yeyintminthuhtut/awesome-ai-offensive-security
Awesome AI for Offensive Security

A curated list of awesome AI agents and tools specifically designed for AI-powered offensive security, as well as tools for attacking AI systems.

Disclaimer: This list is for educational and authorized testing purposes only. The primary purpose is to enhance defensive capabilities by understanding how autonomous AI attacks operate and how AI systems can be targeted. Ensure you have explicit permission before using any of these tools against any target.

Contributing

Contributions are very welcome! Please read the Contribution Guidelines before submitting a pull request.

Note on Accuracy: The information in this list is provided on a best-effort basis. The AI security landscape evolves rapidly. If you notice any inaccuracies, outdated links, or have suggestions for improvements, please feel free to contribute!
OSINT Agents & Tools

AI tools focused on Open-Source Intelligence, reconnaissance, and footprinting.

  • DarkBERT - DarkBERT: A Language Model for the Dark Side of the Internet.
  • OSINT-GPT - AI-powered OSINT tool for automated reconnaissance and analysis from public sources.
  • OSINTai - A cutting-edge, AI-enhanced web crawler engineered for OSINT professionals, leveraging advanced asynchronous processing, intelligent proxy rotation, and LLM analysis for automated intelligence gathering.
  • Robin - An AI-powered tool designed for dark web OSINT investigations using LLMs to refine searches and summarize results.

Pentest & Red Teaming Agents

AI-driven autonomous or semi-autonomous agents designed to perform active penetration testing, vulnerability exploitation, and red team engagements.

  • Ankou - A flexible, AI-powered C2 framework built with operators in mind, featuring a built-in AI companion for target analysis.
  • AutoPentest-DRL - Automates penetration testing using deep reinforcement learning.
  • AutoPentestX - An automated penetration testing toolkit.
  • bug-reaper - Web2 bug bounty Agent Skill that turns any compatible AI agent into a disciplined web2 bug bounty hunter with evidence-based validation.
  • BugTraceAI - Autonomous AI-powered security scanning platform combining autonomous AI agents with real security tools to discover, analyze, exploit, and validate vulnerabilities independently.
  • burp-ai-agent - Burp Suite extension that integrates AI into your security workflow using local models or cloud providers, connects external AI agents via MCP, and uses passive/active scanners to find vulnerabilities alongside manual testing.
  • BurpGPT - A Burp Suite extension that integrates OpenAI's GPT to perform customized, passive scans to identify vulnerabilities in web applications.
  • Cybersecurity AI (CAI) - A modular framework for building custom AI security agents across offensive and defensive use cases.
  • CyberStrikeAI - Pentesting project with one-command deployment, incorporating tool orchestration and a skills system.
  • Deadend CLI - An AI agent that implements a self-correction mechanism: when an attack fails, the agent analyzes the error, rewrites the approach, and retries.
  • Decepticon - An AI agent built on LangChain/LangGraph designed to automate red teaming before attackers automate theirs.
  • DeepExploit - A fully automatic penetration test tool utilizing Deep Reinforcement Learning.
  • DeepSeek-Pentest-AI - A Burp Suite extension combining generative AI with smart fuzzing to automate payload generation and vulnerability testing in web applications.
  • guardian-cli - AI-powered penetration testing automation CLI tool that leverages Google Gemini and LangChain to orchestrate intelligent, step-by-step penetration testing workflows.
  • HackingBuddyGPT - An autonomous pentesting agent and research framework used for exploring and exploiting environments such as Active Directory.
  • HexStrike AI - An MCP server that acts as a control layer between LLMs and over 150 security tools, allowing agents to execute tools, adapt strategies, and generate reports.
  • iothackbot - Open-source IoT security testing toolkit with integrated Claude Code skills for automated vulnerability discovery.
  • Katana AI Agents - LLM-powered agents for scanning vulnerabilities on any website (Llama 3 8B, Groq, Selenium, CrewAI, Exa AI).
  • LuaN1aoAgent - A next-generation Autonomous Penetration Testing Agent powered by LLMs, integrating the Planner-Executor-Reflector (P-E-R) Framework with Causal Graph Reasoning.
  • MAPTA (Multi-Agent Penetration Testing AI) - An autonomous web application security assessment system orchestrating large language models and tool execution. (ArXiv Paper)
  • Nebula - An AI-powered ethical hacking assistant that embeds AI capabilities into the terminal to assist with reconnaissance and note-taking.
  • NeuroSploit - AI-driven autonomous agents with 100 vulnerability types, per-scan isolated Kali Linux containers, false-positive hardening, exploit chaining, and a modern React web interface with real-time monitoring.
  • nyuctf_agents - The D-CIPHER and NYU CTF baseline LLM Agents built for NYU CTF Bench.
  • Offensive-AI-Attack-Path-Visualizer - A Windows-first offensive security framework that correlates recon signals, applies AI reasoning via local LLM, and generates realistic attack paths in an analyst-friendly dashboard.
  • Offensive-AI-Agent-Prompts - Prompts for performing tests on your Kali Linux using Gemini-cli, ChatGPT, DeepSeek, CursorAI, Claude Code, and Copilot.
  • PentAGI - A multi-agent framework using specialized AI roles for research, coding, and infrastructure to operate autonomously for vulnerability detection.
  • Pentest Copilot - An AI-powered, browser-based ethical hacking assistant designed for pentesting workflows, deployable locally with Docker.
  • PentestAgent - An AI agent framework for black-box security testing, supporting bug bounty, red-team, and penetration testing workflows.
  • PentestGPT - A penetration testing tool powered by ChatGPT. Automates penetration testing by guiding the user and interacting with underlying tools like Nmap and Gobuster.
  • RAPTOR - An autonomous offensive/defensive security research framework based on Claude Code, empowering security research with agentic workflows and automation (Recursive Autonomous Penetration Testing and Observation Robot).
  • Reaper - Ghost Security's reconnaissance and attack surface discovery tool used for pentesting and identifying exposures.
  • RedAmon - An AI-powered agentic red team framework designed to automate offensive security operations from recon to exploitation.
  • Shannon - Autonomous AI pentesting tool functioning as a virtual hacker to identify and exploit vulnerabilities, evaluated against benchmarks like XBOW.
  • Strix - An AI-powered tool that simulates attacker behavior by executing applications and generating working proof-of-concept exploits.
  • TTPRunner - Autonomous execution agent for purple team operations. Processes threat reports to build and run attack plans based on Tactics, Techniques, and Procedures.
  • Zen-Ai-Pentest - An AI-powered penetration testing framework with automated vulnerability scanning, a multi-agent system, and compliance reporting.

AI Red Teaming (Testing AI Targets)

Tools specifically designed to test the security of AI systems, LLMs, and autonomous agents (e.g., finding prompt injections, jailbreaks, data leaks).

  • AASRT - Automates the discovery of publicly exposed AI agent implementations using the Shodan search engine API through passive reconnaissance.
  • AgentDojo - Dynamic environment to evaluate attacks and defenses for LLM agents.
  • AgentFence - A platform for automatically testing and securing AI agents against prompt injection, memory manipulation, and workflow corruption.
  • AgenticRed - An automated pipeline that leverages LLMs' in-context learning to iteratively design and refine red-teaming systems without human intervention.
  • Agentic Security - An open-source vulnerability scanner designed to protect AI systems and agent workflows by identifying jailbreaks, fuzzing, and multimodal attacks in LLMs.
  • AgentPoison - Red-teaming LLM Agents via Memory or Knowledge Base Backdoor Poisoning.
  • agent-scan - Discover and scan agent components on your machine for prompt injections and vulnerabilities (including agents, MCP servers, skills).
  • ai-bom - Tool designed to discover every AI agent, model, and API hiding in your infrastructure.
  • AI-Infra-Guard - A comprehensive AI Red Teaming platform developed by Tencent Zhuque Lab that integrates modules for Infra Scan, MCP Scan, and Jailbreak Evaluation.
  • ares - A red-teaming programming model for the automated orchestration of AI robustness evaluations natively integrating existing plugins.
  • ARES-Dashboard - An enterprise-oriented AI red team operations console for planning, executing, and auditing structured adversarial testing of AI systems across established risk frameworks.
  • ARTKIT - An open-source framework for automated LLM red teaming that simulates multi-turn attacker–target interactions.
  • augustus - LLM security testing framework for detecting prompt injection, jailbreaks, and adversarial attacks.
  • deepteam - A simple-to-use, open-source LLM red teaming framework for penetration testing and safeguarding large language model systems.
  • EasyJailbreak - Python framework to generate adversarial jailbreak prompts.
  • FuzzyAI - Tool for automated LLM fuzzing designed to help identify and mitigate potential jailbreaks in LLM APIs.
  • Garak - An LLM vulnerability scanner that tests various attack vectors using predefined prompts to map findings to AI security frameworks.
  • Giskard - An automated red-teaming platform for LLM agents (chatbots, RAG pipelines). Performs dynamic multi-turn stress tests to uncover context-dependent vulnerabilities.
  • gptfuzz - Framework for red teaming large language models with auto-generated jailbreak prompts.
  • HouYi - Automated prompt injection framework for LLM-integrated applications.
  • jailbreakbench - Open robustness benchmark for jailbreaking language models.
  • llamator - Framework for testing vulnerabilities of large language models.
  • llm-attacks - Universal and transferable attacks on aligned language models.
  • llm-security by dropbox - Dropbox LLM security research code and results.
  • llm-security by greshake - Demonstrates new ways of breaking app-integrated LLMs.
  • MCP Injection Experiments - Code snippets to reproduce MCP tool poisoning attacks.
  • OpenPromptInjection - Provides a benchmark for prompt injection attacks and defenses.
  • OpenRT - Open-source red teaming framework for MLLMs with 37+ attack methods, modular architecture, and multi-modal support.
  • Plexiglass - Toolkit for detecting and protecting against vulnerabilities in large language models.
  • Prompt Hacking Resources - Curated list of resources for people interested in AI red teaming, jailbreaking, and prompt injection.
  • Promptfoo - A developer-first framework for AI red teaming and evaluations with flexible configuration and Python integration.
  • promptmap - Prompt injection scanner for custom LLM applications.
  • ps-fuzz - Tool designed to test and harden system prompts for generative AI applications.
  • PyMLOKit - Toolkit to attack MLOps platforms via REST APIs, supporting modules for reconnaissance, training data theft, model theft, model poisoning, and notebook attacks.
  • PyRIT (Python Risk Identification Tool) - An open-source automation framework from Microsoft's AI Red Team for programmatic multi-turn orchestration and custom attack scenarios against AI systems.
  • rogue - Tool to stress-test your AI agents before attackers do by finding prompt injection, sensitive data exposure, and excessive agency.
  • spikee - Simple prompt injection kit for evaluation and exploitation.
  • system-prompt-benchmark - Test your LLM system prompts against 287 real-world attack vectors, including prompt injection, jailbreaks, and data leaks.
  • vigil-llm - Detects prompt injections, jailbreaks, and other potentially risky large language model inputs.
  • whistleblower - Offensive security tool for testing against system prompt leakage and capability discovery of an AI application exposed through API.

Adversarial Machine Learning

Tools and libraries focused on the security of classical and deep machine learning models, including evasion, poisoning, extraction, and inference attacks.

  • Ad-lib - Game-theoretic adversarial machine learning library providing a set of learner and adversary modules.
  • Adversarial Images - Repository exploring the space of adversarial images.
  • Adversarial Robustness Toolbox - Focuses on the threats of evasion, poisoning, extraction, and inference.
  • BadDiffusion - Official repository to reproduce the paper on backdooring diffusion models published at CVPR 2023.
  • Charcuterie - Code execution techniques for ML or ML adjacent libraries.
  • cleverhans - Adversarial example library for constructing attacks, building defenses, and benchmarking both.
  • Counterfit - Generic automation layer for assessing the security of machine learning systems.
  • Deep-pwning - Lightweight framework for experimenting with machine learning models to evaluate their robustness against adversaries.
  • DeepFool - Method to fool deep neural networks.
  • foolbox - Python toolbox to create adversarial examples that fool neural networks in PyTorch, TensorFlow, and JAX.
  • Gym malware - Environment that makes it possible to write agents that learn to manipulate PE files to bypass AV based on a reward.
  • OffsecML Playbook - Collection of offensive and adversarial TTPs with proofs of concept.
  • TextAttack - Python framework for adversarial attacks, data augmentation, and model training in NLP.

Vulnerable AI Environments & Labs

Intentionally vulnerable AI applications, agents, and LLM implementations designed for practicing and learning AI security testing.

  • aifirst-insecure-agent-labs - A hands-on lab for testing prompt injection and system prompt extraction attacks with real-time guardrail protection, tracing, and agent tools.
  • ai-goat - Learn AI security through a series of vulnerable LLM CTF challenges. No sign-ups, no cloud fees; run everything locally on your system.
  • AI Red Team Lab - A controlled security evaluation environment designed to assess, harden, and document defenses against adversarial prompt-based attacks on large language model (LLM) systems.
  • AI-Red-Teaming-Playground-Labs - Challenges for the labs used in the course "AI Red Teaming in Practice".
  • chat-playground - Browser-only lab (no backend) to probe moderation, prompt injection, and output-filter bypasses in vulnerable chat models and guardrails.
  • damn-vulnerable-ai-agent - A deliberately vulnerable AI agent platform for security testing and education. Like DVWA but for AI agents.
  • damn-vulnerable-MCP-server - The Damn Vulnerable Model Context Protocol (DVMCP) is an educational project designed to demonstrate security vulnerabilities in MCP implementations through 10 challenges.
  • DVAIA (Damn Vulnerable AI Application) - For LLM Red Team Training. LLM testing, RAG testing, Multimodal testing, Agent testing, LLM payload generation.
  • DVAIB (Damn Vulnerable AI Bank) - Your training ground for AI security. Exploit a vulnerable AI bank through realistic scenarios, earn achievements, and compete on the leaderboard.
  • finbot-ctf-demo - Agentic-AI CTF around a simulated fintech assistant that exercises goal manipulation, prompt handling, and guardrail weaknesses.
  • Gandalf - Test Your Prompt Injection Skills!
  • llm-attacks - Interactive labs that mirror LLM-enabled web app risks: prompt injection, excessive agency (unsafe tool calls), insecure output handling, and data leakage.
  • llmail-inject-challenge - A challenge to evade prompt injection defenses in a simulated LLM-integrated email client, the LLMail service.
  • LLMGoat - This project is a deliberately vulnerable environment to learn about LLM-specific risks based on the OWASP Top 10 for LLM Applications.
  • local-llm-ctf - Small Go + Ollama harness that routes prompts through “quarantined” vs. “privileged” models to practice bypassing filters and guardrails.
  • Prompt Airlines CTF - Test Your AI Security Skills.
  • PromptMe - An educational project showcasing security vulnerabilities in LLMs and their web integrations with 10 hands-on challenges inspired by the OWASP LLM Top 10.
  • RedAiRange (RAR) - A comprehensive security platform designed specifically for AI red teaming and vulnerability assessment.
