OffSec Community AI Challenge 2025 Submission
An intelligent Discord bot that combines Google Gemini AI, Groq AI, and PayloadsAllTheThings to create an interactive cybersecurity learning platform.
OffSecMentor is a Discord bot that helps cybersecurity learners, pentesters, and bug bounty hunters by:
- π Instant Payload Access - Fetches real-world payloads from PayloadsAllTheThings (50+ vulnerability categories)
- π AI Study Plans - Generates personalized learning roadmaps for any security topic
- π§ Interactive Quizzes - Tests knowledge with MCQ-style security quizzes
- π Quick Cheatsheets - Provides copy-paste ready payload references
- πΊοΈ Pentest Methodologies - Step-by-step guides for web/network/API pentesting
- π¬ Context-Aware Chat - Remembers conversation history for natural follow-ups
- β‘ Dual AI Fallback - Uses Gemini (primary) + Groq (backup) for 99.9% uptime
- Scattered Resources - Security payloads are spread across multiple repos/sites
- Learning Curve - Beginners don't know where to start or what to learn next
- No Interactive Practice - Most resources are static documentation
- Context Switching - Constantly switching between Discord, browser, notes
- β All-in-One - Payloads, learning plans, quizzes in Discord (where community already is)
- β AI-Powered - Smart responses tailored to your question, not generic docs
- β Interactive - Quizzes, chat memory, and real-time payload generation
- β - Always Available - Dual AI ensures bot never goes down due to rate limits
!payload SQL Injection
!payload XSS
!cheatsheet SSRF
- Fetches from PayloadsAllTheThings in real-time (no local download)
- AI-enhanced explanations with actual working payloads
- Color-coded rich embeds for visual clarity
!studyplan web hacking 7
!studyplan bug bounty 14
- Generates day-by-day learning roadmaps
- Includes resources, tools, and practice tasks
- Customizable duration (1-30 days)
!quiz SQL Injection
!quiz OWASP Top 10
- 5 MCQ questions per topic
- React with emoji to answer (
π °οΈ π ±οΈ Β©οΈ π©) - Instant feedback with explanations
!cheatsheet XSS
!cheatsheet Command Injection
- Compact, copy-paste ready payloads
- No fluff, just code blocks
- Perfect for quick reference during CTFs
!methodology web
!methodology network
- Step-by-step pentest workflows
- Recon β Scanning β Exploitation β Post-Exploitation
- Includes tools and techniques for each phase
!ctf "Found admin login, tried SQL injection but WAF blocking"
!ctf "File upload allows .php but executes as text"
- AI analyzes your CTF challenge
- Identifies vulnerability type automatically
- Fetches relevant payloads from PayloadsAllTheThings
- Provides step-by-step solving strategy
- Recommends tools and bypass techniques
User: What is SQL injection?
Bot: [explains SQL injection]
User: Show me bypass techniques
Bot: [knows you're asking about SQL injection bypasses]
- Remembers last 10 messages per channel
- 30-minute memory timeout
- Natural follow-up questions
!cve CVE-2021-44228
!cve_search apache log4j
!latest_cves 5
!exploit log4j
!poc CVE-2021-44228
- Real-time CVE data from NVD (National Vulnerability Database)
- Color-coded severity embeds (π΄ Critical, π High, π‘ Medium, π’ Low)
- CVSS score with visual bar indicator
- Exploit/PoC search via GitHub
- Affected products, CWE, references
- Smart rate limiting with 24hr cache
- 50 requests/30s with API key
!whois google.com
!dnslookup google.com
!techstack google.com
!recon google.com
- WHOIS: Domain ownership, registrar, dates, name servers
- DNS Lookup: A, AAAA, MX, NS, TXT, CNAME, SOA records
- Tech Stack: Server, CDN, CMS, frontend/backend, security headers, SSL info
- Full Recon: All three combined with 3 rich embeds
- No API keys needed β all free and direct
User Query
β
π’ Try Gemini 2.0 Flash (Primary)
β Success β Response
β Rate Limit/Error
π‘ Fallback to Groq Llama 3.3 70B
β
β
Response Delivered
- Payload Summarization - Converts raw markdown into structured, readable responses
- Study Plan Generation - Creates personalized learning roadmaps based on topic
- Quiz Creation - Generates contextual MCQ questions with explanations
- Methodology Synthesis - Transforms documentation into actionable step-by-step guides
- Context Understanding - Uses chat memory for follow-up questions
- Gemini - Best quality, but has rate limits (1500 req/day free tier)
- Groq - Super fast, generous limits (14,400 req/day), good quality
- Result - Bot never goes down, always responds
- Python 3.8+
- Discord Bot Token (Get here)
- Google Gemini API Key (Get here)
- Groq API Key (Get here)
- GitHub Token (Optional, for higher rate limits - Get here)
- Clone the repository
git clone <your-repo-url>
cd bot- Install dependencies
pip install -r requirements.txt- Configure environment variables
Create a
.envfile:
DISCORD_TOKEN=your_discord_bot_token
GEMINI_API_KEY=your_gemini_api_key
GROQ_API_KEY=your_groq_api_key
GITHUB_TOKEN=your_github_token # Optional- Run the bot
python bot.py- Invite bot to your Discord server Use the OAuth2 URL from Discord Developer Portal with these permissions:
- Send Messages
- Embed Links
- Add Reactions
- Read Message History
| Command | Description | Example |
|---|---|---|
!payload <topic> |
Get payloads for a vulnerability | !payload SQL Injection |
!topics |
List all 50+ available topics | !topics |
!cheatsheet <topic> |
Quick payload reference | !cheatsheet XSS |
!cve <CVE-ID> |
Get detailed CVE information | !cve CVE-2021-44228 |
!cve_search <keyword> |
Search CVEs by keyword | !cve_search apache log4j |
!latest_cves [count] |
Get latest published CVEs | !latest_cves 5 |
!exploit <keyword> |
Search exploits/PoCs | !exploit log4j |
!poc <CVE-ID> |
Find PoC exploits for CVE | !poc CVE-2021-44228 |
!whois <domain> |
WHOIS domain lookup | !whois google.com |
!dnslookup <domain> |
DNS records lookup | !dnslookup google.com |
!techstack <domain> |
Technology detection | !techstack google.com |
!recon <domain> |
Full recon (WHOIS+DNS+Tech) | !recon google.com |
!studyplan <topic> [days] |
Generate AI study plan | !studyplan web hacking 7 |
!quiz <topic> |
Interactive security quiz | !quiz OWASP Top 10 |
!methodology [type] |
Pentest methodology guide | !methodology web |
!ctf <challenge> |
CTF challenge solver | !ctf Found admin panel, can't login |
!ask <question> |
Ask anything (auto-includes payloads) | !ask How does SSRF work? |
@Bot <message> |
Chat with context memory | @OffSecMentor explain XSS |
!aihelp |
Show all commands | !aihelp |
Color-coded embeds with icons, source links, and AI model attribution
Personalized day-by-day learning roadmap
MCQ questions with emoji reactions
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Discord User β
ββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Discord Bot (bot.py) β
β βββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Command Handler + Chat Memory + Embeds β β
β ββββββββββββ¬βββββββββββββββββββββββ¬ββββββββββββββ β
βββββββββββββββΌβββββββββββββββββββββββΌβββββββββββββββββββ
β β
βΌ βΌ
βββββββββββββββββββββββ ββββββββββββββββββββββββββββ
β cheatsheet_module.pyβ β Dual AI Engine β
β βββββββββββββββββ β β ββββββββββββββββββββββ β
β β Unified Repos β β β β Gemini (Primary) β β
β β + Fallback β β β β Groq (Fallback) β β
β β Search β β β ββββββββββββββββββββββ β
β βββββββββββββββββ β ββββββββββββββββββββββββββββ
βββββββββββββββββββββββ
- bot.py - Main Discord bot logic, commands, embeds, chat memory
- cheatsheet_module.py - Unified multi-repo payload fetcher (PayloadsAllTheThings + others)
- fallback_search.py - Fallback engine using Google Dork scraping + GitHub Search API
- Dual AI - Gemini + Groq with automatic fallback
- Chat Memory - Per-channel conversation context (10 messages, 30min timeout)
- β No Data Storage - Bot doesn't store user messages permanently
- β Read-Only GitHub Access - Only fetches public PayloadsAllTheThings content
- β
API Key Security - All keys in
.env(never committed to Git) - β Educational Purpose - All payloads are for authorized security testing only
This bot was created for the OffSec Community AI Challenge 2025. Contributions welcome!
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit changes (
git commit -m 'Add amazing feature') - Push to branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- PayloadsAllTheThings - Comprehensive payload repository
- Google Gemini - Primary AI model
- Groq - Fast AI inference (fallback)
- OffSec Community - For hosting this amazing challenge
- GitHub
- Discord
- OffSec Account
Submission for: Build with AI - MCPs for the Community
Category: Discord Helper Bot + AI Study Planner
Impact: Helps OffSec learners access payloads, create study plans, and practice interactively - all within Discord
AI Usage: Dual AI (Gemini + Groq) for payload summarization, study plan generation, quiz creation, and context-aware chat
Built with β€οΈ for the OffSec Community
Making security learning accessible, interactive, and AI-powered