AI-powered penetration testing via MCP — 21 security tools, PTES methodology, multi-provider

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for francesco_sta from gravatar.com francesco_sta

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Requires: Python >=3.11
  • Provides-Extra: all , dev , mcp , protocols , vault
Classifiers
Report project as malware

Project description

numasec

Your AI Cyber Security companion. Open source. Runs in the terminal.

numasec running a pentest against OWASP Juice Shop

MIT License Python 3.11+ Build Release 

curl -fsSL https://numasec.dev/install | bash
numasec

Type a URL, endpoint, everything. The AI scans it, finds vulnerabilities, and writes the report. You watch, approve, and steer — like pair-programming, but for security.

It follows real pentest methodology (PTES): reconnaissance, attack surface mapping, vulnerability testing, exploitation, reporting. Not a toy scanner that dumps a CSV. An actual AI agent that thinks, adapts, and chains attacks together.

Works with Claude, GPT-4, Gemini, DeepSeek, or any OpenAI-compatible model.

What you see

A live terminal session. Findings pop up in a sidebar as they're discovered — color-coded by severity, grouped into attack chains, with OWASP Top 10 coverage tracking in the header. Everything is scoped: the agent won't touch anything outside your target.

Type /target https://yourapp.com to start. Type /findings to see what it found. Type /report to get the deliverable.

What it finds

SQL injection (blind, time-based, union, error-based), XSS (reflected, stored, DOM), SSRF with cloud metadata detection, authentication flaws (JWT attacks, OAuth misconfig, credential spraying, default passwords), IDOR, CSRF, CORS misconfig, path traversal, LFI, command injection, SSTI, XXE, GraphQL introspection — and it chains them. A leaked API key in JS → SSRF → cloud metadata → account takeover.

What it produces

  • SARIF — drop it into GitHub Code Scanning
  • HTML — share with the team
  • Markdown / JSON — integrate anywhere

Every finding comes with CWE ID, CVSS 3.1 score, OWASP category, MITRE ATT&CK technique, and remediation guidance. Not just "you have a vuln" — actionable output.

How it works

The terminal is a TypeScript TUI (forked from OpenCode, MIT) driving 21 Python security scanners through a JSON-RPC bridge. A knowledge base of 34 templates covers detection patterns, exploitation techniques per DBMS/engine/OS, post-exploitation, payloads, and remediation — so the AI doesn't hallucinate attack methodology, it looks it up.

96% recall on OWASP Juice Shop v17 — 25 of 26 ground-truth vulnerabilities found across all 10 OWASP categories.

Development

pip install -e ".[all]"
pytest tests/ -v
ruff check numasec/

924 tests. Benchmarks against Juice Shop, DVWA, and WebGoat in tests/benchmarks/.

Built by Francesco Stabile.

LinkedIn X

MIT License

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for francesco_sta from gravatar.com francesco_sta

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Requires: Python >=3.11
  • Provides-Extra: all , dev , mcp , protocols , vault
Classifiers

Release history Release notifications | RSS feed

99.0.0

4.1.5

4.1.4

4.1.3

4.1.2

4.1.1

4.1.0

This version

4.0.0

3.2.1

3.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

numasec-4.0.0.tar.gz (550.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

numasec-4.0.0-py3-none-any.whl (434.7 kB view details)

Uploaded Python 3

File details

Details for the file numasec-4.0.0.tar.gz.

File metadata

  • Download URL: numasec-4.0.0.tar.gz
  • Upload date:
  • Size: 550.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for numasec-4.0.0.tar.gz
Algorithm Hash digest
SHA256 5c2a70fc6ea076ffc5f78e35eb0743bd7bb7685d10f6da007dd1c2a31750319e
MD5 379325c415b5fda9317f28bbc6df43e4
BLAKE2b-256 4d53dff9ee1345b4f1bf56aa3baf15ae7b6f9008df63ff981039c560f9f50611

See more details on using hashes here.

Provenance

The following attestation bundles were made for numasec-4.0.0.tar.gz:

Publisher: release.yml on FrancescoStabile/numasec

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file numasec-4.0.0-py3-none-any.whl.

File metadata

  • Download URL: numasec-4.0.0-py3-none-any.whl
  • Upload date:
  • Size: 434.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for numasec-4.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3a6e8f36da010fe72cfa74869f4b5a012a10c931b8384a1ff19a56e351604b50
MD5 b1392d9e3e76ffd7a4baab1253c4f0ab
BLAKE2b-256 b960a81e9b20954505d0e5527717f1714f4d8876e4c09441a032da82d771621d

See more details on using hashes here.

Provenance

The following attestation bundles were made for numasec-4.0.0-py3-none-any.whl:

Publisher: release.yml on FrancescoStabile/numasec

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page