If you search GitHub for “AI pentesting” right now, youll find dozens of projects promising autonomous hacking. Impressive READMEs, cool architecture diagrams, benchmark tables. I went through the code of every major one. Theyre all the same thing wearing different clothes.
To actually compare them fairly, Im defining a couple of “components” each one claims to have and judging based on whats expected vs what was delivered (I will also refernce them in P2):
- “AI Pentester”: System prompt(s) analysis
- “Tools”: what is exposed, how they are handled
- “Methodology”: How the LLM is being guided / approach to the pentesting
- “Safeguards”: Are there any?
I will be referring to all of these projects as “SPaaP” (System Prompt as a Pentester) because thats, at the end of the day, what they all are.
T3MP3ST
This one is partially the reason why I am writing this blogpost right now. Because its really good? No. Because its a big marketing move with same general approach as other SPaaPs, in some places even funnier.
AI Pentester
Lets look at prompts/index.ts where all juice is stored. And, to be honest, this whole file is so theatrically-edgy written, that its hard not to laugh/cringe at it, just look at:
| |
or:
| |
Lets start from the beginning. T3MP3ST defines PLINIAN_OPERATOR_DOCTRINE (index.ts:L16) which is the “main” system prompt that gets prepended to every operator. Humongous prompt, but really just a lot of abstract nothingburger. The only good part in it is “Plinian Authority Model”, which defines scope receipts, evidence requirements and other real stuff. A bit vague and not a MUST, but still good. Other stuff is pure vibes (excluding prompt injection mitigations, but Im not sure how effective it is). HACKER MINDSET is a joke.
| |
And it gets better. Theres a GENERAL_SYSTEM_PROMPT (index.ts:L915) that goes full military LARP:
| |
“Supreme commander”. “Zero-day hunting organism”. This is what the LLM reads before deciding which nmap flags to use.
I mean, why? For whom? I thought the era of philosophical token-wasting metaprompting is something we left in 2022, but alas. And this is the core problem with T3MP3ST - wasteful cringy metaprompts spanning ~10k characters that do absolutely nothing to help the LLM find a single XSS.
Real prompts are stored in OPERATOR_SYSTEM_PROMPTS (index.ts:L182). They are better, but far from perfect. Main problem with all of them - overall vagueness. Like with all SPaaPs, it relies on LLM actually listening to the prompt and executing it word-for-word. But in reality - can we trust it? All operators are 3-4 phased system prompts with Tool Strategy for tool execution.
For example exfiltrator:
| |
Can AI just avoid using those? Of course it can, since there are no real ties between phases/strategy and toolset. The Tool Strategy prompt is always just “yeah use those three, maybe try some SQL chains”. Its a suggestion, not a contract. But even worse I find the Critical Rules sections.
For example exploiter:
| |
Again, I wont trust just saying “please be nice” to AI, and phrasing with “prefer non-destructive proof”? Thats the kind of soft language LLM will happily ignore when it decides a destructive path is more “helpful”.
The real recon/execution hangs on scanner actually finding ALL the stuff and testing all endpoints - guided by what amounts to an OWASP Top 10 checklist pasted into a system prompt. Yeah.
Tools
Now, the toolset is actually bigger than the Tool Strategy sections suggest - T3MP3ST has 30+ tools in its Arsenal, and each operator gets a curated allowlist via defaultTools in their archetype profile (operators/index.ts:L75). The exfiltrator alone gets 15 tools. The prompt only highlights 3 of them as suggestions.
But heres the real problem - the tools that ARE there are toy-grade implementations. This is the entire XSS scanner (arsenal/index.ts:L1125):
| |
Thats it. 6 payloads. A real XSS scanner uses thousands. The SQLi scanner is the same story - 7 payloads with naive error pattern matching. hash_crack ships with a 60-word dictionary (rockyou has 14 million). subdomain_enum has a 21-52 word wordlist (real tools use 100K+). dir_bruteforce tries 17 paths (vs 200K+). port_scan defaults to 4 ports.
These are demo implementations. They technically work, but would miss the vast majority of real vulnerabilities. You are literally better off just shelling out to the real tools (nmap, ffuf, sqlmap) - which T3MP3ST can do via execFile wrappers, but only if those are installed on the host. The built-in tools exist so T3MP3ST can “work” without external dependencies, and boy do they barely work.
And before someone says “>well just give the AI shell access and let it figure out which tools to use” - Ive tried that. A lot. The other approach (which Strix does - just drop LLM into a Kali container and let it run whatever) sounds great in theory but in practice leads to mostly nothing. The LLM will run nmap with wrong flags, misread the output, forget what it already scanned, loop on the same target three times, and then confidently tell you it found a critical RCE that doesnt exist. Without structured tool wrappers that parse output and feed it back in a sane format, you are just burning tokens on an LLM typing random commands into a terminal. I know because Ive spent weeks on exactly this.
The Stub Graveyard
This is where T3MP3STs marketing becomes really obvious. The project exposes modules for the entire kill chain: ExploitEngine, SwarmController, PersistenceController, BrowserController, CognitionEngine, CloudController, LearningEngine, KnowledgeBase, ProtocolAnalyzer, EvasionController, ReportingEngine, WorkflowEngine - sounds impressive, right?
Well, every single one of them is a stub. Heres what the ExploitEngine actually does (stubs/index.ts):
| |
And the PersistenceController:
| |
Thats over 15 modules, all returning the equivalent of return false. The interface sells a sophisticated kill-chain engine; the code delivers a ReAct loop with toy tools.
Safeguards
Credit where its due - this is the one area where T3MP3ST actually wrote code instead of just prompts.
Egress scope gate (scopeViolation() in arsenal/index.ts) checks every tool call against an authorized host allowlist before the handler runs. Not a prompt directive - actual code that blocks execution:
| |
It even handles CIDR bypass attempts, scheme-relative escapes (//evil.com), and fails closed on unparseable network-target-shaped values. Good stuff.
Approval controller makes intrusive tools inert until explicitly approved. Two modes: pre-authorized allowlist or interactive approval. The fail-safe default is DENIED, with a full audit trail. Well-engineered.
Evidence gate (gateLiveFinding() in evidence/gate.ts) is the most interesting piece. Findings must have real tool output to be marked “verified”:
| |
When the LLM produces findings in its final debrief JSON block, they get tagged provenance: 'model' and downgraded. Only findings backed by actual tool output get provenance: 'tool' and pass the gate. So when LLM hallucinates a “critical SQLi” in its summary - the gate catches it.
But look closer - the gate is provenance-strict, accuracy-blind. It checks that tool output exists, not that it supports the claim. A tool could return "no vulnerabilities found" and if the LLM wraps that output into a finding claiming critical SQLi, the gate passes - because there IS tool output attached, even though it contradicts the finding. It prevents fabrication out of thin air, but not misinterpretation. Which, from my experience, is the way more common failure mode.
So the safeguards are legit, but not as bulletproof as they look. The irony? The team spent more engineering effort on preventing the LLM from lying about findings than on making the LLM actually find things.
The DecompositionOrchestrator
This one deserves its own section because its the most interesting (and most concerning) piece of T3MP3STs architecture.
In orchestration/prompts.ts theres a dual-model system. An “orchestrator” model (e.g. Opus) receives an offensive objective - say, “find a buffer overflow in this codebase”. It then decomposes that objective into innocuous-looking code analysis questions and sends them to a “worker” model (e.g. Fable 5) that has strict safety guardrails. The worker sees a completely benign system prompt - just a “software analysis assistant specializing in C/C++ and systems programming”. No mention of security, hacking, or T3MP3ST.
The orchestrator prompt is explicit about what this is:
| |
It even has a banned-words list for the questions sent to the worker: exploit, payload, vulnerability, CVE, attacker, malicious, overflow, out-of-bounds. The orchestrator extracts benign scaffolding facts (struct sizes, wire formats, what helper functions return), then does all the security reasoning itself by combining those facts with the full source it holds.
Theres a “round posture” system too - Round 1 is pure benign scaffolding, later rounds fill gaps while staying neutral. The orchestrator collects answers, synthesizes them back into exploit intelligence via ORCHESTRATOR_SYNTHESIZE_PROMPT, and decides if another round is needed.
This is guardrail-bypass-as-architecture. Whether you think its clever engineering or a jailbreak dressed in a trench coat - I dont know. But its the most technically interesting thing in the entire codebase, and ironically, it has nothing to do with pentesting a target. Its about pentesting the worker models safety filters.
Benchmarks
T3MP3ST ships benchmark results that look impressive at first glance. 90.1% pass@1 on XBOWs 104-challenge suite. 58% on Cybench (40 academic tasks, hint-free). 8/10 on CVE-Zero with exact file/line/CWE matches.
Lets sit with that for a second. We just walked through 6 XSS payloads, 7 SQLi payloads, a 60-word hash dictionary, 15+ stub modules that literally return false, and a methodology that lives entirely in vibes-based system prompts. And this gets 90%? With what?
My friend Claude analysed the benchmark artifacts in the repo. Heres what he found.
XBEN (the 90.1% headline)
First - all runs are gpt-5.5. Their own docs had a claim of “gpt-5.5 ∪ opus-4.8” that was removed as false. So its one frontier model doing all the work. T3MP3STs contribution is a system prompt and a ReAct loop.
Second - that 90.1% is actually a Wilson CI mean across multiple sweeps. The actual floor (worst single run) is 91/104 = 87.5%. The best-ball (union of 3 sweeps, pass@3) is 98/104. These are very different numbers being presented interchangeably depending on which sounds better.
Third - verify-claims.mjs has this comment at the top:
| |
So npm run verify-claims checks that T3MP3STs JSON files are internally consistent. Thats it. Its not verification - its JSON.parse() with a checkmark emoji.
Fourth - raw transcripts are stripped. Their own code comments say “shipped export strips raw transcripts for operator privacy”. So the evidence that the agent actually solved each challenge? Gone. You get a verdict JSON that says "detected": true and youre supposed to trust it.
And the best part - their INTEGRITY_LEDGER reveals they discovered XBEN flags are just sha256(UPPERCASE(challenge_name)). An agent could “solve” any challenge by running echo -n "XBEN-001-24" | tr a-z A-Z | sha256sum instead of actually exploiting anything. They say 0/104 exploited this shortcut. But the hole existed in every run they published, and with transcripts stripped, theres no way to independently verify that claim either.
Oh, and their own XBOW_BASELINE.md has a “DO NOT CLAIM” section that literally says:
| |
Yet the headline comparison invites exactly that reading.
Cybench (the 58% headline)
The headline says 23/40 (58%) hint-free. But their own CYBENCH.md reveals only 13 of 40 challenges are even runnable - the other 18 need Docker services that arent implemented yet. And their A/B test on those 13 is devastating:
| Mode | Solve rate |
|---|---|
direct-claude (raw LLM, no T3MP3ST) | 3/13 = 23.1% |
live (T3MP3ST prompt scaffolding) | 3/13 = 23.1% |
Same three challenges. T3MP3STs prompt scaffolding added literally zero. The prompts, the doctrine, the HACKER MINDSET - all of it contributed nothing over a raw model call. Their own data proves T3MP3ST is a passenger, not a driver.
They also explicitly state: “we are not the raw-score record — published pass@10 SOTA (76.5%, Sonnet 4.5) is higher.”
CVE-Zero (the 8/10 headline)
This is actually the most honest benchmark - real post-2026 CVEs, real source trees, no hints. But n=10. Ten samples. And the scoring is generous: finding the right file and being within 15 lines of the vuln counts as a hit. The CWE doesnt even need to match exactly - “same family” passes. And the “held-out” split? Its committed right there in cve-zero-split.mjs in the public repo. Held out from prompt tuning, not from anyone who can read the source.
The bottom line
T3MP3ST is taking credit for the models intelligence the same way a taxi driver takes credit for the engines horsepower. Their own A/B test proves it - the framework adds zero over a raw model call. The benchmarks are measuring how good GPT-5.5 is at hacking, not how good T3MP3ST is at anything.
And The Rest?
T3MP3ST is the most engineered SPaaP Ive found. The rest are the same idea with less effort. Quick tour.
Strix
OpenAI Agents SDK + Kali Linux Docker container. Zero pentesting logic in Python code - its pure orchestration plumbing. The entire product is a 458-line Jinja system prompt. And what a prompt it is:
| |
Thats a jailbreak baked into the system prompt. And:
| |
2000+ steps. At ~1k tokens per step thats millions of tokens burned. The “methodology” is literally “try harder” as a system prompt directive.
Tools? Strix has none of its own. Nmap, sqlmap, ffuf - theyre just binaries in the Docker image. The LLM accesses them through raw shell via exec_command. No output parsing, no error handling, no retry logic. Its the “just give AI shell access” approach I described above. Safeguards? A prompt saying “stay in scope” and Docker container isolation. Thats it.
PentestGPT
The OG. 15k+ stars. Had a 3-session architecture (reasoning, generation, parsing) that was genuinely novel back in 2024 - even got a USENIX paper. But the current version? Its Claude Code + Docker with 104 tool wrappers. The academic eval showed ~13% success rate on real CVEs and near-zero on hard HTB boxes.
The Pattern
Every single one follows the same template. PentAGI? Go backend with 13 agent types and a vector memory store - sounds sophisticated until you realize each “agent” is just a different system prompt passed to the same LLM. Pentest-Swarm-AI? Five Claude API agents with stigmergy-based coordination - which their own README admits “hits rate limits in minutes” on real scans. HackBot? LLM + shell loop with 10 provider options.
Strip away the marketing and every one of these is:
- “AI Pentester” = LLM with a system prompt saying “you are a pentester”
- “Tools” = shell access to pre-installed binaries, or toy reimplementations
- “Methodology” = markdown checklist in the system prompt
- “Multi-agent” = same LLM, different system prompt per role
- “Safeguards” = “please dont hack out-of-scope” in the prompt
- “Autonomous” = ReAct loop until budget or turns run out
And the fundamental problem with all of them - theres zero methodology enforcement. Giving an LLM shell access doesnt mean it will actually use it properly. Theres no code ensuring it tests every endpoint, no checklist it must complete, no coverage tracking. The LLM can poke one endpoint, run two nmap scans, decide “looks clean” and call it a day. And it will. Ive watched it happen dozens of times. A real pentester has a process - enumerate everything, test each endpoint against each vulnerability class, document as you go. These tools have a suggestion in a prompt. The LLM is free to ignore it, skip steps, repeat itself, or just give up after the first thing that doesnt immediately pop.
None of them have deterministic baseline coverage. None parse tool output in a structured way. None have real pentesting logic in code. None are reproducible - same target, different run, different results.
So thats the state of AI pentesting on GitHub in 2026. System prompts all the way down. But it doesnt have to be this way. In P2 Ill walk through how to actually build something that works - proof-first evidence gathering instead of vibes, structured methodology enforcement instead of “please try harder”, and prompting that makes the LLM a useful tool instead of a cosplaying pentester.
comments