Designing and Deploying an AI‑Driven Autonomous Penetration Testing Bot

The article details the design of an expert‑driven AI penetration‑testing agent called Zero, built on Cairn with Claude code, and walks through a real‑world attack where the bot discovers a Django site, brute‑forces SSH, writes a webshell, while discussing efficiency, cost, and current limitations.

Black & White Path
Black & White Path
Black & White Path
Designing and Deploying an AI‑Driven Autonomous Penetration Testing Bot

Design Philosophy and Core Principles

The author, after competing in two Tencent security hackathons, studied open‑source agents such as LuaN1aoAgent, CyberStrikeAI, CAI, and Cairn, ultimately extending Cairn with Claude code to create a custom AI penetration‑testing agent named Zero.

Zero follows an "expert‑driven" architecture that splits the LLM’s role into two cooperating agents to keep the autonomous process controllable.

1.1 Cognitive Collaboration Framework

A closed‑loop two‑person framework is built:

Expert Agent acts as the strategic brain. It does not operate tools directly; instead it observes the global state (discovered hosts, ports) and dynamically generates or updates a directed acyclic graph (DAG) representing the attack plan. Its output consists of structured "graph edit commands" (add, update, retire nodes) and a graded failure attribution (L1‑L4). It also produces reusable "attack intelligence" and decides whether the mission is complete or stalled.

Penetration Agent acts as the tactical executor. It carries out the sub‑tasks assigned by the planner, invoking security tools via the MCP protocol, such as fscan and sqlmap . It maintains a shared bulletin board for real‑time exchange of high‑value findings among parallel sub‑tasks. A Dispatcher schedules containerised executions, sends reconnaissance or exploitation commands, and retrieves live status and results.

1.2 Logical Graph Reasoning

To enforce rigorous decision‑making, the system requires every action to follow a strict evidence → hypothesis → vulnerability → exploit chain. Each causal edge carries a confidence score, which helps suppress LLM hallucinations and makes decisions traceable. The planner’s DAG evolves dynamically: new ports trigger sub‑graph creation, WAF detections insert bypass nodes, and topological dependencies automatically expose independent tasks for parallel execution.

1.3 MCP Tool Integration

The MCP protocol standardises tool invocation and enables extensibility. Zero also provides a web‑based visual interface and a human‑machine collaboration mode, allowing experts to monitor the task graph, approve or modify plans in real time.

Practical Penetration Test Observation

The author presents a full‑run screenshot of the attack flow (see image below).

Attack flow diagram
Attack flow diagram

Step‑by‑step breakdown:

After entering the target address, the reconnaissance sub‑agent performs fingerprinting and path brute‑forcing to expand the attack surface.

The target is identified as a Django application; the agent attempts an N‑day exploit (CVE‑2025‑64459) by automatically downloading a PoC from GitHub. Multiple attempts fail, and the path is abandoned.

The agent falls back to a conventional TCP port scan, discovers a Tomcat service on port 8080, enumerates API endpoints, and tries common credential pairs (e.g., tomcat:tomcat, admin:admin). All attempts fail.

Observing the failure, the agent gathers target‑specific username/password dictionaries, detects an SSH service, and successfully brute‑forces SSH using the collected credentials (not generic weak passwords). It gains a low‑privilege database account.

With database access, the agent locates a writable directory and writes a shell to the web root via an SQL file‑write technique, ultimately obtaining a webshell.

SSH brute‑force and webshell
SSH brute‑force and webshell

The entire operation took 2 hours 35 minutes and cost about US$23 in OpenRouter API usage.

Practice Summary: Efficiency, Limitations, and Cost

Zero dramatically outperforms the author’s manual testing speed—allowing multitasking such as playing games while the bot runs—but the monetary cost of API calls is non‑trivial. In complex environments, the agent reaches only the third subnet in multi‑layer internal networks; domain‑level lateral movement and C2 evasion remain weak.

The most noticeable shortcoming is the inability to interact with graphical user interfaces; the bot cannot navigate web pages or click buttons, resorting to browser‑plugin form‑filling as a workaround. The author suggests multimodal models as the next direction.

Another critical challenge is hallucination and mis‑judgment. Because the agent lacks visual verification, it may treat an HTTP 200 redirect after a failed login as a successful authentication. During exploitation, LLM hallucinations can propagate errors, especially when specialized knowledge (e.g., Samba credentials, JBoss toolchains) or file‑upload interactions are required.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LLMMCP protocolgraph reasoningAI penetration testingautonomous security agentCairnZero bot
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.