Professional security testing CLI for deployed web applications. No Python required - download a single binary and run.
40+ commands covering OWASP WSTG, PTES, and modern attack vectors. Integrates with Kali Linux tools (nmap, sqlmap, hydra, nikto, nuclei).
Linux/macOS:

```
curl -fsSL https://raw.githubusercontent.com/sabania/pentest-cli/main/install.sh | bash
```

Windows (PowerShell):

```
irm https://raw.githubusercontent.com/sabania/pentest-cli/main/install.ps1 | iex
```

Or download directly from Releases.
Linux/macOS:

```
rm ~/.local/bin/pentest
```

Windows (PowerShell):

```
Remove-Item "$env:USERPROFILE\.local\bin\pentest.exe"
```

This repo also ships a Claude Code plugin with 12 skills and 8 AI agents that use the CLI as their backend. The plugin turns Claude Code into a full security testing platform.
Install the plugin:

```
/plugin marketplace add sabania/pentest-cli
```

Then run:

```
/setup                              # Install CLI + verify environment
/pentest-full https://your-app.com  # Complete security audit
```
See the full plugin documentation: Plugin README
| Skill | Type | Description |
|---|---|---|
| /setup | Utility | Install pentest-cli and verify environment |
| /cli-reference | Utility | Show all 40+ CLI commands |
| /pentest-recon <url> | Passive | Subdomains, DNS, ports, OSINT, tech stack |
| /pentest-scan <url> | Passive | Headers, SSL/TLS, CORS, WAF |
| /pentest-discover <url> | Passive | JS bundles, APIs, secrets, BaaS backends |
| /pentest-auth <url> | Passive | JWT, OAuth, session management |
| /pentest-cloud <url> | Passive | S3/Azure/GCS misconfig, email security |
| /business-logic <url> | Passive | IDOR, privilege escalation, payment bypass |
| /pentest-inject <url> | Active | SQLi, XSS, SSTI, SSRF, XXE, LFI |
| /pentest-advanced <url> | Active | Request smuggling, race conditions, cache poisoning |
| /pentest-full <url> | Full | All scans combined + PDF report |
| /pentest-report | Utility | Generate PDF report from findings |
8 specialized AI agents work as your security testing team:
| Agent | Model | Role |
|---|---|---|
| recon-agent | sonnet | Attack surface mapping |
| scanner-agent | sonnet | Configuration & hardening |
| discovery-agent | sonnet | Secrets, APIs, BaaS probing |
| injection-agent | sonnet | Injection vulnerability testing |
| auth-agent | sonnet | Authentication & session security |
| advanced-agent | opus | Request smuggling, race conditions |
| logic-agent | opus | Business logic & authorization flaws |
| report-agent | haiku | Report generation |
```
# Passive scans (safe, no payloads sent)
pentest scan headers https://example.com
pentest scan ssl example.com
pentest scan cors https://example.com
pentest recon subdomains example.com
pentest discover bundle https://example.com
pentest cloud email example.com

# Active scans (sends payloads - requires --active flag)
pentest --active --yes inject sqli https://example.com
pentest --active --yes discover fuzz https://example.com

# Full pentest
pentest full https://example.com

# JSON output (for CI/CD or Claude Code agents)
pentest --json scan headers https://example.com

# Generate PDF report
pentest report ./findings/
```

| Command | Description |
|---|---|
| recon subdomains | Subdomain enumeration (crt.sh, dnsrecon, DNS brute) |
| recon ports | Port scanning (nmap integration) |
| recon dns | DNS records, zone transfer, SPF/DMARC, DNSSEC |
| recon whois | WHOIS lookup |
| recon crawl | Web crawling & URL discovery |
| recon osint | Google dorks, Wayback Machine, email harvesting |
| Command | Description |
|---|---|
| scan headers | HTTP security headers (CSP, HSTS, X-Frame-Options, SRI) |
| scan ssl | SSL/TLS protocols, ciphers, certificate analysis |
| scan cors | CORS misconfiguration (origin reflection, null, wildcards) |
| scan nikto | Nikto web server scanner |
| scan nuclei | Nuclei vulnerability scanner (9000+ templates) |
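The three CORS misconfigurations `scan cors` looks for (origin reflection, a trusted `null` origin, wildcards) can be rated from the response headers alone. The following is an added illustration, not pentest-cli's own code: `classify_cors`, `PROBE` and the sample responses are constructed here, and the probe origin is assumed to be one the site should not trust.

```python
"""Rate a CORS response for origin reflection, trusted `null` and wildcards.
Added example, not pentest-cli's code: it inspects headers already captured
for one probe Origin and performs no requests itself."""
from typing import Dict, List, Optional

_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4}


def classify_cors(probe_origin: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Rate the response to a request that carried `Origin: <probe_origin>`.
    `probe_origin` is assumed to be an origin the site should NOT trust."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    acao: Optional[str] = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    severity = "none"

    def note(msg: str, sev: str) -> None:
        nonlocal severity
        findings.append(msg)
        if _RANK[sev] > _RANK[severity]:
            severity = sev

    if acao == "*":
        # Browsers never attach cookies to a '*' response, so only public data is exposed
        note("wildcard origin", "low")
    elif acao == "null":
        # Sandboxed iframes and data: URLs send Origin: null, so this trusts any page
        note("null origin trusted", "high" if creds else "medium")
    elif acao == probe_origin:
        # The untrusted probe origin came back verbatim: the server reflects Origin
        note("origin reflected", "high" if creds else "medium")
    if acao is not None and acao != "*" and creds:
        note("credentials allowed", "info")  # escalates only if nothing worse was found
    return {"allow_origin": acao, "credentials": creds,
            "findings": findings, "severity": severity}


# Constructed sample responses (not captured from any real host)
PROBE = "https://evil.example"
SAMPLES = {
    "reflect+creds": {"Access-Control-Allow-Origin": PROBE,
                      "Access-Control-Allow-Credentials": "true"},
    "wildcard": {"access-control-allow-origin": "*"},
    "null": {"Access-Control-Allow-Origin": "null"},
    "allowlist": {"Access-Control-Allow-Origin": "https://app.example", "Access-Control-Allow-Credentials": "true"},
    "no-cors": {"Content-Type": "text/html"},
}
```

A strict allowlist that does not match the probe yields only an informational note, which is the expected outcome for a correctly configured origin.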
| Command | Description |
|---|---|
| discover bundle | JS bundle reverse engineering (source maps, API keys, secrets) |
| discover api | API endpoint discovery, GraphQL, error disclosure |
| discover graphql | GraphQL introspection & attack testing |
| discover fuzz | Content discovery / directory fuzzing |
| discover tech | Deep technology fingerprinting (whatweb) |
| Command | Description |
|---|---|
| inject sqli | SQL injection (+ sqlmap integration) |
| inject xss | Cross-site scripting |
| inject ssti | Server-side template injection |
| inject cmdi | OS command injection |
| inject ssrf | Server-side request forgery |
| inject xxe | XML external entity injection |
| inject nosql | NoSQL injection |
| inject lfi | Local file inclusion & path traversal |
| Command | Description |
|---|---|
| auth brute | Credential brute force (hydra integration) |
| auth jwt | JWT token analysis |
| auth oauth | OAuth/OIDC vulnerability testing |
| auth session | Session management testing |
| Command | Description |
|---|---|
| advanced smuggle | HTTP request smuggling |
| advanced race | Race condition testing |
| advanced cache | Web cache poisoning & deception |
| advanced takeover | Subdomain takeover detection |
| advanced websocket | WebSocket security testing |
| advanced redirect | Open redirect testing |
| Command | Description |
|---|---|
| cloud storage | Cloud storage misconfiguration (S3, Azure, GCS) |
| cloud waf | WAF detection & fingerprinting |
| cloud email | Email security (SPF, DKIM, DMARC) |
| Command | Description |
|---|---|
| baas | BaaS backend probing (Supabase, Firebase, Convex) |
| full | Full pentest (all commands combined) |
| report | Generate PDF report from findings |
```
--json, -j          JSON output to stdout (for automation/agents)
--verbose, -v       Verbose output
--active            Enable active testing (sends payloads)
--yes, -y           Auto-confirm active testing consent
--output-dir, -o    Output directory for findings
--timeout, -t       HTTP timeout in seconds (default: 30)
--insecure, -k      Disable SSL verification
--rate-limit        Seconds between requests
--threads           Max concurrent threads (default: 10)
```
These tools are not required but unlock additional capabilities when installed:
| Tool | Used by | Install |
|---|---|---|
| nmap | recon ports | apt install nmap |
| sqlmap | inject sqli | apt install sqlmap |
| hydra | auth brute | apt install hydra |
| nikto | scan nikto | apt install nikto |
| nuclei | scan nuclei | projectdiscovery/nuclei |
| whatweb | discover tech | apt install whatweb |
| dnsrecon | recon subdomains | apt install dnsrecon |
| gobuster | discover fuzz | apt install gobuster |
```
# Install from source
git clone https://github.com/sabania/pentest-cli.git
cd pentest-cli
pip install -e .

# Run from source
python -m pentest --help

# Build standalone binary
pip install pyinstaller
pyinstaller --onefile --name pentest --collect-submodules pentest pentest/cli.py
./dist/pentest --help
```

This tool is intended for authorized security testing only. Always obtain written permission before testing systems you do not own. The authors are not responsible for misuse.
MIT