The Open-Source AI-Powered Autonomous Penetration Testing Platform
DarkMoon is an automated penetration testing tool that orchestrates complete security assessments using artificial intelligence security agents. Built as an open-source cybersecurity tool, it enables organizations to run professional-grade vulnerability assessments without manual intervention.
Instead of replacing the pentester, DarkMoon acts as an autonomous security testing system β it reasons, plans, and coordinates specialized agents that execute real offensive security operations through a controlled execution layer.
Watch DarkMoon in action β Full autonomous penetration test demo
Traditional penetration testing is:
- β±οΈ Time-consuming β manual testing takes weeks
- π° Expensive β expert consultants cost thousands per day
- π Inconsistent β results vary by tester expertise
- π Hard to scale β limited by human resources
DarkMoon solves this with AI penetration testing:
- π€ AI-powered pentesting β autonomous agents conduct full security assessments end-to-end
- π‘οΈ Security by design β the AI never directly executes tools; all actions flow through a controlled MCP interface
- βΎοΈ Pentesting automation for CI/CD β run automated security testing post-build to catch critical vulnerabilities before production
- π§ 50+ integrated tools β a comprehensive penetration testing tools suite (Nuclei, NetExec, BloodHound, sqlmap, Naabu, httpx, ffuf, and more)
- π Adaptive multi-agent methodology β specialized agents for Web, Active Directory, Kubernetes, Network, CMS, and more
- π Vulnerability reporting automation β structured, evidence-based reports generated automatically
Perfect for security teams, DevSecOps engineers, ethical hacking professionals, and organizations of all sizes.
- Docker & Docker Compose
- An LLM API key (OpenRouter, Anthropic, OpenAI, or local models)
Note: GPU configuration, NVIDIA driver troubleshooting, and advanced environment setup are covered in the Full Documentation β GPU Troubleshooting.
1. Clone the repository
git clone https://github.com/ASCIT31/darkmoon.git
cd darkmoon2. Configure your LLM provider
# Edit docker-compose.yml with your API credentials
OPENROUTER_API_KEY=your-api-key-here
OPENCODE_MODEL=gpt-4oNote: For detailed environment variable configuration and the role of each variable, see the Full Documentation β Environment Variables.
3. Build and launch
./install.sh # Clean install with full stack reset4. Run your first assessment
./darkmoon.sh "TARGET: example.com"5. Monitor in real-time
./darkmoon.sh --log <session_id>Note: Real-time session logs display every command executed by the MCP server. See Full Documentation β Session Logs for details.
DarkMoon operates as a strategic AI security agent orchestrator aligned with ISO 27001, NIST SP 800-115, and MITRE ATT&CK methodologies.
When you provide a target, the platform automatically:
- π Discovers the target environment (ports, services, protocols)
- π§ Fingerprints the technology stack (frameworks, CMS, APIs)
- π― Models the attack surface
- π Deploys specialized sub-agents based on detected technologies
- π¬ Executes an intelligent vulnerability scanning loop with reactive adaptation
- β Validates findings with evidence (requests, payloads, responses)
- π Generates a structured audit report
DarkMoon dynamically selects and dispatches specialized agents depending on the technologies discovered:
| Detected Technology | Agent Triggered |
|---|---|
| WordPress, Drupal, Joomla, Magento, PrestaShop, Moodle | CMS-specific agent |
| PHP, Node.js, Flask, ASP.NET, Spring Boot, Ruby on Rails | Stack-specific agent |
| GraphQL | GraphQL agent |
| Active Directory | AD agent |
| Kubernetes | Kubernetes agent |
| Headless browser required | Headless browser agent |
Multiple agents can execute in parallel across hybrid architectures.
Note: For the complete list of agents, their structure, lifecycle, and how to create custom agents, see Full Documentation β AI Agents.
User ββ> DarkmoonCLI ββ> OpenCode (AI Brain) ββ> MCP (Security Gatekeeper) ββ> Docker Toolbox (Real Tools)
sequenceDiagram
participant U as User
participant O as OpenCode
participant A as AI Agent
participant M as MCP Darkmoon
participant T as Docker Toolbox
U->>O: User prompt
O->>A: Delegate task
A->>M: MCP function call
M->>T: Execute real tool
T-->>M: Results
M-->>A: Structured output
A-->>O: Next decision
O-->>U: Summary / result
The AI reasons and plans. The MCP controls what can be executed. The Toolbox runs isolated tools inside Docker. The AI never directly touches the system β this is security by design.
Note: For the full architecture breakdown (deployment diagrams, network flows, security boundaries), see Full Documentation β Architecture.
DarkMoon supports flexible scope definition directly from the command line.
Quick pentest (zero config):
./darkmoon.sh "TARGET: http://172.19.0.3:3000"Bug bounty mode (flags activate automatically):
./darkmoon.sh "TARGET: http://172.19.0.3:3000 PROGRAM=\"Juice Shop\" FOCUS=sqli,xss,idor NOISE=moderate FORMAT=h1"Key flags include FOCUS, EXCLUDE, CREDS, TOKEN, NOISE, SEVERITY, FORMAT, and more β all interpreted naturally by the AI.
Note: For the complete flags reference, asset types, EXCLUDE/FOCUS free-form syntax, and advanced multi-target scoping, see Full Documentation β Scope Definition.
DarkMoon ships with a purpose-built Docker image containing 50+ security tools compiled and optimized in a multi-stage build:
| Category | Tools (examples) |
|---|---|
| Port scanning | Naabu, Masscan |
| Web scanning | Nuclei, ffuf, dirb, sqlmap, Arjun, wafw00f |
| Recon & crawling | Subfinder, Katana, Waybackurls, httpx |
| CMS | WPScan, CMSeeK, WhatWeb |
| Active Directory | NetExec, BloodHound, Impacket (30+ scripts) |
| Kubernetes | kubectl, Kubescape, Kubeletctl |
| Network | Hydra, curl, dig, SNMP tools |
| Browser | Lightpanda (headless) |
All tools are directly accessible β no path configuration needed.
Note: For the complete tools list with installation details and how to add new tools, see Full Documentation β Toolbox.
DarkMoon's Full Documentation covers everything you need to operate the platform. Here is a quick reference to the most important sections:
| Topic | What You'll Find | Link |
|---|---|---|
| GPU & Driver Setup | NVIDIA troubleshooting for Docker, WSL, and native Linux | GPU Guide |
| Environment Variables | LLM provider configuration, API keys, model selection | Environment Config |
| Startup & Build | install.sh behavior, docker compose build, stack management | Build & Launch |
| Scope & Flags | TARGET syntax, bug bounty mode, FOCUS/EXCLUDE, credentials | Scope Definition |
| Assessment Workflow | Step-by-step: discovery, fingerprinting, agents, reporting | Assessment Engine |
| Real-Time Session Logs | Monitor commands executed by the MCP server live | Session Logs |
| AI Agents | Agent structure, lifecycle, how to create or modify agents | AI Agents |
| Architecture | Deployment diagrams, security boundaries, execution flow | Architecture |
| Toolbox | Complete tool list, adding tools, Docker image internals | Toolbox |
| MCP Workflows | Workflow structure, creating custom workflows, best practices | MCP Workflows |
| Available Tools List | Full table of 50+ tools with paths and sources | Tools List |
| Training Labs | Recommended vulnerable labs to train DarkMoon | Pentester Labs |
DarkMoon is designed as a versatile security testing platform for:
- π Security teams β run continuous automated penetration testing across your infrastructure
- βοΈ DevSecOps pipelines β integrate AI-driven security research into CI/CD workflows
- π― Bug bounty hunters β accelerate ethical hacking with autonomous target analysis
- π¬ Security researchers β explore attack surfaces with an AI cybersecurity platform that adapts in real time
- π Training & education β learn offensive security with guided, reproducible assessments
# Web application pentest
./darkmoon.sh "TARGET: http://172.19.0.3:3000"
# Active Directory assessment
./darkmoon.sh "TARGET: 192.168.1.10"
# Bug bounty with specific focus
./darkmoon.sh "TARGET: https://app.example.com PROGRAM=\"Example BB\" FOCUS=sqli,rce,ssrf EXCLUDE=H1 FORMAT=h1"Note: For more prompt examples including DVGA, Juice Shop, and headless browser scenarios, see Full Documentation β Prompt Examples.
DarkMoon is open source and welcomes contributions. Whether you want to add new agents, integrate tools, create workflows, or improve documentation β see CONTRIBUTING.md for guidelines.
This project is licensed under the GNU General Public License v3.0. See LICENSE for details.
Built by ASC-IT with π for the global security community
π Open Source Β· π€ AI-Powered Β· π«π· Made in France
β Star us on GitHub Β· π Full Documentation Β·