Skip to main content

AI-powered autonomous web security scanner with real-time streaming — enterprise DAST platform

Project description

Contributors Forks Stargazers Issues MIT License [![Discord][discord-shield]][discord-url]


ShadowCat

AI-Powered Autonomous Penetration Testing Agent
National Software Contest 2026 (NSC2026) Entry

Official Website: shadowcat.com »

Report Bug · Request Feature


🇹🇭 NSC2026 Competition Entry — SecureThai

National Software Contest 2026 (NSC2026) submission. An enterprise-grade, AI-driven DAST platform that autonomously tests web applications for OWASP Top 10 vulnerabilities and proves every finding with deterministic, evidence-grounded verification — the agent gathers HTTP evidence; a separate oracle renders the verdict. No hallucinated findings.

What makes it competitive

Capability Where
Autonomous ReAct agent (mode-agnostic, safety-gated tool dispatch) backend/core/orchestrator.py
Evidence-grounded verification (agent collects, oracle judges) backend/verification/
Concurrent authenticated spider + JS API & subdomain discovery backend/crawler/
WAF fingerprinting + payload evasion backend/waf/
Real-time scan streaming (SSE) to the SecureThai dashboard backend/api/routes_scan.py
Self-contained HTML/PDF report generation backend/reporting/
Thai PDPA compliance mapping backend/compliance/
Multi-gateway LLM (PSU Blue sk-user-… / OpenRouter sk-or-…, auto-routed) backend/core/llm_client.py

Run the competition entry

# 1. Backend (FastAPI + SSE) — from the repo root
cp .env.example .env          # set OPENROUTER_API_KEY (PSU Blue sk-user-… or OpenRouter sk-or-…)
uv sync
uv run uvicorn backend.api.routes_scan:app --port 8000

# 2. Frontend (SecureThai dashboard) — separate Next.js repo
#    npm install && npm run dev   →   http://localhost:3000

Documentation

Repository map

backend/      NSC2026 entry — enterprise AI DAST (FastAPI + SSE)
agent/        Agentic TUI package (CTF/HTB) — `shadowcat-agent` CLI
docs/         Architecture, progress notes, demo media
tests/        Test suite
scripts/      Container + helper scripts
archive/      Superseded code (old api/ DAG-RAG attempt, legacy v0.15)
benchmark/    XBOW validation benchmarks (submodule)

Demo

Installation

Installation Demo

Watch on YouTube

ShadowCat in Action

ShadowCat Demo

Watch on YouTube


What's New in v1.0 (Agentic Upgrade)

  • Autonomous Agent - Agentic pipeline for intelligent, autonomous penetration testing
  • Session Persistence - Save and resume penetration testing sessions
  • Docker-First - Isolated, reproducible environment with security tools pre-installed

In Progress: Multi-model support for OpenAI, Gemini, and other LLM providers


Features

  • AI-Powered Challenge Solver - Leverages LLM advanced reasoning to perform penetration testing and CTFs
  • Live Walkthrough - Tracks steps in real-time as the agent works through challenges
  • Multi-Category Support - Web, Crypto, Reversing, Forensics, PWN, Privilege Escalation
  • Real-Time Feedback - Watch the AI work with live activity updates
  • Extensible Architecture - Clean, modular design ready for future enhancements

Quick Start

Prerequisites

Installation

# Clone and build
git clone --recurse-submodules https://github.com/shadowcat-dast/ShadowCat.git
cd ShadowCat
make install

# Configure authentication (first time only)
make config

# Connect to container
make connect

Note: The --recurse-submodules flag downloads the benchmark suite. If you already cloned without it, run: git submodule update --init --recursive

Try a Benchmark

cd benchmark/standalone-xbow-benchmark-runner
python3 run_benchmarks.py --range 1-1 --pattern-flag

See Benchmark Documentation for detailed usage.

Commands Reference

Command Description
make install Build the Docker image
make config Configure API key (first-time setup)
make connect Connect to container (main entry point)
make stop Stop container (config persists)
make clean-docker Remove everything including config

Usage

# Interactive TUI mode (default)
shadowcat --target 10.10.11.234

# Non-interactive mode
shadowcat --target 10.10.11.100 --non-interactive

# With challenge context
shadowcat --target 10.10.11.50 --instruction "WordPress site, focus on plugin vulnerabilities"

Keyboard Shortcuts: F1 Help | Ctrl+P Pause/Resume | Ctrl+Q Quit


Using Local LLMs

ShadowCat supports routing requests to local LLM servers (LM Studio, Ollama, text-generation-webui, etc.) running on your host machine.

Prerequisites

  • Local LLM server with an OpenAI-compatible API endpoint
    • LM Studio: Enable server mode (default port 1234)
    • Ollama: Run ollama serve (default port 11434)

Setup

# Configure ShadowCat for local LLM
make config
# Select option 4: Local LLM

# Start your local LLM server on the host machine
# Then connect to the container
make connect

Customizing Models

Edit scripts/ccr-config-template.json to customize:

  • localLLM.api_base_url: Your LLM server URL (default: host.docker.internal:1234)
  • localLLM.models: Available model names on your server
  • Router section: Which models handle which operations
Route Purpose Default Model
default General tasks openai/gpt-oss-20b
background Background operations openai/gpt-oss-20b
think Reasoning-heavy tasks qwen/qwen3-coder-30b
longContext Large context handling qwen/qwen3-coder-30b
webSearch Web search operations openai/gpt-oss-20b

Troubleshooting

  • Connection refused: Ensure your LLM server is running and listening on the configured port
  • Docker networking: Use host.docker.internal (not localhost) to access host services from Docker
  • Check CCR logs: Inside the container, run cat /tmp/ccr.log

Telemetry

ShadowCat collects anonymous usage data to help improve the tool. This data is sent to our Langfuse project and includes:

  • Session metadata (target type, duration, completion status)
  • Tool execution patterns (which tools are used, not the actual commands)
  • Flag detection events (that a flag was found, not the flag content)

No sensitive data is collected - command outputs, credentials, or actual flag values are never transmitted.

Opting Out

# Via command line flag
shadowcat --target 10.10.11.234 --no-telemetry

# Via environment variable
export LANGFUSE_ENABLED=false

Benchmarks

ShadowCat includes 104 XBOW validation benchmarks for comprehensive testing and evaluation.

cd benchmark/standalone-xbow-benchmark-runner

python3 run_benchmarks.py --range 1-10 --pattern-flag   # Run benchmarks 1-10
python3 run_benchmarks.py --all --pattern-flag          # Run all 104 benchmarks
python3 run_benchmarks.py --retry-failed                # Retry failed benchmarks
python3 run_benchmarks.py --dry-run --range 1-5         # Preview without executing

Performance Highlights

ShadowCat achieved an 86.5% success rate (90/104 benchmarks) on the XBOW validation suite:

  • Cost: Average $1.11, Median $0.42 per successful benchmark
  • Time: Average 6.1 minutes, Median 3.3 minutes per successful benchmark
  • Success rates by difficulty:
    • Level 1: 91.1%
    • Level 2: 74.5%
    • Level 3: 62.5%

For detailed benchmark results, analysis, and automated testing instructions, see the Benchmark Documentation.


Legacy Version

The previous multi-LLM version (v0.15) supporting OpenAI, Gemini, Deepseek, and Ollama is archived in legacy/:

cd legacy && pip install -e . && shadowcat --reasoning gpt-4o

License

Distributed under the MIT License. See LICENSE.md for more information.

Disclaimer: This tool is for educational purposes and authorized security testing only. The authors do not condone any illegal use. Use at your own risk.


Acknowledgments

  • Developed by the ShadowCat Team for the National Software Contest 2026 (NSC2026).

(back to top)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

shadowcat_agent-2.0.0.tar.gz (460.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

shadowcat_agent-2.0.0-py3-none-any.whl (281.5 kB view details)

Uploaded Python 3

File details

Details for the file shadowcat_agent-2.0.0.tar.gz.

File metadata

  • Download URL: shadowcat_agent-2.0.0.tar.gz
  • Upload date:
  • Size: 460.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for shadowcat_agent-2.0.0.tar.gz
Algorithm Hash digest
SHA256 79d508682c9339783a6166ffad0ec5fd7730c1b9834bc234c347f8f32da577e4
MD5 0c782a97d0b36517b7c6d81f08f4fe2b
BLAKE2b-256 2f85c7f394a21ea85bf481cadfbc72a070ec1d3c4bd6d75730403fe237e2333b

See more details on using hashes here.

File details

Details for the file shadowcat_agent-2.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for shadowcat_agent-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3f69f459caa64ddd90d2703b0b6faedc49316e83c749c664d7db31f26f59238d
MD5 3efa056f75bb1b416965515486895d21
BLAKE2b-256 dd5eb5cbde986f75dcee0f0628afc5c925ca0250fb887d7fcbdbe71a7261e562

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page