Releases: JoasASantos/NeuroSploit
NeuroSploit v3.5.5 — Cloud Testing & REPL polish
NeuroSploit v3.5.5 — Release Notes
Release Date: July 2026
Codename: Cloud Testing, REPL Navigation & Deeper Recon
License: MIT
Credits: Joas A Santos & Red Team Leaders
TL;DR
v3.5.5 adds cloud infrastructure testing (AWS / GCP / Azure) with first-class
credential connection, 27 new agents (17 cloud + 10 misconfig/CVE/PoC/rate-
limit → library 375), a much more capable and navigable REPL (idle
guardrail, multi-target, results browser), deeper recon (downloads & analyzes
JS, request/response differentials, smart nuclei), Burp/ZAP proxy support, a
PoC workspace, a strict data-safety/PII guardrail, and a fix for garbled
interactive line-editing.
Cloud testing
- +17 cloud agents. AWS, GCP and Azure specialists in `agents_md/infra/`: IAM/RBAC privilege escalation, storage exposure (S3 / GCS / Blob), compute & network exposure + IMDS, secrets (Secrets Manager / Secret Manager / Key Vault), service-account & service-principal abuse, and Entra ID enumeration — plus a multi-cloud footprint/identity recon agent. Read-only-first, non-destructive.
- Connect cloud credentials via `creds.yaml` (`aws:`, `gcp:`, `azure:` blocks). The harness exports the right env vars so `aws`/`gcloud`/`az` pick them up automatically, and tells the agents how to authenticate & what to enumerate:
  - AWS — `access_key_id`/`secret_access_key`[/`session_token`]/`region`, or a `profile`.
  - GCP — a service-account JSON (`service_account_json`, path recommended) → `GOOGLE_APPLICATION_CREDENTIALS` + project.
  - Azure — a service principal (`tenant_id`/`client_id`/`client_secret`/`subscription_id`) → `az login --service-principal`.
  - Secrets are never written to disk beyond your `creds.yaml`; inline GCP JSON is materialized to a temp file only to satisfy the SDK/CLI.
REPL — navigation & control
- Idle guardrail — `/timeout <min>`. If no NEW finding lands within the window, the run soft-stops and validates what was found (`/timeout 1` = 1 min, `10` = 10 min, `60` = 1 hour, `0` = off). Default 5 min.
- Multiple targets — `/target url1,url2,url3`. A comma-separated list; `/run` tests them sequentially (a queue auto-advances to the next when the current finishes) — one report per URL.
- `/results` navigation browser (interactive): pick a target/run → pick a vulnerability → see full detail; Esc steps back a level (vuln → target → back to the live session).
- `/report` selection: with multiple runs, choose which report to open from a menu.
- `/chain <n>` (attack-chain depth), `/agents list` (library category counts incl. infra/cloud); `/show` now shows chain-depth, idle-stop and enabled integrations.
- Fix: the interactive prompt no longer embeds ANSI/newline, so line editing (typing, backspace, history, cursor, multiline) is no longer garbled in a real terminal (the readline prompt is plain; color is applied via the highlighter).
Deeper recon & analysis (agent prompts)
- Deterministic HTTP probe (native, `harness::probe`). Before the model recon, the harness performs a real request/response analysis of the target and injects the observed facts into recon so agent-selection and exploitation decisions are grounded in evidence (more robust — works even when the model's recon is weak): status & redirect, `Server`/`X-Powered-By`/content-type, the 6 security headers (present/missing), cookie flags (HttpOnly/Secure/SameSite), CORS reflection test (arbitrary Origin + credentials), tech fingerprint, linked scripts, form count, a 404 baseline for soft-404 differentials, and a few high-signal paths (`/robots.txt`, `/.git/config`, `/.env`, …). Best-effort (never fatal), honors the identifying User-Agent and the Burp/ZAP proxy.
- `RECON_SYS` now crawls pages/params/headers/cookies, downloads the linked JavaScript and analyzes it (API endpoints, hidden params, GraphQL, secrets / keys / tokens, `sourceMappingURL` → recover original source), fingerprints exact stack versions, and does response-differential analysis; richer JSON schema (`js_findings`, `secrets`, `hosts`, …).
- `tool_doctrine` adds JS-analysis (linkfinder / gau / katana + grep for endpoints/secrets/source-maps) and request/response-analysis guidance (status, all headers, Set-Cookie flags, timing/length differentials, auth-vs-anon and valid-vs-invalid comparisons) — applied to both recon and exploitation.
Exploitation depth, safety & Burp
- +10 exploitation agents. Absurd-misconfig hunters (exposed `.git`/`.env`/backups, debug/actuator endpoints, default creds, directory listing, exposed ops dashboards, permissive CORS, verbose errors), a CVE Hunter (fingerprint → correlate → safe PoC), a PoC Developer (writes runnable exploit scripts), and a Rate-Limit / Anti-Automation tester.
- Data-safety / PII guardrail injected into every exploit/chain/host prompt: no modifying, deleting, exfiltrating data or changing state without explicit permission; on PII, prove with a single masked sample + a count — never dump. When unsure an action is safe, don't do it.
- Smart nuclei in recon — fingerprint first, then run nuclei on targeted templates/tags/CVE ids with rate/timeouts (fast, never a blind full scan).
- Burp/ZAP proxy — `/proxy <url>` (or `/burp`, default `:8080`) in the REPL, or the `NEUROSPLOIT_PROXY` env var. Agents route curl through it (`--proxy … -k`) so you can inspect/replay traffic in Burp Suite while the test runs.
- PoC workspace — each run gets a `pocs/` directory (`$NEUROSPLOIT_POCS`); agents save custom, reproducible exploit scripts there and cite them as evidence.
- Tool download (authorized) — agents may `git clone` a specific public PoC/exploit repo or download a scanner when needed (reputable/pinned, reviewed).
- Rate-limit testing is a first-class control check (small non-disruptive burst → look for 429/lockout/Retry-After), never a DoS.
Multi-role auth & access-control testing
- Named identities in `creds.yaml` for IDOR / BOLA / BFLA / privilege-escalation testing. Define two or more roles and the agent authenticates as each and tests cross-role access (control vs unauthorized request):

  ```yaml
  admin:
    jwt: eyJ...            # or header:/cookie:/apikey:/login+username+password
  user:
    apikey: abc123         # → X-Api-Key: abc123
  victim:
    cookie: "session=..."
  ```

  Supported per role: `jwt`, `header` (raw), `cookie`, `apikey`, or a `login`/`username`/`password` self-login. With ≥2 roles the harness injects an access-control directive (capture one role's object IDs/functions, attempt them as another role, prove authorized-vs-denied) under the data-safety guardrail.
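The control-vs-unauthorized check described above, as an added Rust example that is not the harness's own code: one role fetches an object it owns (the control request), the other role attempts the same object, and the access-control flaw is confirmed only when the second role receives the owner's data, not merely a 200. The `/orders/{id}` route, the `X-Api-Key` header mapping for the `apikey` role form, and the in-memory `MockOrdersApi` standing in for a target are all assumptions made for the example; `vulnerable = true` models a server that skips the ownership check.

```rust
use std::collections::HashMap;

/// Result of one cross-role access check.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Outcome {
    Confirmed,    // the other role received the owner's data
    Denied,       // the server refused (401/403/404)
    Inconclusive, // control failed, or a 200 that is not the owner's data
}

/// One named identity from creds.yaml; only the `apikey` form is modelled here.
#[derive(Clone, Debug)]
pub struct Role {
    pub name: &'static str,
    pub apikey: &'static str,
}

/// Constructed stand-in for a target's `GET /orders/{id}` endpoint (hypothetical
/// route). `vulnerable = true` hands any order to any authenticated caller;
/// `false` enforces ownership.
pub struct MockOrdersApi {
    vulnerable: bool,
    keys: HashMap<&'static str, &'static str>,            // X-Api-Key -> user
    orders: HashMap<u32, (&'static str, &'static str)>,  // id -> (owner, JSON body)
}

impl MockOrdersApi {
    pub fn new(vulnerable: bool) -> Self {
        let keys = HashMap::from([("key-alice", "alice"), ("key-bob", "bob")]);
        let orders = HashMap::from([
            (1001, ("alice", r#"{"id":1001,"customer":"alice","total":42}"#)),
            (1002, ("bob", r#"{"id":1002,"customer":"bob","total":17}"#)),
        ]);
        Self { vulnerable, keys, orders }
    }

    /// Returns (status, body) for a request carrying `X-Api-Key: apikey`.
    pub fn get_order(&self, id: u32, apikey: &str) -> (u16, String) {
        let user = match self.keys.get(apikey) {
            Some(u) => *u,
            None => return (401, r#"{"error":"unauthenticated"}"#.to_string()),
        };
        match self.orders.get(&id) {
            None => (404, r#"{"error":"not found"}"#.to_string()),
            Some((owner, body)) if self.vulnerable || *owner == user => (200, body.to_string()),
            Some(_) => (403, r#"{"error":"forbidden"}"#.to_string()),
        }
    }
}

/// Control vs unauthorized request: fetch the object as its owner first, then
/// as the other role, and confirm only when the same data comes back.
pub fn cross_role_idor(api: &MockOrdersApi, control: &Role, other: &Role, id: u32) -> Outcome {
    let (c_status, c_body) = api.get_order(id, control.apikey);
    if c_status != 200 {
        return Outcome::Inconclusive; // the control request must succeed first
    }
    let (o_status, o_body) = api.get_order(id, other.apikey);
    match o_status {
        200 if o_body == c_body => Outcome::Confirmed,
        200 => Outcome::Inconclusive, // some 200 page, but not the owner's data
        401 | 403 | 404 => Outcome::Denied,
        _ => Outcome::Inconclusive,
    }
}

fn main() {
    let alice = Role { name: "alice", apikey: "key-alice" };
    let bob = Role { name: "bob", apikey: "key-bob" };
    for vulnerable in [true, false] {
        let api = MockOrdersApi::new(vulnerable);
        let outcome = cross_role_idor(&api, &alice, &bob, 1001);
        println!("vulnerable={} {} -> {}: {:?}", vulnerable, bob.name, alice.name, outcome);
    }
}
```

Comparing bodies rather than status codes is what keeps a soft-404 or a generic "welcome" page from being reported as an IDOR; the same shape applies to BFLA by swapping the object id for a function endpoint.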
Attribution & identification (anti-plagiarism)
- Identifying User-Agent on every request — default `NeuroSploit/<ver> (authorized security assessment; +github…)`, plus an `X-NeuroSploit-Scan` header. Change it with `/ua <string>` (REPL) or the `NEUROSPLOIT_UA` env var; the run banner shows it.
- Attribution stamped into every finding ("Identified and validated by NeuroSploit — multi-model adversarial validation …") so provenance travels with the finding across the report, `findings.json` and any copy — in the traffic, the finding text, and the report footer, so the work can't be silently re-badged.
Notes
- Additive/back-compatible. Provider count is 14 (Azure OpenAI added in v3.5.2). See the README "Cloud credentials" section for a full `creds.yaml` example.
NeuroSploit v3.5.4 — Robust Attack Chaining & False-Positive Reduction
NeuroSploit v3.5.4 — Release Notes
Release Date: July 2026
Codename: Robust Attack Chaining & False-Positive Reduction
License: MIT
Credits: Joas A Santos & Red Team Leaders
TL;DR
v3.5.4 makes NeuroSploit both deeper and more precise: a real multi-round
post-exploitation attack-chaining engine that expands each foothold in new
directions, plus stronger false-positive controls so what it reports is
trustworthy.
Attack chaining (robust, decision-driven)
Replaces the old single-shot chainer with attack_chain() — an iterative,
per-foothold pivot engine:
- Per-foothold decisions. Each round takes the newest confirmed footholds (best-first, capped per round) and, for each one, an agent decides which directions to expand and proves new impact: post-exploitation (loot creds/keys/config/source), credential reuse, privilege escalation (horizontal & vertical), lateral movement to adjacent services/hosts, data exfiltration, and new attack surface the foothold exposes.
- Loot carried forward. Credentials/tokens/hosts/endpoints discovered in one round are passed to later rounds and reused (agent returns `{"findings":[...],"loot":[...]}`), so the engine genuinely pivots in new directions instead of re-testing the same spot.
- No pivoting off false positives. Each round's new findings are validated before they become the next round's footholds.
- Convergence. Runs up to `chain_depth` rounds or stops when a round finds nothing new (loop-until-dry).
- Control. New `RunConfig.chain_depth` (default 2) and a `--chain-depth` flag on every engagement command (`0` disables).
False-positive reduction
- Robust verdict parsing (`pool::parse_verdict`) — whitespace-insensitive, checks explicit rejection first, counts only explicit confirmations; ambiguous replies are not counted as confirmed. Replaces the fragile exact-JSON / loose-`yes` matching.
- Severity-aware quorum (`pool::quorum_confirmed`) — High/Critical now need ≥2 validators AND ≥2/3 agreement (a single vote can no longer confirm a Critical); lower severities need a strict majority. Single-model panels fall back to majority so they aren't nuked.
- Adversarial refute pass — every confirmed High/Critical is re-examined by a skeptical panel that assumes false-positive; findings that can't withstand a majority of skeptics are dropped.
- Stronger validator prompt with an explicit false-positive checklist (reflected-not-executed, version/banner guesses, self-XSS, error-as-injection, thin evidence, inflated severity).
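The three rules above (verdict parsing, severity-aware quorum, refute pass), as an added Rust example rather than the project's `pool` module, whose code is not on this page. Rejection markers are matched before confirmation markers so a reply like "confirmed? no, false positive" can never count as a confirmation; the quorum requires at least two validators and two-thirds agreement for High/Critical, a strict majority otherwise, and a one-model panel falls back to that single vote. The marker strings and the reading of "can't withstand a majority of skeptics" as "a strict majority of skeptics rejects" are assumptions.

```rust
/// Severity buckets used by the quorum rule.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Severity { Info, Low, Medium, High, Critical }

/// Outcome of parsing one validator reply.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Verdict { Confirmed, Rejected, Ambiguous }

/// Whitespace-insensitive parse of a validator reply. Rejection is checked
/// FIRST; only an explicit confirmation marker counts; anything else is
/// Ambiguous. The marker strings below are an assumed reply format.
pub fn parse_verdict(reply: &str) -> Verdict {
    // Normalise: strip all whitespace and lowercase, so `"verdict" : "CONFIRMED"`
    // and `verdict:confirmed` compare equal.
    let norm: String = reply
        .chars()
        .filter(|c| !c.is_whitespace())
        .flat_map(char::to_lowercase)
        .collect();
    const REJECT: &[&str] = &[
        "\"verdict\":\"rejected\"", "verdict:rejected", "falsepositive", "notconfirmed",
    ];
    const CONFIRM: &[&str] = &["\"verdict\":\"confirmed\"", "verdict:confirmed"];
    if REJECT.iter().any(|m| norm.contains(*m)) {
        return Verdict::Rejected;
    }
    if CONFIRM.iter().any(|m| norm.contains(*m)) {
        return Verdict::Confirmed;
    }
    Verdict::Ambiguous
}

/// Severity-aware quorum over a panel's verdicts. Ambiguous replies stay in
/// the denominator, so they count against confirmation.
pub fn quorum_confirmed(severity: Severity, verdicts: &[Verdict]) -> bool {
    let n = verdicts.len();
    let yes = verdicts.iter().filter(|v| **v == Verdict::Confirmed).count();
    if n == 0 {
        return false;
    }
    if n == 1 {
        return yes == 1; // single-model panel: fall back to its one vote
    }
    match severity {
        // ≥2 validators AND ≥2/3 agreement
        Severity::High | Severity::Critical => yes >= 2 && yes * 3 >= n * 2,
        // strict majority
        _ => yes * 2 > n,
    }
}

/// Adversarial refute pass: a confirmed High/Critical is dropped when a strict
/// majority of the skeptical panel rejects it.
pub fn survives_refute(skeptic_verdicts: &[Verdict]) -> bool {
    let n = skeptic_verdicts.len();
    let rejected = skeptic_verdicts.iter().filter(|v| **v == Verdict::Rejected).count();
    rejected * 2 <= n
}

fn main() {
    // Constructed replies from a three-validator panel.
    let replies = [
        "{ \"verdict\" : \"CONFIRMED\", \"reason\": \"payload echoed unescaped\" }",
        "Verdict: confirmed? No - this is a false positive, the value is HTML-encoded.",
        "It might be exploitable, but I could not reproduce it.",
    ];
    let verdicts: Vec<Verdict> = replies.iter().map(|r| parse_verdict(r)).collect();
    println!("{:?} -> Critical confirmed: {}", verdicts, quorum_confirmed(Severity::Critical, &verdicts));
}
```

With the constructed panel above the votes parse to Confirmed, Rejected, Ambiguous, which the old loose-`yes` matcher would have read as two confirmations; under the new rule a Critical with one clean confirmation out of three is not confirmed.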
Notes
- Additive and back-compatible; defaults keep behavior sensible if you change
nothing. Unit tests cover verdict parsing, quorum, and report-hygiene logic.
NeuroSploit v3.5.3 — Integrations (GitHub · GitLab · Jira)
NeuroSploit v3.5.3 — Release Notes
Release Date: June 2026
Codename: Integrations (GitHub · GitLab · Jira)
License: MIT
Credits: Joas A Santos & Red Team Leaders
TL;DR
v3.5.3 plugs NeuroSploit into your SDLC: review private GitHub/GitLab repos
and Pull Requests, watch a branch and re-review on every commit, and open
a Jira card per finding — all toggleable via a new /integrations command.
Highlights
- GitHub integration
  - Private repos: when enabled, `whitebox`/`greybox --repo`/`tui --repo` inject your `GITHUB_TOKEN` into the clone URL (token never printed/stored).
  - `neurosploit pr <owner/repo> <number>` — clones the PR head (`refs/pull/N/head`), runs a white-box review, optionally posts a summary comment back on the PR (`--comment`) and/or opens Jira cards (`--jira`).
  - `neurosploit watch <owner/repo> --branch <b> --interval <s>` — polls the branch and runs a white-box review each time a new commit lands.
- GitLab integration — private clone (token-injected) for `whitebox`/`greybox` against `gitlab.com` or a self-hosted base.
- Jira integration — `--jira` on any engagement (or `pr`/`watch`) opens one card per finding (summary, severity, CVSS, CWE, location, PoC, evidence, remediation) in your project via the Jira REST API.
- `/integrations` (REPL) + `neurosploit integrations` (CLI) — `show`, `enable`/`disable <github|gitlab|jira>`, and `setup <jira|gitlab|github>` (interactive). Config persists to `<project>/.neurosploit/integrations.json`. Secrets are never stored — only the env-var name is saved; values come from the environment at use time.
- New harness module `integrations` + app commands `pr`/`watch`/`integrations`, plus a `--jira` flag on `run`/`whitebox`.
Setup
Step-by-step for tokens, scopes and configuration is in
TUTORIAL-INTEGRATION.md and summarized in the README.
Notes
- Additive and back-compatible: all existing modes/flags are unchanged; if no integration is enabled the behavior is identical to v3.5.2.
- Tokens use env vars: `GITHUB_TOKEN`, `GITLAB_TOKEN`, `JIRA_EMAIL` + `JIRA_API_TOKEN` (names configurable per integration).
NeuroSploit v3.5.2 — Exploitation Depth & Report Hygiene
NeuroSploit v3.5.2 — Release Notes
Release Date: June 2026
Codename: Exploitation Depth & Report Hygiene
License: MIT
Credits: Joas A Santos & Red Team Leaders
TL;DR
v3.5.2 hard-codes the discipline that separates a great pentest from a noisy
one — distilled from reviewing real AI-pentest output that kept stopping at
"exposed" instead of "exploited". The engine now pushes every exposure to
demonstrated impact, chains findings, decodes/fingerprints artifacts and
correlates CVEs, audits tokens, and keeps the final report honest (deduplicated
and severity-calibrated).
Highlights
- DEPTH doctrine (exploit, don't just expose). A new doctrine is injected into every exploitation prompt (black/grey/chain): any info-disclosure, exposed service/catalog/WSDL, leaked credential/token, or reachable dev host must be USED before it can be a finding — call it, decode it, log in, hit the dev host. If it was only observed, it's reported as a lead, not a confirmed High/Critical.
- Finding chaining. Reuse any session/JWT/cookie/credential obtained in one step across all other modules; pivot access into IDOR/privesc/exfil and report the chain, not isolated parts (e.g. captcha-bypass → admin JWT → authenticated surface; enum + no-rate-limit → password spraying).
- Decode & fingerprint → CVE. Decode opaque tokens/paths (base64/JSON/marshal) and pin exact library/gem/plugin/CMS versions, then correlate to known CVEs and attempt a safe PoC.
- Token auditor. JWT alg-confusion (RS→HS), `alg:none`, kid/jku injection, real signature verification, weak HS256 secret cracking, and token lifecycle (logout/expiry/refresh).
- Report-hygiene & depth pass (deterministic, in the harness). After validation the run now:
  - calibrates severity to proven impact — an unproven High/Critical (hedged language, no payload, thin evidence) is capped to Medium and re-titled "(potential)";
  - flags "exposed → exploited" gaps — exposures on a host with no actual exploit get an advisory to go use them;
  - advises consolidating hygiene classes (headers/cookies/TLS/HSTS/clickjacking/disclosure) repeated across many assets into ONE finding with an affected-asset table, instead of inflating the count one-per-host.
- 5 new doctrine meta-agents (`agents_md/meta/`): `exploit_depth_doctrine`, `finding_chainer`, `artifact_decoder`, `token_auditor`, `report_calibrator` (meta agents 17 → 22; total library 343 → 348).
- Source from a GitHub URL. `whitebox`/`greybox --repo` (and the REPL `/repo`) now accept a git URL (`https://github.com/owner/repo[.git]`) or an `owner/repo` shorthand — the repo is cloned (shallow) into `<base>/repos/` and reviewed automatically, no manual `git clone` needed:

  ```
  neurosploit whitebox https://github.com/digininja/DVWA \
    --subscription --model anthropic:claude-opus-4-8 -v
  ```

- Azure OpenAI provider (resolves #21). OpenAI-compatible: set `AZURE_OPENAI_ENDPOINT` (+ optional `AZURE_OPENAI_API_VERSION`, default `2024-10-21`) and `AZURE_OPENAI_API_KEY`, then `--model azure:<deployment>` (the model name is your Azure deployment name; auth via the `api-key` header).
- `GOOGLE_API_KEY` alias for Gemini (resolves #25 confusion). Gemini's API path reads `GEMINI_API_KEY`, and now also accepts `GOOGLE_API_KEY` (Google's standard env var) when the former is unset. Local providers (ollama/litellm) still need no key at all.
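The deterministic report-hygiene pass, as an added Rust example that is not the project's `harness::hygiene` module: `calibrate` caps an unproven High/Critical (hedged evidence, no payload, thin evidence) to Medium and re-titles it "(potential)", and `consolidate` merges findings that share a hygiene class across hosts into one finding carrying the affected-asset list. The release notes say the pass *advises* consolidation; this example applies it. The hedge-word list, the 40-character "thin evidence" threshold, the `Finding` shape and the sample findings are all assumptions constructed for the example.

```rust
use std::collections::BTreeMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Info, Low, Medium, High, Critical }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Finding {
    pub title: String,
    pub severity: Severity,
    pub host: String,
    pub payload: Option<String>,             // request/payload that demonstrated it
    pub evidence: String,                    // response excerpt
    pub hygiene_class: Option<&'static str>, // "headers", "cookies", "tls", ... or None
    pub affected: Vec<String>,               // filled by consolidate()
}

/// Hedged wording treated as a sign the claim is unproven (assumed list).
const HEDGES: &[&str] = &["might", "could", "possibly", "may be", "appears to", "likely"];
/// Evidence shorter than this is "thin" (threshold is an assumption).
const MIN_EVIDENCE_LEN: usize = 40;

/// Severity calibration: an unproven High/Critical is capped to Medium and
/// re-titled "(potential)". Nothing is dropped or invented.
pub fn calibrate(mut f: Finding) -> Finding {
    let text = f.evidence.to_ascii_lowercase();
    let hedged = HEDGES.iter().any(|h| text.contains(*h));
    let unproven = hedged || f.payload.is_none() || f.evidence.trim().len() < MIN_EVIDENCE_LEN;
    if f.severity >= Severity::High && unproven {
        f.severity = Severity::Medium;
        if !f.title.ends_with("(potential)") {
            f.title.push_str(" (potential)");
        }
    }
    f
}

/// Consolidation: findings that share a hygiene class become one finding per
/// class with every affected host listed, instead of one finding per host.
pub fn consolidate(findings: Vec<Finding>) -> Vec<Finding> {
    let mut out = Vec::new();
    let mut merged: BTreeMap<&'static str, Finding> = BTreeMap::new();
    for f in findings {
        let class = f.hygiene_class;
        match class {
            None => out.push(f),
            Some(class) => {
                let entry = merged.entry(class).or_insert_with(|| Finding {
                    host: "multiple".to_string(),
                    affected: Vec::new(),
                    ..f.clone()
                });
                if !entry.affected.contains(&f.host) {
                    entry.affected.push(f.host.clone());
                }
            }
        }
    }
    out.extend(merged.into_values());
    out
}

/// The full pass: calibrate every finding, then consolidate.
pub fn hygiene_pass(findings: Vec<Finding>) -> Vec<Finding> {
    consolidate(findings.into_iter().map(calibrate).collect())
}

/// Constructed sample: one hedged Critical, one proven High, and the same
/// header-hygiene finding repeated on three hosts.
pub fn sample_findings() -> Vec<Finding> {
    let mk = |title: &str, severity: Severity, host: &str, payload: Option<&str>, evidence: &str, class| Finding {
        title: title.to_string(),
        severity,
        host: host.to_string(),
        payload: payload.map(String::from),
        evidence: evidence.to_string(),
        hygiene_class: class,
        affected: Vec::new(),
    };
    let hdr = "No CSP, HSTS or X-Frame-Options header in the response";
    vec![
        mk("Blind SQLi in /login", Severity::Critical, "a.example", None,
           "Response time might indicate blind injection", None),
        mk("SQLi in /search", Severity::High, "a.example", Some("q=1'"),
           "MySQL error: You have an error in your SQL syntax; check the manual near '''", None),
        mk("Missing security headers", Severity::Low, "a.example", None, hdr, Some("headers")),
        mk("Missing security headers", Severity::Low, "b.example", None, hdr, Some("headers")),
        mk("Missing security headers", Severity::Low, "c.example", None, hdr, Some("headers")),
    ]
}

fn main() {
    for f in hygiene_pass(sample_findings()) {
        println!("{:?} {} [{}] affected={:?}", f.severity, f.title, f.host, f.affected);
    }
}
```

On the sample the hedged Critical becomes "Blind SQLi in /login (potential)" at Medium, the proven High is untouched, and the three header findings collapse into one entry listing `a.example`, `b.example`, `c.example`.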
Notes
- Pure-additive and back-compatible: existing modes, REPL, TUI, pause/continue, crash-recovery and reports are unchanged. The hygiene pass only annotates and down-calibrates unproven severities — it never invents or drops findings.
- New unit tests cover the calibration and depth-audit logic (`harness::hygiene`).
NeuroSploit v3.5.1
NeuroSploit v3.5.1 — Release Notes
Release Date: June 2026
Codename: Interactive POMDP Harness
License: MIT
Credits: Joas A Santos & Red Team Leaders
TL;DR
The 3.5.x line turns the Rust harness into a full interactive REPL (Claude
Code / Codex / Cursor-CLI style) on top of the multi-model engine: pick models
with arrow-keys, configure API keys per provider, set target/repo/auth/creds and
free-text instructions that steer the agents, then /run engagements in the
background while you keep typing. v3.5.1 adds a POMDP belief spine with
anti-hallucination grounding ("no claim without a tool receipt"), infra/host
testing (IP + SSH + Windows/AD) with Linux/Windows/AD agents, attack-chain
agents, a Mission-Control TUI, structured Typst reports, and resilient
run control (live checkpointing, pause-on-quota, instant stop).
Highlights
- Interactive REPL (`neurosploit` with no subcommand): real line editing (history ↑/↓, Ctrl-A/E/K, multiline), Tab-completion of `/commands` and `@filesystem-paths` (Claude-Code-style file menu), arrow-key model multi-select, per-provider API-key config, and a live context bar (model · cwd · mode▸target).
- Engagement modes: black-box (`run`), white-box SAST (`whitebox`, set `/repo`), grey-box (`greybox`, `/repo` + `/target`), host/infra (`/target <ip>` + `/creds` for SSH / Windows / AD), plus the TUI dashboard.
- POMDP belief state (`belief.rs`, `pomdp.rs`): a property-graph with probabilities + Bayesian update + Shannon-entropy uncertainty, a value-of-information planner, and a grounding gate (`grounding.rs`, `may_assert`) — findings must carry an empirical/symbolic tool receipt.
- Infra / credentials (`creds.rs`): multi-block YAML (jwt/header/cookie, HTTP login, SSH, Windows/AD); real automated login; Linux/Windows/AD agents.
- Attack-chain agents: sqli→rce→lpe, ssrf→aws, upload→lfi→rce, and more — injected as chain recipes during exploitation.
- App-stack & CVE hunting: IIS/.NET (tilde shortname, WebDAV, ViewState), CMS (WordPress/Joomla/Drupal), app-server consoles, known-CVE exploitation.
- 13 providers incl. LiteLLM proxy and Gemini/xAI alongside the existing OpenAI-compatible set; subscription mode drives local agentic CLIs (claude/codex/gemini/grok) via stream-json.
- Mission-Control TUI (`ratatui`): concurrent activity/findings/targets panels with a non-blocking composer active during the run.
- Structured Typst report: executive summary, vulnerability-summary table, and per-finding sections (criticality, CVSS, OWASP/CWE, PoC, evidence, remediation) + an attack-graph / kill-chain mapping (OWASP/CWE/MITRE).
- Per-project persistence (`.neurosploit/`, no database): `session.json`, `runs.json`, `history.txt` — resumes automatically on reopen.
Run control (new in 3.5.1)
- Background `/run` with a live progress bar, severity-colored findings, and the full `file://` report URL on completion/stop.
- 3-way `/stop`: [1] validate findings so far → report · [2] raw report now without validating · [3] discard. Raw/discard abort in-flight agents immediately (running CLI children are killed via `kill_on_drop`); validate soft-stops so the validator still runs.
- Crash/quit recovery: every finding is checkpointed live to `.neurosploit/active_run.json`; an interrupted run is recovered into `/runs` on the next launch, so `/results`, `/finding` and `/report` keep working.
- Pause-on-exhaustion: when all models are rate-limited / out of quota the run parks (state kept) and prints `⏸ token/quota exhausted … PAUSED`. Resume with `/continue` when your quota renews, or switch with `/model <provider:model>` (or the `/model` selector) then `/continue`.
- Inspection: `/results` (live findings), `/finding` (pick one → full command + PoC + evidence), `/expand` / Ctrl-O (full untruncated commands), `/status`, `/diff`, `/retest`.
Usage
```sh
cd neurosploit-rs && cargo build --release
./target/release/neurosploit                                              # interactive REPL
./target/release/neurosploit run http://target -v --model anthropic:claude-opus-4-8
./target/release/neurosploit whitebox --repo /path/to/code                # white-box SAST
./target/release/neurosploit greybox --repo /path --target http://target  # grey-box
./target/release/neurosploit run <ip> --creds creds.yaml                  # host / infra
./target/release/neurosploit tui http://target --subscription --mcp
```

Cross-platform install (Linux / macOS / Windows, x64 + arm64) via setup.sh and install.ps1. See README.md and TUTORIAL.md for the full walkthrough.
NeuroSploit v3.2.2 - Full LLM Pentest Mode
Full LLM Pentest Mode
New feature where the LLM drives the entire penetration test cycle autonomously — like a human pentester using Burp Suite / curl.
How it works
- User enters target URL in the Full LLM Pentest page
- The LLM receives the full methodology prompt + target
- LLM plans HTTP requests (up to 10 per round)
- System executes those requests and returns real responses
- LLM analyzes responses, identifies vulnerabilities, adapts strategy
- Repeat for up to 30 rounds across 4 phases
Phases
- AI Recon (0-25%) — Technology fingerprinting, endpoint discovery, attack surface mapping
- AI Testing (25-70%) — SQLi, XSS, LFI, Command Injection, SSRF, CSRF, IDOR, and more
- Post-Exploitation (70-85%) — Vulnerability chaining, data extraction, privilege escalation
- Report (85-100%) — Professional pentest report generation
Key Features
- Anti-hallucination: Findings without real response evidence are automatically rejected
- Full validation pipeline: All findings go through ValidationJudge (negative controls + proof of execution + confidence scoring)
- Methodology injection: 118KB comprehensive pentest methodology (OWASP WSTG, PTES) injected into AI context
- No Kali sandbox required: Uses system HTTP client directly
- Any LLM provider: Works with Claude, GPT, Gemini, Ollama, LMStudio via SmartRouter
Files Changed
- `backend/core/autonomous_agent.py` — New `_run_full_llm_pentest()` + helpers (+454 lines)
- `backend/core/vuln_engine/ai_prompts.py` — 3 new prompt functions (+219 lines)
- `backend/api/v1/agent.py` — New `FULL_LLM_PENTEST` mode
- `frontend/src/pages/FullIATestingPage.tsx` — Updated UI for LLM-driven phases
NeuroSploit v3.2.1 - AI-Everywhere Auto Pentest
NeuroSploit v3.2.1
🤖 AI-Everywhere Auto Pentest
- Pre-stream AI Master Plan: Strategic AI planning runs before parallel streams, producing target profile, priority vulns, recon guidance, and tool recommendations shared across all 3 streams
- Stream 1 AI Recon Analysis: AI analyzes discovered endpoints for hidden surfaces, priority routing, and attack chain identification
- Stream 2 AI Payload Generation: Context-aware AI-generated payloads replace hardcoded 3-payload approach, using master plan context, WAF info, and tech stack
- Stream 3 AI Tool Analysis: AI classifies raw tool stdout/stderr into real findings vs noise, queues follow-up test endpoints
🧠 LLM-as-VulnEngine: AI Deep Testing
- New `_ai_deep_test()` iterative loop: OBSERVE → PLAN → EXECUTE → ANALYZE → ADAPT (3 iterations max)
- AI-first for top 15 injection types with hardcoded fallback
- Per-endpoint AI testing with rich context (baseline, WAF, playbook, RAG, memory)
- Anti-hallucination: all findings through ValidationJudge pipeline
- Token budget adaptive: 15 calls normal, 5 when <50k tokens remain
🐛 Critical Container Fix
- Root cause: `ENTRYPOINT ["/bin/bash", "-c"]` in Dockerfile conflicted with `command="sleep infinity"` → container exited immediately → all tools showed exit -1, 0.0s, 0 findings
- Fix: Changed to `CMD ["bash"]` — all Kali sandbox tools (nuclei, naabu, etc.) now work correctly
🔍 Deep Recon Overhaul
- JS analysis: 10→30 files, 11 regex patterns, source map (.map) parsing, parameter extraction
- Sitemaps: recursive index following (depth 3), 8 candidates, 500 URL cap
- API discovery: 7→20 Swagger/OpenAPI paths, 1→6 GraphQL paths, request body schema extraction
- 9 framework detectors: WordPress (16 paths), Laravel, Django, Spring Boot, Express, ASP.NET, Rails, Next.js, Flask
- 40+ hidden/sensitive paths checked (.env, .git, /actuator, /debug, /metrics, etc.)
- API pattern fuzzing: infers endpoints from discovered patterns (37 common resources × CRUD variants)
- HTTP method discovery via OPTIONS probing
- URL normalization and deduplication
🎨 Frontend Improvements
- Elapsed time now works for completed scans (computed from started_at → completed_at)
- Container telemetry: exit -1 shows "ERR" (yellow), duration shows "N/A" on container failure
- Professional HTML report: cover page, risk gauge, severity breakdown, table of contents, per-finding cards with evidence/PoC/confidence, print-friendly CSS
📊 Stats
- +4,290 lines across 12 files
- 4 new AI prompt builders: master_plan, junior_ai_test, tool_analysis, recon_analysis
- 3 new deep recon methods: framework discovery, API fuzzing, method probing
- Bug bounty training datasets included
Installation
```sh
git clone https://github.com/CyberSecurityUP/NeuroSploit.git
cd NeuroSploit
pip install -r requirements.txt
# Rebuild Kali sandbox image (IMPORTANT for container fix):
docker build -f docker/Dockerfile.kali -t neurosploit-kali:latest docker/
```

Full Changelog: v3.2...v3.2.1
NeuroSploit v3.0.0
NeuroSploit v3.0.0 — Release Notes
Release Date: February 2026
Codename: Autonomous Pentester
License: MIT
Overview
NeuroSploit v3 is a ground-up overhaul of the AI-powered penetration testing platform. This release transforms the tool from a scanner into an autonomous pentesting agent — capable of reasoning, adapting strategy in real-time, chaining exploits, validating findings with anti-hallucination safeguards, and executing tools inside isolated Kali Linux containers.
By the Numbers
| Metric | Count |
|---|---|
| Vulnerability types supported | 100 |
| Payload libraries | 107 |
| Total payloads | 477+ |
| Kali sandbox tools | 55 |
| Backend core modules | 63 Python files |
| Backend core code | 37,546 lines |
| Autonomous agent | 7,592 lines |
| AI decision prompts | 100 (per-vuln-type) |
| Anti-hallucination prompts | 12 composable templates |
| Proof-of-execution rules | 100 (per-vuln-type) |
| Known CVE signatures | 400 |
| EOL version checks | 19 |
| WAF signatures | 16 |
| WAF bypass techniques | 12 |
| Exploit chain rules | 10+ |
| Frontend pages | 14 |
| API endpoints | 111+ |
| LLM providers supported | 6 |
Architecture
```
                    +---------------------+
                    |  React/TypeScript   |
                    |   Frontend (14p)    |
                    +----------+----------+
                               |
                      WebSocket + REST
                               |
                    +----------v----------+
                    |   FastAPI Backend   |
                    |   14 API routers    |
                    +----------+----------+
                               |
         +---------+--------+--------+---------+
         |         |        |        |         |
    +----v---+ +---v----+ +v------+ +v------+ +v--------+
    |  LLM   | |  Vuln  | | Agent | | Kali  | | Report  |
    | Manager| | Engine | | Core  | |Sandbox| | Engine  |
    | 6 provs| | 100typ | |7592 ln| | 55 tl | | 2 fmts  |
    +--------+ +--------+ +-------+ +-------+ +---------+
```
Stack: Python 3.10+ / FastAPI / SQLAlchemy (async) / React 18 / TypeScript / Tailwind CSS / Vite / Docker
Core Engine: 100 Vulnerability Types
The vulnerability engine covers 100 distinct vulnerability types organized in 10 categories with dedicated testers, payloads, AI prompts, and proof-of-execution rules for each.
Categories & Types
| Category | Types | Examples |
|---|---|---|
| Injection | 12 | SQLi (error, union, blind, time-based), Command Injection, SSTI, NoSQL, LDAP, XPath, Expression Language, HTTP Parameter Pollution |
| XSS | 3 | Reflected, Stored (two-phase form+display), DOM-based |
| Authentication | 7 | Auth Bypass, JWT Manipulation, Session Fixation, Weak Password, Default Credentials, 2FA Bypass, OAuth Misconfig |
| Authorization | 5 | IDOR, BOLA, BFLA, Privilege Escalation, Mass Assignment, Forced Browsing |
| Client-Side | 9 | CORS, Clickjacking, Open Redirect, DOM Clobbering, PostMessage, WebSocket Hijack, Prototype Pollution, CSS Injection, Tabnabbing |
| File Access | 5 | LFI, RFI, Path Traversal, XXE, File Upload |
| Request Forgery | 3 | SSRF, SSRF Cloud (AWS/GCP/Azure metadata), CSRF |
| Infrastructure | 7 | Security Headers, SSL/TLS, HTTP Methods, Directory Listing, Debug Mode, Exposed Admin, Exposed API Docs, Insecure Cookies |
| Advanced | 9 | Race Condition, Business Logic, Rate Limit Bypass, Type Juggling, Timing Attack, Host Header Injection, HTTP Smuggling, Cache Poisoning, CRLF |
| Data Exposure | 6 | Sensitive Data, Information Disclosure, API Key Exposure, Source Code Disclosure, Backup Files, Version Disclosure |
| Cloud & Supply Chain | 6 | S3 Misconfig, Cloud Metadata, Subdomain Takeover, Vulnerable Dependency, Container Escape, Serverless Misconfig |
Injection Routing
Every vulnerability type is routed to the correct injection point:
- Parameter injection (default): SQLi, XSS, IDOR, SSRF, etc.
- Header injection: CRLF, Host Header, HTTP Smuggling
- Body injection: XXE
- Path injection: Path Traversal, LFI
- Both (param + path): LFI, directory traversal variants
XSS Pipeline (Reflected)
The reflected XSS engine is a multi-stage pipeline:
- Canary probe — unique marker per endpoint+param to detect reflection
- Context analysis — 8 contexts: html_body, attribute_value, script_string, script_block, html_comment, url_context, style_context, event_handler
- Filter detection — batch probe to map allowed/blocked chars, tags, events
- AI payload generation — LLM generates context-aware bypass payloads
- Escalation payloads — WAF/encoding bypass variants
- Testing — up to 30 payloads per param with per-payload dedup
- Browser validation — Playwright popup/cookie/DOM/event verification (optional)
POST Form Support
- HTML forms detected during recon with method, action, all input fields (including `<select>`, `<textarea>`, hidden fields)
- POST form testing includes all form fields (CSRF tokens, hidden inputs) — not just the parameter under test
- Redirect following for POST responses (search forms that redirect to results)
- Full HTTP method support: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
Autonomous Agent Architecture
3-Stream Parallel Auto-Pentest
The agent runs 3 concurrent streams via asyncio.gather():
```
Stream 1: Recon          Stream 2: Junior Tester       Stream 3: Tool Runner
- Crawl target           - Immediate target test       - Nuclei + Naabu
- Extract forms          - Consume endpoint queue      - AI-selected tools
- JS analysis            - 3 payloads/endpoint         - Dynamic install
- Deep fingerprint       - AI-prioritized types        - Process findings
- Push to queue          - Skip tested types           - Feed back to recon
        |                        |                            |
        +------------------------+----------------------------+
                                 |
                      Deep Analysis (50-75%)
                      Researcher AI (75%)  ← NEW
                      Finalization (75-100%)
```
Reasoning Engine (ReACT)
AI reasoning at strategic checkpoints (50%, 75%):
- Think: analyze situation, available data, findings so far
- Plan: recommend next actions, prioritize vuln types
- Reflect: evaluate results, adjust strategy
Token budget tracking with graceful degradation:
- 0-60% budget: full AI (reasoning + verification + enhancement)
- 60-80%: reduced (skip enhancement)
- 80-95%: minimal (verification only)
- 95%+: technical only (no AI calls)
Strategy Adaptation
- Dead endpoint detection: skip after 5+ consecutive errors
- Diminishing returns: reduce testing on low-yield endpoints
- Priority recomputation: re-rank vuln types based on results
- Pattern propagation: IDOR on `/users/1` automatically queues `/orders/1`, `/accounts/1`
- Checkpoint refinement: at 30%/60%/90% refine attack strategy
Exploit Chaining
10+ chain rules for multi-step attack paths:
- SSRF -> Internal service access -> Data extraction
- SQLi -> Database-specific escalation (MySQL, PostgreSQL, MSSQL)
- XSS -> Session hijacking -> Account takeover
- LFI -> Source code disclosure -> Credential extraction
- Auth bypass -> Privilege escalation -> Admin access
AI-driven chain discovery during finalization phase.
Validation & Anti-Hallucination Pipeline
4-Layer Verification
Every finding passes through 4 independent verification layers before confirmation:
```
Finding Signal
      |
      v
[1] Negative Controls — Send benign/empty probes. Same response = false positive (-60 penalty)
      |
      v
[2] Proof of Execution — Per-vuln-type proof checks (25+ methods). XSS: context analyzer.
      |                   SSRF: metadata markers. SQLi: DB error patterns. Score 0-60.
      v
[3] AI Interpretation — LLM analyzes with anti-hallucination system prompt + per-type
      |                 proof requirements. Speculative language rejected.
      v
[4] Confidence Scorer — Numeric 0-100 score. >=90 confirmed, >=60 likely, <60 rejected.
      |
      v
ValidationJudge (sole authority for finding approval)
```
Anti-Hallucination System Prompts
12 composable anti-hallucination prompt templates injected into all 17 LLM call sites:
| Prompt | Purpose |
|---|---|
| `anti_hallucination` | Core: never claim vuln without concrete proof |
| `anti_scanner` | Don't behave like a scanner — reason like a pentester |
| `negative_controls` | Explain control test methodology |
| `think_like_pentester` | Manual testing mindset |
| `proof_of_execution` | What constitutes real proof per vuln type |
| `frontend_backend_correlation` | Don't confuse client-side vs server-side |
| `multi_phase_tests` | Two-phase testing (submit + verify) |
| `final_judgment` | Conservative final decision framework |
| `confidence_score` | Numeric scoring calibration |
| `anti_severity_inflation` | Don't inflate severity |
| `operational_humility` | Acknowledge uncertainty |
| `access_control_intelligence` | Data comparison, not status code diff |
100 per-vuln-type proof requirements (e.g., SSRF requires metadata content, not just status diff).
Cross-Validation
- `_cross_validate_ai_claim()` — independent check for XSS, SQLi, SSRF, IDOR, open redirect, CRLF, XXE, NoSQL
- `_evidence_in_response()` — verify AI claim matches actual HTTP response
- Speculative language rejection ("might be", "could be", "possibly")
- Default `False` — findings rejected unless positively proven
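As an added illustration (not NeuroSploit's own code), a minimal Python version of the 4-layer pipeline and the cross-validation checks above, run over constructed responses. The -60 negative-control penalty, the 0-60 proof range and the 90/60 verdict thresholds come from the notes; the proof markers, the 40 points given to the AI layer and the 30-points-per-marker weighting are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Thresholds taken from the pipeline description above.
NEGATIVE_CONTROL_PENALTY = 60        # same response to a benign probe
SPECULATIVE = re.compile(r"\b(might be|could be|possibly|may be)\b", re.I)

# Hypothetical per-type proof markers, constructed for this example only.
PROOF_MARKERS = {
    "sqli": [r"error in your SQL syntax", r"pg_query\(\)", r"ORA-\d{5}"],
    "ssrf": [r"ami-id", r"instance-id", r"iam/security-credentials"],
    "xss": [r"<script>alert\(1\)</script>"],
}

@dataclass
class Finding:
    vuln_type: str
    payload_response: str   # body returned for the test payload
    control_response: str   # body returned for the benign/empty probe
    ai_claim: str           # the LLM's interpretation of the result
    ai_evidence: str = ""   # snippet the LLM cites as proof

def negative_control(f: Finding) -> int:
    """Layer 1: an identical response to the benign probe is a false positive."""
    return -NEGATIVE_CONTROL_PENALTY if f.payload_response == f.control_response else 0

def proof_of_execution(f: Finding) -> int:
    """Layer 2: 30 points per matching proof marker (assumed weight), capped at 60."""
    hits = sum(1 for m in PROOF_MARKERS.get(f.vuln_type, []) if re.search(m, f.payload_response))
    return min(60, 30 * hits)

def ai_interpretation(f: Finding):
    """Layer 3: None (hard reject) for speculative wording or evidence not in the response."""
    if SPECULATIVE.search(f.ai_claim):
        return None
    if f.ai_evidence and f.ai_evidence not in f.payload_response:
        return None               # _evidence_in_response-style check
    return 40                     # assumed contribution of a grounded AI claim

def confidence(f: Finding) -> tuple[int, str]:
    """Layer 4: 0-100 score and verdict; anything not positively proven is rejected."""
    ai = ai_interpretation(f)
    if ai is None:
        return 0, "rejected"
    score = max(0, min(100, proof_of_execution(f) + ai + negative_control(f)))
    verdict = "confirmed" if score >= 90 else "likely" if score >= 60 else "rejected"
    return score, verdict
```

An SSRF result that returns instance-metadata content only for the payload scores 100 (confirmed), while the same body for payload and benign probe, or a claim worded "might be injectable", is rejected regardless of the other layers.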
Access Control Intelligence
- BOLA/BFLA/IDOR use ...
NeuroSploitv2 - v1.2.0
📘 Summary of Changes
The README has been updated with the following improvements and additions compared to the previous version (v2.2):
🆕 New or Expanded Sections
- Adaptive AI Mode described with more detail in workflow and features.
- 3 Execution Modes (CLI, Interactive, Experience/Wizard) clearly outlined with examples.
- Consolidated Recon & Context-Based Analysis sections expanded, explaining how reconnaissance outputs are merged and reused without redundant tool runs.
- LLM Providers & Profiles documentation expanded — listing support for multiple providers and how profiles are configured.
- Agent Roles section expanded with examples of built-in roles and custom agent creation steps.
🛠 Improvements in Documentation
- Installation instructions added clarity, including prerequisites, environment setup, and example commands.
- Quick Start examples now include recommended workflows (Wizard, Two-Step Workflow, Interactive).
- Detailed CLI Reference section was refined, showing flags, options, and usage patterns.
- Reconnaissance & Tool Usage details improved with descriptions of included tools and execution.
- Output Files & Reporting explained with output types (JSON, context, HTML), including report features like charts and summaries.
📜 Structural & Content Enhancements
- Expanded Workflow Diagrams and Examples to guide users through typical recon → AI analysis → reporting flows.
- Added Security Notice and responsible usage guidance in README to emphasize authorized testing only.
- More comprehensive Architecture Overview listing directory structure and key components.
✨ Key Improvements
Improved adaptive intelligence descriptions to clarify how NeuroSploit decides when to run tools vs. AI analysis.
Documentation now includes more agent examples and explains how to customize capabilities via prompts.
Overall documentation flow has been made more user-friendly for both beginners and advanced users.
🐛 Bug & Docs Fixes
Fixed typos and improved consistency in command examples across sections.
Resolved ambiguities in installation steps and environment variable guidance.
NeuroSploitv2 - v1.1.0
🚀 NeuroSploitv2 - v1.1.0
This release introduces NeuroSploitv2, an AI-powered penetration testing framework designed to automate and enhance offensive security operations using specialized agent roles and flexible large language model integration. The project focuses on combining structured automation, AI-assisted reasoning, and real-world security tooling while maintaining strong ethical guardrails and operational safety principles.
✨ Key Features
Modular AI agent roles for Red Team, Blue Team, Bug Bounty, Malware Analysis, and more
Support for multiple LLM providers (Gemini, Claude, GPT, Ollama, LM Studio) with per-agent profiles
Markdown-based prompt system enabling contextual and role-specific AI behavior
Hallucination mitigation strategies, guardrails, and safety checks
Tool chaining for complex reconnaissance and attack workflows
🧠 AI & Automation Capabilities
Granular LLM profiles with control over model, temperature, token limits, caching, and context
Agent-based permission system defining allowed tools per role
Interactive CLI mode and direct command-line execution
AI-assisted planning, analysis, and reporting
🛠️ Built-in Tooling
Reconnaissance modules (OSINT collection, subdomain discovery, DNS enumeration)
Lateral movement helpers (SMB and SSH)
Persistence modules for Linux (cron) and Windows (registry)
Secure execution of external tools such as Nmap, Metasploit, Subfinder, Nuclei, SQLMap, and others
📊 Output & Reporting
Structured JSON campaign results
Automatically generated, human-readable HTML reports
Detailed logging and error handling