Pentest Agents
Bug bounty agent framework for Claude Code, Codex, Gemini, Cursor, Windsurf, Copilot, and OpenClaw — 48 agents, 26 commands, 19 CLI tools, 2 MCP servers, autonomous hunt loops, exploit chain builder.
What is Pentest Agents?
Pentest Agents is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to bug bounty agent framework for claude code, codex, gemini, cursor, windsurf, copilot, and openclaw — 48 agents, 26 commands, 19 cli tools, 2 mcp servers, autonomous hunt loops, exploit chain builder.
Bug bounty agent framework for Claude Code, Codex, Gemini, Cursor, Windsurf, Copilot, and OpenClaw — 48 agents, 26 commands, 19 CLI tools, 2 MCP servers, autonomous hunt loops, exploit chain builder.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Bug bounty agent framework for Claude Code, Codex, Gemini, C
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx pentest-agentsConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Pentest Agents
Pentest Agents is a comprehensive bug bounty and penetration testing automation framework designed for AI coding assistants including Claude Code, Codex, Gemini, Cursor, and Windsurf. It ships with 50 specialized security agents covering weakness classes from XSS and SQLi to OAuth flaws and Web3/Solidity, alongside 26 slash commands, 19 CLI tools, autonomous hunt loops, and an exploit chain builder. Security researchers can use it to dramatically accelerate their HackerOne and Bugcrowd workflows by letting AI agents handle reconnaissance, vulnerability scanning, PoC building, report writing, and deduplication.
Prerequisites
- Python 3.10 or later with uv package manager installed
- Claude Code, Codex CLI, Cursor, or another supported AI coding assistant
- A HackerOne or Bugcrowd account with API credentials
- Common security CLI tools: nmap, nuclei, ffuf, etc. (installer handles many)
- HACKERONE_USERNAME and HACKERONE_TOKEN environment variables
Clone the repository
Clone the pentest-agents repository to your local machine and navigate into it.
git clone https://github.com/H-mmer/pentest-agents
cd pentest-agentsRun the installer
Use the built-in Python installer to set up agents, CLI tools, and dependencies for your preferred AI coding assistant. The --targets flag accepts: all, claude, codex, gemini, cursor, windsurf.
python3 -m tools.installer install --targets all --scope projectExport your HackerOne credentials
Set the required environment variables so agents can interact with the HackerOne API for submission, deduplication checks, and scope validation.
export HACKERONE_USERNAME=your_username
export HACKERONE_TOKEN=your_api_tokenScaffold a new bug bounty target
Use the scaffold tool to create a structured workspace for a specific program. Replace 'tesla' with your target program handle.
uv run python3 tools/scaffold.py hackerone tesla
cd ~/bounties/hackerone-teslaLaunch your AI assistant and start hunting
Start Claude Code (or your chosen assistant) from the scaffolded directory and use the /hunt command to begin autonomous vulnerability hunting against a target domain.
claude
# Then in the Claude Code session:
/hunt tesla.comReview findings and generate reports
Use the /quality command to validate findings, /chain to build exploit chains, and /report to generate submission-ready reports.
# In your AI assistant session:
/quality
/chain
/reportPentest Agents Examples
Client configuration
Claude Desktop config for running the Pentest Agents MCP server.
{
"mcpServers": {
"pentest-agents": {
"command": "npx",
"args": ["pentest-agents"],
"env": {
"HACKERONE_USERNAME": "your_username",
"HACKERONE_TOKEN": "your_api_token"
}
}
}
}Prompts to try
Commands and prompts to use within your AI assistant session after setup.
- "/hunt target.com" — start autonomous vulnerability hunt on a domain
- "/surface target.com" — enumerate attack surface and endpoints
- "/sast" — run static analysis on JavaScript and source files
- "/dupcheck" — deduplicate findings against public HackerOne hacktivity
- "/autopilot" — fully autonomous end-to-end hunt loop
- "/validate" — validate and triage discovered vulnerabilities"Troubleshooting Pentest Agents
Installer fails with missing Python dependencies or uv not found
Install uv first with 'curl -LsSf https://astral.sh/uv/install.sh | sh', then retry the installer. Make sure Python 3.10+ is available with 'python3 --version'.
HackerOne API returns 401 or scope validation errors
Verify HACKERONE_USERNAME and HACKERONE_TOKEN are exported in the same shell session where you run the AI assistant. You can test them with 'curl -u $HACKERONE_USERNAME:$HACKERONE_TOKEN https://api.hackerone.com/v1/me'.
Agents fail because CLI tools like nuclei or ffuf are not found
Run the installer with '--targets all' to let it install missing security tools, or manually install them and ensure they are on your PATH. Some tools may require additional system packages.
Frequently Asked Questions about Pentest Agents
What is Pentest Agents?
Pentest Agents is a Model Context Protocol (MCP) server that bug bounty agent framework for claude code, codex, gemini, cursor, windsurf, copilot, and openclaw — 48 agents, 26 commands, 19 cli tools, 2 mcp servers, autonomous hunt loops, exploit chain builder. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Pentest Agents?
Follow the installation instructions on the Pentest Agents GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Pentest Agents?
Pentest Agents works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Pentest Agents free to use?
Yes, Pentest Agents is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
Pentest Agents Alternatives — Similar Security Servers
Looking for alternatives to Pentest Agents? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Pentest Agents in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Pentest Agents?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.