LLM-powered penetration testing framework with autonomous agents.

⚠️ Vibecoded and under heavy development. Expect breaking changes, rough edges, and the occasional chaos.

feroxmute automates security testing using a hierarchy of specialized AI agents. An orchestrator plans the engagement and delegates to recon, scanner, exploit, and report agents - all executing tools inside a Kali Linux Docker container while you watch from a terminal UI.

• Hierarchical agent architecture - Orchestrator delegates to specialist agents (recon, scanner, exploit, report, script)
• Multi-provider LLM support - Anthropic, OpenAI, Gemini, Cohere, xAI, DeepSeek, Azure, Perplexity, Ollama, and LiteLLM (powered by rig). Tested primarily with Gemini 3 Pro and Gemini 3 Flash.
• Docker isolation - All tools run inside a Kali Linux container
• Terminal UI - Live dashboard showing agent activity, tool output, and findings
• Session persistence - SQLite-backed state with resumable sessions
• Agent memory - Persistent scratchpad for orchestrator context (press p in TUI to view)
• SAST support - Link source code to web targets for combined analysis
• Engagement controls - Passive mode, port restrictions, rate limiting, scope limitations

Agents have access to 17 specialized playbooks that guide testing for specific vulnerability classes. Scanner and exploit agents can request playbooks using the get_playbook tool when they identify potential attack vectors.

Each playbook includes:

• Indicators - Signs the vulnerability may be present
• Tools & commands - Specific tool usage for the vulnerability type
• Exploitation techniques - Manual and automated approaches
• Evasion methods - WAF/filter bypass techniques where applicable

Injection

• SQL Injection, NoSQL Injection, Command Injection, SSTI, XXE

Client-Side

• XSS, CSRF

Server-Side

• SSRF, LFI/RFI, Deserialization, Race Conditions

Authentication & Crypto

• JWT Attacks, Crypto Weaknesses

Protocols & Platforms

• GraphQL, WebSockets, Windows Web, Windows AD

• Rust toolchain (1.75+)
• Docker running
• API key for your LLM provider (e.g., ANTHROPIC_API_KEY)

git clone https://github.com/dilaz/feroxmute
cd feroxmute
cargo build --release

# Interactive configuration wizard
./target/release/feroxmute --wizard

This creates ~/.feroxmute/config.toml with your provider settings.

# Start an engagement (Kali container builds automatically on first run)
./target/release/feroxmute --target example.com

feroxmute [OPTIONS] --target <TARGET>

# Default: Test a web application thoroughly (no discovery, no portscan)
feroxmute --target https://app.example.com

# Enable subdomain discovery for broader coverage
feroxmute --target example.com --discover

# Full network penetration test
feroxmute --target 10.0.0.0/24 --discover --portscan --network

# Combine web target with source code analysis
feroxmute --target https://app.example.com --source ./src

# Source code analysis only
feroxmute --sast-only --target ./my-project

The Kali container builds automatically on first run. For manual control:

# Build the Kali image
docker compose -f docker/compose.yml build

# Start containers
docker compose -f docker/compose.yml up

# Start with LiteLLM proxy sidecar
docker compose -f docker/compose.yml --profile litellm up

This tool is intended for authorized security testing only.

• Only use against systems you own or have explicit written permission to test
• You are solely responsible for your actions
• The authors accept no liability for misuse or damage caused by this software
• This software comes with absolutely no warranty

Use at your own risk.

BSD 3-Clause License. See LICENSE for details.