28 Claude AI Subagents for Enhanced Penetration Testing

Jennifer Sherman
April 27, 2026

The open-source toolkit pentest-ai-agents is redefining how security professionals leverage AI in penetration testing workflows. It achieves this by transforming Anthropic’s Claude Code into a fully specialized offensive security research assistant, powered by 28 domain-specific subagents.

Released by security researcher 0xSteph on GitHub, pentest-ai-agents is a collection of 28 Claude Code subagents, each carrying deep domain expertise across the full penetration testing lifecycle.

Coverage spans reconnaissance, web application testing, Active Directory attacks, cloud security, mobile pentesting, wireless attacks, social engineering, exploit chaining, detection engineering, forensics, malware analysis, and report generation.

Rather than relying on a single general-purpose AI model, the framework automatically routes each query to the most appropriate specialist agent.

Pentest-AI-Agents Installation

Setup requires no servers, no external dependencies, and no complex configuration. A single command handles everything:

```bash
curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh | bash
```

The script clones the repository, copies all 28 agent files to ~/.claude/agents/, and exits cleanly. It is fully idempotent, meaning re-running it safely updates existing agents.

Additional install options support project-scoped deployments (--project) and a cost-optimized lite mode (--global --lite) that runs advisory agents on Claude Haiku for reduced token consumption.
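Piping a remote script straight into bash runs whatever the URL serves at that moment. The following is an added example, not code from the project: it runs a downloaded installer only if its SHA-256 matches a digest recorded at review time. The function names and the stand-in installer in `demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): run a downloaded installer only if
# its SHA-256 matches the digest recorded when the script was reviewed.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_if_pinned FILE EXPECTED_SHA256 [installer args...]
# Returns 1 without executing anything when the digest differs, 2 if unreadable.
run_if_pinned() {
  local file="$1" expected="$2" actual
  shift 2
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: got $actual, pinned $expected" >&2
    return 1
  fi
  bash "$file" "$@"
}

# Offline demo on a constructed stand-in installer (not the real install.sh).
demo() {
  local dir pin
  dir=$(mktemp -d)
  printf 'echo "installed $*" > "%s/marker"\n' "$dir" > "$dir/install.sh"
  pin=$(sha256_of "$dir/install.sh")          # digest recorded at review time
  run_if_pinned "$dir/install.sh" "$pin" --project && cat "$dir/marker"
  echo 'echo tampered' >> "$dir/install.sh"   # simulate a changed upstream script
  run_if_pinned "$dir/install.sh" "$pin" || echo "blocked (exit $?)"
  rm -rf "$dir"
}
demo

# Real use, with the URL from the article and a digest you recorded yourself:
#   curl -fsSL https://raw.githubusercontent.com/0xSteph/pentest-ai-agents/main/install.sh -o install.sh
#   less install.sh && sha256_of install.sh     # review, then record the digest
#   run_if_pinned install.sh "<recorded-sha256>" --project
```

The digest covers only install.sh. Because the script clones the repository, the agent files it copies are not covered by this check and need their own review.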

The toolkit introduces a two-tier execution model for safety and flexibility. Tier 1 agents operate in advisory mode: users paste tool output and receive prioritized analysis, methodology guidance, and recommended next commands.

Tier 2 agents go further, composing and executing commands directly against a declared, authorized scope, with Claude Code displaying each command for explicit approval before execution.

Tier 2 agents include the Recon Advisor (nmap, whois, whatweb), Web Hunter (ffuf, sqlmap, dalfox), AD Attacker (BloodHound, Impacket, CrackMapExec, Certipy), Exploit Chainer, PoC Validator, and Business Logic Hunter. Every offensive action is mapped to MITRE ATT&CK identifiers and paired with defensive context.
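Before relying on the tier split, it helps to check which installed agent files can actually run commands. The following is an added example, not code from the project: it reads each agent file's frontmatter and reports whether the agent is granted the Bash tool. It assumes Claude Code's subagent file format (Markdown with YAML frontmatter and an optional inline comma-separated `tools:` line, where omitting the line inherits all tools); the function names and sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the project's code). Assumes Claude Code's subagent file
# format: Markdown with YAML frontmatter between '---' lines, where 'tools:'
# is an optional comma-separated list and omitting it inherits every tool.

# Print the frontmatter tools value, or INHERITS_ALL / NO_FRONTMATTER.
agent_tools() {
  awk '
    NR == 1 && $0 != "---" { bad = 1; exit }
    NR == 1                { next }
    $0 == "---"            { exit }
    /^tools:/              { sub(/^tools:[ \t]*/, ""); tools = $0; have = 1 }
    END {
      if (bad || NR == 0) print "NO_FRONTMATTER"
      else if (have)      print tools
      else                print "INHERITS_ALL"
    }
  ' "$1"
}

# exec = may run shell commands, no-exec = cannot, unknown = not an agent file.
agent_class() {
  local tools
  tools=$(agent_tools "$1" | tr -d ' \t')
  case ",$tools," in
    ,NO_FRONTMATTER,)        echo unknown ;;
    ,INHERITS_ALL,|*,Bash,*) echo exec ;;
    *)                       echo no-exec ;;
  esac
}

# audit_agents DIR: one "class<TAB>file<TAB>tools" line per agent file.
audit_agents() {
  local f
  for f in "$1"/*.md; do
    [ -e "$f" ] || continue
    printf '%s\t%s\t%s\n' "$(agent_class "$f")" "${f##*/}" "$(agent_tools "$f")"
  done
}

# Offline demo on constructed agent files (names and contents are made up).
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' '---' 'name: sample-runner' 'tools: Read, Grep, Bash' '---' > "$d/runner.md"
  printf '%s\n' '---' 'name: sample-advisor' 'tools: Read, Grep' '---' > "$d/advisor.md"
  printf '%s\n' '---' 'name: sample-default' '---' > "$d/default.md"
  audit_agents "$d"
  rm -rf "$d"
}
demo   # real use: audit_agents ~/.claude/agents
```

An agent reported as `exec` that is meant to be advisory-only is a candidate for an explicit, narrower `tools:` line. A YAML block-style tools list is not parsed by this sketch.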

Persistent Findings and MCP Support

A built-in SQLite-backed findings database (findings.sh) persists engagement data across Claude Code sessions, enabling multi-day operations with seamless handoffs.

Tier 2 agents write to this database automatically when findings.sh is in the system PATH. The Report Generator agent produces professional pentest reports complete with executive summaries, CVSS scoring, and remediation roadmaps.

For air-gapped or privacy-sensitive environments, agents can be converted to OpenCode custom commands compatible with Ollama, LM Studio, or any local model via the included opencode-setup.sh script.

A companion MCP server (pentest-ai) extends the ecosystem with 150+ tool wrappers, autonomous exploit chaining, and CI/CD pipeline integration for Claude Desktop, Cursor, and VS Code Copilot.
