against a local OWASP Juice Shop with `pentest-ai` registered as an MCP server. Cast file in [`assets/realdemo.cast`](assets/realdemo.cast); the time-paced re-render used for the GIF is in [`assets/realdemo-paced.cast`](assets/realdemo-paced.cast). Findings are real; inter-line timing was reconstructed for watchability since `claude -p` buffers and dumps in non-interactive mode. A deterministic synthesized fallback ([`assets/demo.tape`](assets/demo.tape) + [`assets/demo.sh`](assets/demo.sh)) is kept for reproducible re-renders. |
41 | 59 |
|
|
0 commit comments