βββ ββββββ ββββββ βββββββ ββββββ ββββ βββ
βββ ββββββ ββββββ βββββββββββββββββββββ βββ
βββ ββββββ ββββββ βββ ββββββββββββββ βββ
ββββ βββββββ ββββββ βββ ββββββββββββββββββ
βββββββ ββββββββββββββββββββββββββββ ββββββ ββββββ
βββββ βββββββ ββββββββ ββββββββββ ββββββ βββββ
The Sovereign AI Pentester
Full-local. Zero API keys. 117 tools. One command.
Why Vulcan β’ 60-Second Quick Start β’ Three Modes β’ How It Works β’ Architecture β’ Landscape β’ Roadmap β’ Disclaimer
One command. Full pentest. No API keys. No egress. No vendor lock-in. 117 security tools orchestrated by a ReAct-loop AI agent running entirely on your metal.
./run-beast.sh scanme.nmap.org
Existing pentest automation forces you to choose:
- Cloud AI (Burp, commercial scanners) β your target data leaves the perimeter.
- Scriptable tools (Metasploit, Nuclei) β powerful, but you still plan every step.
- LLM wrappers (Claude Code, Copilot) β great for ideation, useless without tool execution.
Vulcan fuses all three. A ReAct-loop agent plans the attack. A 127-tool API executes it. An LLM β cloud or local β drives decisions. Everything flows into a professional HTML/PDF report. Assessment-ready in one command.
The AI thinks. The tools execute. You get the report.
- Red teamers who want a force-multiplier, not a replacement.
- CTF players who want autonomous recon β exploit chains on HackTheBox / TryHackMe / VulnHub boxes.
- Bug bounty hunters who need to cover wide scope fast.
- Security researchers who refuse to ship target data to third-party clouds.
- Consultants whose clients demand 100% on-prem tooling.
# Clone
git clone https://github.com/juliosuas/vulcan.git && cd vulcan
# Install
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
# Run β full autonomous pentest, local-only (no API keys required)
./run-beast.sh scanme.nmap.orgThat's it. run-beast.sh auto-launches the HexStrike API, warms your local LLM, runs the full ReAct pipeline, and opens the HTML report in your browser.
Want to use Claude instead?
export ANTHROPIC_API_KEY=sk-ant-...
vulcan scan --target example.com --llm claude --hexstrikeWant classic subprocess-only mode?
vulcan scan --target example.com --llm claudeVulcan exposes two orthogonal axes β the LLM provider and the execution backend β giving you four deployment profiles:
| Mode | Command | LLM | Tools | API keys | Egress | When to use |
|---|---|---|---|---|---|---|
| π΄ BESTIA (full-local) | ./run-beast.sh <target> |
smart-llm (Ollama, local) | HexStrike API (117 tools) | β none | β zero | Air-gapped labs Β· sensitive clients Β· CTF grind |
| π‘ Hybrid | --llm claude --hexstrike |
Claude / GPT-4 | HexStrike API (117 tools) | β LLM only | Best-of-both: heavy iron executing, frontier model thinking | |
| π’ Cloud classic | --llm claude |
Claude / GPT-4 | Local subprocess (5 tools) | β LLM only | Laptop, fast iteration, full frontier reasoning | |
| β« OSS-only | --llm openai + Ollama base URL |
Local Ollama model | Local subprocess | β none | β zero | Legacy hosts, minimal install |
Why this matters: most "AI pentest" tools lock you into one cloud LLM and one tool orchestration choice. Vulcan lets you mix them independently β and switch modes with a single flag.
Vulcan runs a ReAct (Reason β Act β Observe) loop β the canonical autonomous-agent pattern β across four phases:
βββββββββββββββββββββββ
β π― TARGET β
β example.com β
βββββββββββ¬ββββββββββββ
β
βββββββββββββββββΌββββββββββββββββ
βΌ βΌ βΌ
ββββββββββββ ββββββββββββ ββββββββββββ
β RECON β β PLANNING β β EXECUTIONβ
β (auto) ββ β (LLM) ββ β (ReAct) β
ββββββββββββ ββββββββββββ βββββββ¬βββββ
β
βΌ
ββββββββββββ
β REPORT β
β HTML/PDF β
ββββββββββββ
Inside the execution phase, every iteration:
π§ REASON βββΊ LLM reads state, picks next action, emits JSON
β‘ ACT βββΊ Vulcan dispatches to module β Executor β tool
ποΈ OBSERVE βββΊ Parse output, extract findings, update conversation
β β
βββββββββββββββββββ loop βββββββββββββββββββββββββββ
(up to max_iterations=50)
The LLM decides when to pivot, what to investigate deeper, when to drop a thread, and when the assessment is complete.
| Feature | Description | v1 | v2 |
|---|---|---|---|
| π§ AI-driven attack planning | LLM plans & re-plans in real time | β | β |
| π ReAct (Reason β Act β Observe) loop | Canonical autonomous-agent pattern | β | β |
| π‘ Full recon pipeline | Subdomains Β· ports Β· tech Β· dirs Β· DNS | β | β |
| π Automated vuln scanning | Nuclei + custom checks | β | β |
| π Exploitation modules | SQLi Β· XSS Β· SSRF Β· CMD injection | β | β |
| π Professional reports | HTML (validated) + PDF via weasyprint (optional) | β | β |
| π€ Claude / GPT-4 support | Frontier cloud LLMs | β | β |
| π₯οΈ Rich CLI | Beautiful terminal UI | β | β |
| π³ Docker | Isolated execution | β | β |
| π΄ BESTIA mode | Full-local, zero API keys | β | β |
| βοΈ HexStrike integration | 5 β 127 security tools | β | β |
| π smart-llm routing | Local Ollama via heuristic router | β | β |
| π‘οΈ Data sovereignty | Target data never leaves your host | β | β |
| π Mix-and-match modes | LLM Γ executor independent axes | β | β |
| 𧩠Graceful fallback | Auto-fallback to local subprocess if API down | β | β |
| Capability | Vulcan v2 | Metasploit | Burp Pro | Nuclei |
|---|---|---|---|---|
| AI-driven planning | β | β | β | β |
| Autonomous ReAct loop | β | β | β | β |
| Recon β Exploit β Report pipeline | β | β Scan only | ||
| Multi-tool orchestration | β 117 tools | β Single | β Single | β Single |
| Runs 100% local (no cloud) | β | β | β | β |
| Local LLM reasoning | β | β | β | β |
| Zero egress mode | β | β | β | β |
| Auto-generated reports | β HTML (PDF opt.) | β | ||
| Natural language control | β | β | β | β |
| Open source | β MIT | β | β | β MIT |
| Docker ready | β | β | β | β |
Vulcan doesn't replace these tools β it orchestrates them. Nmap, Nuclei, SQLMap, Gobuster, Subfinder, Hydra, NetExec, MSFVenom, Hashcat, FFuf, WPScan, Amass, and 100+ more run underneath, guided by AI.
Other autonomous-pentest projects exist (PentestGPT, Shennina, etc.) β Vulcan's differentiator is the independently swappable LLM Γ executor axes and the full-local BESTIA mode.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VulcanAgent β
β (ReAct Orchestrator) β
ββββββββββββββββ¬βββββββββββββββββββ¬βββββββββββββββ¬βββββββββββββββββ€
β Planner β LLM β Executor β Reporter β
β (strategy) β βββββββββββββ β ββββββββββββββ (HTML/PDF/JSON)β
β β β’ Anthropic β β’ Subproc β β
β β β’ OpenAI β β’ HexStrike β β
β β β’ smart-llm β‘ β API :8888 β β
ββββββββββββββββ΄βββββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββββ€
β Modules β
β βββββββββββ ββββββββββββ ββββββββββββ ββββββββ ββββββββββββ β
β β Recon β β Scanner β β Exploit β β Web β β Network β β
β βββββββββββ ββββββββββββ ββββββββββββ ββββββββ ββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Execution Layer β
β Local subprocess ββββββββ OR ββββββββΊ HexStrike API :8888 β
β (5 tools by default) (117 tools, shared) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Vulcan's executor is swappable at init time:
Executorβ runsnmap -sV targetviaasyncio.create_subprocess_shellon localhost.HexStrikeExecutorβ parses the same command, POSTs to/api/tools/nmapon a remote HexStrike server, returns the sameExecutionResult.
Modules, tool wrappers, and the ReAct loop don't change. You swap the executor with --hexstrike and you're now orchestrating 117 tools instead of 5, with caching, concurrency, and graceful fallback baked in.
git clone https://github.com/juliosuas/vulcan.git
cd vulcan
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txtgit clone https://github.com/juliosuas/vulcan.git
cd vulcan
docker compose up --buildpip install vulcan-pentestcp .env.example .env
# Edit .env with your keys (optional β BESTIA mode needs none)ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
VULCAN_LLM_PROVIDER=smartllm # claude | openai | smartllm
VULCAN_USE_HEXSTRIKE=1 # route through HexStrike :8888
VULCAN_HEXSTRIKE_SERVER=http://127.0.0.1:8888
VULCAN_SMARTLLM_BIN=smart-llm # or absolute pathInstall Ollama, pull a model, and install smart-llm (the heuristic router):
curl -fsSL https://ollama.com/install.sh | sh
ollama pull qwen3:32b # recommended for reasoning
ollama pull qwen2.5-coder:7b # for code/payload tasksgit clone https://github.com/0x4m4/hexstrike-ai.git
cd hexstrike-ai && python3 -m venv hexstrike-env && source hexstrike-env/bin/activate
pip install -r requirements.txt
./hexstrike_server.py # Flask API on :8888./run-beast.sh <target> [quick|standard|full]vulcan scan --target example.com --llm claude --mode fullvulcan scan --target example.com --llm claude --hexstrikevulcan recon --target example.com --modules subdomains,ports,tech,dirs,dnsvulcan report --input ./vulcan_output/example.com --format html
# PDF: pip install weasyprint && vulcan report --input ./vulcan_output/example.com --format pdfvulcan scan --help
--target, -t Target domain or IP [required]
--mode, -m quick | standard | full [standard]
--llm claude | openai | smartllm [claude]
--local Shortcut: --llm smartllm --hexstrike
--hexstrike/--no-hexstrike Route tools through HexStrike [off]
--hexstrike-url HexStrike server URL [http://127.0.0.1:8888]
--report html | pdf | json [html]
--output, -o Output directory [./vulcan_output]
--config, -c YAML config path
--verbose, -v Verbose output
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ./run-beast.sh scanme.nmap.org β
ββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββ
β
ββββββββΌβββββββββββ ββββββββββββββββββββββββ
β Preflight βββββββββΊβ curl :8888/health β
β β β if down β start β
ββββββββ¬βββββββββββ ββββββββββββββββββββββββ
β
ββββββββΌβββββββββββ ββββββββββββββββββββββββ
β Warm smart-llm βββββββββΊβ Ollama models β VRAM β
β β β (avoid cold-start) β
ββββββββ¬βββββββββββ ββββββββββββββββββββββββ
β
ββββββββΌβββββββββββ
β vulcan scan βββββ ReAct loop βββΊ smart-llm (qwen3:32b)
β --local β β
β β βΌ
β β JSON action
β β β
β β βββββββββββββββββ
β βΌ βΌ
β ββββββββββββββββββββββββββ
β β HexStrikeExecutor βββPOST /api/tools/nmapβββΊ HexStrike :8888
β β (aiohttp + semaphore) β β
β β βββββJSON resultβββββββββββ β
β ββββββββββββββββββββββββββ [subprocess Β· caching Β· recovery]
β β
β βΌ
β Finding extracted β Reporter
β
ββββΊ xdg-open vulcan_output/*.html
Every component degrades gracefully:
- HexStrike down β
HexStrikeExecutor.fallback_local=Truesilently falls back to subprocess. - smart-llm missing β raises with exact env var to set.
- Model cold β
run-beast.sh --warmupkeeps them hot in VRAM withkeep_alive=24h.
Every Vulcan run includes verification checklists inspired by industry methodology:
| Check | Criteria | How to confirm |
|---|---|---|
| Subdomain coverage | All passive + active sources queried | Compare subfinder/amass/DNS results |
| Port scan completeness | Top 1000+ on all live hosts | Verify nmap params in output |
| Service identification | Versions extracted for all open ports | Check -sV for "unknown" entries |
| Scope compliance | No out-of-scope targets contacted | Cross-reference scope doc |
| Check | Criteria | How to confirm |
|---|---|---|
| Template coverage | Critical + High executed | Verify nuclei template count |
| False-positive review | Each critical/high validated | Request/response pairs saved |
| CVE mapping | Findings mapped to CVE IDs | CVE column populated in report |
| Remediation guidance | Fix rec per finding | Review report remediation section |
| Check | Criteria | How to confirm |
|---|---|---|
| Authorization | Explicit written permission | Scope doc reviewed before exploit |
| Evidence capture | Proof documented | Screenshots / request-response saved |
| Impact assessment | Business impact described | Impact field populated |
| Cleanup | All test artifacts removed | Post-exploitation checklist done |
| Check | Criteria | How to confirm |
|---|---|---|
| Exec summary | Non-technical overview present | Readable by C-suite |
| Finding accuracy | No dupes/contradictions | Peer review or AI cross-check |
| Severity distribution | Aligns with CVSS + business context | No Medium with Critical impact |
| Remediation priority | Ordered by risk, not CVSS alone | Considers exploitability + asset value |
| Platform | Status | Notes |
|---|---|---|
| Debian 12 | β Tested | Primary dev + validation platform |
| Kali / Parrot | π’ Expected | Derivatives of Debian; most tools pre-installed |
| Ubuntu 22.04+ | π’ Expected | Debian-family; should work out of the box |
| Arch / Fedora | π‘ Untested | Python deps portable; tool install paths differ |
| macOS 13+ (Apple Silicon) | π‘ Untested | Homebrew for Nmap/Nuclei; Ollama native |
| Windows 11 (WSL2) | π‘ Untested | Run inside Ubuntu for best results |
| Docker | π’ Expected | docker compose up --build (Dockerfile + compose file shipped, validation pending) |
Current validation status (v2.0): end-to-end pipeline (recon β planning β ReAct β HTML report) validated against
scanme.nmap.orgon Debian 12 in both--local(BESTIA) and--llm claude --hexstrike(hybrid) modes. PDF export usesweasyprint(optional dep, untested this release). Other platforms expected to work but not independently verified yet β PRs confirming are welcome.
| Provider | Models | BESTIA? | Notes |
|---|---|---|---|
| Anthropic | Claude Sonnet 4 / Opus | β (cloud) | Recommended for frontier reasoning |
| OpenAI | GPT-4o / GPT-4 Turbo | β (cloud) | Fully supported |
| smart-llm + Ollama | qwen3:32b / qwen2.5-coder:7b | β | Default in BESTIA mode |
| LiteLLM proxy | 100+ models | Via OpenAI-compatible base URL |
- Core ReAct loop with Claude/GPT-4
- Recon Β· Scanner Β· Exploit Β· Web Β· Network modules
- HTML/PDF/JSON report generation
- Rich CLI + beautiful terminal UI
- Docker support
- v2.0 β HexStrike integration (117 tools)
- v2.0 β smart-llm local-only mode
- v2.0 β Graceful subprocess fallback
- v2.0 β Hybrid mode (cloud LLM + local exec)
- π Plugin system for custom tool integration
- π Multi-target campaign mode
- π API server mode (REST + WebSocket)
- π Collaborative mode (agent swarms)
- π MITRE ATT&CK mapping per finding
- π Evidence chain visualization (graph)
- π OWASP ZAP integration
- π Slack / Discord / Telegram webhooks
- π Cloud deployment templates (AWS/GCP)
- π CTF-specific heuristics (flag sniffing, well-known ports)
- π Replay mode (re-run from cached output, zero tool exec)
PRs are welcome β especially new tool wrappers, additional LLM providers, and report templates.
- Fork β
git checkout -b feat/your-feature pip install -e ".[dev]"python -m pytest tests/- Open a PR with a clear description
- Follow existing code style (Black, 100 char lines)
- Add tests for new features
- Keep PRs focused and atomic
- New tool wrappers must subclass
ToolWrapperintools/wrapper.py - New LLM providers must implement
_call_llm()incore/agent.py
β οΈ AUTHORIZED USE ONLYVulcan is designed exclusively for authorized security testing and educational purposes.
- Always obtain explicit written permission before testing any system.
- Never use this tool against systems you do not own or have authorization to test.
- Unauthorized access to computer systems is illegal in most jurisdictions.
- Users are solely responsible for ensuring compliance with all applicable laws.
- The authors and contributors assume no liability for misuse.
By using Vulcan, you agree to use it responsibly and legally. When in doubt, don't run it.
Legal testing sandboxes to learn on: scanme.nmap.org Β· HackTheBox Β· TryHackMe Β· VulnHub Β· DVWA Β· OWASP Juice Shop.
MIT β see LICENSE.
Built with π by @juliosuas
If Vulcan saves you a weekend, consider dropping a β
- Ghost β AI-powered OSINT platform
- Phantom β LLM red teaming Β· OWASP Top 10 for LLMs
- Sentinel β AI-powered SOC Β· real-time log analysis
- Cerberus β Security-as-a-Service for SMBs
- AI Garden β A pixel-art world built by AI agents. Watch it grow.
- HexStrike AI by @0x4m4 β the 117-tool Flask API that powers BESTIA mode's execution layer.
- Ollama β the local LLM runtime.