Offensive AI

🌱 Beginner

T1592 | Gather Victim Host Information T1588.005 | Obtain Capabilities: Exploits

Introduction to Offensive AI

Offensive AI combines the reasoning power of Large Language Models with traditional security tooling through standardized protocols like MCP. In 2026, AI agents don't just assist pentesting — they orchestrate multi-tool workflows, correlate findings across attack surfaces, and generate human-quality reports in minutes.

Foundation Page

This is the starting point for the Offensive AI section. Every subsequent module builds on the concepts, tooling, and threat models introduced here.

What is Offensive AI?

Offensive AI refers to the application of artificial intelligence and machine learning to penetration testing, vulnerability research, exploit development, and security assessments. Unlike traditional automated scanners that follow rigid rule sets, AI agents can:

Understand context — adapt testing strategies based on target architecture and observed responses
Correlate findings — link results across nmap, nuclei, Burp, and custom scripts into unified attack narratives
Generate custom payloads — craft exploits tailored to specific software versions and configurations
Explain and report — produce human-readable executive summaries and technical remediation guidance
Chain actions autonomously — plan multi-step attack paths and execute them with human-in-the-loop approval
Learn from engagements — improve subsequent tests using contextual memory and retrieval-augmented generation (RAG)

The Model Context Protocol (MCP)

The Model Context Protocol (MCP) is an open standard that defines how AI models interact with external tools and data sources. Originally developed by Anthropic and now widely adopted, MCP gives LLMs a structured interface to invoke security tools, read scan results, and trigger workflows — all without bespoke integrations.

graph LR subgraph AI Client A[Claude / Copilot / Cursor] end subgraph MCP Layer B[MCP Server] C[Tool Registry] D[Resource Provider] E[Prompt Templates] end subgraph Security Tools F[nmap] G[nuclei] H[sqlmap] I[Burp Suite] J[Custom Scripts] end A -- "JSON-RPC" --> B B --> C B --> D B --> E C --> F C --> G C --> H C --> I C --> J

Key MCP Concepts

Tools

Functions the AI can invoke to perform actions — run nmap scans, execute sqlmap, generate nuclei templates, or call custom scripts.

Resources

Data sources the AI can read — scan results, configuration files, vulnerability databases, and engagement notes.

Prompts

Pre-defined templates for common security workflows — recon checklists, exploit chains, and report generation pipelines.

Sampling

Server-initiated requests for AI decision-making — the server asks the model to classify a finding or choose a next action.

Example MCP configuration for Claude Desktop with a security toolkit and local Ollama bridge:

claude_desktop_config.json

json

// claude_desktop_config.json — MCP server configuration
// Location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
//           %APPDATA%\Claude\claude_desktop_config.json (Windows)
{
  "mcpServers": {
    "security-toolkit": {
      "command": "npx",
      "args": ["-y", "@anthropic/mcp-server-security"],
      "env": {
        "NMAP_PATH": "/usr/bin/nmap",
        "NUCLEI_PATH": "/usr/bin/nuclei"
      }
    },
    "ollama-bridge": {
      "command": "python3",
      "args": ["-m", "mcp_ollama_bridge"],
      "env": {
        "OLLAMA_HOST": "http://localhost:11434",
        "MODEL": "llama3.3:70b"
      }
    }
  }
}
// claude_desktop_config.json — MCP server configuration
// Location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
//           %APPDATA%\Claude\claude_desktop_config.json (Windows)
{
  "mcpServers": {
    "security-toolkit": {
      "command": "npx",
      "args": ["-y", "@anthropic/mcp-server-security"],
      "env": {
        "NMAP_PATH": "/usr/bin/nmap",
        "NUCLEI_PATH": "/usr/bin/nuclei"
      }
    },
    "ollama-bridge": {
      "command": "python3",
      "args": ["-m", "mcp_ollama_bridge"],
      "env": {
        "OLLAMA_HOST": "http://localhost:11434",
        "MODEL": "llama3.3:70b"
      }
    }
  }
}

Types of AI Security Tools

The 2026 AI security ecosystem falls into four primary categories, each with distinct strengths and integration patterns.

1. MCP Platforms

Full-stack platforms that expose security tools via MCP servers, letting any compatible AI client orchestrate complex engagements.

HexStrike AI — 200+ tools, 15+ specialized agents, full MCP server
Claude MCP Toolkit — Native MCP server ecosystem with security extensions
SecureAgent — Open-source MCP platform for offensive security automation

2. AI Copilots

IDE and tool extensions that add AI-powered analysis, code generation, and vulnerability detection to existing workflows.

GitHub Copilot — Code-aware security analysis within VS Code
ReconAIzer — Burp Suite AI-powered traffic analysis
Nuclei AI — Automatic vulnerability template generation
BurpGPT — LLM-driven HTTP request/response analysis

3. Agent Frameworks

Autonomous and semi-autonomous systems that plan, execute, and iterate on multi-step security tasks.

LangChain Agents — Composable tool-calling agents with memory and planning
CrewAI — Multi-agent orchestration for complex engagements
AutoGen — Microsoft's multi-agent conversation framework
PentestGPT — Interactive penetration testing assistant

4. Security LLMs

Language models fine-tuned or optimized for security tasks — vulnerability analysis, exploit generation, and threat intelligence.

WhiteRabbitNeo — Uncensored security-focused LLM for offensive research
HackerGPT — Bug bounty and vulnerability research assistant
DeepSeek-R1 — Reasoning model with strong code/security capabilities
Llama 3.3 (70B) — Open-weight model suitable for local security tasks

Supported AI Clients

MCP-based security tools integrate with a growing ecosystem of AI clients. Choose based on your workflow — desktop app for interactive sessions, IDE for code-centric testing, or API for pipeline automation.

🤖

Claude Desktop

Native MCP support, best-in-class tool calling

💻

VS Code Copilot

MCP agent mode, inline security analysis

🖱️

Cursor

MCP integration with codebase-aware context

🌊

Windsurf

Cascade AI with MCP tool orchestration

🔌

Cline

VS Code extension with autonomous MCP agent

🦘

Roo Code

Multi-model MCP client with custom modes

Use Cases: AI vs. Traditional

Real-world benchmarks from 2025–2026 engagements comparing AI-assisted workflows against manual approaches at comparable depth.

Use Case	Traditional	With AI (2026)	Speedup	Quality Note
Subdomain Enumeration	2–4 hours	3–8 minutes	~30x	AI cross-references passive + active sources
Vulnerability Scanning + Triage	4–8 hours	10–20 minutes	~20x	Auto-deduplicates and ranks by exploitability
Web Application Testing	1–3 days	2–6 hours	~8x	Covers auth, logic, and injection classes
Report Generation	4–12 hours	5–15 minutes	~50x	Draft quality; human review still required
Exploit Development	1–5 days	1–8 hours	~10x	Works best for known CVE patterns
Attack Surface Mapping	1–2 days	15–45 minutes	~40x	Aggregates DNS, certs, ports, cloud metadata

AI Limitations

AI agents are powerful force-multipliers but not replacements for human expertise. Always verify AI-generated findings, review exploit code before execution, validate business logic flaws manually, and maintain proper oversight of autonomous agents. False positives and hallucinated CVEs remain common failure modes.

MITRE ATLAS Framework

ATLAS (Adversarial Threat Landscape for AI Systems) is MITRE's threat framework specifically designed for adversarial attacks on machine learning systems. While ATT&CK covers traditional infrastructure, ATLAS maps tactics and techniques for attacking, evading, and exploiting AI/ML models — directly relevant to both offensive AI usage and defending against it.

Offensive Relevance

ATLAS techniques you'll encounter when attacking AI-integrated targets:

• AML.T0003 — Craft Adversarial Data (prompt injection, evasion samples)
• AML.T0004 — Data Poisoning (training data manipulation)
• AML.T0006 — Model Evasion (bypassing ML-based detections)
• AML.T0008 — Model Theft (extracting model weights or architecture)
• AML.T0005 — Exfiltration via ML API (data leakage through model outputs)

Defensive Mapping

Understanding ATLAS also helps you assess AI defenses in target environments:

• Map ML model deployment surfaces during reconnaissance
• Identify prompt injection vectors in AI-powered applications
• Test robustness of AI-based WAFs and anomaly detectors
• Evaluate data pipeline integrity for poisoning opportunities
• Assess API rate limits and model access controls

Query the ATLAS matrix programmatically to map adversarial ML techniques:

atlas_navigator.py

python

# MITRE ATLAS Navigator — export adversarial ML threat matrix
# Prerequisites: pip install mitreattack-python requests
# Docs: https://atlas.mitre.org/
import requests, json

# Fetch the ATLAS matrix (adversarial ML techniques)
ATLAS_URL = "https://raw.githubusercontent.com/mitre-atlas/atlas-data/main/dist/schemas/atlas-attack-enterprise.json"
resp = requests.get(ATLAS_URL)
atlas = resp.json()

# List technique categories
for technique in atlas.get("techniques", [])[:10]:
    tid = technique.get("id", "N/A")
    name = technique.get("name", "N/A")
    print(f"  {tid}: {name}")

# --- Expected Output ---
# AML.T0000: ML Model Access
# AML.T0001: ML Attack Staging
# AML.T0002: Active Scanning
# AML.T0003: Craft Adversarial Data
# AML.T0004: Data Poisoning
# AML.T0005: Exfiltration via ML API
# AML.T0006: Model Evasion
# AML.T0007: Model Inference
# AML.T0008: Model Theft
# AML.T0009: Supply Chain Compromise
# MITRE ATLAS Navigator — export adversarial ML threat matrix
# Prerequisites: pip install mitreattack-python requests
# Docs: https://atlas.mitre.org/
import requests, json

# Fetch the ATLAS matrix (adversarial ML techniques)
ATLAS_URL = "https://raw.githubusercontent.com/mitre-atlas/atlas-data/main/dist/schemas/atlas-attack-enterprise.json"
resp = requests.get(ATLAS_URL)
atlas = resp.json()

# List technique categories
for technique in atlas.get("techniques", [])[:10]:
    tid = technique.get("id", "N/A")
    name = technique.get("name", "N/A")
    print(f"  {tid}: {name}")

# --- Expected Output ---
# AML.T0000: ML Model Access
# AML.T0001: ML Attack Staging
# AML.T0002: Active Scanning
# AML.T0003: Craft Adversarial Data
# AML.T0004: Data Poisoning
# AML.T0005: Exfiltration via ML API
# AML.T0006: Model Evasion
# AML.T0007: Model Inference
# AML.T0008: Model Theft
# AML.T0009: Supply Chain Compromise

ATLAS vs ATT&CK

ATLAS complements ATT&CK — it doesn't replace it. When pentesting AI-integrated targets, use ATT&CK for infrastructure and network technique mapping, and ATLAS for ML model-specific attack vectors. Many engagements in 2026 require both.

Getting Started Checklist

AI Client — Install Claude Desktop, VS Code with Copilot, Cursor, or Windsurf
Local LLM — Install Ollama and pull llama3.3:70b or deepseek-r1:32b
Python 3.11+ — Required for MCP SDK, LangChain, and agent frameworks
Isolated lab — VM or container network for safe testing (Kali, ParrotOS)
Security tools — nmap, nuclei, gobuster, sqlmap, ffuf, Burp Suite Community
MCP server — Clone and configure an MCP security platform (e.g., HexStrike)
Authorization — Obtain written permission before testing any target

Set up a local Ollama instance as your offline security LLM:

ollama-setup.sh

bash

# Prerequisites: curl, Docker (optional)
# Install Ollama (macOS/Linux)
curl -fsSL https://ollama.com/install.sh | sh

# Pull a security-focused model
ollama pull llama3.3:70b
ollama pull deepseek-r1:32b

# Verify the model is running
ollama list
# NAME                  ID            SIZE    MODIFIED
# llama3.3:70b          a]6b4c8df...  39 GB   2 minutes ago
# deepseek-r1:32b       f1e2d3c4...   18 GB   5 minutes ago

# Run an interactive security query
ollama run llama3.3:70b "Explain the OWASP Top 10 2025 changes"

# Start the Ollama API server (default: http://localhost:11434)
ollama serve

# Test API connectivity
curl http://localhost:11434/api/tags | jq '.models[].name'
# Prerequisites: curl, Docker (optional)
# Install Ollama (macOS/Linux)
curl -fsSL https://ollama.com/install.sh | sh

# Pull a security-focused model
ollama pull llama3.3:70b
ollama pull deepseek-r1:32b

# Verify the model is running
ollama list
# NAME                  ID            SIZE    MODIFIED
# llama3.3:70b          a]6b4c8df...  39 GB   2 minutes ago
# deepseek-r1:32b       f1e2d3c4...   18 GB   5 minutes ago

# Run an interactive security query
ollama run llama3.3:70b "Explain the OWASP Top 10 2025 changes"

# Start the Ollama API server (default: http://localhost:11434)
ollama serve

# Test API connectivity
curl http://localhost:11434/api/tags | jq '.models[].name'

Minimal MCP-aware agent using the Python SDK:

mcp_agent_example.py

python

# Prerequisites: pip install langchain openai mcp-sdk
# Example: minimal MCP-aware agent using LangChain + MCP
import asyncio
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client

async def run_security_agent():
    """Connect to an MCP security server and invoke a scan tool."""
    server_params = StdioServerParameters(
        command="npx",
        args=["-y", "@anthropic/mcp-server-security"]
    )

    async with stdio_client(server_params) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()

            # List available security tools
            tools = await session.list_tools()
            for tool in tools.tools:
                print(f"  Tool: {tool.name} — {tool.description}")

            # Call a reconnaissance tool
            result = await session.call_tool(
                "nmap_scan",
                arguments={"target": "192.168.1.0/24", "flags": "-sV --top-ports 100"}
            )
            print(result.content[0].text)

asyncio.run(run_security_agent())
# Prerequisites: pip install langchain openai mcp-sdk
# Example: minimal MCP-aware agent using LangChain + MCP
import asyncio
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client

async def run_security_agent():
    """Connect to an MCP security server and invoke a scan tool."""
    server_params = StdioServerParameters(
        command="npx",
        args=["-y", "@anthropic/mcp-server-security"]
    )

    async with stdio_client(server_params) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()

            # List available security tools
            tools = await session.list_tools()
            for tool in tools.tools:
                print(f"  Tool: {tool.name} — {tool.description}")

            # Call a reconnaissance tool
            result = await session.call_tool(
                "nmap_scan",
                arguments={"target": "192.168.1.0/24", "flags": "-sV --top-ports 100"}
            )
            print(result.content[0].text)

asyncio.run(run_security_agent())

🎯

Offensive AI Introduction Labs

Hands-on exercises to build your AI-assisted pentesting foundation.

🏠

AI Red Teaming TryHackMe easy

Prompt injection fundamentalsLLM jailbreak techniquesAI-assisted reconnaissanceEvaluating AI-generated exploits

Open Lab

📦

AI Challenge Series Hack The Box medium

ML model exploitationAI API abuseAdversarial input craftingAI-powered CTF problem solving

Open Lab

🔧

Local Ollama + MCP Lab Setup Custom Lab easy

Install Ollama and pull security-focused modelsConfigure MCP server with nmap and nuclei toolsConnect Claude Desktop to local MCP serverRun first AI-assisted scan against a lab target

Need help setting up? Check our Lab Setup Guide →

Overview HexStrike AI

Related Guides

HexStrike AI Platform

Deep dive into the HexStrike AI platform and its MCP-based toolkit.

AI Agent Workflows

Building multi-step autonomous security assessment workflows.

OSINT Techniques

Open-source intelligence collection paired with AI analysis.

Counter-Surveillance

Adversarial ML and evasion techniques against AI-powered surveillance.