AEGIS
v0.10.0 · OpenAPI/Postman/HAR ingest · AD chains · SARIF/H1/Bugcrowd · resume

The pentest orchestrator that actually finds things.

aegis run engagements/2026-figma · claude-sonnet-4-6
AEGIS · FIGMA-2026-001 · Figma, Inc.
claude-sonnet-4-6
PASSIVE_RECON 2/7 · Running…
$0.0000 0t · no findings
━━━ PASSIVE_RECON ━━━
Subdomains, OSINT, DNS — no direct traffic.
subfinder -d figma.com -silent
running · 4s
[INF] loading 30 sources
www.figma.com
api.figma.com
design.figma.com
▪ MEDIUM GraphQL introspection enabled on /graphql
>
type to guide · / commands · ctrl-o toggle outputs · ctrl-c quit
(scripted demo loop)
Tools it sees, runs, and parses: nmap, nuclei, httpx, subfinder, ffuf, gobuster, feroxbuster, naabu, amass, dnsx, katana, dalfox, sqlmap, sslyze, wpscan, nikto, trivy, grype, semgrep, trufflehog, gitleaks, masscan, hydra, arjun, gau, waybackurls, hakrawler, gospider, tlsx, cdncheck, wafw00f, whatweb, jwt_tool, graphql-cop, cloudfox, s3scanner, kiterunner, bbot, theharvester, crlfuzz, smuggler, h2csmuggler, commix, wapiti, xsstrike, sstimap, nosqlmap, cmseek, joomscan, droopescan, subjack, subzy.
/ what's inside

A real toolkit, not a prompt wrapper.

Pentest tools
nmap, nuclei, httpx, subfinder… every tool runs through one rate-limited, scope-checked executor.

Nuclei templates
The local nuclei index ships with every checkpoint. AEGIS picks templates by detected tech.

33 verification probes
Timing oracles, CSRF, SSTI, prototype pollution, race conditions, OAuth flows.

7 PTES phases
Pre-engagement → passive recon → active recon → fingerprinting → vuln analysis → verification → reporting.

Most "AI pentesters" prompt an LLM to write commands.
AEGIS hands the LLM a real tool surface and a scope guard, then watches it work.
(design tenet, src/aegis/orchestrator/loop.py)
/ methodology

PTES, end to end.

AEGIS executes the seven PTES phases as a state machine. Each phase has its own budget, prompt template, and exit criteria. Claude picks tools; AEGIS runs them, parses results, updates the engagement DB, and decides when to advance.

How the state machine works
01 PRE_ENGAGEMENT: Scope, env profile, tool availability.
02 PASSIVE_RECON: Subdomains, OSINT, DNS, WHOIS — no traffic.
03 ACTIVE_RECON: Port scan, services, crawl, fingerprint.
04 FINGERPRINTING: Pin the technology stack per host.
05 VULN_ANALYSIS: Nuclei + correlated WSTG + CVE lookups.
06 VERIFICATION: 33 safe probes confirm before reporting.
07 REPORTING: Executive summary + full audit log.
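As an added illustration of the state machine described above (not AEGIS's own code), the sketch below tracks the seven PTES phases with a per-phase budget, an exit criterion per phase, and a scope guard that every tool run must pass. The phase names are the page's; the exit criteria, budget figures and the sample scope (example.com, 192.0.2.0/24) are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# PTES phase order as the page lists it; the budgets and exit criteria below are illustrative.
PHASES = ["PRE_ENGAGEMENT", "PASSIVE_RECON", "ACTIVE_RECON", "FINGERPRINTING",
          "VULN_ANALYSIS", "VERIFICATION", "REPORTING"]
# Exit criterion per phase: a predicate over the facts gathered so far. REPORTING is terminal.
EXIT_CRITERIA = {
    "PRE_ENGAGEMENT": lambda f: bool(f.get("scope_confirmed")),
    "PASSIVE_RECON": lambda f: bool(f.get("subdomains")),
    "ACTIVE_RECON": lambda f: bool(f.get("services")),
    "FINGERPRINTING": lambda f: bool(f.get("tech")),
    "VULN_ANALYSIS": lambda f: "candidates" in f,
    "VERIFICATION": lambda f: "confirmed" in f,
    "REPORTING": lambda f: False,
}
@dataclass
class Engagement:
    scope_domains: set       # in-scope domains; their subdomains are in scope too
    scope_cidrs: list        # in-scope networks as CIDR strings
    budget_usd: dict         # per-phase spend ceiling in USD
    spent_usd: dict = field(default_factory=dict)
    facts: dict = field(default_factory=dict)
    phase_idx: int = 0
def phase(eng):
    return PHASES[eng.phase_idx]
def in_scope(eng, target):
    """Scope guard run before every tool: CIDR match for IP literals, suffix match for names."""
    host = (urlparse(target).hostname if "://" in target else target) or ""
    try:
        ip = ip_address(host)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return host in eng.scope_domains or any(host.endswith("." + d) for d in eng.scope_domains)
    return any(ip in ip_network(c) for c in eng.scope_cidrs)
def record(eng, target, cost_usd, **facts):
    """Account for one tool run: refuse out-of-scope targets and enforce the phase budget."""
    if not in_scope(eng, target):
        raise PermissionError(f"{target} is outside the engagement scope")
    spent = eng.spent_usd.get(phase(eng), 0.0) + cost_usd
    if spent > eng.budget_usd.get(phase(eng), 0.0):
        raise RuntimeError(f"{phase(eng)} budget exhausted")
    eng.spent_usd[phase(eng)] = spent
    eng.facts.update(facts)
def try_advance(eng):
    """Advance to the next phase only when the current phase's exit criterion is met."""
    if not EXIT_CRITERIA[phase(eng)](eng.facts):
        return False
    eng.phase_idx += 1
    return True
```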
/ cost control

Three tiers. One budget.

AEGIS routes work to the cheapest model that can do it. Parsing tool output goes to Haiku. Planning the next phase goes to Sonnet. Reasoning about an attack chain across services goes to Opus.

Tier · model · role · price in / out per MTok
nano · claude-haiku-4-5 · parsing & classification · $1.00 / $5.00
main · claude-sonnet-4-6 · planning & hypothesis · $3.00 / $15.00
deep · claude-opus-4-7 · attack chains & hard reasoning · $5.00 / $25.00
/ ship

Run your first engagement.

Five minutes from pip install to a verified findings report. Open source, Apache 2.0, authorised targets only.