Pentest Agents

v1.0.0Securitystable

Bug bounty agent framework for Claude Code, Codex, Gemini, Cursor, Windsurf, Copilot, and OpenClaw — 48 agents, 26 commands, 19 CLI tools, 2 MCP servers, autonomous hunt loops, exploit chain builder.

agentsbug-bountybugcrowdclaude-codehackerone
Share:
509
Stars
0
Downloads
0
Weekly
0/5

What is Pentest Agents?

Pentest Agents is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to bug bounty agent framework for claude code, codex, gemini, cursor, windsurf, copilot, and openclaw — 48 agents, 26 commands, 19 cli tools, 2 mcp servers, autonomous hunt loops, exploit chain builder.

Bug bounty agent framework for Claude Code, Codex, Gemini, Cursor, Windsurf, Copilot, and OpenClaw — 48 agents, 26 commands, 19 CLI tools, 2 MCP servers, autonomous hunt loops, exploit chain builder.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Bug bounty agent framework for Claude Code, Codex, Gemini, C

Use Cases

Execute 48 bug bounty agents across HackerOne and Bugcrowd platforms.
Automate security testing with 26 commands and 19 CLI tools.
H-mmer

Maintainer

LicenseMIT
Languagepython
Versionv1.0.0
UpdatedMay 22, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx pentest-agents

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Pentest Agents

Pentest Agents is a comprehensive bug bounty and penetration testing automation framework designed for AI coding assistants including Claude Code, Codex, Gemini, Cursor, and Windsurf. It ships with 50 specialized security agents covering weakness classes from XSS and SQLi to OAuth flaws and Web3/Solidity, alongside 26 slash commands, 19 CLI tools, autonomous hunt loops, and an exploit chain builder. Security researchers can use it to dramatically accelerate their HackerOne and Bugcrowd workflows by letting AI agents handle reconnaissance, vulnerability scanning, PoC building, report writing, and deduplication.

Prerequisites

  • Python 3.10 or later with uv package manager installed
  • Claude Code, Codex CLI, Cursor, or another supported AI coding assistant
  • A HackerOne or Bugcrowd account with API credentials
  • Common security CLI tools: nmap, nuclei, ffuf, etc. (installer handles many)
  • HACKERONE_USERNAME and HACKERONE_TOKEN environment variables
1

Clone the repository

Clone the pentest-agents repository to your local machine and navigate into it.

git clone https://github.com/H-mmer/pentest-agents
cd pentest-agents
2

Run the installer

Use the built-in Python installer to set up agents, CLI tools, and dependencies for your preferred AI coding assistant. The --targets flag accepts: all, claude, codex, gemini, cursor, windsurf.

python3 -m tools.installer install --targets all --scope project
3

Export your HackerOne credentials

Set the required environment variables so agents can interact with the HackerOne API for submission, deduplication checks, and scope validation.

export HACKERONE_USERNAME=your_username
export HACKERONE_TOKEN=your_api_token
4

Scaffold a new bug bounty target

Use the scaffold tool to create a structured workspace for a specific program. Replace 'tesla' with your target program handle.

uv run python3 tools/scaffold.py hackerone tesla
cd ~/bounties/hackerone-tesla
5

Launch your AI assistant and start hunting

Start Claude Code (or your chosen assistant) from the scaffolded directory and use the /hunt command to begin autonomous vulnerability hunting against a target domain.

claude
# Then in the Claude Code session:
/hunt tesla.com
6

Review findings and generate reports

Use the /quality command to validate findings, /chain to build exploit chains, and /report to generate submission-ready reports.

# In your AI assistant session:
/quality
/chain
/report

Pentest Agents Examples

Client configuration

Claude Desktop config for running the Pentest Agents MCP server.

{
  "mcpServers": {
    "pentest-agents": {
      "command": "npx",
      "args": ["pentest-agents"],
      "env": {
        "HACKERONE_USERNAME": "your_username",
        "HACKERONE_TOKEN": "your_api_token"
      }
    }
  }
}

Prompts to try

Commands and prompts to use within your AI assistant session after setup.

- "/hunt target.com" — start autonomous vulnerability hunt on a domain
- "/surface target.com" — enumerate attack surface and endpoints
- "/sast" — run static analysis on JavaScript and source files
- "/dupcheck" — deduplicate findings against public HackerOne hacktivity
- "/autopilot" — fully autonomous end-to-end hunt loop
- "/validate" — validate and triage discovered vulnerabilities"

Troubleshooting Pentest Agents

Installer fails with missing Python dependencies or uv not found

Install uv first with 'curl -LsSf https://astral.sh/uv/install.sh | sh', then retry the installer. Make sure Python 3.10+ is available with 'python3 --version'.

HackerOne API returns 401 or scope validation errors

Verify HACKERONE_USERNAME and HACKERONE_TOKEN are exported in the same shell session where you run the AI assistant. You can test them with 'curl -u $HACKERONE_USERNAME:$HACKERONE_TOKEN https://api.hackerone.com/v1/me'.

Agents fail because CLI tools like nuclei or ffuf are not found

Run the installer with '--targets all' to let it install missing security tools, or manually install them and ensure they are on your PATH. Some tools may require additional system packages.

Frequently Asked Questions about Pentest Agents

What is Pentest Agents?

Pentest Agents is a Model Context Protocol (MCP) server that bug bounty agent framework for claude code, codex, gemini, cursor, windsurf, copilot, and openclaw — 48 agents, 26 commands, 19 cli tools, 2 mcp servers, autonomous hunt loops, exploit chain builder. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Pentest Agents?

Follow the installation instructions on the Pentest Agents GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Pentest Agents?

Pentest Agents works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Pentest Agents free to use?

Yes, Pentest Agents is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

Pentest Agents Alternatives — Similar Security Servers

Looking for alternatives to Pentest Agents? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "pentest-agents": { "command": "npx", "args": ["-y", "pentest-agents"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Pentest Agents?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides