Introduction
Pentagi orchestrates multiple AI agents that collaborate on penetration testing engagements. Each agent specializes in a different phase of the assessment lifecycle, from network scanning and service enumeration to exploit analysis and report generation, all managed through a single web dashboard.
What Pentagi Does
- Deploys specialized AI agents for reconnaissance, scanning, exploitation analysis, and reporting
- Coordinates multi-agent collaboration through a GraphQL-based task queue
- Generates detailed assessment reports with evidence and remediation guidance
- Integrates with standard security tools like Nmap, Nuclei, and custom scripts
- Provides a React-based dashboard for monitoring agent activity in real time
Architecture Overview
Pentagi is built in Go with a React frontend and uses GraphQL for API communication. The orchestration layer manages agent lifecycles, distributes tasks, and aggregates findings into a shared knowledge graph. Each agent runs in an isolated container with access to a curated toolkit. Results are persisted in PostgreSQL and presented through the web UI.
Self-Hosting & Configuration
- Deploy with Docker Compose; requires Docker Engine 20+ and 4 GB RAM minimum
- Configure LLM provider credentials via .env (supports OpenAI and Anthropic APIs)
- Adjust agent concurrency and tool access in config.yaml
- TLS termination handled by your reverse proxy; no built-in certificate management
- Persistent data stored in a PostgreSQL volume; back up with standard pg_dump
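The checklist above is easy to get subtly wrong on a host that will hold real findings: a world-readable .env leaks the LLM keys, a dashboard port published on all interfaces bypasses the reverse proxy that is supposed to do TLS and authentication, and backups are forgotten until the volume is gone. The script below is an added example written for this page, not part of Pentagi's own tooling. It assumes hypothetical names that the page does not document: a docker-compose.yml in the deploy directory, LLM keys in .env as OPENAI_API_KEY / ANTHROPIC_API_KEY, and a Postgres service called "postgres" with database and user "pentagi". Adjust those to match your actual deployment.

```shell
#!/bin/sh
# Added example (not Pentagi project code): pre-flight checks for a self-hosted
# deployment. Assumed, hypothetical names: docker-compose.yml, .env with
# OPENAI_API_KEY / ANTHROPIC_API_KEY, compose service "postgres", db/user "pentagi".

# docker_version_ok "20.10.7" -> 0 when the Docker Engine major version is 20 or newer
docker_version_ok() {
  major=${1%%.*}
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: not a usable version string
  esac
  [ "$major" -ge 20 ]
}

# mem_ok KILOBYTES -> 0 when at least 4 GiB (4194304 kB) of RAM is present
mem_ok() {
  [ "${1:-0}" -ge 4194304 ]
}

# env_file_ok PATH -> 0 when the file exists, is mode 0600 (secrets readable only by
# the deploy user), contains at least one LLM key, and no key is empty or a placeholder
env_file_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  [ "$mode" = "600" ] || return 1
  # an empty value or a common placeholder means the credential was never filled in
  if grep -Eq '^(OPENAI_API_KEY|ANTHROPIC_API_KEY)=("?(changeme|sk-xxx)?"?)$' "$f"; then
    return 1
  fi
  grep -Eq '^(OPENAI_API_KEY|ANTHROPIC_API_KEY)=.+' "$f"
}

# compose_ports_loopback_only FILE -> 0 when no published port binds all interfaces,
# so the dashboard is reachable only through the reverse proxy that terminates TLS
# and enforces authentication (a bare "8080:8080" or "0.0.0.0:8080:8080" fails)
compose_ports_loopback_only() {
  ! grep -Eq '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?[0-9]+:[0-9]+"?[[:space:]]*$' "$1"
}

# backup_db OUTDIR -> writes a timestamped, compressed pg_dump taken through the
# running postgres container and prints the archive path; findings are sensitive,
# so the caller should encrypt the archive or move it to protected storage
backup_db() {
  outdir="$1"
  mkdir -p "$outdir"
  out="$outdir/pentagi-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
  docker compose exec -T postgres pg_dump -U pentagi pentagi | gzip > "$out" \
    && echo "$out"
}

main() {
  ver=$(docker version --format '{{.Server.Version}}') || { echo "docker not reachable"; exit 1; }
  docker_version_ok "$ver" || { echo "need Docker Engine 20+, have $ver"; exit 1; }
  kb=$(awk '/MemTotal/ {print $2}' /proc/meminfo 2>/dev/null)
  mem_ok "${kb:-0}" || echo "warning: less than 4 GB RAM (${kb:-unknown} kB)"
  env_file_ok .env || { echo ".env missing, too permissive, or holds placeholder keys"; exit 1; }
  compose_ports_loopback_only docker-compose.yml \
    || { echo "a dashboard port is published on all interfaces; bind it to 127.0.0.1"; exit 1; }
  backup_db ./backups
}

# run the checks only when executed as preflight.sh, so the functions can also be sourced
case "$0" in *preflight.sh) main "$@" ;; esac
```

Save it as preflight.sh next to the compose file and run it before each upgrade; the port check is deliberately strict, because a dashboard that is reachable directly on the host makes the reverse proxy's TLS and authentication optional rather than mandatory.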
Key Features
- Multi-agent architecture with specialized roles per assessment phase
- Real-time dashboard showing agent reasoning and tool invocations
- Automated report generation with structured findings
- Extensible tool integration via container-based plugins
- Self-hosted and air-gappable for sensitive environments
Comparison with Similar Tools
- Nuclei — template-based scanner; Pentagi adds autonomous reasoning and multi-phase orchestration
- Metasploit — framework requiring manual operation; Pentagi automates the workflow with AI agents
- Burp Suite — GUI-centric web app scanner; Pentagi covers broader infrastructure assessments
- PentestGPT — single-agent assistant; Pentagi uses coordinated multi-agent collaboration
FAQ
Q: Is Pentagi intended for authorized testing only? A: Yes. Pentagi is designed for legitimate penetration testing engagements with proper authorization.
Q: Which LLM providers are supported? A: OpenAI and Anthropic APIs are supported out of the box. Local models can be configured via compatible endpoints.
Q: Can I add custom security tools? A: Yes. Tools are containerized plugins; add new ones by defining a Dockerfile and a tool manifest.
Q: Does it store sensitive findings securely? A: Findings are stored in PostgreSQL. Encrypt the database volume at rest, and keep the dashboard behind authentication on the TLS-terminating reverse proxy, since Pentagi does not manage certificates itself.