PentestGPT
by
GreyDGL

Description: Automated Penetration Testing Agentic Framework Powered by Large Language Models

View on GitHub ↗

Summary Information

Updated 30 minutes ago
Added to GitGenius on December 19th, 2025
Created on February 27th, 2023
Open Issues & Pull Requests: 70 (+0)
Number of forks: 2,466
Total Stargazers: 14,176 (+0)
Total Subscribers: 345 (+0)

Issue Activity (beta)

Open issues: 52
New in 7 days: 2
Closed in 7 days: 0
Avg open age: 174 days
Stale 30+ days: 39
Stale 90+ days: 32

Recent activity

Opened in 7 days: 2
Closed in 7 days: 0
Comments in 7 days: 1
Events in 7 days: 3

Top labels

  • enhancement (5)
  • bug (4)

Most active issues this week

Repository Insights (GitGenius)

Median issue/PR response: 16.9 hours
Mean response time: 72.2 days
90th percentile: 323.4 days
Tracked items: 176

Most active contributors

Detailed Description

PentestGPT is an AI-powered autonomous penetration testing agent built in Python that leverages large language models to automate security testing and capture-the-flag challenges. The project was published at USENIX Security 2024 and represents a significant evolution in applying LLM reasoning to cybersecurity tasks. The repository is maintained primarily by GreyDGL, who accounts for 160 tracked events, with secondary contributions from Genudza and K4ZUM4KIRYU. The codebase has attracted interest from developers across major technology projects, as evidenced by GitGenius linking this repository to microsoft/vscode, microsoft/typescript, and rust-lang/rust through overlapping contributor networks.

The core functionality centers on an agentic framework that runs in an iteration loop, maintaining a context file with progress and restarting with prior context when hitting computational limits. The agent terminates either upon flag capture or after reaching a maximum iteration count, defaulting to ten iterations. This autonomous approach differs fundamentally from earlier interactive modes, as the agent operates continuously without requiring human intervention between steps. The framework supports multiple challenge categories including web exploitation, cryptography, reverse engineering, forensics, privilege escalation, and binary exploitation.

Version 1.0 introduced the agentic upgrade, which added the iteration loop mechanism, autonomous agent capabilities, and session persistence functionality. Users can save and resume penetration testing sessions, allowing long-running assessments to be paused and continued. The modernized legacy mode, accessible via pentestgpt-legacy, preserves the original USENIX 2024 implementation as a human-in-the-loop system. This mode runs three cooperating LLM sessions for reasoning, generation, and parsing while maintaining a Pentesting Task Tree that users drive interactively through commands like next, more, todo, and discuss.

The legacy mode supports extensive multi-model functionality across eight LLM providers. OpenAI models include gpt-5.5, gpt-5.5-pro, gpt-5.4-mini, and others. Anthropic provides claude-opus-4-8, claude-sonnet-4-6, and claude-haiku-4-5-20251001. Google Gemini, DeepSeek, xAI Grok, Alibaba Qwen, Moonshot Kimi, and local Ollama instances are all supported through their official SDKs. The model registry lives in pentestgpt_legacy/llm/registry.py and can be extended by adding single ModelSpec entries.

Benchmark results demonstrate strong performance on the XBOW validation suite with an 86.5% success rate across 104 benchmarks. Successful runs averaged $1.11 in cost with a median of $0.42, and averaged 6.1 minutes with a median of 3.3 minutes. Success rates varied by difficulty level: 91.1% for Level 1, 74.5% for Level 2, and 62.5% for Level 3 challenges.

The project implements anonymous telemetry collection through Langfuse to track session metadata, tool execution patterns, and flag detection events, explicitly excluding sensitive data like command outputs, credentials, or actual flag values. Users can opt out of telemetry collection. The repository uses Python 3.12 or higher, the uv package manager, and Claude Code CLI for its primary agent implementation. Development commands include make install, make test, make check, and make build. Issue and PR response latency shows a median of 18.1 hours across 175 tracked items, with enhancement and bug labels being the most active issue categories. The project is distributed under the MIT License with support from Quantstamp and NTU Singapore.

PentestGPT
by
GreyDGLGreyDGL/PentestGPT

Repository Details

Fetching additional details & charts...