MCP Configs · May 12, 2026 · 2 min read

pentest-ai — Offensive Security MCP for Claude Code

pentest-ai is a Python CLI and MCP server that lets Claude Code run verified probes, chain attack paths, and export reports for authorized testing.

Agent-ready

Safe staging for this asset

This asset is staged first. The copied prompt asks you to inspect the staged files before activating scripts, MCP config, or global config.

  • Stage only · 17/100 · Policy: staging
  • Agent surface: Any MCP/CLI agent
  • Type: MCP Config
  • Installation: Stage only
  • Trust: Established
  • Entry: Asset

Safe staging command

npx -y tokrepo@latest install f76cd84e-181d-5048-9a71-48fd466a37ca --target codex

Files are staged first; activation requires reviewing the README and the staged plan.

Introduction

  • Best for: Authorized pentests where you want a probe-by-probe MCP loop (not a black-box scanner)
  • Works with: Claude Code or any MCP client; ptai CLI for standalone/CI; common security tools auto-installed on first run (per README)
  • Setup time: 5–15 minutes

Practical Notes

  • GitHub: 215 stars · 44 forks; pushed 2026-05-12 (verified via GitHub API).
  • README introduces iterative MCP tools list_probes / run_probe / http_request for scoped, step-by-step driving.
  • README claims 47 MCP tools and 200+ tool wrappers (nmap, nuclei, ffuf, sqlmap, gobuster, …) with auto-install on first run.

Main

A practical “agent-safe pentest” setup looks like this:

  1. Declare scope explicitly (domains, auth method, rate limits) in the prompt you give Claude Code.
  2. Use iterative driving: start with list_probes, run one probe at a time, and only escalate when evidence supports it.
  3. Prefer proof over guesses: keep PoCs small, reproducible, and logged; treat every finding as “untrusted” until verified.
  4. Keep a clean separation between:
    • tool execution (ptai running probes)
    • reasoning + coordination (your MCP client / assistant)
  5. When you need CI-style runs, switch to the CLI path (ptai start …) and pin provider/model settings so results are comparable run-to-run.

The big win is control: you get a repeatable probe library, plus an MCP interface that lets an LLM coordinate without inventing results.
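
One way to enforce steps 1 to 3 in code, as an added example that is not from the pentest-ai project or the original page: a gate that checks each requested target against the declared scope and rate limit before a probe runs, logs every decision, and keeps a finding unverified until it is reproduced. ScopeGate, finding_status, the probe name and the example.test domains are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass
class ScopeGate:
    """Hypothetical pre-flight gate placed in front of whatever runs a probe."""
    allowed_domains: tuple                      # step 1: declared scope
    min_interval_s: float                       # step 1: declared rate limit
    clock: Callable[[], float] = time.monotonic
    audit: list = field(default_factory=list)   # append-only decision log
    _last_run: Optional[float] = None

    def in_scope(self, target: str) -> bool:
        # Compare the parsed hostname, never a substring of the raw URL.
        # A target without a scheme parses to no hostname and is denied.
        host = (urlsplit(target).hostname or "").rstrip(".").lower()
        return any(host == d or host.endswith("." + d)
                   for d in self.allowed_domains)

    def authorize(self, probe: str, target: str) -> bool:
        """Step 2: allow one probe at a time; log the decision either way."""
        now = self.clock()
        if not self.in_scope(target):
            decision = "deny:out_of_scope"
        elif self._last_run is not None and now - self._last_run < self.min_interval_s:
            decision = "deny:rate_limit"
        else:
            decision, self._last_run = "allow", now
        self.audit.append({"t": now, "probe": probe,
                           "target": target, "decision": decision})
        return decision == "allow"


def finding_status(evidence_runs: list) -> str:
    """Step 3: a finding stays untrusted until two runs give the same evidence."""
    if len(evidence_runs) >= 2 and len(set(evidence_runs)) == 1:
        return "verified"
    return "unverified"


if __name__ == "__main__":
    gate = ScopeGate(("example.test",), min_interval_s=2.0)   # constructed scope
    for url in ("https://app.example.test/", "https://example.test.evil.net/"):
        print(url, gate.authorize("http_headers", url))       # hypothetical probe name
```

The audit list is what makes a run reviewable afterwards: denied requests are recorded alongside allowed ones, so an assistant that asks for an out-of-scope target leaves a trace.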

FAQ

Q: Is it for authorized testing only? A: Yes. The README includes responsible-use warnings; only scan targets you own or have permission to test.

Q: Do I need an API key? A: Not always. The README notes that when wired into Claude Code via MCP, your Claude subscription can run the engagement; otherwise you can run ptai with API keys (or via LiteLLM).

Q: What should I run first? A: Start with low-risk recon-style probes, then iterate: run one probe, inspect evidence, and only then escalate to exploit attempts.

Source and acknowledgements

  • Source: https://github.com/0xSteph/pentest-ai
  • License: MIT
  • GitHub stars: 215 · forks: 44
