pwnkit

Fully autonomous agentic pentesting framework. Attacks LLM endpoints, web apps, npm packages, and source code. Blind PoC verification to minimize false positives.

One command, zero config

Run npx pwnkit-cli scan --target <url> and get a verified security report in minutes.

Blind verification

Every finding is independently re-exploited by a second agent that never sees the first agent's reasoning, only the proof of concept. Findings that cannot be reproduced are discarded automatically, so unverified claims never reach the report. This reduces false positives; it does not recover findings the first agent missed.
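The blind re-exploitation pattern described above, as an added illustration in plain Node.js. This is not pwnkit's own code: the mock target, the finding shape (reasoning plus a self-contained PoC with an oracle) and the function names redactForVerifier, blindVerify and verifyAll are assumptions made for the example. The point it shows is the information barrier: the verifier gets the PoC and an observable success condition, never the first agent's argument, so a plausible-sounding but wrong claim (F2 below) fails on its own merits.

```javascript
// Added example of blind PoC re-verification. Not pwnkit's code; all names are assumptions.

// Constructed mock target standing in for the app under test. /search reflects the
// `q` parameter into HTML unescaped (a real reflected-XSS sink); /greet HTML-encodes
// the `name` parameter and is therefore not vulnerable.
function mockTarget(req) {
  const esc = (s) =>
    s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
  if (req.path === '/search') return { status: 200, body: `<p>Results for ${req.params.q ?? ''}</p>` };
  if (req.path === '/greet') return { status: 200, body: `<p>Hello ${esc(req.params.name ?? '')}</p>` };
  return { status: 404, body: 'not found' };
}

// Constructed findings as a first (attacker) agent might emit them: free-text reasoning
// plus a PoC that is self-contained (the request to send, and an oracle that proves success).
const findings = [
  {
    id: 'F1',
    title: 'Reflected XSS in /search?q',
    reasoning: 'Parameter q is concatenated into HTML without encoding.',
    poc: {
      request: { path: '/search', params: { q: '<img src=x onerror=alert(1)>' } },
      oracle: { bodyContains: '<img src=x onerror=alert(1)>' },
    },
  },
  {
    id: 'F2',
    title: 'Reflected XSS in /greet?name',
    reasoning: 'Name is reflected on the page; probably unescaped as well.', // wrong: output is encoded
    poc: {
      request: { path: '/greet', params: { name: '<script>alert(1)</script>' } },
      oracle: { bodyContains: '<script>alert(1)</script>' },
    },
  },
];

// Information barrier: the verifier receives the id and PoC only, never reasoning or title.
function redactForVerifier(finding) {
  return { id: finding.id, poc: structuredClone(finding.poc) };
}

// Second, independent agent: re-sends the PoC and judges success solely by the oracle.
function blindVerify(target, blindFinding) {
  const res = target(blindFinding.poc.request);
  const verified = res.body.includes(blindFinding.poc.oracle.bodyContains);
  return { id: blindFinding.id, verified, observed: res.body };
}

// Pipeline: every finding is re-exploited blind; anything that does not reproduce is dropped.
function verifyAll(target, candidates) {
  return candidates
    .map((f) => ({ finding: f, result: blindVerify(target, redactForVerifier(f)) }))
    .filter((x) => x.result.verified)
    .map((x) => ({ ...x.finding, verifiedBy: 'blind-reexploit' }));
}

// Stand-alone run: only F1 survives; F2's reasoning never influenced the verdict.
console.log(verifyAll(mockTarget, findings).map((f) => f.id));
```

The oracle is the part that matters in practice: it must be something the verifier can observe for itself (a reflected marker, a file read back, a status change), not a restatement of the first agent's belief, or the second pass only re-checks the claim rather than the exploit.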

Bring your own AI

Use your API key (OpenRouter, Anthropic, OpenAI) or spawn Claude Code, Codex, or Gemini CLI with your existing subscription.

Full-spectrum pentesting

LLM endpoints, web applications, npm packages, and source code repositories. Not just AI security: pwnkit covers traditional web vulnerabilities too. It scores 10/10 (100%) on its AI/LLM benchmark suite; evaluation against the XBOW traditional web vulnerability benchmark is in progress.