https://github.com/juliosuas/vulcan
π AI-Powered Autonomous Penetration Testing Agent β ReAct loop with Claude/GPT-4, full pipeline from recon to report
https://github.com/juliosuas/vulcan
ai automation cybersecurity ethical-hacking penetration-testing pentesting python security
Last synced: 2 months ago
JSON representation
π AI-Powered Autonomous Penetration Testing Agent β ReAct loop with Claude/GPT-4, full pipeline from recon to report
- Host: GitHub
- URL: https://github.com/juliosuas/vulcan
- Owner: juliosuas
- Created: 2026-03-16T04:11:51.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-04-20T05:58:51.000Z (2 months ago)
- Last Synced: 2026-04-20T07:37:15.279Z (2 months ago)
- Topics: ai, automation, cybersecurity, ethical-hacking, penetration-testing, pentesting, python, security
- Language: Python
- Homepage: https://github.com/juliosuas/vulcan
- Size: 87.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 15
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
```
βββ ββββββ ββββββ βββββββ ββββββ ββββ βββ
βββ ββββββ ββββββ βββββββββββββββββββββ βββ
βββ ββββββ ββββββ βββ ββββββββββββββ βββ
ββββ βββββββ ββββββ βββ ββββββββββββββββββ
βββββββ ββββββββββββββββββββββββββββ ββββββ ββββββ
βββββ βββββββ ββββββββ ββββββββββ ββββββ βββββ
```
π VULCAN
The Sovereign AI Pentester
Full-local. Zero API keys. 117 tools. One command.
Why Vulcan β’
60-Second Quick Start β’
Three Modes β’
How It Works β’
Architecture β’
Landscape β’
Roadmap β’
Disclaimer
---
> ### β‘ **v2.0 β BESTIA Mode just dropped.**
> One command. Full pentest. **No API keys. No egress. No vendor lock-in.**
> 117 security tools orchestrated by a ReAct-loop AI agent running entirely on your metal.
> ```bash
> ./run-beast.sh scanme.nmap.org
> ```
---
## π€ Why Vulcan?
Existing pentest automation forces you to choose:
- **Cloud AI** (Burp, commercial scanners) β your target data leaves the perimeter.
- **Scriptable tools** (Metasploit, Nuclei) β powerful, but *you* still plan every step.
- **LLM wrappers** (Claude Code, Copilot) β great for ideation, useless without tool execution.
**Vulcan fuses all three.** A ReAct-loop agent plans the attack. A 127-tool API executes it. An LLM β cloud *or* local β drives decisions. Everything flows into a professional HTML/PDF report. Assessment-ready in one command.
> The AI thinks. The tools execute. You get the report.
### π― Who this is for
- **Red teamers** who want a force-multiplier, not a replacement.
- **CTF players** who want autonomous recon β exploit chains on HackTheBox / TryHackMe / VulnHub boxes.
- **Bug bounty hunters** who need to cover wide scope fast.
- **Security researchers** who refuse to ship target data to third-party clouds.
- **Consultants** whose clients demand 100% on-prem tooling.
---
## β‘ 60-Second Quick Start
```bash
# Clone
git clone https://github.com/juliosuas/vulcan.git && cd vulcan
# Install
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
# Run β full autonomous pentest, local-only (no API keys required)
./run-beast.sh scanme.nmap.org
```
That's it. `run-beast.sh` auto-launches the HexStrike API, warms your local LLM, runs the full ReAct pipeline, and opens the HTML report in your browser.
**Want to use Claude instead?**
```bash
export ANTHROPIC_API_KEY=sk-ant-...
vulcan scan --target example.com --llm claude --hexstrike
```
**Want classic subprocess-only mode?**
```bash
vulcan scan --target example.com --llm claude
```
---
## π₯ Three Modes. One Binary.
Vulcan exposes two orthogonal axes β the LLM provider and the execution backend β giving you four deployment profiles:
| Mode | Command | LLM | Tools | API keys | Egress | When to use |
|------|---------|:---:|:---:|:---:|:---:|---|
| π΄ **BESTIA** (full-local) | `./run-beast.sh ` | smart-llm (Ollama, local) | HexStrike API (117 tools) | β none | β zero | Air-gapped labs Β· sensitive clients Β· CTF grind |
| π‘ **Hybrid** | `--llm claude --hexstrike` | Claude / GPT-4 | HexStrike API (117 tools) | β
LLM only | β οΈ reasoning only | Best-of-both: heavy iron executing, frontier model thinking |
| π’ **Cloud classic** | `--llm claude` | Claude / GPT-4 | Local subprocess (5 tools) | β
LLM only | β οΈ reasoning only | Laptop, fast iteration, full frontier reasoning |
| β« **OSS-only** | `--llm openai` + Ollama base URL | Local Ollama model | Local subprocess | β none | β zero | Legacy hosts, minimal install |
**Why this matters:** most "AI pentest" tools lock you into one cloud LLM *and* one tool orchestration choice. Vulcan lets you mix them independently β and switch modes with a single flag.
---
## π§ How It Works
Vulcan runs a **ReAct (Reason β Act β Observe)** loop β the canonical autonomous-agent pattern β across four phases:
```
βββββββββββββββββββββββ
β π― TARGET β
β example.com β
βββββββββββ¬ββββββββββββ
β
βββββββββββββββββΌββββββββββββββββ
βΌ βΌ βΌ
ββββββββββββ ββββββββββββ ββββββββββββ
β RECON β β PLANNING β β EXECUTIONβ
β (auto) ββ β (LLM) ββ β (ReAct) β
ββββββββββββ ββββββββββββ βββββββ¬βββββ
β
βΌ
ββββββββββββ
β REPORT β
β HTML/PDF β
ββββββββββββ
```
Inside the execution phase, every iteration:
```
π§ REASON βββΊ LLM reads state, picks next action, emits JSON
β‘ ACT βββΊ Vulcan dispatches to module β Executor β tool
ποΈ OBSERVE βββΊ Parse output, extract findings, update conversation
β β
βββββββββββββββββββ loop βββββββββββββββββββββββββββ
(up to max_iterations=50)
```
The LLM decides when to pivot, what to investigate deeper, when to drop a thread, and when the assessment is complete.
---
## β¨ Features
| Feature | Description | v1 | v2 |
|---|---|:---:|:---:|
| π§ AI-driven attack planning | LLM plans & re-plans in real time | β
| β
|
| π ReAct (Reason β Act β Observe) loop | Canonical autonomous-agent pattern | β
| β
|
| π‘ Full recon pipeline | Subdomains Β· ports Β· tech Β· dirs Β· DNS | β
| β
|
| π Automated vuln scanning | Nuclei + custom checks | β
| β
|
| π Exploitation modules | SQLi Β· XSS Β· SSRF Β· CMD injection | β
| β
|
| π Professional reports | HTML (validated) + PDF via weasyprint (optional) | β
| β
|
| π€ Claude / GPT-4 support | Frontier cloud LLMs | β
| β
|
| π₯οΈ Rich CLI | Beautiful terminal UI | β
| β
|
| π³ Docker | Isolated execution | β
| β
|
| π΄ **BESTIA mode** | **Full-local, zero API keys** | β | β
|
| βοΈ **HexStrike integration** | **5 β 127 security tools** | β | β
|
| π **smart-llm routing** | **Local Ollama via heuristic router** | β | β
|
| π‘οΈ **Data sovereignty** | **Target data never leaves your host** | β | β
|
| π **Mix-and-match modes** | **LLM Γ executor independent axes** | β | β
|
| π§© **Graceful fallback** | **Auto-fallback to local subprocess if API down** | β | β
|
---
## π How Vulcan fits the landscape
| Capability | Vulcan v2 | Metasploit | Burp Pro | Nuclei |
|---|:---:|:---:|:---:|:---:|
| AI-driven planning | β
| β | β | β |
| Autonomous ReAct loop | β
| β | β | β |
| Recon β Exploit β Report pipeline | β
| β οΈ Manual | β οΈ Manual | β Scan only |
| Multi-tool orchestration | β
117 tools | β Single | β Single | β Single |
| Runs 100% local (no cloud) | β
| β
| β | β
|
| **Local LLM reasoning** | β
| β | β | β |
| **Zero egress mode** | β
| β
| β | β
|
| Auto-generated reports | β
HTML (PDF opt.) | β οΈ Basic | β
| β οΈ JSON |
| Natural language control | β
| β | β | β |
| Open source | β
MIT | β
| β | β
MIT |
| Docker ready | β
| β
| β | β
|
> **Vulcan doesn't replace these tools β it orchestrates them.** Nmap, Nuclei, SQLMap, Gobuster, Subfinder, Hydra, NetExec, MSFVenom, Hashcat, FFuf, WPScan, Amass, and 100+ more run underneath, guided by AI.
>
> *Other autonomous-pentest projects exist (PentestGPT, Shennina, etc.) β Vulcan's differentiator is the independently swappable LLM Γ executor axes and the full-local BESTIA mode.*
---
## ποΈ Architecture
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VulcanAgent β
β (ReAct Orchestrator) β
ββββββββββββββββ¬βββββββββββββββββββ¬βββββββββββββββ¬βββββββββββββββββ€
β Planner β LLM β Executor β Reporter β
β (strategy) β βββββββββββββ β ββββββββββββββ (HTML/PDF/JSON)β
β β β’ Anthropic β β’ Subproc β β
β β β’ OpenAI β β’ HexStrike β β
β β β’ smart-llm β‘ β API :8888 β β
ββββββββββββββββ΄βββββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββββ€
β Modules β
β βββββββββββ ββββββββββββ ββββββββββββ ββββββββ ββββββββββββ β
β β Recon β β Scanner β β Exploit β β Web β β Network β β
β βββββββββββ ββββββββββββ ββββββββββββ ββββββββ ββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Execution Layer β
β Local subprocess ββββββββ OR ββββββββΊ HexStrike API :8888 β
β (5 tools by default) (117 tools, shared) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
### The key insight
Vulcan's executor is **swappable at init time**:
- `Executor` β runs `nmap -sV target` via `asyncio.create_subprocess_shell` on localhost.
- `HexStrikeExecutor` β parses the same command, POSTs to `/api/tools/nmap` on a remote HexStrike server, returns the same `ExecutionResult`.
**Modules, tool wrappers, and the ReAct loop don't change.** You swap the executor with `--hexstrike` and you're now orchestrating 117 tools instead of 5, with caching, concurrency, and graceful fallback baked in.
---
## π Installation
### Option 1: Full install (recommended)
```bash
git clone https://github.com/juliosuas/vulcan.git
cd vulcan
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
```
### Option 2: Docker
```bash
git clone https://github.com/juliosuas/vulcan.git
cd vulcan
docker compose up --build
```
### Option 3: Pip (coming soon)
```bash
pip install vulcan-pentest
```
### Config
```bash
cp .env.example .env
# Edit .env with your keys (optional β BESTIA mode needs none)
```
```env
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
VULCAN_LLM_PROVIDER=smartllm # claude | openai | smartllm
VULCAN_USE_HEXSTRIKE=1 # route through HexStrike :8888
VULCAN_HEXSTRIKE_SERVER=http://127.0.0.1:8888
VULCAN_SMARTLLM_BIN=smart-llm # or absolute path
```
### Optional: local LLM stack (for BESTIA mode)
Install [Ollama](https://ollama.com), pull a model, and install [`smart-llm`](https://github.com/juliosuas/smart-llm) (the heuristic router):
```bash
curl -fsSL https://ollama.com/install.sh | sh
ollama pull qwen3:32b # recommended for reasoning
ollama pull qwen2.5-coder:7b # for code/payload tasks
```
### Optional: HexStrike AI (for 127-tool mode)
```bash
git clone https://github.com/0x4m4/hexstrike-ai.git
cd hexstrike-ai && python3 -m venv hexstrike-env && source hexstrike-env/bin/activate
pip install -r requirements.txt
./hexstrike_server.py # Flask API on :8888
```
---
## π Usage
### BESTIA β zero keys, full pipeline
```bash
./run-beast.sh [quick|standard|full]
```
### Classic scan (cloud LLM)
```bash
vulcan scan --target example.com --llm claude --mode full
```
### Hybrid (cloud LLM + HexStrike)
```bash
vulcan scan --target example.com --llm claude --hexstrike
```
### Recon only
```bash
vulcan recon --target example.com --modules subdomains,ports,tech,dirs,dns
```
### Generate report from existing data
```bash
vulcan report --input ./vulcan_output/example.com --format html
# PDF: pip install weasyprint && vulcan report --input ./vulcan_output/example.com --format pdf
```
### All flags
```
vulcan scan --help
--target, -t Target domain or IP [required]
--mode, -m quick | standard | full [standard]
--llm claude | openai | smartllm [claude]
--local Shortcut: --llm smartllm --hexstrike
--hexstrike/--no-hexstrike Route tools through HexStrike [off]
--hexstrike-url HexStrike server URL [http://127.0.0.1:8888]
--report html | pdf | json [html]
--output, -o Output directory [./vulcan_output]
--config, -c YAML config path
--verbose, -v Verbose output
```
---
## π¬ How BESTIA Mode Works Under the Hood
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ./run-beast.sh scanme.nmap.org β
ββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββ
β
ββββββββΌβββββββββββ ββββββββββββββββββββββββ
β Preflight βββββββββΊβ curl :8888/health β
β β β if down β start β
ββββββββ¬βββββββββββ ββββββββββββββββββββββββ
β
ββββββββΌβββββββββββ ββββββββββββββββββββββββ
β Warm smart-llm βββββββββΊβ Ollama models β VRAM β
β β β (avoid cold-start) β
ββββββββ¬βββββββββββ ββββββββββββββββββββββββ
β
ββββββββΌβββββββββββ
β vulcan scan βββββ ReAct loop βββΊ smart-llm (qwen3:32b)
β --local β β
β β βΌ
β β JSON action
β β β
β β βββββββββββββββββ
β βΌ βΌ
β ββββββββββββββββββββββββββ
β β HexStrikeExecutor βββPOST /api/tools/nmapβββΊ HexStrike :8888
β β (aiohttp + semaphore) β β
β β βββββJSON resultβββββββββββ β
β ββββββββββββββββββββββββββ [subprocess Β· caching Β· recovery]
β β
β βΌ
β Finding extracted β Reporter
β
ββββΊ xdg-open vulcan_output/*.html
```
Every component degrades gracefully:
- **HexStrike down** β `HexStrikeExecutor.fallback_local=True` silently falls back to subprocess.
- **smart-llm missing** β raises with exact env var to set.
- **Model cold** β `run-beast.sh --warmup` keeps them hot in VRAM with `keep_alive=24h`.
---
## β
Built-in Pentest Verification
Every Vulcan run includes verification checklists inspired by industry methodology:
### Reconnaissance
| Check | Criteria | How to confirm |
|---|---|---|
| Subdomain coverage | All passive + active sources queried | Compare subfinder/amass/DNS results |
| Port scan completeness | Top 1000+ on all live hosts | Verify nmap params in output |
| Service identification | Versions extracted for all open ports | Check `-sV` for "unknown" entries |
| Scope compliance | No out-of-scope targets contacted | Cross-reference scope doc |
### Vulnerability Scanning
| Check | Criteria | How to confirm |
|---|---|---|
| Template coverage | Critical + High executed | Verify nuclei template count |
| False-positive review | Each critical/high validated | Request/response pairs saved |
| CVE mapping | Findings mapped to CVE IDs | CVE column populated in report |
| Remediation guidance | Fix rec per finding | Review report remediation section |
### Exploitation
| Check | Criteria | How to confirm |
|---|---|---|
| Authorization | Explicit written permission | Scope doc reviewed before exploit |
| Evidence capture | Proof documented | Screenshots / request-response saved |
| Impact assessment | Business impact described | Impact field populated |
| Cleanup | All test artifacts removed | Post-exploitation checklist done |
### Report Quality
| Check | Criteria | How to confirm |
|---|---|---|
| Exec summary | Non-technical overview present | Readable by C-suite |
| Finding accuracy | No dupes/contradictions | Peer review or AI cross-check |
| Severity distribution | Aligns with CVSS + business context | No Medium with Critical impact |
| Remediation priority | Ordered by risk, not CVSS alone | Considers exploitability + asset value |
---
## π₯οΈ Platform Compatibility
| Platform | Status | Notes |
|---|:---:|---|
| Debian 12 | β
Tested | Primary dev + validation platform |
| Kali / Parrot | π’ Expected | Derivatives of Debian; most tools pre-installed |
| Ubuntu 22.04+ | π’ Expected | Debian-family; should work out of the box |
| Arch / Fedora | π‘ Untested | Python deps portable; tool install paths differ |
| macOS 13+ (Apple Silicon) | π‘ Untested | Homebrew for Nmap/Nuclei; Ollama native |
| Windows 11 (WSL2) | π‘ Untested | Run inside Ubuntu for best results |
| Docker | π’ Expected | `docker compose up --build` (Dockerfile + compose file shipped, validation pending) |
> **Current validation status (v2.0):** end-to-end pipeline (recon β planning β ReAct β HTML report) validated against `scanme.nmap.org` on Debian 12 in both `--local` (BESTIA) and `--llm claude --hexstrike` (hybrid) modes. PDF export uses `weasyprint` (optional dep, untested this release). Other platforms expected to work but not independently verified yet β PRs confirming are welcome.
### LLM Compatibility
| Provider | Models | BESTIA? | Notes |
|---|---|:---:|---|
| Anthropic | Claude Sonnet 4 / Opus | β (cloud) | Recommended for frontier reasoning |
| OpenAI | GPT-4o / GPT-4 Turbo | β (cloud) | Fully supported |
| **smart-llm + Ollama** | **qwen3:32b / qwen2.5-coder:7b** | β
| **Default in BESTIA mode** |
| LiteLLM proxy | 100+ models | β οΈ Experimental | Via OpenAI-compatible base URL |
---
## πΊοΈ Roadmap
- [x] Core ReAct loop with Claude/GPT-4
- [x] Recon Β· Scanner Β· Exploit Β· Web Β· Network modules
- [x] HTML/PDF/JSON report generation
- [x] Rich CLI + beautiful terminal UI
- [x] Docker support
- [x] **v2.0 β HexStrike integration (117 tools)**
- [x] **v2.0 β smart-llm local-only mode**
- [x] **v2.0 β Graceful subprocess fallback**
- [x] **v2.0 β Hybrid mode (cloud LLM + local exec)**
- [ ] π Plugin system for custom tool integration
- [ ] π Multi-target campaign mode
- [ ] π API server mode (REST + WebSocket)
- [ ] π Collaborative mode (agent swarms)
- [ ] π MITRE ATT&CK mapping per finding
- [ ] π Evidence chain visualization (graph)
- [ ] π OWASP ZAP integration
- [ ] π Slack / Discord / Telegram webhooks
- [ ] π Cloud deployment templates (AWS/GCP)
- [ ] π CTF-specific heuristics (flag sniffing, well-known ports)
- [ ] π Replay mode (re-run from cached output, zero tool exec)
---
## π€ Contributing
PRs are welcome β especially new tool wrappers, additional LLM providers, and report templates.
1. Fork β `git checkout -b feat/your-feature`
2. `pip install -e ".[dev]"`
3. `python -m pytest tests/`
4. Open a PR with a clear description
### Guidelines
- Follow existing code style (Black, 100 char lines)
- Add tests for new features
- Keep PRs focused and atomic
- New tool wrappers must subclass `ToolWrapper` in `tools/wrapper.py`
- New LLM providers must implement `_call_llm()` in `core/agent.py`
---
## β οΈ Disclaimer
> **β οΈ AUTHORIZED USE ONLY**
>
> Vulcan is designed **exclusively for authorized security testing and educational purposes**.
>
> - **Always** obtain **explicit written permission** before testing any system.
> - **Never** use this tool against systems you do not own or have authorization to test.
> - Unauthorized access to computer systems is **illegal** in most jurisdictions.
> - Users are **solely responsible** for ensuring compliance with all applicable laws.
> - The authors and contributors assume **no liability** for misuse.
>
> By using Vulcan, you agree to use it responsibly and legally. When in doubt, **don't run it**.
**Legal testing sandboxes to learn on:** `scanme.nmap.org` Β· [HackTheBox](https://hackthebox.com) Β· [TryHackMe](https://tryhackme.com) Β· [VulnHub](https://vulnhub.com) Β· [DVWA](https://github.com/digininja/DVWA) Β· [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/).
---
## π License
MIT β see [LICENSE](LICENSE).
---
Built with π by @juliosuas
If Vulcan saves you a weekend, consider dropping a β
---
### π± Also from @juliosuas
- **[Ghost](https://github.com/juliosuas/ghost)** β AI-powered OSINT platform
- **[Phantom](https://github.com/juliosuas/phantom)** β LLM red teaming Β· OWASP Top 10 for LLMs
- **[Sentinel](https://github.com/juliosuas/sentinel)** β AI-powered SOC Β· real-time log analysis
- **[Cerberus](https://github.com/juliosuas/cerberus)** β Security-as-a-Service for SMBs
- **[AI Garden](https://github.com/juliosuas/ai-garden)** β A pixel-art world built by AI agents. Watch it grow.
### π Built on top of
- **[HexStrike AI](https://github.com/0x4m4/hexstrike-ai)** by [@0x4m4](https://github.com/0x4m4) β the 117-tool Flask API that powers BESTIA mode's execution layer.
- **[Ollama](https://ollama.com)** β the local LLM runtime.