PentAGI: The Autonomous AI Penetration Testing Platform Changing the Game
A fully autonomous, multi-agent pentest engine that plans, executes, and reports real security engagements — end-to-end, with no hand-holding required.
PentAGI isn’t a chatbot with a hacking skin. It’s a production-grade AI orchestration engine that runs a full team of specialized security agents — each with real tools, real memory, and real objectives — against a target you define in plain English.
The security industry has spent years debating whether AI can truly automate penetration testing. Most tools have landed somewhere in the middle: AI-assisted, copilot-style helpers that still need a skilled human driving every decision. PentAGI takes a fundamentally different approach. You describe the target. The platform decomposes the engagement into subtasks, assigns specialized agents, executes real offensive tools inside isolated Docker containers, tracks findings in a multi-tier memory system, and delivers a structured vulnerability report — all without you writing a single command.
In this post, we’ll break down how PentAGI actually works under the hood: the agent team, the architecture, how to get it running, and — critically — what the security community should know before trusting it with a real engagement.
At a glance:
- 13 specialized AI agents
- 10 supported LLM providers
- 3 tiers of agent memory
- Supervision & safety layers
What PentAGI Actually Is
PentAGI is a fully autonomous, multi-agent penetration testing platform written in Go (backend) and TypeScript/React (frontend). Given a natural-language description of a target — say, “assess the web application at 192.168.1.100 for OWASP Top 10 vulnerabilities” — it plans, executes, and reports the entire engagement on its own.
To be clear about what this is not: it’s not a wrapper around a security-flavored LLM. It’s a production-grade orchestration engine with a named team of specialized AI agents, real offensive tooling (nmap, Metasploit, sqlmap, and more) running in isolated Docker containers, and a full observability stack so you can audit every decision the AI made and why.
- Core Engine: A named team of 13 specialized agents — from the Primary Orchestrator to the Pentester, Coder, Searcher, and Reporter — each with a dedicated system prompt and toolset. They delegate tasks to each other automatically.
- Infrastructure: All offensive tools run inside sandboxed Docker containers. The platform’s terminal module manages Docker exec sessions — stdout, stderr, timeouts — keeping the host environment clean and execution auditable.
- Monitoring: Every LLM call, tool execution, and agent decision is traced via OpenTelemetry, logged to Loki, visualized in Grafana, and tracked for LLM cost and token usage in Langfuse. Nothing is a black box.
PentAGI supports 10 LLM providers out of the box: OpenAI, Anthropic, Google Gemini, AWS Bedrock, Ollama (local), DeepSeek, GLM, Kimi, Qwen, and a custom provider option. This means you can run it entirely on a local model if data sovereignty is a concern.
The Agent Team: Roles & Responsibilities
This is where PentAGI separates itself from every other “AI security tool” on the market. Rather than a single general-purpose LLM trying to do everything, PentAGI fields a coordinated team of 13 specialized agents. Each has a distinct system prompt, a specific toolset, and a designated “barrier function” — a special tool the agent calls when it’s done with its work, signaling the orchestrator to move on.
The Orchestration Layer
The Primary Agent is the top-level orchestrator. It receives your natural-language target description and coordinates everything below it. Before any agent starts work, the Generator agent decomposes the input into an ordered list of subtasks, and the Refiner agent reviews and patches that list as the engagement evolves. The Adviser agent operates in three modes — as a planner, a mentor, and a strategic advisor — and can be injected at any point to course-correct agents that are stuck or going in circles.
The Execution Layer
| Agent | Primary Role | Key Tools | Max Iterations |
|---|---|---|---|
| Pentester | Elite red teamer — runs actual exploits | nmap, Metasploit, sqlmap, terminal | 100 |
| Coder | Exploit & script developer | Terminal, file I/O, code execution | 100 |
| Installer | Environment & DevOps setup | Package managers, Docker, shell | 100 |
| Searcher | OSINT & web research | DuckDuckGo, Tavily, Sploitus, browser | 20 |
| Memorist | Vector DB query agent | pgvector semantic search | 20 |
| Reporter | Structured vulnerability reporting | Template rendering, finding aggregation | 20 |
| Reflector | LLM failure recovery | Guidance injection (no tools) | Supervisor only |
The Agent Loop — How Every Agent Thinks
Every agent — regardless of its role — runs the same core loop, called performAgentChain. Understanding this loop is key to understanding PentAGI’s reliability and its limits.
pkg/providers/performer.go (simplified):

```go
for iteration := 0; ; iteration++ {
	// 1. Hard limit check (100 iterations for main agents, 20 for support agents)
	if nearLimit(iteration) {
		injectGracefulShutdown()
	}
	// 2. Call LLM with retry logic (3 attempts, 5s delay)
	response, err := callWithRetries(chain, tools)
	if err != nil {
		invokeCallerReflector()
	}
	// 3. If no tool calls returned, invoke Reflector to force tool usage
	if len(response.ToolCalls) == 0 {
		performReflector()
	}
	// 4. Execute each tool call
	wantToStop := false
	for _, call := range response.ToolCalls {
		checkRepeatingDetector(call) // block identical calls × 3
		result := executor.Execute(call) // result is appended to the chain
		if shouldInvokeMentor() { // course-correct if looping
			performMentor()
		}
		if isBarrierFunction(call) {
			wantToStop = true
		}
	}
	if wantToStop {
		return
	}
	summarizeChainIfNeeded() // compress context window
}
```
The Planner feature (enabled via AGENT_PLANNING_STEP_ENABLED=true) is worth turning on for complex engagements. Before any Pentester, Coder, or Installer agent starts its main loop, the Adviser generates a 3–7 step execution checklist that’s injected directly into the agent’s task assignment — dramatically reducing wasted iterations.
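To make the loop's safety mechanics concrete, here is a stand-alone Go model of it, written for this post rather than taken from PentAGI's source: RunAgentLoop, Config and the model/exec stand-ins are assumed names, the repeating detector is simplified to "more than MaxRepeats identical calls are refused", and the nearLimit flag passed to the model plays the role of the graceful-shutdown injection.

```go
package main

import "fmt"

type (
	ToolCall struct{ Name, Args string } // one tool invocation the model asks for
	Config   struct {
		MaxIterations, MaxRepeats int    // hard cap; identical calls tolerated before blocking
		Barrier                   string // tool name that signals "I'm finished"
	}
	Outcome struct { // how the loop ended: "barrier" (agent finished) or "limit"
		Reason              string
		Iterations, Blocked int
	}
)

// RunAgentLoop models performAgentChain. model stands in for the LLM call (it gets the iteration
// number plus a nearLimit flag, the graceful-shutdown injection); exec stands in for the executor.
func RunAgentLoop(cfg Config, model func(iter int, nearLimit bool) []ToolCall, exec func(ToolCall) string) Outcome {
	seen := map[ToolCall]int{}
	out := Outcome{Reason: "limit"}
	for iter := 0; iter < cfg.MaxIterations; iter++ {
		out.Iterations = iter + 1
		wantToStop := false
		for _, c := range model(iter, iter+1 == cfg.MaxIterations) {
			if seen[c]++; seen[c] > cfg.MaxRepeats {
				out.Blocked++ // identical call again: refuse it instead of re-executing
				continue
			}
			exec(c)
			wantToStop = wantToStop || c.Name == cfg.Barrier
		}
		if wantToStop {
			out.Reason = "barrier"
			return out
		}
	}
	return out
}

func main() {
	cfg := Config{MaxIterations: 10, MaxRepeats: 3, Barrier: "done"}
	stuck := func(_ int, near bool) []ToolCall { // re-runs the same scan until nudged to stop
		if near {
			return []ToolCall{{Name: "done"}}
		}
		return []ToolCall{{Name: "terminal", Args: "nmap -sV {target_ip}"}}
	}
	fmt.Printf("%+v\n", RunAgentLoop(cfg, stuck, func(ToolCall) string { return "ok" }))
}
```

With the constructed "stuck" model, the third identical scan is the last one executed; six further attempts are refused, and the agent only finishes because the near-limit nudge makes it call its barrier function.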
Memory, Observability & How PentAGI Learns
One of PentAGI’s most underrated capabilities is its three-tier memory architecture. This is what makes it genuinely intelligent rather than just fast — agents don’t just act, they remember, and those memories persist and improve future engagements.
Episodic Memory (Working) — The current conversation chain. Every tool call, result, and AI response in the active engagement. Automatically compressed by the chain summarizer when it grows too large, keeping the context window manageable.
Short-Term Memory (In-Flow) — PostgreSQL with pgvector. Agents store and retrieve findings semantically within the current flow using the search_in_memory tool. Up to 5 parallel semantic queries, merged and deduplicated by relevance score.
Long-Term Memory (Cross-Flow) — Typed vector storage for guides, code samples, and Q&A pairs. A technique the Pentester discovers in one engagement is stored (with targets anonymized) and available in all future engagements.
Knowledge Graph (Optional) — Neo4j via Graphiti. Every agent response and tool execution is shipped to a temporal knowledge graph. Agents can query it with 7 search modes including entity_relationships, successful_tools, and temporal_window.
Observability Pipeline — OpenTelemetry → VictoriaMetrics + Jaeger + Loki → Grafana. Every LLM call logs model name, token counts, cost, duration, and the full chain. You can replay exactly what the AI decided and why.
The Pentester’s guide storage anonymization — replacing real IPs with {target_ip} and domains with {target_domain} — is a prompt-level instruction, not a technical control. If the LLM fails to anonymize, real credentials, IPs, and session tokens could be stored in the vector DB and retrieved in future engagements against different targets. Audit your long-term memory store regularly.
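One way to turn that prompt-level instruction into a technical control, as an added example that is not PentAGI's code: scrub target identifiers deterministically before anything reaches long-term memory, and refuse to store a guide that still contains credential-looking fragments. The regexes, Anonymize and StoreGuide are assumptions for this example, and the secret pattern is deliberately coarse.

```go
package main

import (
	"fmt"
	"regexp"
)

// Target identifiers the post says should become placeholders, plus an assumed pattern
// for credential-looking fragments (this check is added here, not part of PentAGI).
var (
	ipRe     = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	domainRe = regexp.MustCompile(`(?i)\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|local|internal)\b`)
	secretRe = regexp.MustCompile(`(?i)(password|passwd|token|secret|api[_-]?key|authorization)\s*[:=]\s*\S+`)
)

// Anonymize does deterministically what the prompt asks the model to do: IPv4 addresses
// become {target_ip} and hostnames become {target_domain}. It also counts credential-like
// fragments that survive, so the caller can refuse to persist the guide instead of
// trusting the model to have dropped them.
func Anonymize(guide string) (string, int) {
	clean := ipRe.ReplaceAllString(guide, "{target_ip}")
	clean = domainRe.ReplaceAllString(clean, "{target_domain}")
	return clean, len(secretRe.FindAllStringIndex(clean, -1))
}

// StoreGuide is the gate a long-term memory writer would call (a constructed API, not
// PentAGI's): nothing that still carries a credential reaches the store.
func StoreGuide(store map[string]string, key, guide string) error {
	clean, leaks := Anonymize(guide)
	if leaks > 0 {
		return fmt.Errorf("refusing to store %q: %d credential-like fragment(s) remain", key, leaks)
	}
	store[key] = clean
	return nil
}

func main() {
	store := map[string]string{}
	// Constructed guide text an agent might try to persist after an engagement.
	leaky := "Scanned 10.20.30.40 and intranet.example.internal; SQLi on /login confirmed.\n" +
		"Session token=abc123def reused against the 10.20.30.41 admin panel."
	if err := StoreGuide(store, "sqli-login", leaky); err != nil {
		fmt.Println(err) // blocked: the token would otherwise leak into future engagements
	}
	clean, _ := Anonymize("nmap -sV 10.20.30.40 found port 8080 on app.corp.local")
	fmt.Println(clean) // nmap -sV {target_ip} found port 8080 on {target_domain}
}
```

A coarse pattern like secretRe will produce false positives; the point is that a false positive costs one manual review, while a missed session token costs a cross-engagement leak.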
Getting PentAGI Up and Running
PentAGI ships with a Docker Compose stack that bundles every service you need. Here’s the deployment path from zero to your first autonomous pentest flow.
1. Clone the Repository & Configure Environment: Clone the PentAGI repo, copy .env.example to .env, and fill in your LLM provider credentials. At minimum you need one provider key (e.g., OPENAI_API_KEY or ANTHROPIC_API_KEY) and a COOKIE_SIGNING_SALT for session security. Set strong passwords — the platform enforces a minimum of 12 characters with mixed case, numbers, and special characters.
2. Run the Interactive Installer (or Docker Compose): PentAGI ships with a TUI deployment wizard (cmd/installer) that walks you through configuration interactively. Alternatively, run docker compose up -d directly. The compose file brings up PostgreSQL (with pgvector), the Go backend, the React frontend, and the full observability stack — Grafana, Loki, VictoriaMetrics, and Jaeger.
3. Enable Optional Features via Environment Variables: PentAGI’s most powerful features are opt-in. Enable EXECUTION_MONITOR_ENABLED=true to activate the Mentor supervision layer. Set AGENT_PLANNING_STEP_ENABLED=true to add pre-task planning checklists. Enable GRAPHITI_ENABLED=true to spin up Neo4j and activate knowledge graph memory. These have cost and performance implications, so start without them and layer in as needed.
4. Create Your First Flow: Log into the React frontend, select your LLM provider, and describe your target in natural language. The platform creates a flow, the Generator agent decomposes it into subtasks, and the agent team goes to work. Real-time updates stream to the UI via GraphQL subscriptions over WebSocket — you watch the engagement unfold live.
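A pre-flight check for the .env values the steps above call out, written for this post and not part of PentAGI's installer: it codifies the stated password policy, the required COOKIE_SIGNING_SALT and provider key, and flags EXTERNAL_SSL_INSECURE=true. Assumptions: CheckEnv takes the already-parsed file as a map, and any key ending in _PASSWORD is treated as a password.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// StrongPassword applies the policy the post states: 12+ characters with mixed case,
// a digit and a special character.
func StrongPassword(p string) bool {
	var lower, upper, digit, special bool
	for _, r := range p {
		lower = lower || unicode.IsLower(r)
		upper = upper || unicode.IsUpper(r)
		digit = digit || unicode.IsDigit(r)
		special = special || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	return len(p) >= 12 && lower && upper && digit && special
}

// CheckEnv takes the parsed .env (key -> value) and returns one finding per problem, sorted so
// the output is stable. Treating every *_PASSWORD key as a password is an assumption, not PentAGI's.
func CheckEnv(env map[string]string) []string {
	findings := []string{}
	if env["OPENAI_API_KEY"] == "" && env["ANTHROPIC_API_KEY"] == "" {
		findings = append(findings, "no LLM provider key (OPENAI_API_KEY or ANTHROPIC_API_KEY)")
	}
	if env["COOKIE_SIGNING_SALT"] == "" {
		findings = append(findings, "COOKIE_SIGNING_SALT missing: sessions cannot be signed")
	}
	if strings.EqualFold(env["EXTERNAL_SSL_INSECURE"], "true") {
		findings = append(findings, "EXTERNAL_SSL_INSECURE=true disables TLS verification to LLM providers")
	}
	for k, v := range env {
		if strings.HasSuffix(k, "_PASSWORD") && !StrongPassword(v) {
			findings = append(findings, k+" fails the 12-char mixed-case/digit/special policy")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed .env contents: two weak settings beside a password that meets the policy.
	weak := map[string]string{"OPENAI_API_KEY": "sk-placeholder", "EXTERNAL_SSL_INSECURE": "true",
		"PG_PASSWORD": "password", "LANGFUSE_PASSWORD": "Str0ng!Pass#2024"}
	fmt.Println(strings.Join(CheckEnv(weak), "\n"))
}
```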
Security Considerations & Benefits to the Security Community
PentAGI is one of the most technically sophisticated open-source security tools released in recent years. But sophistication cuts both ways. Here’s an honest assessment of where it delivers genuine value — and where you need to go in with your eyes open.
Why This Matters for the Security Community
- High Value: Smaller security teams and solo practitioners can now run structured, multi-phase penetration tests without a full red team. PentAGI handles enumeration, exploitation attempts, lateral movement research, and report generation — compressing days of work into hours.
- Strategic: The long-term vector memory means techniques discovered in one engagement inform the next. For a consultancy running repeated engagements, PentAGI gets smarter over time — building an organization-specific knowledge base of what works against which target types.
- Compliance: The Langfuse + OpenTelemetry observability pipeline means every AI decision is logged, timestamped, and replayable. For regulated industries requiring documented testing methodology, PentAGI’s audit trail is a major advantage over ad-hoc manual testing.
Key Security Risks to Understand
| Design Decision | Risk | Mitigation |
|---|---|---|
| Runs as root, mounts docker.sock | Container escape = host escape | Deploy on a dedicated, isolated host. Never share with production workloads. |
| Authorization bypass language in all agent prompts | A rogue/compromised LLM provider could act without restriction | Use only trusted, verified LLM providers. Audit provider API traffic. |
| Credentials stored in .env file | Secret sprawl in production | Replace with a secrets manager (HashiCorp Vault, AWS Secrets Manager) before production deployment. |
| Scope control is prompt-level only | No hard technical boundary prevents out-of-scope actions | Network-level controls (firewall rules, VLANs) are essential. Never rely solely on prompt boundaries. |
| EXTERNAL_SSL_INSECURE=true option | Disables TLS verification to LLM providers | Never use this in production. Keep TLS verification enabled at all times. |
PentAGI is designed for authorized penetration testing only. Every agent’s system prompt contains an explicit authorization declaration. Running this tool against targets you don’t have written permission to test is illegal and unethical. Treat it with the same operational security discipline you’d apply to any live red team tooling.
Start with PentAGI in assistant mode — the non-flow chat interface — before running full autonomous flows. This lets you get a feel for how the underlying LLM interprets your target descriptions and tune your inputs before committing to a full agentic engagement that could run for hours.
The Bottom Line
PentAGI represents a genuine leap forward in what’s possible with AI-powered security tooling. The combination of specialized agents, persistent multi-tier memory, real offensive tooling in sandboxed containers, and a full observability stack puts it in a different league from anything that came before it. For security teams willing to invest the time to deploy and tune it responsibly, it’s a force multiplier that can meaningfully expand testing coverage and capacity.
But it is not a silver bullet. Prompt-level scope controls are not a substitute for network segmentation. Long-term memory requires active curation. And the attack surface it introduces — docker.sock exposure, headless Chromium for scraping, wide port allocation for out-of-band callbacks — needs to be treated seriously. Use it as one powerful layer in a mature security program, not as a replacement for one.