Pentest AI

v1.0.0 · Security · stable

Offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for OWASP Top 10. CLI + MCP, BYO LLM. No API key needed on MCP path.

Tags: ai-security, bug-bounty, claude, ctf, cybersecurity

285 stars · 0 downloads · 0 weekly · 0/5

What is Pentest AI?

Pentest AI is a Model Context Protocol (MCP) server for AI assistants like Claude, Cursor, and VS Code. It is an offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for the OWASP Top 10. It offers both a CLI and an MCP interface with a bring-your-own LLM, and no API key is needed on the MCP path.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Offensive-security MCP server with 205 wrapped tools, 17 spe

Use Cases

  • Run automated penetration tests
  • Exploit OWASP Top 10 vulnerabilities
  • Perform security reconnaissance

Maintainer: 0xSteph

License: MIT
Language: Python
Version: v1.0.0
Updated: May 22, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI, Windows, macOS, Linux

Installation

Manual Installation

npx pentest-ai

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use Pentest AI

Pentest AI is an offensive-security MCP server that wraps over 200 security tools — including nmap, sqlmap, ffuf, gobuster, dalfox, wpscan, and bloodhound-python — behind an AI-driven interface with 17 specialist agents and 60 SPA-aware web probes covering the OWASP Top 10 and API Top 10. It can be used as an MCP server integrated directly into Claude Code (no API key required on that path) or as a standalone CLI for automated penetration testing engagements. Output supports Markdown, HTML, PDF, SARIF 2.1.0, and JUnit XML, making it suitable for both manual bug bounty work and CI/CD security gates.

Prerequisites

  • Python 3.10+ and pip
  • Written authorization to test any target — unauthorized use is illegal
  • Security tools installed via 'ptai setup --tier recommended' or higher (nmap, sqlmap, ffuf, etc.)
  • Claude Code or another MCP client for the MCP integration path (no LLM API key required when using MCP path)
  • Optional: ANTHROPIC_API_KEY or OPENAI_API_KEY for standalone CLI path; or a local Ollama instance for air-gapped operation

1. Install the ptai Python package

Install pentest-ai from PyPI. Use the [api] extra if you plan to use the REST API server feature.

pip install ptai
# Or with REST API support (quoted so shells such as zsh do not treat the brackets as a glob):
pip install "ptai[api]"

2. Accept the Acceptable Use Policy

On first run, ptai will prompt you to accept the AUP confirming you have authorization to test your targets. In CI environments, set the environment variable to accept non-interactively.

export PENTEST_AI_AUP_ACCEPTED=1

3. Install security tools

Use the built-in setup wizard to install the underlying security tools. The 'recommended' tier installs the most commonly used tools including fuzzers and crawlers.

# Recommended tier (fuzzers, crawlers, core scanners)
ptai setup --tier recommended

# Full suite (200+ tools)
ptai setup --tier full

# Interactive selection
ptai setup --wizard

4. Add to Claude Code as an MCP server

Register pentest-ai as an MCP server in Claude Code. On this path, no LLM API key is required — Claude Code provides the model.

claude mcp add pentest-ai -- ptai mcp

5. Configure your MCP client (alternative clients)

For MCP clients other than Claude Code, use ptai setup to generate the configuration or add it manually.

{
  "mcpServers": {
    "pentest-ai": {
      "command": "ptai",
      "args": ["mcp"]
    }
  }
}

6. Run a standalone scan via CLI

For standalone use without an MCP client, run ptai start directly against your authorized target. Set a spending limit to cap LLM API costs.

export ANTHROPIC_API_KEY=sk-ant-...
export PTAI_PRICE_LIMIT=10
ptai start https://your-authorized-target.com

Pentest AI Examples

Client configuration

Claude Desktop configuration to run pentest-ai as an MCP server using the ptai binary.

{
  "mcpServers": {
    "pentest-ai": {
      "command": "ptai",
      "args": ["mcp"]
    }
  }
}
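
An added example, not part of the original page or the pentest-ai project: a small audit of an MCP client configuration, run over the two `pentest-ai` entries this page shows (`ptai mcp` and `npx -y pentest-ai`). It flags servers launched through a package runner that downloads code at start-up, reports where a bare command name resolves on PATH, and flags secret-like variables in the `env` block; the function name, severity labels and env-name suffixes are assumptions chosen for illustration.

```python
import json
import shutil

# Launchers that download and run a package each time the client starts the server.
FETCHING_RUNNERS = {"npx", "bunx"}

def audit_mcp_config(config_text, which=shutil.which):
    """Return (server, severity, message) findings for an MCP client config."""
    findings = []
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        command, args = entry.get("command", ""), entry.get("args", [])
        base = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        base = base.removesuffix(".cmd").removesuffix(".exe")
        if base in FETCHING_RUNNERS:
            specs = [a for a in args if not a.startswith("-")]
            # "pkg@1.2.3" or "@scope/pkg@1.2.3" counts as pinned; a bare name does not.
            pinned = bool(specs) and "@" in specs[0].lstrip("@")
            findings.append((name, "medium" if pinned else "high",
                             f"{base} fetches {specs[0] if specs else '?'} at launch"
                             + ("" if pinned else " with no version pin")))
        elif "/" not in command and "\\" not in command:
            # A bare name is looked up on PATH when the client starts the server.
            resolved = which(command)
            if resolved is None:
                findings.append((name, "medium", f"'{command}' is not on PATH"))
            else:
                findings.append((name, "info", f"'{command}' resolves to {resolved}"))
        # The page states that no LLM API key is needed on the MCP path.
        for key in entry.get("env", {}):
            if key.upper().endswith(("_API_KEY", "_TOKEN", "_SECRET")):
                findings.append((name, "medium", f"secret-like env var {key} stored in config"))
    return findings

# Both configurations below are copied from this page.
LOCAL_BINARY = '{"mcpServers": {"pentest-ai": {"command": "ptai", "args": ["mcp"]}}}'
PACKAGE_RUNNER = '{"mcpServers": {"pentest-ai": {"command": "npx", "args": ["-y", "pentest-ai"]}}}'

if __name__ == "__main__":
    for label, text in (("ptai mcp", LOCAL_BINARY), ("npx -y", PACKAGE_RUNNER)):
        for server, severity, message in audit_mcp_config(text):
            print(f"[{severity}] {label}: {server}: {message}")
```
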

Prompts to try

Example prompts for penetration testing tasks via the MCP server (only use on authorized targets).

- "Start a recon engagement against https://staging.acme.com and identify open ports and services."
- "Run OWASP Top 10 web probes against https://testphp.vulnweb.com and report findings."
- "List all available security tools and their categories."
- "Scan https://authorized-target.com for SQL injection vulnerabilities using sqlmap."
- "Generate a SARIF report of the last engagement findings for import into my CI pipeline."

Troubleshooting Pentest AI

ptai command not found after pip install

Ensure pip's script directory is on your PATH. Try running 'python -m ptai' as a fallback. On macOS/Linux, add ~/.local/bin to your PATH: 'export PATH=$HOME/.local/bin:$PATH'. On Windows, check the Scripts directory of your Python installation.

Security tools fail to run during a scan

Run 'ptai setup --tier recommended' to install the required underlying tools. Some tools like nmap may require sudo/admin privileges. On Linux, run 'sudo ptai setup --tier recommended' or grant nmap the necessary capabilities with 'sudo setcap cap_net_raw+ep $(which nmap)'. A file capability set this way applies to every local user who can execute that nmap binary.

Standalone CLI engagement exceeds expected cost

Set PTAI_PRICE_LIMIT to a dollar amount to cap spending per engagement (e.g., 'export PTAI_PRICE_LIMIT=5'). The default limit is $10 USD. Set PTAI_PRICE_LIMIT=0 only if you explicitly want unlimited spending. Use the '--intensity safe' flag to reduce tool aggressiveness and LLM calls.

Frequently Asked Questions about Pentest AI

What is Pentest AI?

Pentest AI is a Model Context Protocol (MCP) server: an offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for the OWASP Top 10. It offers both a CLI and an MCP interface with a bring-your-own LLM, and no API key is needed on the MCP path. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Pentest AI?

Follow the installation instructions on the Pentest AI GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Pentest AI?

Pentest AI works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Pentest AI free to use?

Yes, Pentest AI is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

Pentest AI Alternatives — Similar Security Servers

Looking for alternatives to Pentest AI? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u


Quick Config Preview

{
  "mcpServers": {
    "pentest-ai": {
      "command": "npx",
      "args": ["-y", "pentest-ai"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
