Cette page est affichée en anglais. Une traduction française est en cours.
MCP ConfigsMay 12, 2026·2 min de lecture

pentest-ai — Offensive Security MCP for Claude Code

pentest-ai is a Python CLI and MCP server that lets Claude Code run verified probes, chain attack paths, and export reports for authorized testing.

MCP Hub
MCP Hub · Community
Prêt pour agents

Staging sûr pour cet actif

Cet actif est d'abord staged. Le prompt copié demande à l'agent d'inspecter les fichiers staged avant d'activer scripts, config MCP ou config globale.

Stage only · 17/100Policy : staging
Surface agent
Tout agent MCP/CLI
Type
Mcp Config
Installation
Stage only
Confiance
Confiance : Established
Point d'entrée
Asset
Commande de staging sûr
npx -y tokrepo@latest install f76cd84e-181d-5048-9a71-48fd466a37ca --target codex

Stage les fichiers d'abord; l'activation exige la revue du README et du plan staged.

Introduction

pentest-ai is a Python CLI and MCP server that lets Claude Code run verified probes, chain attack paths, and export reports for authorized testing.

  • Best for: Authorized pentests where you want a probe-by-probe MCP loop (not a black-box scanner)
  • Works with: Claude Code or any MCP client; ptai CLI for standalone/CI; common security tools auto-installed on first run (per README)
  • Setup time: 5–15 minutes

Practical Notes

  • GitHub: 215 stars · 44 forks; pushed 2026-05-12 (verified via GitHub API).
  • README introduces iterative MCP tools list_probes / run_probe / http_request for scoped, step-by-step driving.
  • README claims 47 MCP tools and 200+ tool wrappers (nmap, nuclei, ffuf, sqlmap, gobuster, …) with auto-install on first run.

Main

A practical “agent-safe pentest” setup looks like this:

  1. Declare scope explicitly (domains, auth method, rate limits) in the prompt you give Claude Code.
  2. Use iterative driving: start with list_probes, run one probe at a time, and only escalate when evidence supports it.
  3. Prefer proof over guesses: keep PoCs small, reproducible, and logged; treat every finding as “untrusted” until verified.
  4. Keep a clean separation between:
    • tool execution (ptai running probes)
    • reasoning + coordination (your MCP client / assistant)
  5. When you need CI-style runs, switch to the CLI path (ptai start …) and pin provider/model settings so results are comparable run-to-run.

The big win is control: you get a repeatable probe library, plus an MCP interface that lets an LLM coordinate without inventing results.

FAQ

Q: Is it for authorized testing only? A: Yes. The README includes responsible-use warnings; only scan targets you own or have permission to test.

Q: Do I need an API key? A: Not always. The README notes that when wired into Claude Code via MCP, your Claude subscription can run the engagement; otherwise you can run ptai with API keys (or via LiteLLM).

Q: What should I run first? A: Start with low-risk recon-style probes, then iterate: run one probe, inspect evidence, and only then escalate to exploit attempts.

🙏

Source et remerciements

Source: https://github.com/0xSteph/pentest-ai > License: MIT > GitHub stars: 215 · forks: 44

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires