
AI Chatbot Penetration Testing Framework


██████╗ ███████╗███╗   ██╗██████╗  ██████╗ ████████╗
██╔══██╗██╔════╝████╗  ██║██╔══██╗██╔═══██╗╚══██╔══╝
██████╔╝█████╗  ██╔██╗ ██║██████╔╝██║   ██║   ██║   
██╔═══╝ ██╔══╝  ██║╚██╗██║██╔══██╗██║   ██║   ██║   
██║     ███████╗██║ ╚████║██████╔╝╚██████╔╝   ██║   
╚═╝     ╚══════╝╚═╝  ╚═══╝╚═════╝  ╚═════╝    ╚═╝   

Python 3.11+ · License: MIT · OWASP LLM Top 10 · OWASP ASI · Contributions welcome

Multi-agent adversarial testing framework for AI chatbots and agentic systems. Orchestrates specialized security agents to find vulnerabilities in conversational AI through prompt injection, social engineering, encoding attacks, RAG poisoning, tool exploitation, and MCP protocol abuse.


Install

pip install penbot                # Core: CLI + REST API testing
pip install "penbot[full]"        # Adds dashboard, Playwright, PDF/DOCX reports
pip install "penbot[ml]"          # Adds embedding-based attack memory
                                  # (the extras are quoted so zsh does not treat the brackets as a glob)

From source:

git clone https://gitlab.com/yan-ban/penbot.git
cd penbot
pip install -e .

Docker:

docker pull registry.gitlab.com/yan-ban/penbot:latest

Run

penbot onboard                                  # First-run setup
penbot wizard                                   # Configure a target
penbot test --config configs/clients/target.yaml
penbot doctor                                   # Verify environment

Dashboard:

penbot dashboard   # http://localhost:8000/dashboard

CLI

penbot onboard     First-run setup
penbot doctor      Environment health check
penbot wizard      Configure new target
penbot test        Run security test
penbot dashboard   Start Mission Control
penbot sessions    Manage past sessions
penbot agents      Browse agents
penbot patterns    Search attack library
penbot report      Generate report
penbot benchmark   Score detection against mock chatbots
penbot watch       Continuous testing

See CLI Reference.


Features

  • 14 specialized agents — jailbreak, encoding, social engineering, RAG, tool exploitation, MCP exploit, exfiltration, indirect injection, action safety, compliance, and more
  • 1,398+ attack patterns across 27 curated libraries (including 20 MCP protocol-attack patterns)
  • 22 vulnerability detectors — two-layer detection (pattern + LLM) with finding chaining and guardrail fingerprinting
  • OWASP LLM Top 10 (2025) + Agentic Top 10 (2026) coverage, including ASI02 and ASI04
  • Model Context Protocol (MCP) testing — tool-description poisoning, resource URI traversal, list_changed bait-and-switch, cross-server pivots, sampling API abuse
  • Multi-agent coordination — voting, hybrid attack composition, domain-aware campaign planning
  • Persistence verification — post-test replay confirms findings are reproducible
  • Endpoint reconnaissance — two-phase API surface mapping with framework detection
  • Evolutionary generation — novel attacks via genetic algorithms with semantic retrieval (sentence-transformers + FAISS)
  • Web dashboard — live Mission Control, session replay, OWASP report, real-time WebSocket streaming
  • Regression testing and purple-team mode for CI-friendly defense validation

Technology

  • LangGraph — multi-agent workflow orchestration
  • Claude Sonnet 4.5 — attack generation
  • FastAPI — API + WebSocket server (requires penbot[full])
  • Playwright — browser automation (requires penbot[full])
  • SQLite — session persistence

Install Extras

  Extra    Command                        What it adds
  Core     pip install penbot             CLI, REST API testing, security agents, attack pattern libraries
  Full     pip install "penbot[full]"     Dashboard, Playwright, PDF/DOCX reports, OpenAI provider, Tavily recon
  Recon    pip install "penbot[recon]"    Tavily web search for target reconnaissance
  Think    pip install "penbot[think]"    MCP-based enhanced reasoning
  ML       pip install "penbot[ml]"       Embedding-based attack memory (sentence-transformers, FAISS)
  ML-Viz   pip install "penbot[ml-viz]"   ML + scikit-learn & matplotlib for notebooks

Documentation

  Document          Description
  Developer Guide   How PenBot works under the hood
  Architecture      System design and diagrams
  Methodology       Attack strategies
  Configuration     YAML and environment setup
  CLI Reference     Command-line usage
  API Reference     REST and WebSocket
  Agents            Agent system details
  Detection         Vulnerability detectors
  Advanced          RAG, tools, evolutionary
  OWASP Coverage    Compliance mapping
  Test Example      Test walkthrough

Responsible Use

This tool is for authorized security testing only.

Permitted: testing your own systems, security research with written permission, contracted red team engagements, pre-deployment validation.

Prohibited: testing without authorization, attacking production systems maliciously, extracting proprietary data.

Built-in safeguards include authorization verification, a blocklist for public AI services, rate limiting, and audit logging.


Project Status

  Aspect        Status
  Development   Under active development
  Tests         1,517 passing
  Skipped       11 (optional deps)
  Docker        Multi-stage build

License

MIT — see LICENSE.

Download files

Source Distribution

penbot-2.3.1.tar.gz (710.4 kB)

Built Distribution

penbot-2.3.1-py3-none-any.whl (815.4 kB)

File details: penbot-2.3.1.tar.gz

  • Size: 710.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

Hashes for penbot-2.3.1.tar.gz

  Algorithm     Hash digest
  SHA256        cbbbd4f25963eb03955c3c89bf2b5d28563b8619f69807c88f3b053e3da307da
  MD5           e13f720a2930585ea7afa36d138a4d91
  BLAKE2b-256   8c69ba5575e010b2026e8f8a892685f80234ba4f0923cdf0c12223046fd6f9c3

File details: penbot-2.3.1-py3-none-any.whl

  • Size: 815.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

Hashes for penbot-2.3.1-py3-none-any.whl

  Algorithm     Hash digest
  SHA256        8dd049a7d4dd2525c750bd6885c710fef3d931da0af73dc49d265403a9b9091f
  MD5           44347762f1d3820cd3fe1d86b2fc1698
  BLAKE2b-256   326b56395c8d2c5031bf7b79fec9770aa8b7dafe90f4e2402e5710f680eb6b7f
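The digests above are only useful if something actually checks them before the archive is installed. The script below is an added example written for this page, not code from the penbot project: it recomputes the SHA-256 and BLAKE2b-256 digests of a downloaded artifact, compares them against the published values, and emits a hash-pinned requirements line for `pip install --require-hashes`. The EXPECTED table is copied from the listing above; SAMPLE_BYTES is a constructed stand-in used only for the offline self-check, and the file name `verify_penbot.py` in the usage comment is assumed.

```python
"""Verify a downloaded penbot 2.3.1 artifact against the digests published on
its PyPI page, then emit a hash-pinned requirements line for
`pip install --require-hashes`.

Added example for this page; it is not part of the penbot project. The
EXPECTED digests are copied from the PyPI listing; SAMPLE_BYTES is a
constructed stand-in used only for the offline self-check.
"""
import hashlib
import hmac
import sys
from pathlib import Path

# Digests exactly as published on PyPI for penbot 2.3.1.  MD5 is also listed
# there but is deliberately omitted: it adds nothing once SHA-256 matches.
EXPECTED: dict[str, dict[str, str]] = {
    "penbot-2.3.1.tar.gz": {
        "sha256": "cbbbd4f25963eb03955c3c89bf2b5d28563b8619f69807c88f3b053e3da307da",
        "blake2b_256": "8c69ba5575e010b2026e8f8a892685f80234ba4f0923cdf0c12223046fd6f9c3",
    },
    "penbot-2.3.1-py3-none-any.whl": {
        "sha256": "8dd049a7d4dd2525c750bd6885c710fef3d931da0af73dc49d265403a9b9091f",
        "blake2b_256": "326b56395c8d2c5031bf7b79fec9770aa8b7dafe90f4e2402e5710f680eb6b7f",
    },
}

# Constructed sample input for the self-check; NOT the real archive contents.
SAMPLE_BYTES = b"constructed stand-in for a downloaded sdist\n" * 64


def digests(data: bytes) -> dict[str, str]:
    """Return the SHA-256 and BLAKE2b-256 hex digests of `data`.

    PyPI's "BLAKE2b-256" is BLAKE2b parameterised with a 32-byte output,
    which is a different function from the first 32 bytes of BLAKE2b-512,
    so digest_size must be passed explicitly.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify(name: str, data: bytes,
           expected: dict[str, dict[str, str]] = EXPECTED) -> bool:
    """True only if `name` is a known artifact and every published digest matches.

    An unknown file name fails closed rather than being waved through; the
    comparison is constant-time out of habit (the digests are public, so this
    is hygiene rather than a hard requirement here).
    """
    want = expected.get(name)
    if want is None:
        return False
    got = digests(data)
    return all(hmac.compare_digest(got[alg], want[alg]) for alg in want)


def verify_file(path: str,
                expected: dict[str, dict[str, str]] = EXPECTED) -> bool:
    """Verify an on-disk download; the file name selects the expected digests."""
    p = Path(path)
    return verify(p.name, p.read_bytes(), expected)


def requirements_line(project: str, version: str,
                      expected: dict[str, dict[str, str]] = EXPECTED) -> str:
    """Build a requirements.txt entry that pins every published sha256.

    pip accepts several --hash options per requirement; with
    `pip install --require-hashes -r requirements.txt` the resolver installs
    only an artifact whose digest is in this set and refuses anything else.
    """
    hashes = " ".join(f"--hash=sha256:{d['sha256']}" for d in expected.values())
    return f"{project}=={version} {hashes}"


def self_check() -> bool:
    """Offline sanity check: a matching digest set verifies, a tampered file does not."""
    table = {"demo.tar.gz": digests(SAMPLE_BYTES)}
    ok = verify("demo.tar.gz", SAMPLE_BYTES, table)
    tampered = verify("demo.tar.gz", SAMPLE_BYTES + b"\x00", table)
    return ok and not tampered


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage (assumed file name): python verify_penbot.py ./penbot-2.3.1.tar.gz
        result = verify_file(sys.argv[1])
        print(f"{sys.argv[1]}: {'OK' if result else 'MISMATCH'}")
        sys.exit(0 if result else 1)
    print("self-check:", "OK" if self_check() else "FAILED")
    print(requirements_line("penbot", "2.3.1"))
```

The listing reports "Uploaded using Trusted Publishing? No" for both files, so no PyPI-attested build provenance accompanies this release; pinning the published hashes in a `--require-hashes` requirements file is the check that is available, and a mismatch should be treated as a reason to re-download and investigate, never to install anyway.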
