---
name: pentest-agent-orchestrator
description: Orchestrate 35 specialized Claude Code subagents for offensive security. Use when planning a pentest, routing tasks to specialist agents, or conducting multi-phase security assessments.
domain: cybersecurity
subdomain: penetration-testing
tags:
- pentest
- multi-agent
- orchestration
- red-team
- claude-code
---

# Pentest Agent Orchestrator

## Overview

35 specialized Claude Code subagents for offensive security, adapted from [0xSteph/pentest-ai-agents](https://github.com/0xSteph/pentest-ai-agents). No servers or dependencies required — copy agents to `~/.claude/agents/` and they are immediately available. Each agent is a standalone prompt file that Claude Code can spawn as a subagent.

**Source:** https://github.com/0xSteph/pentest-ai-agents
**Agent count:** 35 specialized subagents
**Deployment:** Copy `~/.claude/agents/` — zero dependencies
**License:** Open source

## When to Use

- Planning and executing a penetration test
- Need specialist agent routing for specific attack surfaces
- Offensive security research across multiple domains
- Orchestrating multi-phase engagements (recon through post-exploitation)
- CTF challenges requiring diverse tooling and approaches

## Agent Categories

This section covers agent categories for pentest agent orchestrator.

- Ensure all prerequisites are met before proceeding
- Follow the documented workflow steps in sequence
- Record results and any anomalies encountered during this phase
### Reconnaissance / OSINT (3 agents)
| Agent | Purpose |
|-------|---------|
| `recon-advisor` | Strategic recon planning — what to gather, where to look, prioritization |
| `osint-collector` | Passive OSINT — WHOIS, DNS, Shodan, social media, breach databases |
| `attack-surface-mapper` | Active enumeration — subdomains, ports, services, technology fingerprinting |

### Web Application Testing (4 agents)
| Agent | Purpose |
|-------|---------|
| `web-hunter` | OWASP Top 10 discovery — XSS, SQLi, SSRF, IDOR, auth bypass |
| `api-breaker` | API security testing — REST/GraphQL fuzzing, auth flaws, mass assignment |
| `auth-tester` | Authentication/authorization testing — session management, JWT, OAuth |
| `web-fuzzer` | Directory brute-force, parameter fuzzing, input validation testing |

### Active Directory / Credentials (2 agents)
| Agent | Purpose |
|-------|---------|
| `ad-attacker` | AD attack paths — Kerberoasting, AS-REP, DCSync, delegation abuse |
| `credential-hunter` | Credential harvesting — password spraying, hash cracking, vault enumeration |

### Cloud / CI/CD (2 agents)
| Agent | Purpose |
|-------|---------|
| `cloud-security` | AWS/GCP/Azure misconfiguration — IAM, S3, metadata, privilege escalation |
| `cicd-attacker` | CI/CD pipeline exploitation — secret leakage, supply chain, runner escape |

### Containers / C2 (2 agents)
| Agent | Purpose |
|-------|---------|
| `container-escaper` | Container escape and Kubernetes exploitation — RBAC, host mounts, runtime |
| `c2-operator` | Command and control setup — payload delivery, callback management, channels |

### AI / LLM Red Teaming (1 agent)
| Agent | Purpose |
|-------|---------|
| `llm-redteam` | AI/LLM security testing — prompt injection, model manipulation, data exfiltration |

### Operational Security (1 agent)
| Agent | Purpose |
|-------|---------|
| `opsec-guardian` | OPSEC review — traffic analysis resistance, fingerprinting, attribution prevention |

### Mobile / Wireless (2 agents)
| Agent | Purpose |
|-------|---------|
| `mobile-hacker` | iOS/Android testing — app analysis, certificate pinning bypass, API interception |
| `wireless-hunter` | Wi-Fi and RF testing — deauth, Evil Twin, WPA cracking, BLE reconnaissance |

### Social Engineering (2 agents)
| Agent | Purpose |
|-------|---------|
| `phish-crafter` | Phishing campaign design — pretexting, payload delivery, landing pages |
| `social-engineer` | Human-layer attack planning — vishing, physical, OSINT-backed pretexts |

### Payload / Reverse Engineering (2 agents)
| Agent | Purpose |
|-------|---------|
| `payload-smith` | Payload generation — shellcode, obfuscation, AV evasion, staged delivery |
| `reverse-engineer` | Binary analysis — disassembly, decompilation, vulnerability identification |

### Exploit Chaining (3 agents)
| Agent | Purpose |
|-------|---------|
| `exploit-chainer` | Chain multiple low-severity findings into critical impact paths |
| `privilege-escalator` | Local privilege escalation — Linux/Windows kernel, SUID, services, tokens |
| `lateral-mover` | Network lateral movement — pivoting, pass-the-hash, relay attacks |

### Post-Exploitation (2 agents)
| Agent | Purpose |
|-------|---------|
| `privesc-advisor` | Post-exploitation strategy — persistence, loot, cleanup, evidence handling |
| `data-exfiltrator` | Data staging and exfiltration — tunneling, encoding, covert channels |

### Swarm Orchestration (1 agent)
| Agent | Purpose |
|-------|---------|
| `swarm-orchestrator` | Multi-agent coordination — task delegation, parallel execution, result aggregation |

### Reporting (2 agents)
| Agent | Purpose |
|-------|---------|
| `report-generator` | Pentest report generation — findings, CVSS, remediation, executive summary |
| `evidence-manager` | Evidence chain — screenshots, logs, PoCs, timestamps, chain of custody |

### Defense / Analysis (5 agents)
| Agent | Purpose |
|-------|---------|
| `defense-analyst` | Blue team perspective — validate findings, assess detection coverage |
| `threat-modeler` | Threat modeling — STRIDE, attack trees, risk prioritization |
| `compliance-checker` | Compliance mapping — NIST, OWASP, PCI-DSS against findings |
| `risk-assessor` | Risk scoring and prioritization — business impact, exploitability |
| `remediation-advisor` | Fix recommendations — specific, actionable, prioritized by impact |

### CTF (1 agent)
| Agent | Purpose |
|-------|---------|
| `ctf-solver` | CTF challenge solver — crypto, web, pwn, forensics, reversing, misc |

## Tier System

This section covers tier system for pentest agent orchestrator.

- Ensure all prerequisites are met before proceeding
- Follow the documented workflow steps in sequence
- Record results and any anomalies encountered during this phase
### Tier 1 — Advisory
- Provides analysis, recommendations, and attack path planning
- Does not execute commands or modify systems
- Safe to run without explicit approval gates
- Agents: `recon-advisor`, `osint-collector`, `opsec-guardian`, `report-generator`, `evidence-manager`, `threat-modeler`, `compliance-checker`, `risk-assessor`, `remediation-advisor`, `defense-analyst`

### Tier 2 — Execution-Capable
- Can execute commands, run tools, and interact with targets
- Requires explicit approval before execution
- Output includes commands-to-run with justification
- Agents: All remaining agents (web-hunter, ad-attacker, cloud-security, exploit-chainer, c2-operator, etc.)

## Usage Patterns

```bash
# Basic usage example
# Replace with domain-specific commands from the workflow above
```
### Single-Agent Invocation
```
# Ask a specific specialist
Spawn recon-advisor to plan reconnaissance for target.example.com
```

### Multi-Agent Orchestration
```
# Use swarm-orchestrator for coordinated assessment
Spawn swarm-orchestrator to run a full pentest against 10.0.0.0/24
```

### Chained Workflow
```
# Sequential: recon -> hunting -> exploitation -> reporting
1. recon-advisor: map the target
2. web-hunter: identify vulnerabilities
3. exploit-chainer: chain findings into attack path
4. report-generator: produce final deliverable
```

## Installation

```bash
# Clone the repository
git clone https://github.com/0xSteph/pentest-ai-agents.git

# Copy all agents to Claude Code agents directory
cp pentest-ai-agents/agents/*.md ~/.claude/agents/

# Verify installation
ls ~/.claude/agents/
```

## When NOT to Use

- Task is outside your authorization scope
- You need to implement controls (use implementing-* skills)
- Task is about analysis, not action (use analyzing-* skills)
- You don't have access to target systems
- Task requires compliance expertise (consult professionals)
- Task is about defense, not offense (use defensive skills)


## Red Flags

- Never run Tier 2 agents against targets without written authorization
- Verify scope boundaries before executing any exploitation
- Do not exfiltrate real data during testing without explicit permission
- Always follow responsible disclosure for any findings
## Verification

- All steps executed successfully against a test environment before production use
- Output documented with screenshots or logs demonstrating expected behavior
- All exploited vulnerabilities documented with reproduction steps
- Scope boundaries confirmed — only authorized targets were tested
- Remediation recommendations included for every finding
