Before PentAGI: what automated security testing actually looked like
To understand why PentAGI is generating the reaction it is, you first need to understand what security testing automation looked like before large language models entered the picture, and more importantly, what it consistently failed to do.
For most of the past two decades, the security industry operated with two categories of tooling: scanners that found known vulnerabilities, and frameworks that helped humans exploit them. Both were valuable. Neither was intelligent.
The scanner era: fast, noisy, and shallow
Dynamic scanners like Nessus, Qualys, and OpenVAS could sweep thousands of hosts in minutes and flag misconfigurations, unpatched CVEs, and weak services. Static analysis tools could parse source code and identify insecure patterns. These tools were genuinely useful and remain so today.
But they shared a fundamental limitation: they could only find what they had been programmed to look for. Every check was written by a human, encoded as a signature or a rule, and applied identically to every target regardless of context. A scanner would flag an outdated version of Apache. It would not notice that the outdated Apache instance sat in front of an application with a custom authentication bypass that chained to a database it had no business touching.
The signal-to-noise problem was also severe. A typical enterprise scan could generate thousands of findings, the vast majority of which were low severity or false positives. Security teams spent enormous amounts of time triaging output rather than acting on it. The tools found things. Humans had to figure out which things mattered and why.
Scanners were good at finding known problems in known places. They were useless at discovering unknown problems in unexpected places, and they had no concept of how individual findings connected to each other.
The framework era: powerful but manual
On the offensive side, frameworks like Metasploit gave practitioners a structured way to select, configure, and execute exploits. Tools like Burp Suite gave web application testers an intercepting proxy with a growing library of active checks. These were force multipliers for skilled humans, not replacements for them.
The workflow was deeply manual. A tester would enumerate a target, identify a potentially vulnerable service, select an appropriate module, configure it for the specific version and environment, execute it, interpret the result, and decide what to try next. Every step required judgment. Every step required context that the tool itself did not have. The framework did not know why it was running or what the goal was. The human knew both and used the framework as a sophisticated toolkit.
This was not a flaw. It was an appropriate division of labour given what the technology could do. But it meant penetration testing was fundamentally unscalable. A skilled tester could thoroughly assess one environment at a time. Continuous testing across a changing infrastructure was economically impossible for most organisations.
What was missing: the connective tissue
The gap between scanning and exploitation was always a human. Someone had to look at the scanner output, identify which findings were actually exploitable in this specific environment, develop an attack chain, execute it, and document the result. That connective tissue, the reasoning layer that sits between raw tool output and actionable conclusions, was entirely absent from the tooling itself.
Attempts were made to automate it. Vulnerability management platforms tried to prioritise findings by severity and exposure. Breach and attack simulation tools ran predefined attack scenarios and checked whether controls blocked them. Continuous penetration testing platforms scheduled regular assessments. All of this improved efficiency at the margins. None of them solved the core problem: automated tools could not reason. They could execute, but they could not think.
What large language models actually changed
Large language models did not arrive in security and immediately solve everything. What they did, and this took time for the industry to figure out, was provide something that had never existed in software before: a general-purpose reasoning layer that could operate on unstructured information.
That sounds abstract. Here is what it means in practice for security work.
Understanding context, not just patterns
A traditional scanner sees a service running on port 443 and checks it against a database of known vulnerabilities. An LLM can read the response from that service, understand what the application appears to do, infer what kind of data it probably handles, reason about what an attacker would want to achieve against it, and suggest where to look next based on all of that. It is not matching patterns. It is building a mental model of the target.
This is closer to how a skilled human tester thinks. Not what is the CVE for this version number, but what is this thing, why does it exist, what would break if I pushed on it here, and what would that let me do next.
Chaining information across steps
Legacy tools operated in isolation. Nmap found open ports. Metasploit exploited a specific service. sqlmap tested a specific parameter. Each tool knew nothing about what the others had found. A human had to hold all of that context and connect the dots.
LLMs can hold and reason across that context. Feed the results of a reconnaissance phase into an LLM and ask it what to try next: it can synthesise the information, identify the most promising attack surface, and suggest a specific approach. More importantly, it can explain its reasoning in terms a human can evaluate and correct. That correction loop is something no previous generation of tooling supported.
Generating rather than selecting
Every exploit in a traditional framework was written by a human and encoded in advance. If your target had a vulnerability that the framework did not have a module for, you were on your own. LLMs can write code. They can read documentation, understand a vulnerability class, and generate a proof of concept tailored to the specific target and configuration. This is not reliable enough to replace skilled exploit developers for novel vulnerabilities. But for adapting known techniques to new environments, it works surprisingly well.
The limits that remain
None of this means LLMs solved penetration testing. They introduced their own failure modes that did not exist before: hallucination, where the model confidently asserts something false; context drift, where a long chain of reasoning gradually loses track of what it is trying to do; and brittleness, where unexpected target behaviour causes the model to fail in ways a human would not.
They also did not change what matters most in offensive security: understanding the business, knowing what the organisation is actually trying to protect, and translating technical findings into risk that decision-makers can act on. LLMs can generate a report. They cannot understand that the finding they just documented would take down a payment processing system used by three million customers if exploited during business hours.
LLMs brought reasoning to security tooling for the first time. They did not bring judgment. That distinction matters a great deal for understanding what tools like PentAGI can and cannot do.

From single LLMs to multi-agent systems
Once practitioners started using LLMs for security tasks, a limitation became obvious quickly. A single LLM conversation has finite context. A penetration test does not. Reconnaissance generates data. That data informs exploitation attempts. Those attempts generate more data. By the time you are three hours into a complex engagement, the early context has either been forgotten or the context window is full.
Multi-agent architectures emerged as the practical answer. Rather than one LLM trying to do everything, you decompose the work into specialised agents. Each agent handles a specific phase or function. A central orchestrator coordinates them, passing relevant context between steps rather than feeding everything into a single conversation. The agents share memory through a persistent store rather than relying on a single context window.
This is the architecture PentAGI implements, and it represents the current state of the art for AI-driven offensive security tooling. The question is not whether multi-agent pentesting is a good idea. It clearly is. The question is how well this particular implementation delivers on it.
PentAGI: what it actually is
PentAGI has been generating significant buzz on social media, so I decided to share my take on it. It is an open-source multi-agent AI system for autonomous penetration testing, often described as a game changer for offensive security workflows with potential impact across cybersecurity broadly.
At a high level, it uses multiple AI agents to plan, execute, and chain penetration testing tasks using real tools: Nmap, Metasploit, sqlmap, Hydra, and others. The key difference from previous automation attempts is that it does not run tools blindly. It chains steps together more like a human would during an engagement and keeps track of context throughout. A knowledge graph combined with vector memory allows it to remember what it has seen and done before, helping build attack paths across runs instead of starting from scratch each time.

|
Agent |
What it does |
|
Orchestrator |
Plans the engagement,
sequences sub-agents, queries memory for prior context |
|
Researcher |
OSINT, web intelligence,
network reconnaissance |
|
Developer / Coder |
Writes custom exploit code
and payloads on the fly |
|
Executor |
Runs tools inside sandboxed
containers |
|
Adviser / Reflector |
Monitors for loops and
failures, enforces hard limits |
|
Installer |
Manages tool dependencies
inside the sandbox |
Each agent only has access to the tools its role requires. The coder cannot invoke network scanners. The executor cannot write files outside its namespace. This scoping limits the blast radius of any failure and mirrors the principle of least privilege that good security architecture demands.
The memory layer is the real differentiator. Findings are stored in PostgreSQL with vector search, and a Neo4j knowledge graph tracks relationships across hosts, credentials, and attack paths: Host A exploited, credentials reused, lateral movement to Host B. This is what enables genuine attack chain reasoning rather than scan and report. Most open-source tools do not have this. Most commercial ones charge significantly for it.
The system supports 12 or more LLM providers via LiteLLM: OpenAI, Anthropic Claude, Google Gemini, AWS Bedrock, and locally hosted Ollama models. Teams with strict data residency requirements can run everything air-gapped on local inference. The full observability stack, including Langfuse for LLM tracing and Grafana for metrics and logs, means every agent action and reasoning step is auditable.
What it does well
In authorised lab environments, PentAGI can plan attack chains, find vulnerabilities, generate exploits, execute tools in isolated Docker setups, and iterate across workflows using memory. That is genuinely useful and goes meaningfully beyond what most automated tooling can do today.

The real test: where automation still struggles
The real test is how it performs outside controlled environments. Real systems are messy. Business logic issues, custom workflows, edge cases, and incomplete access are where automation consistently struggles. Long reasoning chains can go off track. Hallucinations are a real risk during complex multi-step sequences. WAFs, rate limits, and unexpected system behaviour can block progress in ways the agents do not always recover from gracefully.
These are not flaws unique to PentAGI. They are the fundamental challenge of applying LLM-based reasoning to adversarial, real-world environments. The hard part of penetration testing is not running the tools. It is knowing where the tools fail, chaining issues into real business impact, understanding organisational context, and translating technical findings into risk that a board or auditor can act on. None of that is automated here.
If you want a quick reality check on how autonomous any of these tools actually are, point one at the easiest lab on HackTheBox or PortSwigger. Not a complex chain, not a custom environment the beginner stuff. See how far it gets without hand-holding. That result will tell you more than any benchmark or demo video.
Then check your LLM bill. The token cost to complete a single task tells you exactly how inefficient the reasoning is. A mature system solves problems with fewer cycles. These tools burn through context going in circles, and you pay for every loop.
Automation handles the known playbooks well. The creative, contextual, and adversarial thinking that turns a finding into a meaningful attack chain remains human work.
Where the viral claims fall apart
It is not zero input
Getting PentAGI running requires Docker, multiple configured services, LLM API keys, and proper scoping in the UI. You still define the target, approve actions, interpret results, and take legal and professional responsibility for what the system does. Long runs on frontier models generate real API costs. Zero input it is not.
It does not replace professional engagements
Enterprises do not just pay for execution. They pay for liability, legal authorisation letters, compliance-grade reporting acceptable to auditors, and accountability. If something goes wrong in production, who carries the risk? Who stands behind the findings in court or in front of a regulator? An MIT-licensed tool running on your own infrastructure answers none of these questions.
It is not AGI
The name is marketing. PentAGI automates known offensive playbooks intelligently. It does not generalise the way artificial general intelligence implies. The agents are sophisticated within their defined roles. Outside those roles, or on targets that behave unexpectedly, the system fails in ways a skilled human practitioner would not.
These tools are smart scanners with memory, not autonomous agents. That distinction matters. Autonomy means a system can reason through ambiguity, recover from wrong assumptions, and make accountable decisions under uncertainty. PentAGI plans, chains tools, and recalls prior findings but when the LLM hallucinates a vulnerability, misreads output, or confidently pursues a dead-end chain, there is no real mechanism to catch it. The agent just keeps going.
Hallucination is not a bug waiting to be patched. It’s a property of how large language models generate output they predict plausible tokens, not ground truth. In a penetration test, a confident wrong answer is not neutral. It produces false positives, missed impact chains, and reports that need human review regardless. The workflow does not change as much as the hype suggests. You still need someone who knows when the tool is wrong, and in security, that is the whole job.
The real value is in reducing repetitive reconnaissance and tool orchestration. That is useful. But calling it autonomous is a positioning choice, not a technical one. These are power tools, not replacements for the person who knows how to use them.
Who faces pressure, and who does not

The bottom line
PentAGI is best seen as a force multiplier for pentesters, DevSecOps teams, and bug bounty hunters working within proper authorisation frameworks. It makes workflows faster and more scalable while raising the bar for both attackers and defenders.
You are far more likely to be replaced by someone using tools like this than by the tool itself.
What is changing here is not replacement. It is how the work gets done. The hard part of penetration testing, knowing where tools fail, chaining issues into real impact, translating findings into business risk, that part remains human. PentAGI is an evolution in offensive security, not the end of it.
The security professionals who come out ahead will not be those who ignored tools like this. They will be the ones who understood them well enough to direct them, catch their failures, and provide the judgment layer no multi-agent system can replicate.
Ready to Strengthen Your Security Posture?
AI-driven tools like PentAGI can accelerate testing workflows, but effective security still requires expert oversight, validated methodologies, and compliance-ready reporting.
At RedSecLabs, our certified security professionals combine advanced automation with human expertise to deliver reliable penetration testing, vulnerability assessments, and compliance-aligned security services.
Contact us today to discuss your security testing requirements or schedule a consultation with our team.
Visit: redseclabs.com | Contact: [email protected]