AI-powered penetration testing assistant that analyzes security tool outputs in real time using the Claude API.
Security Copilot is a CLI tool that sits alongside your pentesting workflow. Paste any tool output — Nmap, Nikto, Burp Suite, Gobuster — and get instant expert analysis:
- Attack vectors mapped to CVEs and severity levels
- Recommended next steps ordered by impact
- Critical findings flagged immediately
- Persistent session so Claude remembers context across your whole engagement
███████╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗██╗ ██████╗ ████████╗
...
AI-Powered Penetration Testing Assistant │ Powered by Claude API
copilot> paste
Paste your tool output below. Type END on a new line when done:
Starting Nmap 7.94 scan...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu
80/tcp open http Apache httpd 2.4.18
3306/tcp open mysql MySQL 5.5.62
END
Analyzing...
🎯 CRITICAL FINDINGS
MySQL 5.5.62 is end-of-life with multiple unpatched CVEs including CVE-2020-14550
🔍 ANALYSIS SUMMARY
Three services exposed. SSH version suggests Ubuntu 16.04 (EOL). Apache 2.4.18
has known vulnerabilities. MySQL 5.5.x branch is severely outdated.
⚠️ ATTACK VECTORS
1. [CRITICAL] MySQL CVE-2020-14550 - Authentication bypass
2. [HIGH] OpenSSH 7.2p2 - CVE-2016-6210 user enumeration
3. [HIGH] Apache 2.4.18 - CVE-2017-7679 buffer overflow
4. [MEDIUM] MySQL exposed on 3306 - potential brute force
🛠️ RECOMMENDED NEXT STEPS
1. Run: nmap --script mysql-empty-password -p 3306 <target>
2. Attempt SSH user enumeration with Metasploit auxiliary/scanner/ssh/ssh_enumusers
3. Run nikto -h http://<target> for web surface analysis
4. Check for phpMyAdmin at /phpmyadmin, /pma, /mysql
📋 NOTES
Priority target: MySQL. If accessible without auth, pivot to file read/write
via LOAD DATA INFILE for potential RCE.
# Clone the repo
git clone https://github.com/yourusername/security-copilot-cli
cd security-copilot-cli
# Install dependencies
pip install -r requirements.txt
# Set your Anthropic API key
export ANTHROPIC_API_KEY=your_api_key_here
# Run
python security_copilot.py| Command | Description |
|---|---|
paste |
Paste tool output interactively (type END to finish) |
file /path/to/scan.txt |
Load output directly from a file |
export |
Export full session to a markdown report |
clear |
Clear session history and start fresh |
history |
Show number of exchanges in current session |
help |
Show all commands |
exit |
Exit the tool |
You can also type any free-form question as a follow-up and Claude will answer with context from the current session.
- Nmap — port scans, service detection, script results
- Nikto — web vulnerability scanner
- Gobuster / Dirb — directory enumeration
- Burp Suite — exported request/response data
- Netcat / Curl — raw service banners
- Any text output — Claude understands context
Your tool output
│
▼
Claude API (claude-opus-4-5)
│
▼
Expert analysis with session memory
│
▼
CVEs + Attack vectors + Next steps
The tool maintains a session file (~/.security_copilot_session.json) so Claude remembers everything from the current engagement. Use clear when starting a new target.
- During a pentest — get instant second opinions on findings
- CTF competitions — accelerate enumeration and exploitation ideas
- Learning — understand why certain findings are critical
- Reporting — export session as structured markdown for report writing
- Python 3.8+
- Anthropic API key (get one free at console.anthropic.com)
anthropicPython package
Built as part of an AI + cybersecurity learning project using Anthropic's Claude API and MCP courses.
This tool is intended for authorized penetration testing and educational purposes only. Always obtain proper written authorization before testing any system.