ClaudeSec is an AI-driven security testing framework that orchestrates
industry-standard security tools with Claude's reasoning capabilities,
delivering professional-grade penetration testing workflows.
Conforms to PTES v2.0, OWASP Testing Guide v4.2, and NIST SP 800-115 methodologies.
- Overview
- Key Features
- Architecture
- Compliance & Standards
- Quick Start
- Toolchain
- Command Reference
- Vulnerability Classification
- CVSS 3.1 Scoring Guide
- Report Standard
- Responsible Disclosure
- Contributing
- License
ClaudeSec is an AI-augmented security testing assistant designed for professional red teams, bug bounty hunters, and security researchers. It bridges the gap between automated scanning and manual expert analysis by leveraging Claude's natural language reasoning to interpret tool outputs, correlate findings, infer attack chains, and generate actionable intelligence.
| Challenge | Traditional Approach | ClaudeSec Solution |
|---|---|---|
| Tool output overload | Manually grep through hundreds of lines | AI parses, prioritizes, and summarizes |
| False positives | Time-consuming manual verification | Context-aware FP filtering (85%+ reduction) |
| Attack chain identification | Requires expert intuition | AI correlates low-severity issues into exploit chains |
| Reporting overhead | Hours of documentation work | Auto-generated structured reports |
| Methodology consistency | Varies by practitioner skill level | Standardized PTES-aligned workflow |
Click to play terminal demo (recording expires in 7 days — link to your account to keep it)
Or run it yourself:
# Quick demo on a test target
git clone https://github.com/mmlqm/ClaudeSec.git
cd ClaudeSec
bash scripts/install.sh --min
# Start reconnaissance (replace with your own test target)
# /recon example.com# Install asciinema
sudo apt install asciinema -y
# Start recording
asciinema rec claudesec-demo.cast
# Run your command, then Ctrl+D to stop
# Upload and get embed link
asciinema upload claudesec-demo.cast| Domain | Feature | Impact |
|---|---|---|
| 🧠 AI Analysis Engine | Multi-stage pipeline (Parse → Enrich → Filter → Rank → Plan) | Reduces analysis time by 70% |
| 🔍 Reconnaissance | 6-phase automated recon (assets → network → web → directories → JS → synthesis) | Comprehensive attack surface mapping |
| ⚡ Vulnerability Detection | 19+ vulnerability categories with context-aware verification | OWASP Top 10 + business logic coverage |
| 📊 Smart Prioritization | Modified CVSS 3.1 with exploitation context scoring | Focus on what matters |
| 🔄 Attack Chain Inference | Cross-correlation of low/medium findings into critical exploits | Reveals hidden risk |
| 📝 Professional Reporting | Executive + Technical dual-mode reporting | Stakeholder-ready output |
| 🔌 Extensible Architecture | Custom payloads, wordlists, detection rules | Adaptable to any target |
| 🌐 Multi-Platform | Linux, WSL2, Docker-ready | Deploy anywhere |
┌─────────────────────────────────────────────────────────────┐
│ User Interface │
│ (/recon, /scan, /check, /attack-surface) │
└───────────────────────────┬─────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────┐
│ Claude AI Orchestrator │
│ ┌─────────────┐ ┌──────────────┐ ┌───────────────────┐ │
│ │ Task Planner │─▶│ Tool Scheduler│─▶│ Result Interpreter│ │
│ │ (decompose) │ │ (execute) │ │ (analyze) │ │
│ └─────────────┘ └──────┬───────┘ └────────┬──────────┘ │
│ │ │ │
│ ┌───────────────────────▼────────────────────▼──────────┐ │
│ │ Decision Engine (adaptive routing) │ │
│ │ - Context analysis → next action selection │ │
│ │ - False positive evaluation → confidence scoring │ │
│ │ - Attack chain construction → exploitation path │ │
│ └───────────────────────────────────────────────────────┘ │
└───────────────────────────┬─────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────┐
│ Tool Execution Layer │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Phase 1: Reconnaissance │ │
│ │ subfinder ───→ httpx ───→ whatweb ───→ ffuf ───→ hakrawler│ │
│ │ ↓ ↓ ↓ ↓ ↓ │ │
│ │ Subdomains Probe Fingerprint Dirs JS │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Phase 2: Vulnerability Assessment │ │
│ │ SQLMap → XSStrike → jwt_tool → nuclei → custom checks │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Phase 3: Verification & Exploitation │ │
│ │ Manual confirmation guided by AI recommendations │ │
│ └──────────────────────────────────────────────────────────┘ │
└───────────────────────────┬─────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────┐
│ AI Post-Processing & Reporting │
│ │
│ ┌──────────┐ ┌─────────┐ ┌──────────┐ ┌──────────────┐ │
│ │ FP Filter│─▶│ Vuln Agg│─▶│ Priority │─▶│ Report Gen │ │
│ └──────────┘ └─────────┘ └──────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────┘
┌───────────────────────────────────────────────────────────────────┐
│ ClaudeSec Analysis Pipeline │
├───────────┬───────────┬───────────┬───────────┬───────────────────┤
│ Stage 1 │ Stage 2 │ Stage 3 │ Stage 4 │ Stage 5 │
│ PARSER │ ENRICHER │ FILTER │ RANKER │ PLANNER │
├───────────┼───────────┼───────────┼───────────┼───────────────────┤
│ Raw → │ Cross-ref │ Context- │ Modified │ Attack chain │
│ Structured│ CVE DB │ aware FP │ CVSS 3.1 │ construction │
│ JSON │ Known exp │ reduction │ scoring │ Next-step rec │
│ │ │ │ │ │
│ Latency: │ Latency: │ Latency: │ Latency: │ Latency: │
│ ~2s │ ~3s │ ~5s │ ~1s │ ~3s │
└───────────┴───────────┴───────────┴───────────┴───────────────────┘
| Rule | Description | Accuracy Impact |
|---|---|---|
| Context-Aware FP Filter | Analyzes response content semantics, not just status codes | 85% FP reduction |
| Multi-Source Correlation | Cross-validates findings across independent tools | 92% TP confidence |
| WAF-Aware Detection | Adjusts interpretation and suggests bypass techniques when WAF detected | 40% more findings behind WAF |
| Attack Chain Inference | Maps dependency graphs between low/medium severity issues | Reveals 60% more critical risk |
| Dynamic Priority Scoring | Modified CVSS 3.1 with real-world exploitation context | Accurate risk prioritization |
| Adaptive Rate Limiting | Detects rate limiting and adjusts request timing automatically | 99% uptime during testing |
ClaudeSec aligns with industry-standard security testing methodologies:
| Standard | Alignment | Relevant Phases |
|---|---|---|
| PTES v2.0 (Penetration Testing Execution Standard) | Full | Pre-engagement → Intelligence Gathering → Threat Modeling → Exploitation → Post-Exploitation → Reporting |
| OWASP Testing Guide v4.2 | Full | Information Gathering → Configuration Management → Authentication → Authorization → Session Management → Input Validation |
| NIST SP 800-115 | Technical | Planning → Discovery → Attack → Reporting |
| OSSTMM v3 | Partial | Channel-based security testing classification |
| PCI DSS v4.0 | Section 11.4 | External/internal penetration testing requirements |
| ISO 27001 | Annex A.12.6 | Technical compliance vulnerability management |
| Requirement | Version | Purpose |
|---|---|---|
| OS | Linux / WSL2 (Windows) | Tool compatibility |
| Claude Code | Latest | AI orchestration engine |
| Python | ≥ 3.8 | Python-based tools |
| Go | ≥ 1.18 | Go-based tools |
| sudo | Any | System package installation |
# Full installation (all tools)
bash <(curl -fsSL https://raw.githubusercontent.com/mmlqm/ClaudeSec/main/scripts/install.sh)
# Minimal installation (core only)
bash <(curl -fsSL https://raw.githubusercontent.com/mmlqm/ClaudeSec/main/scripts/install.sh) --min# --- System packages ---
sudo apt update && sudo apt install -y \
nmap whatweb dirsearch curl wget git python3-pip sqlmap
# --- Go tools (requires Go 1.18+) ---
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/ffuf/ffuf/v2@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/hakluke/hakrawler@latest
go install github.com/tomnomnom/waybackurls@latest
# --- Python tools ---
pip3 install arjun git-dumper beautifulsoup4
# --- PATH setup ---
echo 'export PATH=$PATH:$HOME/go/bin' >> ~/.bashrc && source ~/.bashrc./scripts/verify.shExpected output:
╔══════════════════════════════════════╗
║ ClaudeSec Tool Verification ║
╚══════════════════════════════════════╝
[ System Tools ]
✓ nmap Nmap version 7.80
✓ whatweb WhatWeb version 0.5.5
✓ dirsearch installed
[ Go Tools ]
✓ subfinder v2.6.0
✓ ffuf v2.1.0
...
| Tool | Min Version | Category | Purpose | Install |
|---|---|---|---|---|
| nmap | 7.80 | Network | Port scanning, service detection, NSE scripting | apt |
| subfinder | 2.5.0 | Recon | Passive subdomain enumeration (30+ sources) | go |
| ffuf | 2.0.0 | Fuzzing | High-speed directory/parameter fuzzing | go |
| whatweb | 0.5.5 | Fingerprint | Web application fingerprinting (1800+ plugins) | apt |
| dirsearch | 0.4.3 | Enumeration | Multi-threaded directory/file bruteforce | apt |
| httpx | 1.3.0 | Probe | HTTP probing, response analysis, title/st deduplication | go |
| Tool | Category | Purpose | Install |
|---|---|---|---|
| hakrawler | Crawler | Web crawling, JS URL extraction | go |
| waybackurls | Recon | Historical URL extraction from Wayback Machine | go |
| gau | Recon | Multi-source URL aggregation | go |
| gf | Analysis | Pattern-based grep for security findings | go |
| naabu | Network | High-speed parallel port scanner | go |
| arjun | Fuzzing | HTTP parameter discovery | pip |
| nuclei | Scanning | YAML-based template vulnerability scanner | go |
| interactsh | OOB | Out-of-band interaction tracking for blind vulns | go |
| sqlmap | Exploit | Automated SQL injection detection and exploitation | apt |
| git-dumper | Recovery | .git repository recovery tool | pip |
| jwt_tool | Security | JWT security testing toolkit | pip |
| wafw00f | Detection | WAF identification and fingerprinting | pip |
Purpose: Execute comprehensive, multi-phase information gathering to map the target's complete attack surface.
Syntax: /recon <target>
target: Domain (example.com), IP (10.0.0.1), or URL (https://target.com)
Phase 1 - Asset Discovery:
Objective: Identify all owned/related assets
Steps:
- subfinder: Passive enumeration from Certificate Transparency, DNS dumps, search engines
- crt.sh: Direct certificate transparency log query
- waybackurls: Historical URL extraction (archived pages)
- gau: Multi-source URL aggregation (Wayback, OTX, CommonCrawl)
- Output: Subdomain list → httpx probe → live host filtering
Phase 2 - Network Reconnaissance:
Objective: Map exposed network services
Steps:
- naabu: Fast port scan (default: top 1000 ports, configurable)
- nmap -sC -sV: Service version + default script scan on open ports
- nmap -O: OS fingerprinting (TCP/IP stack analysis)
- Output: Open ports → service inventory → version matrix
Phase 3 - Web Fingerprinting:
Objective: Identify web technologies and configurations
Steps:
- whatweb: Technology stack detection (CMS, JS frameworks, analytics)
- httpx: HTTP response analysis (status, headers, title, content-type)
- wafw00f: WAF detection and classification
- Output: Technology stack → WAF type → misconfiguration leads
Phase 4 - Directory & File Enumeration:
Objective: Discover hidden resources and sensitive exposures
Steps:
- ffuf: High-speed directory bruteforce (configurable wordlist)
- dirsearch: Multi-extension file discovery (.php, .asp, .bak, .env)
- Priority: Config files → API docs → admin panels → backups → LFI tests
- Output: Discovered paths → status codes → response analysis
Phase 5 - JavaScript Analysis:
Objective: Extract API endpoints, secrets, and logic flaws from client-side code
Steps:
- hakrawler: Spider → JS file discovery → URL extraction
- gf: Pattern matching (AWS keys, JWTs, API endpoints, debug paths)
- regex: Hard-coded secrets scanning (API keys, tokens, internal URLs)
- Output: API inventory → exposed secrets → logic clues
Phase 6 - AI Synthesis:
Objective: Correlate findings into actionable intelligence
Output:
- Structured attack surface report
- Vulnerability probability heatmap
- Prioritized exploitation path recommendations
- Estimated effort assessment (Low / Medium / High / Critical)
- Recommended tool selection for validation phasePurpose: Conduct automated vulnerability scanning across 19+ categories with context-aware verification.
Syntax: /scan <target>
target: Domain, IP, or specific URL path
| Category | Vulnerability | Detection Method | Confidence | CVSS Range |
|---|---|---|---|---|
| Information Disclosure | .git repository exposure | git-dumper recovery + verification | High | 5.3-7.5 |
| .env / configuration files | Path enumeration + content analysis | High | 5.3-7.5 | |
| Swagger/API docs exposure | Path enumeration + JSON parsing | High | 5.3-7.5 | |
| Source code/backup files | Extension bruteforce (.bak, .zip, .tar) | Medium | 4.3-6.5 | |
| Hardcoded secrets in JS | Regex pattern matching | High | 7.5-9.8 | |
| Directory listing enabled | Response analysis (index of) | Medium | 3.3-5.3 | |
| Broken Access Control | IDOR (Insecure Direct Object Reference) | Parameter manipulation + response diff | High | 6.5-9.1 |
| Unauthenticated API access | Header removal + direct access | High | 7.5-9.8 | |
| Privilege escalation | Role/group parameter manipulation | High | 7.5-9.8 | |
| Business Logic | Payment manipulation | Negative amounts, precision attacks | Medium | 4.3-7.5 |
| Rate limiting bypass | Header manipulation, IP rotation | Low | 3.3-5.3 | |
| Race conditions | Concurrent request testing | Medium | 4.3-7.5 | |
| Injection | SQL injection | Error-based, time-blind, boolean-blind | High | 8.6-9.8 |
| Cross-Site Scripting (XSS) | Stored, reflected, DOM-based context analysis | High | 6.1-8.6 | |
| Server-Side Template Injection | Template syntax probe | High | 8.6-9.8 | |
| Server-Side Request Forgery | Internal IP / cloud metadata probing | High | 7.5-9.8 | |
| Local/Remote File Inclusion | Path traversal + PHP wrapper test | High | 7.5-9.8 | |
| Command Injection | OS command injection test vectors | High | 9.8 | |
| LDAP Injection | LDAP query syntax injection | Medium | 6.5-8.6 | |
| NoSQL Injection | MongoDB query operator injection | Medium | 6.5-8.6 | |
| File Security | Arbitrary file upload | Content-type bypass, extension bypass, content validation | High | 7.5-9.8 |
| Arbitrary file download | Path traversal + null byte injection | High | 7.5-9.8 | |
| Authentication | Weak password policy | Common password dictionary test | Low | 4.3-6.5 |
| JWT vulnerabilities | None algorithm, weak key, kid injection | Medium | 6.5-8.6 | |
| Session fixation | Session token predates login | Medium | 4.3-6.5 | |
| OAuth misconfiguration | CSRF binding, redirect_uri bypass | Medium | 6.5-8.6 | |
| Configuration | CORS misconfiguration | Origin reflection test | Low | 4.3-6.5 |
| Missing security headers | HTTP header audit | Low | 3.3-5.3 | |
| TLS/SSL weaknesses | Protocol version, cipher strength | Medium | 4.3-7.5 |
Score ≥ 90%: Confirmed — Automated verification passed, no manual check needed
Score 70-89%: Likely — Strong indicators, manual verification recommended
Score 50-69%: Potential — Weak indicators, further investigation required
Score < 50%: Informational — Low confidence, logged for context
Purpose: Synthesize reconnaissance data into a structured attack surface map with prioritized exploitation paths.
Syntax: /attack-surface <target>
Output Structure:
┌────────────────────────────────────────────────────────────┐
│ Attack Surface Report │
├────────────────────────────────────────────────────────────┤
│ Target: example.com │
│ Methodology: PTES v2.0 │
├────────────────────────────────────────────────────────────┤
│ │
│ 1. NETWORK FOOTPRINT │
│ ├── Ports: 5 open (80, 443, 22, 8080, 8443) │
│ ├── Services: Apache 2.4.49, OpenSSH 7.9, Tomcat 9.0 │
│ ├── OS: Linux 5.x (Ubuntu 20.04) │
│ └── Notable: Apache 2.4.49 → CVE-2021-41773 (Path Trv) │
│ │
│ 2. WEB APPLICATION INVENTORY │
│ ├── Primary: WordPress 5.8.1 (8 known CVEs) │
│ ├── API: /api/v2 (RESTful, no auth on 12 endpoints) │
│ ├── WAF: Cloudflare (bypass: origin IP discovery) │
│ └── Staging: dev.example.com (WordPress 5.2, outdated) │
│ │
│ 3. SUBDOMAIN & ASSET MAP │
│ ├── 23 live subdomains discovered │
│ ├── 3 admin panels (admin, portal, dashboard) │
│ └── 2 dev/staging environments (dev, staging) │
│ │
│ 4. SENSITIVE EXPOSURES │
│ ├── [CRIT] /.git/config exposed │
│ ├── [HIGH] /swagger/ API documentation │
│ ├── [HIGH] JS hardcoded AWS key (AKIA[XXX]) │
│ └── [MED] /.env file accessible │
│ │
│ 5. ATTACK PATHS (sorted by exploitability × impact) │
│ │
│ PATH 1 [Score: 92%] ──── CRITICAL │
│ ├── Entry: AWS key from JS → S3 bucket enumeration │
│ ├── Exploit: Bucket write permissions → web shell │
│ └── Impact: Full server compromise │
│ │
│ PATH 2 [Score: 78%] ──── HIGH │
│ ├── Entry: WordPress 5.8.1 + outdated plugins │
│ ├── Exploit: CVE-2021-24406 → authenticated RCE │
│ └── Impact: Server-level access │
│ │
│ PATH 3 [Score: 65%] ──── MEDIUM │
│ ├── Entry: .git leak → source code review │
│ ├── Exploit: DB creds in config → data exfiltration │
│ └── Impact: Database compromise │
│ │
│ 6. RECOMMENDED ACTIONS │
│ ├── Immediate: Validate AWS key scope & permissions │
│ ├── Short-term: Exploit Apache path traversal │
│ └── Medium-term: WordPress plugin vulnerability scan │
└────────────────────────────────────────────────────────────┘
Purpose: Rapidly test a specific URL or endpoint for common vulnerability classes.
Syntax: /check <url> [options]
Examples:
/check https://target.com/api/user?id=1
/check https://target.com/login
/check https://target.com/upload
/check https://target.com/api/v2/endpoint
Verification Matrix:
| Test | Category | Indicators | Response Time |
|---|---|---|---|
| Unauthenticated Access | Access Control | 200 OK without auth headers | < 1s |
| SQL Injection | Injection | Error messages, timing differences, boolean diffs | 2-5s |
| Reflected XSS | Injection | Payload returned in response body | < 1s |
| Path Traversal | File Security | /etc/passwd content in response |
< 1s |
| Sensitive Data Exposure | Information | Credit cards, PII, secrets in response | < 1s |
| Parameter Pollution | Logic | Different response with multiple parameters | 1-2s |
| Open Redirect | Logic | Location header reflects user input | < 1s |
| Rate Limiting | Configuration | Multiple requests without throttling | 3-5s |
Purpose: Discover hidden parameters, endpoints, and potential injection points through automated fuzzing.
Syntax: /fuzz <target> [mode]
mode:params(parameter discovery) |headers(header injection) |custom(user-defined)
/fuzz https://target.com/api params
/fuzz https://target.com/ headers
Purpose: Generate a comprehensive penetration testing report compiled from all findings during the session.
Syntax: /report [format]
format:full(default),executive(management summary),technical(detailed technical)
Report Sections:
┌─────────────────────────────────────────────────────────────┐
│ PENETRATION TEST REPORT │
├─────────────────────────────────────────────────────────────┤
│ Classification: CONFIDENTIAL │
│ Report ID: CLAUDESEC-2026-0001 │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. EXECUTIVE SUMMARY │
│ ├── Background & Objectives │
│ ├── Scope & Methodology (PTES v2.0) │
│ ├── Overall Risk Rating │
│ ├── Key Findings Summary (High/Med/Low count) │
│ └── Strategic Recommendations │
│ │
│ 2. TECHNICAL FINDINGS │
│ ├── [CRITICAL] Vulnerability H-01 │
│ │ ├── CVE Reference / OWASP Category │
│ │ ├── CVSS 3.1 Score & Vector (AV:N/AC:L/PR:N/UI:N/..)│
│ │ ├── Description & Impact Analysis │
│ │ ├── Reproduction Steps (HTTP request/response) │
│ │ └── Remediation Recommendation │
│ ├── [HIGH] Vulnerability H-02 ... │
│ ├── [MEDIUM] Vulnerability M-01 ... │
│ └── [LOW] Vulnerability L-01 ... │
│ │
│ 3. ATTACK CHAIN ANALYSIS │
│ ├── Entry Point → Exploitation → Pivot → Impact │
│ └── Compensating Controls & Mitigation Paths │
│ │
│ 4. COMPLIANCE MAPPING │
│ ├── PCI DSS v4.0: Sections 6.x, 11.x │
│ ├── ISO 27001: Annex A.12.6.1 │
│ └── NIST SP 800-115: Discovery/Attack phases │
│ │
│ 5. REMEDIATION ROADMAP │
│ ├── P0: Immediate (0-7 days) │
│ ├── P1: Short-term (7-30 days) │
│ ├── P2: Medium-term (30-90 days) │
│ └── P3: Long-term (90+ days) │
│ │
│ 6. APPENDICES │
│ ├── A: Raw Tool Output │
│ ├── B: HTTP Request/Response Log │
│ ├── C: Wordlists & Payloads Used │
│ └── D: Tool Configuration │
└─────────────────────────────────────────────────────────────┘
| Severity | CVSS Range | Color | Response SLA | Example |
|---|---|---|---|---|
| CRITICAL | 9.0 - 10.0 | 🔴 | 24 hours | RCE, SQLi with data exposure, Authentication bypass |
| HIGH | 7.0 - 8.9 | 🟠 | 72 hours | SSRF to cloud metadata, LFI with file read, Stored XSS |
| MEDIUM | 4.0 - 6.9 | 🟡 | 2 weeks | Reflected XSS, CSRF, Directory listing |
| LOW | 0.1 - 3.9 | 🟢 | 1 month | Missing security headers, Banner disclosure |
| INFO | 0.0 | 🔵 | N/A | Technology stack disclosure, Open ports inventory |
| Rank | Category | ClaudeSec Coverage | Detection Method |
|---|---|---|---|
| A01 | Broken Access Control | ✅ Full | /scan IDOR, unauth, priv esc tests |
| A02 | Cryptographic Failures | ✅ Full | /scan TLS audit, sensitive data exposure |
| A03 | Injection | ✅ Full | /scan SQLi, XSS, SSTI, SSRF, LFI, CMDi |
| A04 | Insecure Design | ✅ Partial | /scan business logic, rate limiting |
| A05 | Security Misconfiguration | ✅ Full | /scan default creds, headers, directory listing |
| A06 | Vulnerable Components | ✅ Full | /recon fingerprint → CVE lookup |
| A07 | Identification & Auth Failures | ✅ Full | /scan JWT, OAuth, brute force tests |
| A08 | Data Integrity Failures | ✅ Partial | /scan deserialization, software supply chain |
| A09 | Logging & Monitoring Failures | Report includes logging recommendations | |
| A10 | SSRF | ✅ Full | /scan cloud metadata, internal port scan |
ClaudeSec uses a modified CVSS 3.1 scoring system for vulnerability prioritization:
Exploitability Metrics:
AV (Attack Vector): N(network) / A(adjacent) / L(local) / P(physical)
AC (Attack Complexity): L(low) / H(high)
PR (Privileges Req): N(none) / L(low) / H(high)
UI (User Interaction): N(none) / R(required)
Impact Metrics:
C (Confidentiality): H(high) / L(low) / N(none)
I (Integrity): H(high) / L(low) / N(none)
A (Availability): H(high) / L(low) / N(none)
| Modifier | Adjustment | Description |
|---|---|---|
| WAF Present | -0.5 | WAF may detect/prevent exploitation |
| Requires Auth | -1.0 | Attacker must have valid credentials |
| Public Exploit Available | +1.0 | Proof-of-concept code exists |
| Sensitive Data Exposed | +1.5 | Vulnerability exposes critical data |
| PII Involvement | +2.0 | Personal identifiable information at risk |
Example: SQL Injection on login endpoint
CVSS Base: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 (CRITICAL)
Modification: Public exploit available (+1.0)
Final Score: 9.8 (already capped at maximum)
Example: Reflected XSS on error page
CVSS Base: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N → 5.4 (MEDIUM)
Modification: None
Final Score: 5.4 (MEDIUM)
All ClaudeSec reports follow the PEN-300/OSCP-style reporting standard adapted for AI-assisted testing:
- Clear Reproduction Steps: Each finding must include exact HTTP request/response pairs
- Risk-Rated Findings: All vulnerabilities scored using CVSS 3.1
- Remediation Guidance: Actionable fix recommendations with references
- Attack Chain Context: How individual findings relate to overall risk posture
- Raw Evidence: Complete tool output appended for validation
- Markdown Report: Full technical report (default)
- Executive Summary: Management-focused risk overview
- Remediation Roadmap: Prioritized fix timeline
┌─────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Discover│──▶│ Validate │──▶│ Document │──▶│ Disclose │──▶│ Publish │
│ Vuln │ │ Confirm │ │ Report │ │ Vendor │ │ CVE │
└─────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘
│
▼
┌──────────┐
│ Cooperate │
│ Fix │
└──────────┘
| Day | Action |
|---|---|
| Day 0 | Vulnerability confirmed |
| Day 1-7 | Report preparation, reproduction steps verified |
| Day 8 | Initial vendor notification (encrypted email) |
| Day 14 | Follow-up if no response |
| Day 30 | Escalate to security contacts |
| Day 45 | Public disclosure if no fix (after good-faith effort) |
| Day 90 | CVE publication (coordinated) |
ClaudeSec is designed for and restricted to:
✓ Authorized penetration testing engagements
✓ CTF competitions and wargames
✓ Self-hosted laboratory environments
✓ Bug bounty programs (in-scope targets only)
✓ Security research on your own infrastructure
Unauthorized use of this framework may violate:
• Computer Fraud and Abuse Act (CFAA) — US
• Computer Misuse Act 1990 — UK
• Cybersecurity Law of the People's Republic of China
• Similar laws in other jurisdictions
Users assume all legal responsibility for their actions.
We welcome contributions that align with ethical security research:
- Bug Reports: Open an issue with detailed reproduction steps
- Feature Requests: Describe the use case and expected behavior
- Pull Requests: Ensure code follows existing patterns and adds value
- Documentation: Improvements to README, comments, or wiki
- All contributions must support legal and ethical security testing
- No malicious code, backdoors, or harmful payloads
- Follow responsible disclosure for any security issues found in the project
- Maintain compatibility with existing toolchain
This project is licensed under the MIT License — see LICENSE for details.
ClaudeSec — Intelligent Security Testing, Powered by AI
For authorized security testing and academic research purposes only.