🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?
Claim this page →
pentagi
Fully autonomous AI Agents system capable of performing complex penetration testing tasks
git clone https://github.com/vxcontrol/pentagi
PentAGI
Join the Community! Connect with security researchers, AI enthusiasts, and fellow ethical hackers. Get support, share insights, and stay updated with the latest PentAGI developments.
⠀
Overview
PentAGI is an innovative tool for automated security testing that leverages cutting-edge artificial intelligence technologies. The project is designed for information security professionals, researchers, and enthusiasts who need a powerful and flexible solution for conducting penetration tests.
You can watch the video PentAGI overview:
Features
- Secure & Isolated. All operations are performed in a sandboxed Docker environment with complete isolation.
- Fully Autonomous. AI-powered agent that automatically determines and executes penetration testing steps with optional execution monitoring and intelligent task planning for enhanced reliability.
- Professional Pentesting Tools. Built-in suite of 20+ professional security tools including nmap, metasploit, sqlmap, and more.
- Smart Memory System. Long-term storage of research results and successful approaches for future use.
- Knowledge Graph Integration. Graphiti-powered knowledge graph using Neo4j for semantic relationship tracking and advanced context understanding.
- Web Intelligence. Built-in browser via scraper for gathering latest information from web sources.
- External Search Systems. Integration with advanced search APIs including Tavily, Traversaal, Perplexity, DuckDuckGo, Google Custom Search, Sploitus Search and Searxng for comprehensive information gathering.
- Team of Specialists. Delegation system with specialized AI agents for research, development, and infrastructure tasks, enhanced with optional execution monitoring and intelligent task planning for optimal performance with smaller models.
- Comprehensive Monitoring. Detailed logging and integration with Grafana/Prometheus for real-time system observation.
- Detailed Reporting. Generation of thorough vulnerability reports with exploitation guides.
- Smart Container Management. Automatic Docker image selection based on specific task requirements.
- Modern Interface. Clean and intuitive web UI for system management and monitoring.
- Comprehensive APIs. Full-featured REST and GraphQL APIs with Bearer token authentication for automation and integration.
- Persistent Storage. All commands and outputs are stored in PostgreSQL with pgvector extension.
- Scalable Architecture. Microservices-based design supporting horizontal scaling.
- Self-Hosted Solution. Complete control over your deployment and data.
- Flexible Authentication. Support for 10+ LLM providers (OpenAI, Anthropic, Google AI/Gemini, AWS Bedrock, Ollama, DeepSeek, GLM, Kimi, Qwen, Custom) plus aggregators (OpenRouter, DeepInfra). For production local deployments, see our vLLM + Qwen3.5-27B-FP8 guide.
- API Token Authentication. Secure Bearer token system for programmatic access to REST and GraphQL APIs.
- Quick Deployment. Easy setup through Docker Compose with comprehensive environment configuration.
Current Capability Boundaries
- PentAGI today is an autonomous and assistant-guided penetration testing platform, not a CALDERA-style Breach and Attack Simulation (BAS) or adversary emulation product with predefined campaigns or attack plans.
- BAS-like agent-authored attack scripts should be treated as conceptual or future work, not as a feature that is implemented today.
- The current flow report UI supports web view, copy to clipboard, Markdown download, and PDF download. JSON flow-report export is not documented as a supported output format today.
- Provider flexibility is available today through built-in providers and custom/OpenAI-compatible endpoints. See Custom LLM Provider Configuration and the vLLM + Qwen3.5-27B-FP8 guide.
Architecture
System Context
flowchart TB
classDef person fill:#08427B,stroke:#073B6F,color:#fff
classDef system fill:#1168BD,stroke:#0B4884,color:#fff
classDef external fill:#666666,stroke:#0B4884,color:#fff
pentester["👤 Security Engineer
(User of the system)"]
pentagi["✨ PentAGI
(Autonomous penetration testing system)"]
target["🎯 target-system
(System under test)"]
llm["🧠 llm-provider
(OpenAI/Anthropic/Ollama/Bedrock/Gemini/Custom)"]
search["🔍 search-systems
(Google/DuckDuckGo/Tavily/Traversaal/Perplexity/Sploitus/Searxng)"]
langfuse["📊 langfuse-ui
(LLM Observability Dashboard)"]
grafana["📈 grafana
(System Monitoring Dashboard)"]
pentester --> |Uses HTTPS| pentagi
pentester --> |Monitors AI HTTPS| langfuse
pentester --> |Monitors System HTTPS| grafana
pentagi --> |Tests Various protocols| target
pentagi --> |Queries HTTPS| llm
pentagi --> |Searches HTTPS| search
pentagi --> |Reports HTTPS| langfuse
pentagi --> |Reports HTTPS| grafana
class pentester person
class pentagi system
class target,llm,search,langfuse,grafana external
linkStyle default stroke:#ffffff,color:#ffffff
Container Architecture (click to expand)
graph TB
subgraph Core Services
UI[Frontend UI<br/>React + TypeScript]
API[Backend API<br/>Go + GraphQL]
DB[(Vector Store<br/>PostgreSQL + pgvector)]
MQ[Task Queue<br/>Async Processing]
Agent[AI Agents<br/>Multi-Agent System]
end
subgraph Knowledge Graph
Graphiti[Graphiti<br/>Knowledge Graph API]
Neo4j[(Neo4j<br/>Graph Database)]
end
subgraph Monitoring
Grafana[Grafana<br/>Dashboards]
VictoriaMetrics[VictoriaMetrics<br/>Time-series DB]
Jaeger[Jaeger<br/>Distributed Tracing]
Loki[Loki<br/>Log Aggregation]
OTEL[OpenTelemetry<br/>Data Collection]
end
subgraph Analytics
Langfuse[Langfuse<br/>LLM Analytics]
ClickHouse[ClickHouse<br/>Analytics DB]
Redis[Redis<br/>Cache + Rate Limiter]
MinIO[MinIO<br/>S3 Storage]
end
subgraph Security Tools
Scraper[Web Scraper<br/>Isolated Browser]
PenTest[Security Tools<br/>20+ Pro Tools<br/>Sandboxed Execution]
end
UI --> |HTTP/WS| API
API --> |SQL| DB
API --> |Events| MQ
MQ --> |Tasks| Agent
Agent --> |Commands| PenTest
Agent --> |Queries| DB
Agent --> |Knowledge| Graphiti
Graphiti --> |Graph| Neo4j
API --> |Telemetry| OTEL
OTEL --> |Metrics| VictoriaMetrics
OTEL --> |Traces| Jaeger
OTEL --> |Logs| Loki
Grafana --> |Query| VictoriaMetrics
Grafana --> |Query| Jaeger
Grafana --> |Query| Loki
API --> |Analytics| Langfuse
Langfuse --> |Store| ClickHouse
Langfuse --> |Cache| Redis
Langfuse --> |Files| MinIO
classDef core fill:#f9f,stroke:#333,stroke-width:2px,color:#000
classDef knowledge fill:#ffa,stroke:#333,stroke-width:2px,color:#000
classDef monitoring fill:#bbf,stroke:#333,stroke-width:2px,color:#000
classDef analytics fill:#bfb,stroke:#333,stroke-width:2px,color:#000
classDef tools fill:#fbb,stroke:#333,stroke-width:2px,color:#000
class UI,API,DB,MQ,Agent core
class Graphiti,Neo4j knowledge
class Grafana,VictoriaMetrics,Jaeger,Loki,OTEL monitoring
class Langfuse,ClickHouse,Redis,MinIO analytics
class Scraper,PenTest tools
Entity Relationship (click to expand)
erDiagram
Flow ||--o{ Task : contains
Task ||--o{ SubTask : contains
SubTask ||--o{ Action : contains
Action ||--o{ Artifact : produces
Action ||--o{ Memory : stores
Flow {
string id PK
string name "Flow name"
string description "Flow description"
string status "active/completed/failed"
json parameters "Flow parameters"
timestamp created_at
timestamp updated_at
}
Task {
string id PK
string flow_id FK
string name "Task name"
string description "Task description"
string status "pending/running/done/failed"
json result "Task results"
timestamp created_at
timestamp updated_at
}
SubTask {
string id PK
string task_id FK
string name "Subtask name"
string description "Subtask description"
string status "queued/running/completed/failed"
string agent_type "researcher/developer/executor"
json context "Agent context"
timestamp created_at
timestamp updated_at
}
Action {
string id PK
string subtask_id FK
string type "command/search/analyze/etc"
string status "success/failure"
json parameters "Action parameters"
json result "Action results"
timestamp created_at
}
Artifact {
string id PK
string action_id FK
string type "file/report/log"
string path "Storage path"
json metadata "Additional info"
timestamp created_at
}
Memory {
string id PK
string action_id FK
string type "observation/conclusion"
vector embedding "Vector representation"
text content "Memory content"
timestamp created_at
}
Agent Interaction (click to expand)
sequenceDiagram
participant O as Orchestrator
participant R as Researcher
participant D as Developer
participant E as Executor
participant VS as Vector Store
participant KB as Knowledge Base
Note over O,KB: Flow Initialization
O->>VS: Query similar tasks
VS-->>O: Return experiences
O->>KB: Load relevant knowledge
KB-->>O: Return context
Note over O,R: Research Phase
O->>R: Analyze target
R->>VS: Search similar cases
VS-->>R: Return patterns
R->>KB: Query vulnerabilities
KB-->>R: Return known issues
R->>VS: Store findings
R-->>O: Research results
Note over O,D: Planning Phase
O->>D: Plan attack
D->>VS: Query exploits
VS-->>D: Return techniques
D->>KB: Load tools info
KB-->>D: Return capabilities
D-->>O: Attack plan
Note over O,E: Execution Phase
O->>E: Execute plan
E->>KB: Load tool guides
KB-->>E: Return procedures
E->>VS: Store results
E-->>O: Execution status
Memory System (click to expand)
graph TB
subgraph "Long-term Memory"
VS[(Vector Store<br/>Embeddings DB)]
KB[Knowledge Base<br/>Domain Expertise]
Tools[Tools Knowledge<br/>Usage Patterns]
end
subgraph "Working Memory"
Context[Current Context<br/>Task State]
Goals[Active Goals<br/>Objectives]
State[System State<br/>Resources]
end
subgraph "Episodic Memory"
Actions[Past Actions<br/>Commands History]
Results[Action Results<br/>Outcomes]
Patterns[Success Patterns<br/>Best Practices]
end
Context --> |Query| VS
VS --> |Retrieve| Context
Goals --> |Consult| KB
KB --> |Guide| Goals
State --> |Record| Actions
Actions --> |Learn| Patterns
Patterns --> |Store| VS
Tools --> |Inform| State
Results --> |Update| Tools
VS --> |Enhance| KB
KB --> |Index| VS
classDef ltm fill:#f9f,stroke:#333,stroke-width:2px,color:#000
classDef wm fill:#bbf,stroke:#333,stroke-width:2px,color:#000
classDef em fill:#bfb,stroke:#333,stroke-width:2px,color:#000
class VS,KB,Tools ltm
class Context,Goals,State wm
class Actions,Results,Patterns em
Chain Summarization (click to expand)
The chain summarization system manages conversation context growth by selectively summarizing older messages. This is critical for preventing token limits from being exceeded while maintaining conversation coherence.
flowchart TD
A[Input Chain] --> B{Needs Summarization?}
B -->|No| C[Return Original Chain]
B -->|Yes| D[Convert to ChainAST]
D --> E[Apply Section Summarization]
E --> F[Process Oversized Pairs]
F --> G[Manage Last Section Size]
G --> H[Apply QA Summarization]
H --> I[Rebuild Chain with Summaries]
I --> J{Is New Chain Smaller?}
J -->|Yes| K[Return Optimized Chain]
J -->|No| C
classDef process fill:#bbf,stroke:#333,stroke-width:2px,color:#000
classDef decision fill:#bfb,stroke:#333,stroke-width:2px,color:#000
classDef output fill:#fbb,stroke:#333,stroke-width:2px,color:#000
class A,D,E,F,G,H,I process
class B,J decision
class C,K output
The algorithm operates on a structured representation of conversation chains (ChainAST) that preserves message types including tool calls and their responses. All summarization operations maintain critical conversation flow while reducing context size.
Global Summarizer Configuration Options
| Parameter | Environment Variable | Default | Description |
|---|---|---|---|
| Preserve Last | SUMMARIZER_PRESERVE_LAST | true | Whether to keep all messages in the last section intact |
| Use QA Pairs | SUMMARIZER_USE_QA | true | Whether to use QA pair summarization strategy |
| Summarize Human in QA | SUMMARIZER_SUM_MSG_HUMAN_IN_QA | false | Whether to summarize human messages in QA pairs |
| Last Section Size | SUMMARIZER_LAST_SEC_BYTES | 51200 | Maximum byte size for last section (50KB) |
| Max Body Pair Size | SUMMARIZER_MAX_BP_BYTES | 16384 | Maximum byte size for a single body pair (16KB) |
| Max QA Sections | SUMMARIZER_MAX_QA_SECTIONS | 10 | Maximum QA pair sections to preserve |
| Max QA Size | SUMMARIZER_MAX_QA_BYTES | 65536 | Maximum byte size for QA pair sections (64KB) |
| Keep QA Sections | SUMMARIZER_KEEP_QA_SECTIONS | 1 | Number of recent QA sections to keep without summarization |
Assistant Summarizer Configuration Options
Assistant instances can use customized summarization settings to fine-tune context management behavior:
| Parameter | Environment Variable | Default | Description |
|---|---|---|---|
| Preserve Last | ASSISTANT_SUMMARIZER_PRESERVE_LAST | true | Whether to preserve all messages in the assistant's last section |
| Last Section Size | ASSISTANT_SUMMARIZER_LAST_SEC_BYTES | 76800 | Maximum byte size for assistant's last section (75KB) |
| Max Body Pair Size | ASSISTANT_SUMMARIZER_MAX_BP_BYTES | 16384 | Maximum byte size for a single body pair in assistant context (16KB) |
| Max QA Sections | ASSISTANT_SUMMARIZER_MAX_QA_SECTIONS | 7 | Maximum QA sections to preserve in assistant context |
| Max QA Size | ASSISTANT_SUMMARIZER_MAX_QA_BYTES | 76800 | Maximum byte size for assistant's QA sections (75KB) |
| Keep QA Sections | ASSISTANT_SUMMARIZER_KEEP_QA_SECTIONS | 3 | Number of recent QA sections to preserve without summarization |
The assistant summarizer configuration provides more memory for context retention compared to the global settings, preserving more recent conversation history while still ensuring efficient token usage.
Summarizer Environment Configuration
# Default values for global summarizer logic
SUMMARIZER_PRESERVE_LAST=true
SUMMARIZER_USE_QA=true
SUMMARIZER_SUM_MSG_HUMAN_IN_QA=false
SUMMARIZER_LAST_SEC_BYTES=51200
SUMMARIZER_MAX_BP_BYTES=16384
SUMMARIZER_MAX_QA_SECTIONS=10
SUMMARIZER_MAX_QA_BYTES=65536
SUMMARIZER_KEEP_QA_SECTIONS=1
# Default values for assistant summarizer logic
ASSISTANT_SUMMARIZER_PRESERVE_LAST=true
ASSISTANT_SUMMARIZER_LAST_SEC_BYTES=76800
ASSISTANT_SUMMARIZER_MAX_BP_BYTES=16384
ASSISTANT_SUMMARIZER_MAX_QA_SECTIONS=7
ASSISTANT_SUMMARIZER_MAX_QA_BYTES=76800
ASSISTANT_SUMMARIZER_KEEP_QA_SECTIONS=3
Advanced Agent Supervision (click to expand)
PentAGI includes sophisticated multi-layered agent supervision mechanisms to ensure efficient task execution, prevent infinite loops, and provide intelligent recovery from stuck states:
Execution Monitoring (Beta)
- Automatic Mentor Intervention: Adviser agent (mentor) is automatically invoked when execution patterns indicate potential issues
- Pattern Detection: Monitors identical tool calls (threshold: 5, configurable) and total tool calls (threshold: 10, configurable)
- Progress Analysis: Evaluates whether agent advances toward subtask objective, detects loops and inefficiencies
- Alternative Strategies: Recommends different approaches when current strategy fails
- Information Retrieval Guidance: Suggests searching for established solutions instead of reinventing
- Enhanced Response Format: Tool responses include both
<original_result>and<mentor_analysis>sections - Configurable: Enable via
EXECUTION_MONITOR_ENABLED(default: false), customize thresholds withEXECUTION_MONITOR_SAME_TOOL_LIMITandEXECUTION_MONITOR_TOTAL_TOOL_LIMIT
Best for: Smaller models (< 32B parameters), complex attack scenarios requiring continuous guidance, preventing agents from getting stuck on single approach
Performance Impact: 2-3x increase in execution time and token usage, but delivers 2x improvement in result quality based on testing with Qwen3.5-27B-FP8
Intelligent Task Planning (Beta)
- Automated Decomposition: Planner (adviser in planning mode) generates 3-7 specific, actionable steps before specialist agents begin work
- Context-Aware Plans: Analyzes full execution context via enricher agent to create informed plans
- Structured Assignment: Original request wrapped in
<task_assignment>structure with execution plan and instructions - Scope Management: Prevents scope creep by keeping agents focused on current subtask only
- Enriched Instructions: Plans highlight critical actions, potential pitfalls, and verification points
- Configurable: Enable via
AGENT_PLANNING_STEP_ENABLED(default: false)
Best for: Models < 32B parameters, complex penetration testing workflows, improving success rates on sophisticated tasks
Enhanced Adviser Configuration: Works exceptionally well when adviser agent uses stronger model or enhanced settings. Example: using same base model with maximum reasoning mode for adviser (see vllm-qwen3.5-27b-fp8.provider.yml) enables comprehensive task analysis and strategic planning from identical model architecture.
Performance Impact: Adds planning overhead but significantly improves completion rates and reduces redundant work
Tool Call Limits (Always Active)
- Hard Limits: Prevent runaway executions regardless of supervision mode status
- Differentiated by Agent Type:
- General agents (Assistant, Primary Agent, Pentester, Coder, Installer):
MAX_GENERAL_AGENT_TOOL_CALLS(default: 100) - Limited agents (Searcher, Enricher, Memorist, Generator, Reporter, Adviser, Reflector, Planner):
MAX_LIMITED_AGENT_TOOL_CALLS(default: 20)
- General agents (Assistant, Primary Agent, Pentester, Coder, Installer):
- Graceful Termination: Reflector guides agents to proper completion when approaching limits
- Resource Protection: Ensures system stability and prevents resource exhaustion
Reflector Integration (Always Active)
- Automatic Correction: Invoked when LLM fails to generate tool calls after 3 attempts
- Strategic Guidance: Analyzes failures and guides agents toward proper tool usage or barrier tools (
done,ask) - Recovery Mechanism: Provides contextual guidance based on specific failure patterns
- Limit Enforcement: Coordinates graceful termination when tool call limits are reached
Recommendations for Open Source Models
Must-Have for Models < 32B Parameters: Testing with Qwen3.5-27B-FP8 demonstrates that enabling both Execution Monitoring and Task Planning is essential for smaller open source models:
- Quality Improvement: 2x better results compared to baseline execution without supervision
- Loop Prevention: Significantly reduces infinite loops and redundant work
- Attack Diversity: Encourages exploration of multiple attack vectors instead of fixating on single approach
- Air-Gapped Deployments: Enables production-grade autonomous pentesting in closed network environments with local LLM inference
Trade-offs:
- Token consumption: 2-3x increase due to mentor/planner invocations
- Execution time: 2-3x longer due to analysis and planning steps
- Result quality: 2x improvement in completeness, accuracy, and attack coverage
- Model requirements: Works best when adviser uses enhanced configuration (higher reasoning parameters, stronger model variant, or different model)
Configuration Strategy: For optimal performance with smaller models, configure adviser agent with enhanced settings:
- Use same model with maximum reasoning mode (example:
vllm-qwen3.5-27b-fp8.provider.yml) - Or use stronger model for adviser while keeping base model for other agents
- Adjust monitoring thresholds based on task complexity and model capabilities
The architecture of PentAGI is designed to be modular, scalable, and secure. Here are the key components:
-
Core Services
- Frontend UI: React-based web interface with TypeScript for type safety
- Backend API: Go-based REST and GraphQL APIs with Bearer token authentication for programmatic access
- Vector Store: PostgreSQL with pgvector for semantic search and memory storage
- Task Queue: Async task processing system for reliable operation
- AI Agent: Multi-agent system with specialized roles for efficient testing
-
Knowledge Graph
- Graphiti: Knowledge graph API for semantic relationship tracking and contextual understanding
- Neo4j: Graph database for storing and querying relationships between entities, actions, and outcomes
- Automatic capturing of agent responses and tool executions for building comprehensive knowledge base
-
Monitoring Stack
- OpenTelemetry: Unified observability data collection and correlation
- Grafana: Real-time visualization and alerting dashboards
- VictoriaMetrics: High-performance time-series metrics storage
- Jaeger: End-to-end distributed tracing for debugging
- Loki: Scalable log aggregation and analysis
-
Analytics Platform
- Langfuse: Advanced LLM observability and performance analytics
- ClickHouse: Column-oriented analytics data warehouse
- Redis: High-speed caching and rate limiting
- MinIO: S3-compatible object storage for artifacts
-
Security Tools
- Web Scraper: Isolated browser environment for safe web interaction
- Pentesting Tools: Comprehensive suite of 20+ professional security tools
- Sandboxed Execution: All operations run in isolated containers
-
Memory Systems
- Long-term Memory: Persistent storage of knowledge and experiences
- Working Memory: Active context and goals for current operations
- Episodic Memory: Historical actions and success patterns
- Knowledge Base: Structured domain expertise and tool capabilities
- Context Management: Intelligently manages growing LLM context windows using chain summarization
The system uses Docker containers for isolation and easy deployment, with separate networks for core services, monitoring, and analytics to ensure proper security boundaries. Each component is designed to scale horizontally and can be configured for high availability in production environments.
Quick Start
System Requirements
- Docker and Docker Compose (or Podman - see Podman configuration)
- Minimum 2 vCPU
- Minimum 4GB RAM
- 20GB free disk space
- Internet access for downloading images and updates
Using Installer (Recommended)
PentAGI provides an interactive installer with a terminal-based UI for streamlined configuration and deployment. The installer guides you through system checks, LLM provider setup, search engine configuration, and security hardening.
Supported Platforms:
- Linux: amd64 download | arm64 download
- Windows: amd64 download
- macOS: amd64 (Intel) download | arm64 (M-series) download
Quick Installation (Linux amd64):
# Create installation directory
mkdir -p pentagi && cd pentagi
# Download installer
wget -O installer.zip https://pentagi.com/downloads/linux/amd64/installer-latest.zip
# Extract
unzip installer.zip
# Run interactive installer
./installer
Prerequisites & Permissions:
The installer requires appropriate privileges to interact with the Docker API for proper operation. By default, it uses the Docker socket (/var/run/docker.sock) which requires either:
-
Option 1 (Recommended for production): Run the installer as root:
sudo ./installer -
Option 2 (Development environments): Grant your user access to the Docker socket by adding them to the
dockergroup:# Add your user to the docker group sudo usermod -aG docker $USER # Log out and log back in, or activate the group immediately newgrp docker # Verify Docker access (should run without sudo) docker ps⚠️ Security Note: Adding a user to the
dockergroup grants root-equivalent privileges. Only do this for trusted users in controlled environments. For production deployments, consider using rootless Docker mode or running the installer with sudo.
The installer will:
- System Checks: Verify Docker, network connectivity, and system requirements
- Environment Setup: Create and configure
.envfile with optimal defaults - Provider Configuration: Set up LLM providers (OpenAI, Anthropic, Gemini, Bedrock, Ollama, Custom)
- Search Engines: Configure DuckDuckGo, Google, Tavily, Traversaal, Perplexity, Sploitus, Searxng
- Security Hardening: Generate secure credentials and configure SSL certificates
- Deployment: Start PentAGI with docker-compose
Current Web Settings Coverage
The PentAGI web console already manages several settings areas after the server is up and running:
- Settings -> Providers: Create, edit, delete, and test user-defined provider profiles for supported provider types. These profiles control per-agent model selection, runtime parameters, reasoning options, and pricing metadata.
- Settings -> Prompts: Manage system, human, and tool prompt templates.
- Settings -> PentAGI API: Create and manage PentAGI Bearer tokens for REST and GraphQL access.
- Other UI-managed preferences: Favorite flows are stored as user preferences, and theme selection is handled from the main sidebar/profile controls rather than the Settings pages.
Still Server-Managed
The following configuration areas still need to be set on the server through environment variables, compose files, or mounted config files:
- LLM credentials and connection details: API keys, endpoints, auth modes, and provider-specific connection settings for OpenAI, Anthropic, Bedrock, Ollama, custom providers, and similar backends; config-path settings apply only where supported, such as
OLLAMA_SERVER_CONFIG_PATHandLLM_SERVER_CONFIG_PATH. - Search provider credentials and options: Settings such as
DUCKDUCKGO_*,GOOGLE_*,TAVILY_API_KEY,TRAVERSAAL_API_KEY,PERPLEXITY_*,SEARXNG_*, andSPLOITUS_ENABLED. - Third-party integrations: Langfuse, Graphiti, and similar external services remain server-side configuration.
- MCP server management: MCP settings pages are not currently exposed as a live web-console feature.
For Production & Enhanced Security:
For production deployments or security-sensitive environments, we strongly recommend using a distributed two-node architecture where worker operations are isolated on a separate server. This prevents untrusted code execution and network access issues on your main system.
See detailed guide: Worker Node Setup
The two-node setup provides:
- Isolated Execution: Worker containers run on dedicated hardware
- Network Isolation: Separate network boundaries for penetration testing
- Security Boundaries: Docker-in-Docker with TLS authentication
- OOB Attack Support: Dedicated port ranges for out-of-band techniques
Manual Installation
- Create a working directory or clone the repository:
mkdir pentagi && cd pentagi
- Copy
.env.exampleto.envor download it:
curl -o .env https://raw.githubusercontent.com/vxcontrol/pentagi/master/.env.example
- Touch examples files (
example.custom.provider.yml,example.ollama.provider.yml) or download it:
curl -o example.custom.provider.yml https://raw.githubusercontent.com/vxcontrol/pentagi/master/examples/configs/custom-openai.provider.yml
curl -o example.ollama.provider.yml https://raw.githubusercontent.com/vxcontrol/pentagi/master/examples/configs/ollama-llama318b.provider.yml
- Fill in the required API keys in
.envfile.
# Required: At least one of these LLM providers
OPEN_AI_KEY=your_openai_key
ANTHROPIC_API_KEY=your_anthropic_key
GEMINI_API_KEY=your_gemini_key
# Optional: AWS Bedrock provider (enterprise-grade models)
BEDROCK_REGION=us-east-1
# Choose one authentication method:
BEDROCK_DEFAULT_AUTH=true # Option 1: Use AWS SDK default credential chain (recommended for EC2/ECS)
# BEDROCK_BEARER_TOKEN=your_bearer_token # Option 2: Bearer token authentication
# BEDROCK_ACCESS_KEY_ID=your_aws_access_key # Option 3: Static credentials
# BEDROCK_SECRET_ACCESS_KEY=your_aws_secret_key
# Optional: Ollama provider (local or cloud)
# OLLAMA_SERVER_URL=http://ollama-server:11434 # Local server
# OLLAMA_SERVER_URL=https://ollama.com # Cloud service
# OLLAMA_SERVER_API_KEY=your_ollama_cloud_key # Required for cloud, empty for local
# Optional: Chinese AI providers
# DEEPSEEK_API_KEY=your_deepseek_key # DeepSeek (strong reasoning)
# GLM_API_KEY=your_glm_key # GLM (Zhipu AI)
# KIMI_API_KEY=your_kimi_key # Kimi (Moonshot AI, ultra-long context)
# QWEN_API_KEY=your_qwen_key # Qwen (Alibaba Cloud, multimodal)
# Optional: Local LLM provider (zero-cost inference)
OLLAMA_SERVER_URL=http://localhost:11434
OLLAMA_SERVER_MODEL=your_model_name
# Optional: Additional search capabilities
DUCKDUCKGO_ENABLED=true
DUCKDUCKGO_REGION=us-en
DUCKDUCKGO_SAFESEARCH=
DUCKDUCKGO_TIME_RANGE=
SPLOITUS_ENABLED=true
GOOGLE_API_KEY=your_google_key
GOOGLE_CX_KEY=your_google_cx
TAVILY_API_KEY=your_tavily_key
TRAVERSAAL_API_KEY=your_traversaal_key
PERPLEXITY_API_KEY=your_perplexity_key
PERPLEXITY_MODEL=sonar-pro
PERPLEXITY_CONTEXT_SIZE=medium
# Searxng meta search engine (aggregates results from multiple sources)
SEARXNG_URL=http://your-searxng-instance:8080
SEARXNG_CATEGORIES=general
SEARXNG_LANGUAGE=
SEARXNG_SAFESEARCH=0
SEARXNG_TIME_RANGE=
SEARXNG_TIMEOUT=
## Graphiti knowledge graph settings
GRAPHITI_ENABLED=true
GRAPHITI_TIMEOUT=30
GRAPHITI_URL=http://graphiti:8000
GRAPHITI_MODEL_NAME=gpt-5-mini
# Neo4j settings (used by Graphiti stack)
NEO4J_USER=neo4j
NEO4J_DATABASE=neo4j
NEO4J_PASSWORD=devpassword
NEO4J_URI=bolt://neo4j:7687
# Assistant configuration
ASSISTANT_USE_AGENTS=false # Default value for agent usage when creating new assistants
- Change all security related environment variables in
.envfile to improve security.
Security related environment variables
Main Security Settings
COOKIE_SIGNING_SALT- Salt for cookie signing, change to random valuePUBLIC_URL- Public URL of your server (eg.https://pentagi.example.com)SERVER_SSL_CRTandSERVER_SSL_KEY- Custom paths to your existing SSL certificate and key for HTTPS (these paths should be used in the docker-compose.yml file to mount as volumes)
Scraper Access
SCRAPER_PUBLIC_URL- Public URL for scraper if you want to use different scraper server for public URLsSCRAPER_PRIVATE_URL- Private URL for scraper (local scraper server in docker-compose.yml file to access it to local URLs)
Access Credentials
PENTAGI_POSTGRES_USERandPENTAGI_POSTGRES_PASSWORD- PostgreSQL credentialsNEO4J_USERandNEO4J_PASSWORD- Neo4j credentials (for Graphiti knowledge graph)
- Remove all inline comments from
.envfile if you want to use it in VSCode or other IDEs as a envFile option:
perl -i -pe 's/\s+#.*$//' .env
- Run the PentAGI stack:
curl -O https://raw.githubusercontent.com/vxcontrol/pentagi/master/docker-compose.yml
docker compose up -d
Visit localhost:8443 to access PentAGI Web UI (default is [email protected] / admin)
Web UI Accounts
PentAGI does not expose public self-service sign-up from the login page. A fresh installation creates the default local administrator account:
- Email:
[email protected] - Password:
admin
On first login, change the default password before using the instance for real work. If the administrator password is lost later, use the installer maintenance menu to reset the default [email protected] account password.
For multi-user setups, an authenticated administrator can manage local users through the Users REST API (/api/v1/users/). The OpenAPI UI is available at https://localhost:8443/api/v1/swagger/index.html after the instance is running.
[!NOTE] If you caught an error about
pentagi-networkorobservability-networkorlangfuse-networkyou need to rundocker-compose.ymlfirstly to create these networks and after that rundocker-compose-langfuse.yml,docker-compose-graphiti.yml, anddocker-compose-observability.ymlto use Langfuse, Graphiti, and Observability services.You have to set at least one Language Model provider (OpenAI, Anthropic, Gemini, AWS Bedrock, or Ollama) to use PentAGI. AWS Bedrock provides enterprise-grade access to multiple foundation models from leading AI companies, while Ollama provides zero-cost local inference if you have sufficient computational resources. Additional API keys for search engines are optional but recommended for better results.
For fully local deployment with advanced models: See our comprehensive guide on Running PentAGI with vLLM and Qwen3.5-27B-FP8 for a production-grade local LLM setup. This configuration achieves ~13,000 TPS for prompt processing and ~650 TPS for completion on 4× RTX 5090 GPUs, supporting 12+ concurrent flows with complete independence from cloud providers.
LLM_SERVER_*environment variables are experimental feature and will be changed in the future. Right now you can use them to specify custom LLM server URL and one model for all agent types.
PROXY_URLis a global proxy URL for all LLM providers and external search systems. You can use it for isolation from external networks.The
docker-compose.ymlfile runs the PentAGI service as root user because it needs access to docker.sock for container management. If you're using TCP/IP network connection to Docker instead of socket file, you can remove root privileges and use the defaultpentagiuser for better security.
Accessing PentAGI from External Networks
By default, PentAGI binds to 127.0.0.1 (localhost only) for security. To access PentAGI from other machines on your network, you need to configure external access.
Configuration Steps
- Update
.envfile with your server's IP address:
# Network binding - allow external connections
PENTAGI_LISTEN_IP=0.0.0.0
PENTAGI_LISTEN_PORT=8443
# Public URL - use your actual server IP or hostname
# Replace 192.168.1.100 with your server's IP address
PUBLIC_URL=https://192.168.1.100:8443
# CORS origins - list all URLs that will access PentAGI
# Include localhost for local access AND your server IP for external access
CORS_ORIGINS=https://localhost:8443,https://192.168.1.100:8443
[!IMPORTANT]
- Replace
192.168.1.100with your actual server's IP address- Do NOT use
0.0.0.0inPUBLIC_URLorCORS_ORIGINS- use the actual IP address- Include both localhost and your server IP in
CORS_ORIGINSfor flexibility
- Recreate containers to apply the changes:
docker compose down
docker compose up -d --force-recreate
- Verify port binding:
docker ps | grep pentagi
You should see 0.0.0.0:8443->8443/tcp or :::8443->8443/tcp.
If you see 127.0.0.1:8443->8443/tcp, the environment variable wasn't picked up. In this case, directly edit docker-compose.yml line 31:
ports:
- "0.0.0.0:8443:8443"
Then recreate containers again.
- Configure firewall to allow incoming connections on port 8443:
# Ubuntu/Debian with UFW
sudo ufw allow 8443/tcp
sudo ufw reload
# CentOS/RHEL with firewalld
sudo firewall-cmd --permanent --add-port=8443/tcp
sudo firewall-cmd --reload
- Access PentAGI:
- Local access:
https://localhost:8443 - Network access:
https://your-server-ip:8443
[!NOTE] You'll need to accept the self-signed SSL certificate warning in your browser when accessing via IP address.
Running PentAGI with Podman
PentAGI fully supports Podman as a Docker alternative. However, when using Podman in rootless mode, the scraper service requires special configuration because rootless containers cannot bind privileged ports (ports below 1024).
Podman Rootless Configuration
The default scraper configuration uses port 443 (HTTPS), which is a privileged port. For Podman rootless, reconfigure the scraper to use a non-privileged port:
1. Edit docker-compose.yml - modify the scraper service (around line 199):
scraper:
image: vxcontrol/scraper:latest
restart: unless-stopped
container_name: scraper
hostname: scraper
expose:
- 3000/tcp # Changed from 443 to 3000
ports:
- "${SCRAPER_LISTEN_IP:-127.0.0.1}:${SCRAPER_LISTEN_PORT:-9443}:3000" # Map to port 3000
environment:
- MAX_CONCURRENT_SESSIONS=${LOCAL_SCRAPER_MAX_CONCURRENT_SESSIONS:-10}
- USERNAME=${LOCAL_SCRAPER_USERNAME:-someuser}
- PASSWORD=${LOCAL_SCRAPER_PASSWORD:-somepass}
logging:
options:
max-size: 50m
max-file: "7"
volumes:
- scraper-ssl:/usr/src/app/ssl
networks:
- pentagi-network
shm_size: 2g
2. Update .env file - change the scraper URL to use HTTP and port 3000:
# Scraper configuration for Podman rootless
SCRAPER_PRIVATE_URL=http://someuser:somepass@scraper:3000/
LOCAL_SCRAPER_USERNAME=someuser
LOCAL_SCRAPER_PASSWORD=somepass
[!IMPORTANT] Key changes for Podman:
- Use HTTP instead of HTTPS for
SCRAPER_PRIVATE_URL- Use port 3000 instead of 443
- Change internal
exposeto3000/tcp- Update port mapping to target
3000instead of443
3. Recreate containers:
podman-compose down
podman-compose up -d --force-recreate
4. Test scraper connectivity:
# Test from within the pentagi container
podman exec -it pentagi wget -O- "http://someuser:somepass@scraper:3000/html?url=http://example.com"
If you see HTML output, the scraper is working correctly.
Podman Rootful Mode
If you're running Podman in rootful mode (with sudo), you can use the default configuration without modifications. The scraper will work on port 443 as intended.
Docker Compatibility
All Podman configurations remain fully compatible with Docker. The non-privileged port approach works identically on both container runtimes.
Assistant Configuration
PentAGI allows you to configure default behavior for assistants:
| Variable | Default | Description |
|---|---|---|
ASSISTANT_USE_AGENTS | false | Controls the default value for agent usage when creating new assistants |
The ASSISTANT_USE_AGENTS setting affects the initial state of the "Use Agents" toggle when creating a new assistant in the UI:
false(default): New assistants are created with agent delegation disabled by defaulttrue: New assistants are created with agent delegation enabled by default
Note that users can always override this setting by toggling the "Use Agents" button in the UI when creating or editing an assistant. This environment variable only controls the initial default state.
How to Use PentAGI After Login
Once the stack is running and you can sign in to the web UI, the fastest way to start is through the Flows workflow.
1. Create your first flow
- Open Flows in the sidebar.
- Click New Flow.
- Choose the mode that fits your goal:
- Automation: fully autonomous execution for a testing goal you want PentAGI to carry out end-to-end
- Assistant: interactive back-and-forth help when you want to steer the investigation step by step. In this mode you can also enable the Use Agents toggle to let PentAGI delegate subtasks to specialized sub-agents for more complex investigations.
- Select the LLM provider you want to use for this flow.
- Describe the target and the objective in natural language in the message box.
Good first prompts usually include:
- the target system or URL
- the type of assessment you want
- any scope limitations or rules of engagement
- the result you expect, such as a vulnerability report or validation of a hypothesis
Example:
Assess https://target.example for common web application vulnerabilities. Focus on authentication, file handling, and injection issues. Stay within the provided target only and summarize confirmed findings with reproduction steps.
Only test systems you own or are explicitly authorized to assess. See EULA.md for the acceptable use requirements.
2. Use templates for repeatable workflows
The new flow form includes a template picker, which can prefill the message box with a saved flow template. This is useful when you run similar assessments repeatedly.
- Use an existing template if you already have one saved in Templates
- Start from the example prompt in
examples/prompts/base_web_pentest.mdif you need a practical baseline for web testing - Adjust the target, scope, and constraints before starting the flow
Templates are starting points. You do not need special syntax to use PentAGI: plain natural-language instructions work well as long as the target and goal are clear.
3. Monitor execution and review output
After submitting the flow, PentAGI opens the flow page automatically.
- Use the main flow view to follow messages, agent activity, and task progress
- Inspect tool activity and terminal output as the flow runs
- Review generated tasks and subtasks to understand what PentAGI is doing
Once the flow has enough results, use the Report menu on the flow page to:
- open the report in a web view
- copy the generated report to the clipboard
- download the report as Markdown
- download the report as PDF
4. Use the Assistant view to steer an active flow
Each flow also includes an Assistant view for interactive guidance. This is useful when the autonomous run uncovers something that needs human direction instead of a hard restart.
- Open the Assistant view for the same flow when you want to inspect the current state before changing anything.
- Use the assistant to check flow status, stop the current task, submit follow-up instructions, or patch the remaining planned subtasks before the next step runs.
- Treat this as an explicit control path for the current flow, not as an invisible background queue. If you want to change direction, say so clearly and keep the new instruction tied to the current engagement scope.
- This works best for clarifying scope, redirecting priorities after intermediate findings, or answering an automation checkpoint without losing the rest of the flow context.
5. Manage flow-scoped files
Each flow has its own Files tab in the flow page. Files are scoped to the parent flow: they live in {dataDir}/flow-{id}-data/ on the host and never leak into other flows.
The tab exposes three sources of files:
- Uploads (
uploads/): files you provide from the web UI. Use the Upload files action, or drag and drop directly onto the Files tab. While the agent container is running, uploaded files are also pushed into it at/work/uploads/so the agent can read them with normal shell tools. - Resources (
resources/): files attached from your saved user resources library via Attach resources from library. Attached resources are copied into the flow and pushed into the running container at/work/resources/. - Container (
container/): snapshots pulled from the running agent container via Pull file or directory from container. These are read-only on the flow side and are never sent back to the container.
Per-file actions in the Files tab include Download, Copy path, Save as resource (promote a flow file into your reusable resources library), and Delete. The Pull action is disabled when the container is not running, with the tooltip "Container is not running".
Uploaded files and attached resources are listed automatically in the agent's system prompts via the {{.UserFiles}} template variable, which renders a compact <task_files> XML block (with nested <uploads> and <resources> sections), so the assistant and automation agents can reference them by path without you pasting the contents into chat. Container snapshots are visible in the UI only and are not auto-injected back into the prompt.
Current limits and limitations to be aware of:
- Maximum upload file size is 300 MB; per upload request up to 1000 files and 2 GB total. File names are capped at 255 bytes (roughly 255 ASCII characters; non-ASCII names use multiple bytes per character).
- Uploads and resources are mirrored into the running container at the fixed paths
/work/uploads/and/work/resources/; files written to other container paths are not auto-mirrored back into the flow file model. Container snapshots can originate from any container path you pull (for example/etc/...) and are cached on the flow side undercontainer/; they are not pushed back into the container. - Container snapshots are point-in-time pulls. Editing a snapshot in the UI does not write back into the running container.
- Deleting a flow today removes the flow record and its long-term memory entries, but does not yet archive or remove the flow's
flow-{id}-data/directory on disk. Operators are still expected to clean up the data directory manually if they want to reclaim the space.
// compatibility
| Platforms | cli, api, desktop, web, mobile |
|---|---|
| Operating systems | — |
| AI compatibility | claude |
| License | MIT |
| Pricing | open-source |
| Language | Go |
// faq
What is pentagi?
Fully autonomous AI Agents system capable of performing complex penetration testing tasks. It is open-source on GitHub.
Is pentagi free to use?
pentagi is open-source under the MIT license, so it is free to use.
What category does pentagi belong to?
pentagi is listed under automation in the Claudeers registry of Claude-compatible tools.
// embed badge
[](https://claudeers.com/pentagi)
// retro hit counter
[](https://claudeers.com/pentagi)
// reviews
// guestbook
// related in Automation & Workflows
The API to search, scrape, and interact with the web at scale. 🔥
An open-source long-horizon SuperAgent harness that researches, codes, and creates. With the help of sandboxes, memories, tools, skill, subagents and message…
🗂 The essential checklist for modern web development, for humans and AI agents