
The open source agentic pentesting ecosystem went from a curiosity to a real category in about two years, and the good tools are impressive. Fewer than five existed before GPT-4 landed in April 2023; by March 2026 there were around 70, per Hadrian's census. The standouts have earned the attention. XBOW's agent reached number one on HackerOne's global leaderboard, and in the December 2025 ARTEMIS study an autonomous agent out-found 9 of 10 OSCP-certified humans on a live 8,000-host network. The serious tools are not single LLM calls. They are multi-step loops that drive real tooling like nmap, Burp, and sqlmap, read the output, reason about it, and pick the next move, closer to how a tester works than how a scanner runs.
So the question is not whether open source agentic pentesting works. It does. The question is where it tops out, and the answer is consistent. The model and the tooling are the easy part. What separates a strong demo from a real engagement that stays in scope, survives session expiry, controls cost, proves every finding, and lets a team work the results is the harness, the deterministic code wrapped around the model. Open source gives you the loop and the tools. Almost none of it gives you the harness. This guide ranks the ten worth your time on exactly that, what they do well, and how much harness their maintainers actually built.
Open source agentic pentesting tools are self-hostable systems that use a large language model to plan, run, and adjust penetration testing tasks inside a reasoning-and-action loop. That loop of read, reason, and act is what agentic means. Some run fully autonomous workflows, some assist a tester through multi-step attack paths, and some are research frameworks you self-host. Here is how the ten compare.
Here is how the ten open source agentic pentesting tools stack up on the criteria that matter when you are the one running them: architecture, sandboxing, model flexibility, evidence, and license. Scan for your fit, then read the detail below.
| Tool | Type | Architecture | Sandbox | LLM support | License | Evidence |
|---|---|---|---|---|---|---|
| 1. PentAGI | Autonomous agent | Multi-agent + coordinator | Docker | Agnostic (many providers) | MIT | ~15.5k stars, active |
| 2. PentestGPT | Assistant | 3-module reasoning | No | OpenAI / local | MIT | USENIX Security 2024 |
| 3. CAI | Framework | Build-your-own agents | Varies | Agnostic (300+ backends) | MIT | 1k+ commits, 90+ contributors |
| 4. Strix | Autonomous agent | Multi-agent, dynamic | Yes | Configurable | Apache-2.0 | PoC validation, CVSS 10.0 finding |
| 5. Shannon | White-box agent | Source + browser + CLI | Yes | Configurable | Open source | 96.15% white-box XBOW variant |
| 6. HexStrike AI | Orchestration agent | MCP server, 12+ agents | Optional Docker | Agnostic (MCP clients) | Open source | 150+ tools wired |
| 7. BugTrace-AI | Discovery agent | Multi-persona analysis | Docker | OpenRouter / configurable | Open source | Field-tested, low false positives |
| 8. xOffense | Fine-tuned agent | Multi-agent (VulnBot-based) | Varies | Self-hosted (Qwen3-32B) | Open source | 79.17% sub-task completion |
| 9. PentestAgent | Academic framework | Multi-agent + RAG | Varies | Configurable | Open source | AsiaCCS 2025 |
| 10. VulnBot | Academic framework | Multi-agent, task graph | Kali-based | Open-source models | Open source | 69.05% subtask (AutoPenBench) |
We ranked on six things that matter when you are the one running the tool, not buying a managed service. Read together, they are really one question: how much of a harness did the maintainers build around the model?
Architecture. Single-agent wrapper or a coordinated multi-agent team? Hierarchical agent teams have outperformed single-agent setups by roughly 4x in published research (HPTSA).
Sandboxing. Does it isolate execution (Docker, dedicated environments) or run loose on your host?
Model flexibility. Locked to one provider, or model-agnostic so you can swap in local or cheaper models? The model should be rented and replaceable. If the tool is welded to one vendor, you inherit that vendor's pricing and release schedule.
Evidence. Is there a real benchmark or academic paper behind the claims, or just a star count?
License. Genuinely open (MIT, Apache) versus source-available with strings attached.
Honest failure modes. What breaks, where it stalls, what it costs to run, and which parts of a real harness it leaves you to build.
Star counts inform the ranking but don't drive it. A heavily starred repo with no benchmark sits below a well-documented one with published results.
The most complete autonomous multi-agent system you can self-host right now. PentAGI runs a delegation model: a central coordinator hands work to four named sub-agents, each with a defined job. Searcher handles OSINT and intelligence gathering, Coder generates the scripts and payloads, Installer manages dependencies and environment setup, and Pentester runs the offensive operations. They work in parallel to discover, analyze, and exploit. Everything executes inside an isolated Docker environment with its own browser and search, so the agent can pull live CVE data mid-run instead of working from stale training data.
Under the hood it ships with 20-plus built-in tools (Nmap, Metasploit, sqlmap, and more) that the agent runs and interprets on its own, and it uses PostgreSQL with pgvector for semantic long-term memory so a run doesn't lose track of earlier findings. It is written in Go with a React frontend, stays model-agnostic across providers, and is MIT licensed. At roughly 15.5k GitHub stars and 2.1k forks it is the most-starred project in the category, and the commit history shows active maintenance.
Standout: the cleanest multi-agent delegation design of any open source option, with real Docker sandboxing and a usable web dashboard for watching the run.
Watch for: setup is long and the documentation is thin, so first-run friction is real. Token cost climbs fast with the depth of the attack chain.
Best for: teams that want a full autonomous harness they control end to end and can invest a day in standing up.
The tool that started the conversation, and still the best entry point for learning agentic methodology. PentestGPT isn't fully autonomous, it is a reasoning layer that runs on a three-module design: a Reasoning module that maintains a "task tree" and decides the next logical step, a Generation module that turns that decision into actual commands, and a Parsing module that cleans the noisy tool output back into something the reasoning module can use. That structure is what lets it handle multi-stage attacks without losing the thread or looping on itself.
Feed it Nmap or Burp Suite output and it tracks what's been tested and what's still open, then suggests the next move grounded in real attack logic. It covers web, crypto, reverse engineering, forensics, and binary exploitation (PWN). The academic backing is the strongest in this list: the USENIX Security 2024 paper reported a 228.6% task-completion increase over a GPT-3.5 baseline and won a Distinguished Artifact Award. Each of the three modules maintains its own LLM session, which is the trick that keeps context from collapsing on long engagements. Python-based, MIT licensed.
Standout: the task-tree session awareness saves hours of manual note-keeping on long internal engagements, and the methodology is genuinely instructive.
Watch for: documentation is limited, and provider config is finicky. Reviewers hit a problem where it defaulted to OpenAI even when pointed at another provider, then stalled on init. It advises, it doesn't act.
Best for: skilled testers who want a faster manual workflow, and anyone learning how agentic pentesting reasons.
A build-your-own-agent kit, and the most flexible tool here. CAI lets you stitch LLMs to the tools you already run (Nmap, Burp, and friends) and assemble custom agents for web, cloud, network, or even malware analysis. The draw is that you are not locked into someone else's idea of a pentest. Reviewers have built a single agent that scanned an app, analyzed the results, then pivoted into exploitation and reporting from one prompt, and even handled Pass-the-Hash on an internal network.
It is almost entirely Python, MIT licensed, and the activity signals are strong: 1,000-plus commits across 90-plus contributors, which for an open source security project means a real community rather than one maintainer's weekend project. It supports 300-plus model backends, including local models via Ollama, which makes it one of the few options here you can run fully air-gapped for sensitive engagements where nothing can leave the network.
Standout: flexibility well beyond web apps. Cloud audits, internal network work, and malware analysis are all in reach, which most tools here can't touch.
Watch for: it is a framework, not a finished product, so you do the assembly. Reviewers report infinite-loop tuning and slow, error-prone behavior on small local models.
Best for: teams that want to design their own red-team agents rather than run someone else's.
An autonomous agent that simulates attacker behavior and, more importantly, proves what it finds. Strix deploys teams of collaborating agents that run your application dynamically, find runtime flaws static tools miss, and confirm them by generating functional proof-of-concept exploits. That PoC step is the whole point: it cuts the false-positive noise that makes static scanning output so tedious to triage. A developer-first CLI drops it into CI/CD, where it can block vulnerabilities before they ship and attach auto-fix suggestions.
In one published test against a deliberately vulnerable app, Strix confirmed a blind SQL injection on a login endpoint with timing-based proof (rated CVSS 10.0), surfaced an AI chat component leaking backend details, and mapped 40-plus endpoints. Python and Jinja2, Apache-2.0 licensed.
Standout: findings arrive with reproducible evidence attached, which is exactly what a developer needs to act on them.
Watch for: an agent that autonomously exploits and executes code needs scope limits and approval gates before it goes anywhere near production.
Best for: dev and security teams that want verified, reproducible results over a longer, noisier alert list.
A white-box pentester that pairs source code analysis with browser automation and CLI tools, which lets it find the class of bugs that only show up when you can see the code. Shannon scored 96.15% (100 of 104 exploits) on a cleaned, hint-free white-box variant of the XBOW benchmark. Keygraph is upfront that this is not directly comparable to XBOW's black-box numbers (~85% on the original benchmark), so read the score as evidence of white-box depth, not a head-to-head win. In a firsthand lab run, reviewers noted it doesn't just flag a weak login, it bypasses it, dumps data, and hands over screenshots and logs as proof. A full run on a mid-sized app cost roughly $8 to $10 in API credits.
Standout: code-level visibility finds the bugs that need to see the source, like taint flows to a dangerous sink or a missing authorization check, with evidence attached.
Watch for: tunnel vision. It is laser-focused on the big OWASP hits (SQLi, XSS, SSRF, auth bypass) and ignores business logic and odd config issues outside that list. White-box also means you need source access.
Best for: source-available targets where you want exploited, proven depth a black-box agent structurally can't reach.
The orchestration layer, and the most practical way to point an LLM you already use at a large toolset. HexStrike AI is an MCP server that lets agents like Claude, GPT, or Copilot autonomously drive 150-plus security tools (Nmap, nuclei, sqlmap, ffuf, ghidra, and the rest) through 12-plus coordinated agents. Built on FastMCP in Python, it exposes recon, web, password, and binary-analysis tooling behind a standard interface, with an optional Docker deployment. Hardened community forks add scope validation, blast-radius tiers (safe, intrusive, destructive), and a per-session kill switch.
Standout: the fastest route from "I have an LLM client" to "my LLM can run 150 offensive tools," without building the plumbing yourself.
Watch for: it is glue, not judgment. It does not validate findings or filter false positives on its own, and an MCP server that can run destructive tools needs the scope and confirmation guardrails enabled before you let it loose.
Best for: teams that want to wire their existing AI client into a broad toolset and drive it conversationally.
A discovery-phase assistant that keeps the noise down. BugTrace-AI analyzes URLs, JavaScript files, and headers to flag patterns that look like trouble (SQLi points, XSS candidates, sloppy JWT configs), but it deliberately does not fire exploits. It hands you a hunch, explains why an endpoint looks vulnerable, and usually includes a sample payload to try yourself. Setup is a standard Docker install plus an OpenRouter API key. It runs multiple "personas" to cross-check itself, which stops the report filling up with five versions of the same finding.
Standout: because it doesn't exploit, you can point it at something close to production without worrying about crashing services, and the false-positive rate stays low.
Watch for: the proof is still on you. It tells you where to look, but you do the work to confirm the bug is real, and reviewers report chasing the occasional dead-end lead.
Best for: safe, low-noise discovery against sensitive or near-production targets.
The fine-tuned, open-weight bet, and a direct evolution of VulnBot (below). Instead of calling an expensive frontier API on every step, xOffense runs on a fine-tuned mid-scale model (Qwen3-32B) inside a multi-agent setup with specialized recon, scanning, and exploitation roles. Fine-tuning on chain-of-thought pentest data is what lets a 32B model hit 79.17% sub-task completion on AutoPenBench and AI-Pentest-Benchmark, beating both VulnBot and PentestGPT running on larger models.
Standout: strong benchmark results without a per-token frontier-model dependency. Run it on your own hardware and the marginal cost of a run drops toward zero.
Watch for: "self-hosted" is doing real work in that sentence. Running a 32B model well means owning GPUs and the ops to keep them fed.
Best for: teams exploring domain-adapted local models over recurring cloud API bills.
An academic multi-agent framework (AsiaCCS 2025) built around RAG-grounded role collaboration. Four agents (Reconnaissance, Search, Planning, and Execution) split the work across the three classic phases: intelligence gathering, vulnerability analysis, and exploitation. The retrieval-augmented design injects pentesting knowledge at decision time, which reduces hallucinated next-steps compared to a bare LLM.
Standout: the RAG grounding makes its next-step selection noticeably more disciplined than ungrounded single-agent tools.
Watch for: it is research-grade. Expect to read the paper and do setup work, not clone-and-run production tooling.
Best for: researchers and teams studying how RAG-grounded multi-agent pentesting behaves.
The academic multi-agent framework that several newer tools build on (xOffense is a refined fork). VulnBot simulates a human pentest team across five modules (Planner, Memory Retriever, Generator, Executor, Summarizer) and a tri-phase design of reconnaissance, scanning, and exploitation. Its signature idea is the Penetration Task Graph, a directed acyclic graph where nodes are tasks and edges are dependencies, so independent branches run in parallel and the plan adapts as new findings appear. It runs on open-source models rather than requiring GPT-4, and ships in automatic, semi-automatic, and human-involved modes. It scored 69.05% subtask and 30.3% overall completion on AutoPenBench, outperforming GPT-4 and Llama 3 baselines.
Standout: the Penetration Task Graph is one of the better answers to long-horizon planning, and it runs without a frontier model.
Watch for: academic maturity. It is Kali-based with a real configuration step (database, RAG setup), and full autonomy on messy real-world targets is still a stretch.
Best for: teams that want a self-hosted, open-model autonomous framework and don't mind the setup.
These are useful inside an agentic pentesting workflow, but they are not agentic pentesting tools by themselves. They are the scanners, recon utilities, and exploitation engines the agents above drive, interpret, or feed on. This is worth saying plainly, because a large share of repos marketed as "agentic pentesting" are really an agent loop orchestrating exactly this list, deciding which tool to run and reading the output back. That is genuinely useful, and more capable than a scanner, but it is tool orchestration, not a harness.
None of these are daily drivers yet, but they're worth a bookmark. The pattern across them is the same: structured planning and domain knowledge beat raw model size, which is the harness argument in miniature.
CHECKMATE. Has the LLM write a PDDL planning problem and hands it to a classical planner, beating a native LLM agent by more than 20% on success rate while running faster and cheaper.
HPTSA. The hierarchical planner-and-sub-agent design behind the roughly 4x multi-agent advantage cited above.
HackSynth and ARACNE. Compact research frameworks (a planner-summarizer pair, and a multi-LLM SSH pentester) worth reading if you're designing your own agent.
Stop hunting for one tool that does everything and layer several instead. Just be clear-eyed about what layering is, because every integration you write between these tools is a piece of harness you're now building and maintaining yourself. The benchmark literature agrees on where AI is strong. It's near-ceiling at the front of the chain, on recon and enumeration, fades through the middle, and is close to useless at the back where deep exploitation and creative chaining live. Build to that curve.

A workable stack runs roughly in this order:

One caution if you lean on the multi-agent tools: the parallelism that makes them fast also makes them brittle. A missed signal cascades, so if the recon agent overlooks an open service, nothing downstream ever tests it and the gap never shows up. Recon is the foundation the whole chain rests on, not plumbing you can take for granted.
The economics are the part that surprises people. Published benchmarks put a full PentestGPT-class engagement in the tens of dollars of API fees against $15,000 to $50,000 for a manual pentest of equal scope, and self-hosting open weights through xOffense, VulnBot, or CAI with Ollama drops the marginal cost toward zero once you own the hardware. The same continuous-versus-point-in-time tradeoff shapes agentic pentesting more broadly.
First, treat benchmark numbers with suspicion. "Exploits 87% of vulnerabilities" sounds human-level, but that score comes from handing the model the vulnerability advisory first, basically the answer. Take it away and the same models solve about 13% of real CVEs, and close to nothing on hard HackTheBox boxes. So when a vendor quotes a big number, ask what the tool was given.

The best real-world test we have is the ARTEMIS study (December 2025, Stanford/CMU/Gray Swan AI), which ran agents and ten OSCP-certified humans against the same live 8,000-host network. The researchers' own agent did genuinely well: 9 valid findings, beating 9 of the 10 humans, at $18 an hour versus $60-plus for a person. But it still came second to a top human, and it lost ground exactly where you'd expect, false positives and GUI-driven work, the messy stuff that doesn't reduce to clean enumeration. That was their purpose-built agent, too. An off-the-shelf one does worse.
Day to day you will hit friction too. Agents get stuck in loops, need prompt-tuning to stay on track, and break on small config issues. None of that is unusual. The honest summary is simple. These tools are great at the routine bugs that make up most of what actually gets exploited, the known CVEs, injection, SSRF, default creds, and exposed admin panels. What they can't do is the creative chaining and business-logic work that separates a real pentest from a scan, and that is still a human's job.
Open source agentic pentesting tools are built for control and experimentation. They give you self-hosted workflows, room to research, point-in-time testing, and your own choice of stack and model. What they don't do is run a program. Most still struggle with long-running continuity, scope control, approval gates, evidence standardization, reporting, and remediation tracking. That is the line between a tool you run and a program you operate.
That is where Strobes takes a platform approach, bringing agentic pentesting into a broader program with validated findings, exploitability-based prioritization, reporting, and finding-to-fix routing into Jira, GitHub, and Azure DevOps across web, API, network, and cloud, continuous rather than point-in-time, aligned with the Continuous Threat Exposure Management approach.
Evaluating managed platforms instead of self-hosted tools? Read our guide to the best AI pentesting tools.
See agentic pentesting run as a program
Point Strobes at one application and watch it validate findings, prioritize by exploitability, and route fixes into Jira, GitHub, and Azure DevOps, continuously.
Validated findings, evidence per step, and remediation tracking across web, API, network, and cloud.
A scanner runs a fixed set of checks. An open source agentic pentesting tool forms a hypothesis, tests it, and changes course when it fails. Nessus or Nuclei fire the same templates at every target. An agent reads that output and reasons about what it implies, then picks a follow-on action.
The practical version: a scanner sees an open port and reports it. An agent sees the open port, fingerprints the service, recalls a likely misconfiguration for that version, tries it, and pivots if it fails. One follows a checklist. The other works a problem.
That is also why agents are harder to run. A checklist can't loop forever; an agent can, and several tools in this list will spin in circles until you tune the prompt or cap the steps. The trade for self-hosting is real: you own the setup, the failure modes, and the token bill.
There is no single winner. PentAGI offers the most polished multi-agent architecture with Docker sandboxing and is the best pick if you want a complete self-hosted harness. PentestGPT has the strongest academic validation and is the better starting point for learning the methodology. Most mature programs run several of these in a layered stack rather than betting on one.
They describe the same trend at different levels of precision. "AI pentesting" is the broad search term for any LLM-assisted security testing. "Agentic pentesting" is the accurate label for tools that reason, act, observe the result, and choose the next step on their own, rather than just generating text. Every tool ranked here is agentic; not everything marketed as "AI pentesting" is.
Yes. PentAGI is MIT-licensed, so you can self-host and modify it freely. The software is free, but the LLM API calls it makes are not. Cost scales with the depth of the attack chain and the model you point it at.
No. They accelerate skilled testers but miss what humans catch. In the December 2025 ARTEMIS study on a live 8,000-host enterprise network, the best autonomous agent beat 9 of 10 OSCP-certified humans, yet still lost to the top human, 9 valid findings to 13. The gap was creative exploit chaining and business logic, not speed. Use agents for breadth and machine speed, keep humans on high-severity validation and novel chains.
Only with guardrails. Autonomous agents that exploit and execute code can cause real damage if pointed at production without scope limits, approval gates, and isolation. Discovery-only tools like BugTrace-AI are safer for sensitive targets because they don't fire exploits. For the rest: start in lab or staging, cap the agent's steps, sandbox execution, and require human approval before any high-risk action.
The tools are free; you pay for model usage. Published benchmarks put a successful PentestGPT test at $0.42 to $1.11 and a five-host Active Directory engagement (Excalibur) at $28.50 total, against $15,000 to $50,000 for a manual pentest of equal scope. Self-hosting open weights via Ollama, xOffense, or VulnBot drops the marginal cost toward zero if you own the hardware.
PentAGI is a fully autonomous multi-agent harness that runs the whole engagement itself inside Docker. PentestGPT is a reasoning assistant that advises your next move while you execute the commands. Pick PentAGI to delegate the run; pick PentestGPT to stay in the loop and learn the methodology.