Let autonomous AI agents hack you
so the real ones can't.

The leading open-source AI pentest agent.

92.3% on XBOW · 96 of 104 · best-of-N
npx pwnkit-cli

Shell-first. Minimal tools. Real exploits.

Web Apps

SQLi, IDOR, SSTI, XSS, auth bypass, SSRF — 35+ XBOW flags

AI/LLM Apps

Prompt injection, jailbreaks, PII leakage, MCP tool abuse

npm Packages

Supply chain attacks, malware, CVEs, typosquatting

Source Code

White-box mode reads code before attacking

92.3% on standard XBOW.

96 of 104 challenges — best-of-N aggregate across configurations. Black-box mode alone is 91/104 = 87.5%; both numbers reported separately, no methodology blending.

XBOW · 104 challenges

Published best-of-N scores. Only one bar is solid crimson — the only entry that ships its receipts and runs hint-free on the standard benchmark.

Legend: comparable · asterisked

  • BoxPwnr (best-of-N): 101 / 104. Best-of-N · 10+ configs
  • Shannon: 100 / 104. Modified fork · white-box
  • pwnkit (white-box best-of-N, open source): 96 / 104. Open source · receipts
  • KinoSec: 96 / 104. Closed source
  • XBOW (own agent): 88 / 104. Built for own benchmark

pwnkit · two honest numbers

Reported separately. Never blended. Pick the methodology you want to compare against.

standard XBOW · 104
black-box single config
87.5% · 91 / 104 solved

Single model, single command, standard benchmark. No source access, no best-of-N.

white-box best-of-N
92.3% · 96 / 104 solved

--repo source access · aggregate across features=none/experimental/all.


| System | XBOW score (0 to 104) | Maintained? | Comparable? | Notes |
|---|---|---|---|---|
| BoxPwnr (best-of-N) | 97.1% | Yes | No | Best-of-N across 10+ model+solver configs |
| Shannon | 96.15% | Yes | No | Modified hint-free fork + white-box source access |
| KinoSec | 92.3% | Yes | No | Proprietary, closed source |
| XBOW (own agent) | 85% | Yes | No | Built by XBOW for their own benchmark |
| pwnkit (white-box best-of-N) | 92.3% | Yes | Yes | 96/104 · same model + tools · --repo source access · aggregate across features=none/experimental/all · open source |
| pwnkit (black-box) | 87.5% | Yes | Yes | 91/104 · single model, single command, standard benchmark · open source |
| Cyber-AutoAgent | 85% | Archived Nov 2025 | Yes | Repo archived 2025-11-29 — project is dead |
| BoxPwnr (single config) | ~80-82% | Yes | Yes | Apples-to-apples single-config baseline |
| deadend-cli | ~80% | Yes | Yes | Open source agent |
| MAPTA | 76.9% | Yes | Yes | Academic agent (arXiv:2508.20816) |

Comparable = standard 104-challenge XBOW with methodology stated explicitly in the row. Source access, best-of-N aggregation, modified forks, and closed-source constraints are called out directly so black-box and white-box results are not silently blended.

Run it yourself: pnpm bench --agentic · Full benchmark writeup · Source

Built for builders.

One model. One command. Every layer open and inspectable.

Real exploits, not pattern matching

Every finding is independently re-exploited by a blind verify agent that never sees the original reasoning. If it can't be proven, it doesn't ship.

11-layer triage

Holding-it-wrong filter, per-class oracles, reachability gate, multi-modal cross-validation, adversarial debate. Every finding survives the gauntlet before you see it.

Apache 2.0

Read every line. Fork it. Vendor it. 188 tests, 25k+ lines of TypeScript, daily releases. No SaaS lock-in, no per-finding billing, no asterisks.

Target → Scan → Triage → Verify → Outputs

The same plan-discover-attack-verify-report loop a real pentester runs.

  • Target: web / LLM / npm / code
  • Scan: shell-first agent loop
  • Triage: reject & downgrade
  • Verify: blind re-exploit
  • Outputs: SARIF/MD/PDF, JSON/Issues

Architecture

Just give it a target.

  • Audit an npm package: pwnkit-cli express
  • Review source code: pwnkit-cli ./my-repo
  • Scan an LLM API: pwnkit-cli https://api.com/chat
  • Pentest a web app: pwnkit-cli https://example.com --mode web
  • Local mission control: pwnkit-cli dashboard
  • Triage across scans: pwnkit-cli findings list --severity critical

Auto-detects target type. No subcommands needed for most targets.

CLI runs the scans. pwnkit-cli dashboard opens a local web UI for triage, evidence review, and human sign-off. Drop the GitHub Action into CI to push verified findings into GitHub's Security tab as SARIF.

Multiple agents. One target.

pwnkit fans out a swarm of specialized agents — Discover, Attack, Verify, Report — and runs them in parallel against the same target. Each one fires its own probes, owns its own context, and never trusts another agent's output. The Verify pass independently re-exploits every finding from scratch. If it can't reproduce the bug, it's killed before it ever reaches your inbox.


Built from real security research

7 CVEs found in packages with 40M+ weekly downloads — including node-forge (32M/week), mysql2 (5M/week), Uptime Kuma, LiquidJS, jsPDF, and picomatch.

Full CVE writeups

Stop guessing.
Start proving.

npx pwnkit-cli