Autonomous AI security audit for modern web apps. You give it a URL; a Claude-powered agent recons the target, decides which attacks to run, executes 30+ attack vectors across 6 categories, and chains findings into multi-step exploit narratives — then writes the report itself.
Hackathon 2026 — solo build, ~24 hours, 5th place out of 30+ teams.
Modern web apps in 2025–2026 are hybrid by default:
- A classic web layer (HTML, forms, sessions)
- A REST/GraphQL API
- A Telegram Mini App (TMA) component
- An LLM-based chatbot or assistant
Traditional scanners (Burp, Nuclei, OWASP ZAP) test each layer in isolation with pattern matching. Real attackers move between the layers and chain weaknesses together:
initData HMAC bypass → forged admin session → race condition on a fintech endpoint → draining more balance than you own.
Pattern-matching tools can't find that chain, because finding it requires understanding business logic and reasoning across findings. That's exactly what an LLM agent is good at.
AI RedTeam is an autonomous agent loop built on the Anthropic SDK tool-calling API:
- Input — you enter a target URL, confirm you're authorized to test it, and pick a model + profile + intensity.
- Recon — the agent fetches the target, parses HTML, brute-forces common endpoints/ports, and detects whether the app has an AI or Telegram Mini App component.
- Attack — based on what it found, the agent chooses which attack families to run and calls the matching tools (it isn't a fixed script).
- Chain — it links related findings into multi-step exploit narratives (`chain_with`), the part generic scanners miss.
- Report — it writes an executive summary and a chain narrative itself, rendered as a structured report with severity, proof-of-concept, impact, and a fix for each finding.
Everything streams live to the browser over Server-Sent Events while the scan runs.
```
URL ─▶ Recon ─▶ Agent decides ─▶ Attack tools ─▶ Findings ─▶ Chain ─▶ AI report
        ▲                                                        │
        └──────────────────────── loop ◀─────────────────────────┘
```
38 agent tools total — 4 control + 8 recon + 26 dedicated attack vectors across 6 categories:
| Category | Example checks |
|---|---|
| Recon | endpoint & port discovery, security-header audit, info-disclosure (.env, .git, backups), AI/TMA component detection |
| Telegram Mini App | initData HMAC bypass, initData replay, user_id forgery, bot-token leak, CORS misconfiguration |
| Fintech / business logic | race condition (double-spend), negative amount, decimal precision, idempotency bypass, webhook spoofing, mass assignment |
| Auth | JWT alg:none, weak JWT secret, password-hash leak, cookie flags, session fixation, predictable reset tokens |
| AI / LLM | prompt injection, system-prompt leak, jailbreak, RAG context exfiltration |
| Classical | auth bypass (default creds), account enumeration, IDOR, SQL injection, reflected XSS |
- Model — choose per scan: Opus (`claude-opus-4-7`), Sonnet (`claude-sonnet-4-6`), or Haiku (`claude-haiku-4-5`). Sonnet is the default balance of depth and speed.
- Profile — `quick`, `full`, `tma`, or `fintech` to bias the agent toward a layer.
- Intensity — `light` (15 iterations), `standard` (30), or `deep` (50) — caps how long the agent loop runs.
This is a tool for testing your own applications (or systems you're explicitly authorized to test).
- Every scan requires an explicit authorization confirmation before it starts.
- Host allowlist — by default only hosts in `ALLOWED_HOSTS` can be scanned.
- SSRF protection — private and link-local ranges (`127.x`, `10.x`, `192.168.x`, `169.254.x`, cloud metadata, IPv6 loopback) are always blocked, even in open mode.
- Deny list — specific hosts (e.g. the tool's own dev server) are blocked to prevent self-scan loops.
- Next.js 15 (App Router, React Server Components) — UI + API routes in one app
- Anthropic SDK (`@anthropic-ai/sdk`) — tool-calling agent loop with prompt caching, retry/backoff, and per-request timeouts
- better-sqlite3 — scan + findings persistence
- Zod — request validation
- Tailwind CSS — UI
- Vitest — unit tests for every attack tool and library module
```bash
git clone https://github.com/ulugby/ai-redteam.git
cd ai-redteam
npm install
cp .env.example .env.local   # add your ANTHROPIC_API_KEY
npm run dev                  # http://localhost:3000
```
Configuration (`.env.local`):
| Variable | Description |
|---|---|
| `ANTHROPIC_API_KEY` | Your Anthropic API key (`sk-ant-...`) |
| `ALLOWED_HOSTS` | Comma-separated hosts allowed to be scanned |
| `DB_PATH` | SQLite database path (default `./data/ai-redteam.db`) |
```bash
npm test        # run the test suite
npm run build   # production build
```
```
src/
├── agent/
│   ├── orchestrator.ts    # Claude tool-calling loop (recon → attack → report)
│   ├── system-prompt.ts   # agent instructions
│   ├── tool-registry.ts   # all 38 tools + dispatch
│   └── tools/             # recon, classical, tma, fintech, auth, ai-attacks
├── app/
│   ├── api/scan/          # start, stream (SSE), report, cancel, config, health
│   └── (pages)            # start scan, live feed, final report
├── components/            # LiveFeed, FindingCard, ChainGraph, ...
└── lib/                   # db, sse, host-allowed (SSRF), anonymize, types
tests/                     # Vitest coverage for tools + lib
```
Built solo in ~24 hours for Hackathon 2026, where it placed 5th out of 30+ teams. The goal was to show that an LLM agent can do what pattern-matching scanners can't: understand an app's business logic and chain weaknesses across its layers into a real attack story.
Built with Claude Code.