HexStrike AI

HexStrike AI is an open-source offensive security framework (GitHub: 0x4m4/hexstrike-ai) that exposes 150+ cybersecurity tools to AI agents (Claude, GPT-4, GitHub Copilot) via an MCP server. Now included in Kali Linux, it enables LLMs to autonomously execute recon, exploitation, and bug bounty workflows without human hand-holding.

Installation

# Available in Kali repos
sudo apt update
sudo apt install hexstrike-ai

# Verify installation
hexstrike --version
hexstrike tools list | wc -l    # Should show 150+

pip

pip install hexstrike-ai

# Or with extras for all tool wrappers
# Quoted so zsh (Kali's default shell) does not treat [full] as a glob
pip install 'hexstrike-ai[full]'

From Source

git clone https://github.com/0x4m4/hexstrike-ai
cd hexstrike-ai
pip install -r requirements.txt
pip install -e .

# Install tool dependencies
./scripts/install-tools.sh

Docker

# Pull the full toolkit image (includes all 150+ tools)
docker pull 0x4m4/hexstrike-ai:latest

# Run with host network for tool access
docker run -it --rm \
  --network host \
  -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  -v "$(pwd)/results:/results" \
  0x4m4/hexstrike-ai:latest

Configuration

API Keys and Model Selection

# Set AI provider keys
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."
export GITHUB_TOKEN="ghp_..."         # For Copilot integration

# Choose default model
export HEXSTRIKE_MODEL="claude"       # claude | gpt4 | copilot

# Persist configuration
hexstrike config set model claude
hexstrike config set anthropic_api_key "$ANTHROPIC_API_KEY"
hexstrike config show

MCP Server Setup

# Start the MCP server (bridges LLMs to security tools)
hexstrike mcp start --port 8765

# Register with Claude Desktop
hexstrike mcp register --client claude-desktop

# Register with custom MCP client
hexstrike mcp register \
  --client custom \
  --config ~/.config/mcp/servers.json

# Check MCP server status
hexstrike mcp status

Tool Configuration (~/.hexstrike/config.yaml)

model:
  provider: claude               # claude | openai | copilot
  name: claude-opus-4-5
  fallback: claude-haiku-4-5    # Used for lightweight subtasks

tools:
  nmap:
    default_flags: "-sV -sC --open"
  nuclei:
    templates_dir: ~/nuclei-templates
    rate_limit: 300
  ffuf:
    wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
    threads: 50

output:
  dir: ~/hexstrike-results
  format: markdown              # markdown | json | html
  save_tool_output: true

safety:
  confirm_destructive: true     # Prompt before exploit execution
  scope_file: scope.txt         # Restrict to in-scope targets

Core Commands

| Command | Description |
|---|---|
| hexstrike agent start | Start an autonomous AI agent session |
| hexstrike agent run "<task>" | Run a one-shot agent task |
| hexstrike mcp start | Start the MCP server |
| hexstrike mcp status | Show MCP server and tool health |
| hexstrike tools list | List all 150+ available tools |
| hexstrike tools run <tool> <args> | Execute a specific tool directly |
| hexstrike tools info <tool> | Show tool documentation and options |
| hexstrike recon <target> | Launch autonomous recon workflow |
| hexstrike scan <target> | Launch vulnerability scan workflow |
| hexstrike exploit <target> | Launch exploitation workflow |
| hexstrike bug-bounty <target> | Run full bug bounty workflow |
| hexstrike report <session-id> | Generate report from session |
| hexstrike config show | Display current configuration |
| hexstrike update | Update tool wrappers and templates |

Advanced Usage

Autonomous Agent Sessions

# Start interactive agent session
hexstrike agent start \
  --model claude-opus-4-5 \
  --target example.com \
  --scope scope.txt \
  --session-name "example-com-pentest"

# One-shot agent task
hexstrike agent run \
  "Perform full recon on example.com, identify all subdomains, \
   check for exposed admin panels, and report any open redirects" \
  --target example.com \
  --output recon-report.md

# Agent with custom toolset
hexstrike agent run \
  "Find SQL injection vulnerabilities in the login flow" \
  --tools "sqlmap,ffuf,burp" \
  --target https://example.com

Tool Orchestration

| Category | Tools Available |
|---|---|
| Recon | nmap, amass, subfinder, httpx, waybackurls, gau |
| Web Scanning | nuclei, nikto, whatweb, wapiti, skipfish |
| Fuzzing | ffuf, gobuster, feroxbuster, wfuzz |
| Exploitation | sqlmap, hydra, metasploit, commix |
| Post-Exploit | linpeas, winpeas, mimikatz, bloodhound |
| Crypto | hashcat, john, crackmapexec |
| OSINT | theHarvester, sherlock, maltego, recon-ng |
| Network | masscan, zmap, netcat, socat |

# Chain tools manually with agent guidance
hexstrike tools run subfinder -d example.com | \
  hexstrike tools run httpx --probe | \
  hexstrike agent run "Analyze these live hosts and prioritize for vuln scanning"

# Run nuclei with AI-selected templates
hexstrike agent run \
  "Run nuclei against https://example.com, select the most relevant \
   templates based on the tech stack, and report findings" \
  --tools nuclei

Bug Bounty Automation

# Full bug bounty workflow
hexstrike bug-bounty \
  --target example.com \
  --scope scope.txt \
  --program-rules rules.txt \
  --output ./bb-results/ \
  --format markdown

# Targeted bug class hunt
hexstrike agent run \
  "Hunt for SSRF vulnerabilities across all endpoints of example.com. \
   Use ffuf for endpoint discovery, then test each for SSRF with \
   your callback server at http://collab.burpcollaborator.net" \
  --target example.com \
  --tools "ffuf,nuclei,curl"

MCP Integration with Claude Desktop

# After hexstrike mcp register --client claude-desktop
# Add to Claude Desktop MCP config:
# {
#   "mcpServers": {
#     "hexstrike": {
#       "command": "hexstrike",
#       "args": ["mcp", "serve"]
#     }
#   }
# }

# Test MCP connection
hexstrike mcp test --client claude-desktop

# List MCP-exposed tool functions
hexstrike mcp tools list

Common Workflows

Full Penetration Test Workflow

# Step 1: Define scope
cat > scope.txt << 'EOF'
*.example.com
10.0.0.0/24
EOF

# Step 2: Start agent with full pentest task
# Fix the session name once so the report step still matches on a later day
SESSION="example-pentest-$(date +%Y%m%d)"
hexstrike agent run \
  "Conduct a comprehensive penetration test of example.com.
   Phase 1: Subdomain enumeration and live host discovery.
   Phase 2: Port scanning and service fingerprinting.
   Phase 3: Vulnerability scanning with nuclei.
   Phase 4: Manual verification of top findings.
   Phase 5: Attempt exploitation of confirmed vulnerabilities.
   Generate a detailed report at the end." \
  --scope scope.txt \
  --output ./pentest-results/ \
  --session-name "$SESSION"

# Step 3: Generate final report
hexstrike report \
  --session "$SESSION" \
  --format html \
  --output final-report.html

Subdomain Takeover Hunt

hexstrike agent run \
  "Enumerate all subdomains of example.com using amass, subfinder, \
   and certificate transparency logs. Check each subdomain for \
   takeover vulnerabilities using nuclei subdomain-takeover templates. \
   Document any vulnerable CNAME records." \
  --target example.com \
  --tools "amass,subfinder,nuclei,dig"

API Security Testing

hexstrike agent run \
  "Test the REST API at https://api.example.com for security issues.
   Import the OpenAPI spec from https://api.example.com/openapi.json.
   Check for: broken authentication, excessive data exposure, mass
   assignment, BOLA/IDOR, rate limiting bypass, and injection flaws." \
  --target https://api.example.com \
  --tools "ffuf,nuclei,sqlmap,curl"

Tips and Best Practices

Always define a scope file — Pass --scope scope.txt for every engagement to prevent the agent from testing out-of-scope assets. The scope file supports CIDR ranges, domain wildcards, and explicit URL patterns.

Use confirm_destructive: true in your config during client engagements — this prompts before running exploit modules, giving you a review checkpoint before active exploitation.

Match model to task complexity — Use claude-opus-4-5 for complex multi-phase tasks; set fallback: claude-haiku-4-5 for sub-tasks like parsing tool output.

Session persistence — Name sessions with --session-name so you can resume with hexstrike agent resume <name> after interruption without losing progress.

Rate limit nuclei — Set rate_limit: 150-300 in tool config when testing production targets; the agent will respect these limits automatically.

Save all tool output — Keep save_tool_output: true in config; raw tool output is invaluable for report evidence and recreating findings.

Pipe to jq for quick triage: hexstrike agent run "<task>" --format json | jq '.findings[] | select(.severity == "high")' quickly surfaces high-severity findings from long sessions.

Update templates regularly — Run hexstrike update before each engagement to pull the latest nuclei templates and tool wrappers.
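
The scope-file tip above can be backed by an independent pre-flight check that refuses any target not covered by scope.txt before a tool or agent is launched. This is an added example, not HexStrike's own scope logic. The function names, the URL pattern in the sample, the '#' comment handling and the wildcard semantics are assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample: the scope.txt from the workflow above plus one URL pattern.
SAMPLE_SCOPE = """\
*.example.com
10.0.0.0/24
https://partner.example.net/app/*
"""

def parse_scope(text):
    """Sort scope lines into CIDR networks, domain patterns and URL patterns."""
    nets, domains, urls = [], [], []
    for line in (raw.strip().lower() for raw in text.splitlines()):
        if not line or line.startswith("#"):  # '#' comments are an assumption
            continue
        if "://" in line:
            urls.append(line)
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.rstrip("."))
    return nets, domains, urls

def in_scope(target, scope):
    """True only when an IP, hostname or URL matches a scope entry (fail closed)."""
    nets, domains, urls = scope
    target = target.strip().lower()
    is_url = "://" in target
    if is_url and any(fnmatchcase(target, pat) for pat in urls):
        return True
    host = ""  # stays empty (matches nothing) if the URL cannot be parsed
    try:
        # Compare the parsed hostname, never a substring of the raw target.
        host = ((urlsplit(target).hostname if is_url else target) or "").rstrip(".")
        ip = ipaddress.ip_address(host)
    except ValueError:
        # "*.example.com" covers subdomains at any depth, not the apex (assumption).
        return any(host.endswith(p[1:]) if p.startswith("*.") else host == p
                   for p in domains)
    return any(ip in net for net in nets)

def split_targets(targets, scope):
    """Partition candidate targets into (allowed, blocked) before any tool runs."""
    allowed = [t for t in targets if in_scope(t, scope)]
    return allowed, [t for t in targets if t not in allowed]
```

Matching on the parsed hostname is what rejects look-alikes such as evilexample.com or a URL that carries an in-scope name in its userinfo part.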