AI penetration testing agent in your terminal.
Multi-agent architecture • Engagement state tracking • 20+ LLM providers
Hard fork of OpenCode (MIT). Stripped the code-editing focus, rebuilt for penetration testing.
curl -fsSL https://raw.githubusercontent.com/s0ld13rr/pentestcode/main/install.sh | bashSelf-contained binary — no Bun, Node, or runtime needed.
Other options
Pin version:
PENTESTCODE_VERSION=0.1.7 curl -fsSL https://raw.githubusercontent.com/s0ld13rr/pentestcode/main/install.sh | bashCustom directory:
PENTESTCODE_INSTALL=/usr/local/bin curl -fsSL https://raw.githubusercontent.com/s0ld13rr/pentestcode/main/install.sh | bashFrom source:
bun install
bun run build --single --skip-embed-web-ui
# binary at packages/opencode/dist/pentestcode-<os>-<arch>/bin/pentestcodepentestcode # launch TUI
pentestcode -p "scan 10.10.10.0/24" # one-shot prompt
pentestcode -s <session-id> # resume sessionOn first launch, configure your LLM provider — Anthropic, OpenAI, Google, local Ollama, or any of 20+ providers via ai-sdk.
Strategist-coordinator model based on HPTSA research (4.3x improvement over single-agent):
┌─────────────┐
│ pentest │ strategist / coordinator
│ (lead) │ plans, dispatches, tracks OODA loop
└──────┬──────┘
┌───────┬───────┼───────┬───────┐
▼ ▼ ▼ ▼ ▼
┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐
│recon ││scan- ││explo-││iden- ││post- │
│ ││ner ││iter ││tity ││explo │ ... + 7 more
└──────┘└──────┘└──────┘└──────┘└──────┘
13 specialist agents — scanner, enumerator, exploiter, identity (AD/Kerberos), infrastructure, webapp, post-exploit, exploit-dev, critic, reporter, recon, and more. Each has domain-specific prompts, tool permissions, and knowledge.
Engagement State — persistent tracking of hosts, services, vulns, credentials, access levels, relationships, AD domain model. Shared across all agents in real-time.
18 Pentest Tools — nmap/nuclei/netexec/gobuster/bloodhound/sqlmap parsers, XSS detection, JWT analysis, credential spray planner, tunnel management, attack path derivation (Dijkstra + Yen's K-shortest), scope checker, phase control, report generator.
19 Skills — phase checklists (6), service knowledge packs (9), methodology playbooks (4). Loaded on demand as markdown — no code changes needed to add your own.
Phased Methodology — Recon → Enumeration → Vuln Assessment → Exploitation → Post-Exploitation → Reporting. Quality gates block premature phase transitions.
Three Modes — auto (phased autopilot), free (on-demand), guided (step-by-step approval).
Intelligence Layer — state diffs between turns, auto-critic for unvalidated findings, decision memory with failure tracking, inter-agent interrupt alerts, agent context carry across spawns, cost-based attack path derivation.
| Command | What it does |
|---|---|
/status |
Engagement dashboard |
/targets |
Host & service table |
/vulns |
Findings by severity |
/creds |
Discovered credentials |
/scope |
View/edit scope |
/phase |
Phase management |
/mode |
Switch auto/free/guided |
/report |
Generate report |
Works for penetration testing, bug bounty, vulnerability research, CTF, and infrastructure security. Not narrowly scoped to one use case.
MIT — see LICENSE.
