AI Pentesting Copilots
AI pentesting copilots are intelligent assistants that augment human pentesters with real-time analysis, tool orchestration, automated reporting, and contextual vulnerability insights. They don't replace testers — they make them faster, more thorough, and more consistent.
How AI Copilots Work
AI copilots sit between the pentester and their toolchain. They accept natural language queries, translate them into tool invocations, analyze results, and present findings with actionable context.
AI Copilot Workflow — pentester queries flow through the AI to tools, analysis, and reports
graph LR
P["Pentester"] -->|"Query / Context"| C["AI Copilot"]
C -->|"Tool Calls"| T["Security Tools"]
T -->|"Results"| C
C -->|"Analysis"| A["Findings"]
C -->|"Commands"| CMD["Suggested Commands"]
C -->|"Reports"| R["Report Drafts"]
A --> P
CMD --> P
R --> P
Why Copilots Matter in 2025
Speed
Reduce reconnaissance-to-finding time by 60–80% with AI-assisted triage and analysis.
Coverage
AI catches patterns humans miss — subtle IDOR chains, race conditions, logic flaws in complex flows.
Consistency
Standardized finding descriptions, CVSS scoring, and remediation advice across every engagement.
Pentest Copilot (Bugcrowd)
🐛
Bugcrowd Pentest Copilot
bugcrowd.com — Commercial Platform
An AI assistant integrated directly into the Bugcrowd platform, designed to accelerate vulnerability triage, deduplication, and report quality for bug bounty and pentest programs.
Vulnerability Analysis
Automatically analyzes submitted findings, validates severity ratings, and suggests CVSS vector strings based on the vulnerability description and proof of concept.
Finding Deduplication
AI-powered deduplication identifies when new submissions overlap with existing findings, reducing triage time and preventing duplicate payouts.
Report Writing Assist
Generates professional vulnerability write-ups from minimal input — provide a title and PoC, and the AI drafts a complete finding with impact analysis and remediation steps.
Scope Analysis
Parses program scope definitions and helps researchers quickly determine whether a target or vulnerability class is in-scope before investing testing time.
Caido AI
🌐
Caido
caido.io — Modern Web Proxy + AI
A modern, lightweight web security proxy built in Rust — a next-generation alternative to Burp Suite. Caido integrates AI features for intelligent traffic analysis, parameter discovery, and smart replay directly into its core workflow.
Installation & Setup
bash
# Install Caido (Linux/macOS)
curl -sSL https://caido.io/install | bash
# Or download from https://caido.io/download
# Available for Linux, macOS, Windows, Docker
# Start Caido
caido
# Start with AI features enabled
caido --ai-assist
# Docker installation
docker pull caido/caido:latest
docker run -p 8080:8080 caido/caido:latest# Install Caido (Linux/macOS)
curl -sSL https://caido.io/install | bash
# Or download from https://caido.io/download
# Available for Linux, macOS, Windows, Docker
# Start Caido
caido
# Start with AI features enabled
caido --ai-assist
# Docker installation
docker pull caido/caido:latest
docker run -p 8080:8080 caido/caido:latestAI Configuration
yaml
# caido-config.yaml — AI assistant settings
ai:
enabled: true
provider: openai # openai | anthropic | local
model: gpt-4o
api_key: ${OPENAI_API_KEY}
features:
traffic_analysis: true # Auto-analyze proxied traffic
param_discovery: true # AI-powered parameter fuzzing
smart_replay: true # Intelligent request replaying
vuln_detection: true # Passive vulnerability hints
context_window: 128000 # Token context for analysis
temperature: 0.2 # Low temp for precise analysis# caido-config.yaml — AI assistant settings
ai:
enabled: true
provider: openai # openai | anthropic | local
model: gpt-4o
api_key: ${OPENAI_API_KEY}
features:
traffic_analysis: true # Auto-analyze proxied traffic
param_discovery: true # AI-powered parameter fuzzing
smart_replay: true # Intelligent request replaying
vuln_detection: true # Passive vulnerability hints
context_window: 128000 # Token context for analysis
temperature: 0.2 # Low temp for precise analysis🔍
Traffic Analysis
AI flags suspicious responses, auth issues, and data leaks in proxied traffic
🎯
Param Discovery
AI-powered hidden parameter detection beyond traditional wordlists
🔁
Smart Replay
Intelligently mutates requests to test for injection, auth bypass, and IDOR
BurpGPT & ReconAIzer
🔥
Burp Suite AI Extensions
BurpGPT (aress31) + ReconAIzer (hisxo)
Two complementary Burp Suite extensions that bring LLM-powered analysis directly into the most popular web application testing proxy. BurpGPT focuses on passive scanning with custom prompts, while ReconAIzer adds context-menu-driven traffic analysis.
Setup & Configuration
bash
# BurpGPT — Install via BApp Store or manual JAR
# 1. Open Burp Suite → Extensions → BApp Store
# 2. Search "BurpGPT" → Install
# 3. Or download JAR from github.com/aress31/burpgpt
# Configure in Burp → Extensions → BurpGPT → Settings
# Set provider: OpenAI / Azure OpenAI / Local (Ollama)
# Set model: gpt-4o / gpt-4o-mini / local model
# Set API key and save
# ReconAIzer — Install from BApp Store or GitHub
# 1. Burp → Extensions → Add → Select reconaizer.jar
# 2. Set OpenAI API key in extension tab
# 3. Right-click any request → "Send to ReconAIzer"
# Custom prompt template (BurpGPT)
# Analyze the following HTTP request/response pair.
# Identify: SQLi, XSS, SSRF, IDOR, auth bypass, info disclosure.
# Rate severity: Critical / High / Medium / Low / Info.
# Provide proof-of-concept payloads where applicable.# BurpGPT — Install via BApp Store or manual JAR
# 1. Open Burp Suite → Extensions → BApp Store
# 2. Search "BurpGPT" → Install
# 3. Or download JAR from github.com/aress31/burpgpt
# Configure in Burp → Extensions → BurpGPT → Settings
# Set provider: OpenAI / Azure OpenAI / Local (Ollama)
# Set model: gpt-4o / gpt-4o-mini / local model
# Set API key and save
# ReconAIzer — Install from BApp Store or GitHub
# 1. Burp → Extensions → Add → Select reconaizer.jar
# 2. Set OpenAI API key in extension tab
# 3. Right-click any request → "Send to ReconAIzer"
# Custom prompt template (BurpGPT)
# Analyze the following HTTP request/response pair.
# Identify: SQLi, XSS, SSRF, IDOR, auth bypass, info disclosure.
# Rate severity: Critical / High / Medium / Low / Info.
# Provide proof-of-concept payloads where applicable.BurpGPT Features
- • Passive scanning with GPT analysis of every proxied request
- • Custom prompt templates for specific vuln classes
- • Batch analysis of site map or proxy history
- • Export AI findings to Burp issue tracker
- • Support for OpenAI, Azure, and local models
ReconAIzer Features
- • Right-click context menu → "Analyze with AI"
- • Automatic HTTP request/response analysis
- • Payload suggestions based on detected parameters
- • Sensitive data detection in responses
- • Security misconfiguration identification
API Cost Optimization
Both extensions support GPT-4o-mini for cost-effective bulk analysis. Use GPT-4o only for complex
findings that need deeper reasoning. BurpGPT also supports local models via Ollama for zero API costs.
HackerGPT v2
💀
HackerGPT v2
chat.hackerai.co — Specialized Security GPT
A purpose-built security GPT fine-tuned specifically for ethical hacking, bug bounty hunting, and penetration testing. Unlike general-purpose LLMs, HackerGPT's training data is curated for offensive security — it understands tool syntax, vulnerability patterns, and disclosure norms.
bash
# HackerGPT v2 — chat.hackerai.co
# No installation needed — web-based interface
# Free tier: 50 messages/day, GPT-4o-mini
# Pro tier: Unlimited, GPT-4o, tool integrations
# Supported workflows:
# • Bug bounty recon assistance
# • Vulnerability report drafting
# • Payload generation & encoding
# • Tool command reference (nmap, ffuf, sqlmap, etc.)
# • CVE analysis & exploit guidance
# • OWASP Top 10 testing checklists
# Example prompt:
# "Analyze this HTTP response for IDOR vulnerabilities
# and suggest bypass techniques for the UUID-based
# access control on /api/v2/users/{id}/documents"# HackerGPT v2 — chat.hackerai.co
# No installation needed — web-based interface
# Free tier: 50 messages/day, GPT-4o-mini
# Pro tier: Unlimited, GPT-4o, tool integrations
# Supported workflows:
# • Bug bounty recon assistance
# • Vulnerability report drafting
# • Payload generation & encoding
# • Tool command reference (nmap, ffuf, sqlmap, etc.)
# • CVE analysis & exploit guidance
# • OWASP Top 10 testing checklists
# Example prompt:
# "Analyze this HTTP response for IDOR vulnerabilities
# and suggest bypass techniques for the UUID-based
# access control on /api/v2/users/{id}/documents"🎯
Bug Bounty Focus
Trained on bug bounty reports, HackerOne disclosures, and security research
📝
Report Writing
Generates professional vulnerability reports with impact and PoC sections
🆓
Free Tier
50 messages/day free — no API key, credit card, or setup required
PlexTrac AI
📊
PlexTrac
plextrac.com — AI-Assisted Pentest Reporting
A commercial pentest reporting and management platform with deep AI integration. PlexTrac's AI features automate the most time-consuming parts of engagements: writing finding descriptions, scoring risk, and generating executive summaries.
bash
# PlexTrac AI — pentest reporting platform
# Access: app.plextrac.com (commercial license)
# Key AI features:
# • WritingAssist — auto-generates finding descriptions
# • RiskScoring — AI-powered CVSS + business impact
# • Remediation — tailored fix recommendations
# • Deduplication — merges duplicate findings across engagements
# • Executive Summary — auto-generates exec summaries
# API integration for CI/CD pipelines
curl -X POST https://api.plextrac.com/v2/findings \
-H "Authorization: Bearer $PLEXTRAC_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"title": "SQL Injection in Login Form",
"severity": "critical",
"ai_enhance": true,
"auto_remediation": true
}'# PlexTrac AI — pentest reporting platform
# Access: app.plextrac.com (commercial license)
# Key AI features:
# • WritingAssist — auto-generates finding descriptions
# • RiskScoring — AI-powered CVSS + business impact
# • Remediation — tailored fix recommendations
# • Deduplication — merges duplicate findings across engagements
# • Executive Summary — auto-generates exec summaries
# API integration for CI/CD pipelines
curl -X POST https://api.plextrac.com/v2/findings \
-H "Authorization: Bearer $PLEXTRAC_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"title": "SQL Injection in Login Form",
"severity": "critical",
"ai_enhance": true,
"auto_remediation": true
}'WritingAssist
Auto-generates complete finding descriptions from minimal input. Provide a vulnerability title and basic context — AI produces description, impact, steps to reproduce, and remediation.
AI Risk Scoring
Combines CVSS base scores with business context to produce risk ratings that account for asset criticality, data sensitivity, and compensating controls.
AttackForge AI
⚔️
AttackForge
attackforge.com — AI Pentest Management
An AI-powered pentest management platform that handles the operational side of security engagements — vulnerability correlation across projects, automated report generation, intelligent finding triage, and workflow automation.
bash
# AttackForge AI — pentest management platform
# Access: attackforge.com (commercial license)
# AI-powered features:
# • Vulnerability correlation across engagements
# • Automated report generation with customizable templates
# • AI-assisted finding triage and prioritization
# • Smart workflow automation
# • Risk trend analysis across projects
# AttackForge CLI integration
af-cli finding create \
--project "Q1-2025-WebApp" \
--title "Broken Access Control" \
--severity critical \
--ai-enhance \
--auto-correlate# AttackForge AI — pentest management platform
# Access: attackforge.com (commercial license)
# AI-powered features:
# • Vulnerability correlation across engagements
# • Automated report generation with customizable templates
# • AI-assisted finding triage and prioritization
# • Smart workflow automation
# • Risk trend analysis across projects
# AttackForge CLI integration
af-cli finding create \
--project "Q1-2025-WebApp" \
--title "Broken Access Control" \
--severity critical \
--ai-enhance \
--auto-correlate🔗
Vuln Correlation
AI correlates findings across engagements to identify systemic issues
📄
Auto Reports
Generate complete pentest reports from findings with one click
🔄
Workflow AI
Smart task assignment and progress tracking across team members
Building Custom AI Copilots
Commercial copilots are powerful, but building your own gives you full control over tool integration, prompt engineering, and data privacy. Below are three approaches ranging from cloud to fully local.
Authorization Required
Custom AI copilots that execute security tools must only be used against targets you have explicit
written authorization to test. Always verify scope before running automated scans.
Approach 1: Claude with MCP Tools
The Model Context Protocol (MCP) lets Claude Desktop or VS Code Copilot directly invoke security tools. See the HexStrike AI guide for a full MCP server with 150+ tools.
json
# Claude with MCP Tools — leveraging HexStrike or custom MCP servers
# See: /offensive-ai/02-hexstrike/ for full MCP setup
# claude_desktop_config.json
{
"mcpServers": {
"security-copilot": {
"command": "python3",
"args": ["./mcp_security_server.py"],
"env": {
"NMAP_PATH": "/usr/bin/nmap",
"NUCLEI_PATH": "/usr/bin/nuclei",
"WORDLISTS": "/usr/share/seclists"
}
}
}
}
# With MCP, Claude can directly:
# • Run nmap/nuclei/ffuf scans
# • Parse and correlate results
# • Generate findings with CVSS scores
# • Write complete pentest reports
# • Chain tools in multi-step workflows# Claude with MCP Tools — leveraging HexStrike or custom MCP servers
# See: /offensive-ai/02-hexstrike/ for full MCP setup
# claude_desktop_config.json
{
"mcpServers": {
"security-copilot": {
"command": "python3",
"args": ["./mcp_security_server.py"],
"env": {
"NMAP_PATH": "/usr/bin/nmap",
"NUCLEI_PATH": "/usr/bin/nuclei",
"WORDLISTS": "/usr/share/seclists"
}
}
}
}
# With MCP, Claude can directly:
# • Run nmap/nuclei/ffuf scans
# • Parse and correlate results
# • Generate findings with CVSS scores
# • Write complete pentest reports
# • Chain tools in multi-step workflowsApproach 2: GPT-4o with Function Calling
OpenAI's function calling API lets you define security tools as typed functions that the model can invoke in a loop — building an autonomous pentest pipeline with human oversight.
python
#!/usr/bin/env python3
"""AI Security Copilot — Custom implementation using OpenAI function calling."""
import json
import subprocess
import openai
client = openai.OpenAI() # Uses OPENAI_API_KEY env var
# Define security tools the AI can invoke
TOOLS = [
{
"type": "function",
"function": {
"name": "nmap_scan",
"description": "Run an Nmap scan against a target host or network",
"parameters": {
"type": "object",
"properties": {
"target": {"type": "string", "description": "Target IP or hostname"},
"scan_type": {
"type": "string",
"enum": ["-sV", "-sC", "-sS", "-A", "-O"],
"description": "Nmap scan type flag"
},
"ports": {"type": "string", "description": "Port range, e.g. 1-1000"}
},
"required": ["target"]
}
}
},
{
"type": "function",
"function": {
"name": "nuclei_scan",
"description": "Run Nuclei vulnerability scanner with templates",
"parameters": {
"type": "object",
"properties": {
"target": {"type": "string", "description": "Target URL"},
"templates": {
"type": "string",
"description": "Template tags: cves,misconfig,exposures,takeovers"
},
"severity": {
"type": "string",
"enum": ["info", "low", "medium", "high", "critical"],
"description": "Minimum severity filter"
}
},
"required": ["target"]
}
}
},
{
"type": "function",
"function": {
"name": "ffuf_fuzz",
"description": "Run ffuf directory/parameter fuzzing",
"parameters": {
"type": "object",
"properties": {
"url": {"type": "string", "description": "Target URL with FUZZ keyword"},
"wordlist": {"type": "string", "description": "Path to wordlist"},
"method": {"type": "string", "enum": ["GET", "POST"], "default": "GET"}
},
"required": ["url"]
}
}
},
{
"type": "function",
"function": {
"name": "analyze_response",
"description": "Analyze an HTTP response for security issues",
"parameters": {
"type": "object",
"properties": {
"url": {"type": "string", "description": "URL to fetch and analyze"},
"check_headers": {"type": "boolean", "default": True},
"check_cookies": {"type": "boolean", "default": True}
},
"required": ["url"]
}
}
}
]
def execute_tool(name: str, args: dict) -> str:
"""Execute a security tool and return output."""
if name == "nmap_scan":
cmd = ["nmap", args.get("scan_type", "-sV")]
if "ports" in args:
cmd += ["-p", args["ports"]]
cmd.append(args["target"])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
return result.stdout
elif name == "nuclei_scan":
cmd = ["nuclei", "-u", args["target"], "-silent"]
if "templates" in args:
cmd += ["-tags", args["templates"]]
if "severity" in args:
cmd += ["-severity", args["severity"]]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
return result.stdout
elif name == "ffuf_fuzz":
wordlist = args.get("wordlist", "/usr/share/seclists/Discovery/Web-Content/common.txt")
cmd = ["ffuf", "-u", args["url"], "-w", wordlist, "-mc", "200,301,302,403"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout
elif name == "analyze_response":
import requests
resp = requests.get(args["url"], verify=False, timeout=10)
analysis = f"Status: {resp.status_code}\nHeaders:\n"
security_headers = [
"Content-Security-Policy", "X-Frame-Options",
"X-Content-Type-Options", "Strict-Transport-Security",
"X-XSS-Protection", "Referrer-Policy"
]
for h in security_headers:
val = resp.headers.get(h, "MISSING")
analysis += f" {h}: {val}\n"
return analysis
return f"Unknown tool: {name}"
def run_copilot(user_message: str, target_context: str = "") -> None:
"""Run the AI security copilot with tool-calling loop."""
system_prompt = """You are an expert penetration tester AI copilot.
You have access to security tools: nmap, nuclei, ffuf, and HTTP analysis.
Plan your approach methodically:
1. Enumerate the attack surface
2. Identify potential vulnerabilities
3. Validate findings with targeted scans
4. Provide actionable findings with severity ratings
Always explain your reasoning before executing tools."""
messages = [
{"role": "system", "content": system_prompt},
{"role": "user", "content": f"Target context: {target_context}\n\n{user_message}"}
]
while True:
response = client.chat.completions.create(
model="gpt-4o",
messages=messages,
tools=TOOLS,
tool_choice="auto"
)
msg = response.choices[0].message
messages.append(msg)
if msg.tool_calls:
for tc in msg.tool_calls:
args = json.loads(tc.function.arguments)
print(f"[*] Executing: {tc.function.name}({args})")
result = execute_tool(tc.function.name, args)
messages.append({
"role": "tool",
"tool_call_id": tc.id,
"content": result[:8000] # Truncate large outputs
})
else:
print(msg.content)
break
if __name__ == "__main__":
run_copilot(
"Perform a security assessment of the target web application.",
target_context="Target: 10.10.10.50, Scope: *.target.htb, Auth: unauthenticated"
)#!/usr/bin/env python3
"""AI Security Copilot — Custom implementation using OpenAI function calling."""
import json
import subprocess
import openai
client = openai.OpenAI() # Uses OPENAI_API_KEY env var
# Define security tools the AI can invoke
TOOLS = [
{
"type": "function",
"function": {
"name": "nmap_scan",
"description": "Run an Nmap scan against a target host or network",
"parameters": {
"type": "object",
"properties": {
"target": {"type": "string", "description": "Target IP or hostname"},
"scan_type": {
"type": "string",
"enum": ["-sV", "-sC", "-sS", "-A", "-O"],
"description": "Nmap scan type flag"
},
"ports": {"type": "string", "description": "Port range, e.g. 1-1000"}
},
"required": ["target"]
}
}
},
{
"type": "function",
"function": {
"name": "nuclei_scan",
"description": "Run Nuclei vulnerability scanner with templates",
"parameters": {
"type": "object",
"properties": {
"target": {"type": "string", "description": "Target URL"},
"templates": {
"type": "string",
"description": "Template tags: cves,misconfig,exposures,takeovers"
},
"severity": {
"type": "string",
"enum": ["info", "low", "medium", "high", "critical"],
"description": "Minimum severity filter"
}
},
"required": ["target"]
}
}
},
{
"type": "function",
"function": {
"name": "ffuf_fuzz",
"description": "Run ffuf directory/parameter fuzzing",
"parameters": {
"type": "object",
"properties": {
"url": {"type": "string", "description": "Target URL with FUZZ keyword"},
"wordlist": {"type": "string", "description": "Path to wordlist"},
"method": {"type": "string", "enum": ["GET", "POST"], "default": "GET"}
},
"required": ["url"]
}
}
},
{
"type": "function",
"function": {
"name": "analyze_response",
"description": "Analyze an HTTP response for security issues",
"parameters": {
"type": "object",
"properties": {
"url": {"type": "string", "description": "URL to fetch and analyze"},
"check_headers": {"type": "boolean", "default": True},
"check_cookies": {"type": "boolean", "default": True}
},
"required": ["url"]
}
}
}
]
def execute_tool(name: str, args: dict) -> str:
"""Execute a security tool and return output."""
if name == "nmap_scan":
cmd = ["nmap", args.get("scan_type", "-sV")]
if "ports" in args:
cmd += ["-p", args["ports"]]
cmd.append(args["target"])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
return result.stdout
elif name == "nuclei_scan":
cmd = ["nuclei", "-u", args["target"], "-silent"]
if "templates" in args:
cmd += ["-tags", args["templates"]]
if "severity" in args:
cmd += ["-severity", args["severity"]]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
return result.stdout
elif name == "ffuf_fuzz":
wordlist = args.get("wordlist", "/usr/share/seclists/Discovery/Web-Content/common.txt")
cmd = ["ffuf", "-u", args["url"], "-w", wordlist, "-mc", "200,301,302,403"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout
elif name == "analyze_response":
import requests
resp = requests.get(args["url"], verify=False, timeout=10)
analysis = f"Status: {resp.status_code}\nHeaders:\n"
security_headers = [
"Content-Security-Policy", "X-Frame-Options",
"X-Content-Type-Options", "Strict-Transport-Security",
"X-XSS-Protection", "Referrer-Policy"
]
for h in security_headers:
val = resp.headers.get(h, "MISSING")
analysis += f" {h}: {val}\n"
return analysis
return f"Unknown tool: {name}"
def run_copilot(user_message: str, target_context: str = "") -> None:
"""Run the AI security copilot with tool-calling loop."""
system_prompt = """You are an expert penetration tester AI copilot.
You have access to security tools: nmap, nuclei, ffuf, and HTTP analysis.
Plan your approach methodically:
1. Enumerate the attack surface
2. Identify potential vulnerabilities
3. Validate findings with targeted scans
4. Provide actionable findings with severity ratings
Always explain your reasoning before executing tools."""
messages = [
{"role": "system", "content": system_prompt},
{"role": "user", "content": f"Target context: {target_context}\n\n{user_message}"}
]
while True:
response = client.chat.completions.create(
model="gpt-4o",
messages=messages,
tools=TOOLS,
tool_choice="auto"
)
msg = response.choices[0].message
messages.append(msg)
if msg.tool_calls:
for tc in msg.tool_calls:
args = json.loads(tc.function.arguments)
print(f"[*] Executing: {tc.function.name}({args})")
result = execute_tool(tc.function.name, args)
messages.append({
"role": "tool",
"tool_call_id": tc.id,
"content": result[:8000] # Truncate large outputs
})
else:
print(msg.content)
break
if __name__ == "__main__":
run_copilot(
"Perform a security assessment of the target web application.",
target_context="Target: 10.10.10.50, Scope: *.target.htb, Auth: unauthenticated"
)Approach 3: Local Models with Ollama
For air-gapped environments or data-sensitive engagements, run a fully local copilot using Ollama. No API keys, no data exfiltration risk, no cloud dependency.
python
#!/usr/bin/env python3
"""Local AI Security Copilot using Ollama — no API keys needed."""
import json
import subprocess
import requests
OLLAMA_URL = "http://localhost:11434/api/chat"
MODEL = "llama3.1:70b" # Or mixtral, codestral, etc.
def chat_with_tools(messages: list) -> dict:
"""Send messages to local Ollama model."""
resp = requests.post(OLLAMA_URL, json={
"model": MODEL,
"messages": messages,
"stream": False,
"options": {"temperature": 0.1, "num_ctx": 32768}
})
return resp.json()["message"]
def security_copilot(query: str) -> None:
"""Offline security copilot — runs entirely on local hardware."""
system = """You are a penetration testing assistant running locally.
Analyze security findings, suggest next steps, and help write reports.
You have no internet access — focus on analysis and methodology."""
messages = [
{"role": "system", "content": system},
{"role": "user", "content": query}
]
response = chat_with_tools(messages)
print(response["content"])
# Usage:
# security_copilot("Analyze these nmap results and suggest attack vectors: ...")#!/usr/bin/env python3
"""Local AI Security Copilot using Ollama — no API keys needed."""
import json
import subprocess
import requests
OLLAMA_URL = "http://localhost:11434/api/chat"
MODEL = "llama3.1:70b" # Or mixtral, codestral, etc.
def chat_with_tools(messages: list) -> dict:
"""Send messages to local Ollama model."""
resp = requests.post(OLLAMA_URL, json={
"model": MODEL,
"messages": messages,
"stream": False,
"options": {"temperature": 0.1, "num_ctx": 32768}
})
return resp.json()["message"]
def security_copilot(query: str) -> None:
"""Offline security copilot — runs entirely on local hardware."""
system = """You are a penetration testing assistant running locally.
Analyze security findings, suggest next steps, and help write reports.
You have no internet access — focus on analysis and methodology."""
messages = [
{"role": "system", "content": system},
{"role": "user", "content": query}
]
response = chat_with_tools(messages)
print(response["content"])
# Usage:
# security_copilot("Analyze these nmap results and suggest attack vectors: ...")Copilot Comparison
| Tool | Type | Best For | AI Model | Cost | Open Source? |
|---|---|---|---|---|---|
| Pentest Copilot | Platform | Bug bounty triage | Proprietary | Bugcrowd subscription | No |
| Caido AI | Web Proxy | Web app testing | OpenAI / Anthropic | Free + Pro tiers | Partial (core) |
| BurpGPT | Burp Extension | Passive scanning | GPT-4o / Local | API costs | Yes |
| ReconAIzer | Burp Extension | Traffic analysis | GPT-4o | API costs | Yes |
| HackerGPT v2 | Web App | Bug bounty, learning | Fine-tuned GPT | Free + Pro | No |
| PlexTrac AI | Reporting Platform | Report automation | Proprietary | Commercial license | No |
| AttackForge AI | Management Platform | Pentest ops | Proprietary | Commercial license | No |
| Custom (GPT-4o) | DIY Script | Full control | Any (OpenAI, Claude) | API costs | Your code |
| Custom (Ollama) | DIY Local | Air-gapped / private | Llama 3.1, Mixtral | Free (hardware) | Yes |
Best Practices
✅ Do
- • Verify AI findings manually — false positives are common
- • Use low temperature (0.1–0.3) for tool-calling copilots
- • Truncate large tool outputs to stay within context limits
- • Log all AI-initiated tool executions for audit trails
- • Start with read-only analysis before enabling active scanning
❌ Don't
- • Blindly trust AI severity ratings without validation
- • Send client data to cloud AI without contract approval
- • Let AI copilots run unattended against production systems
- • Use AI-generated PoCs without understanding them first
- • Skip scope verification because "the AI said it was fine"
Data Privacy
When using cloud-based AI copilots (OpenAI, Anthropic, Bugcrowd), be aware that HTTP traffic,
scan results, and finding details are sent to third-party APIs. For sensitive engagements, use
local models (Ollama) or ensure your AI provider has a BAA / DPA in place.
Lab Exercises
🎯
Practice Labs
Related Topics
HexStrike AI
MCP-powered cybersecurity automation with 150+ tools.
Autonomous Agent Frameworks
Self-directed AI agents for offensive security operations.
Prompt Engineering for Hackers
Crafting effective prompts for security AI tools.
AI-Powered Code Review
Using AI to find vulnerabilities in source code.