hexstrike-ai

Exposes 150+ cybersecurity tools through the Model Context Protocol (MCP) as decorated functions (@mcp.tool) that external AI agents (Claude, GPT, Copilot) can invoke autonomously. The hexstrike_mcp.py FastMCP client translates natural language requests from LLMs into structured tool invocations with parameter binding, enabling multi-step security workflows without manual tool switching or context loss between agent and execution environment.

Analyzes target characteristics (IP ranges, domain structure, service fingerprints, cloud provider) via POST /api/intelligence/analyze-target endpoint and recommends optimal tool subsets via POST /api/intelligence/select-tools. Uses AI-powered decision logic to match target attributes (e.g., AWS infrastructure, web application, binary) to relevant tools from the 150+ arsenal, reducing tool selection overhead and improving scan efficiency by avoiding irrelevant tools.

Orchestrates nuclei_scan() MCP tool that executes community and custom vulnerability detection templates against targets. Agents analyze target characteristics and select optimal nuclei templates (by severity, relevance, execution time) to maximize vulnerability discovery while minimizing scan time. Implements template chaining where findings from one template inform execution of subsequent templates, and correlates results across templates to identify complex vulnerabilities requiring multiple detection vectors.

Orchestrates sqlmap_scan() MCP tool with AI-driven payload adaptation based on target response analysis. Agents analyze HTTP responses to injection attempts, identify database type and version from error messages and behavior, and generate context-specific payloads (time-based blind, boolean-based blind, union-based, error-based) optimized for detected database. Implements intelligent parameter prioritization that tests most likely vulnerable parameters first, reducing total scan time.

Discovers REST API endpoints through multiple techniques: directory enumeration (gobuster), JavaScript analysis for API calls, OpenAPI/Swagger specification parsing, and HTTP method enumeration. Agents analyze discovered endpoints to identify authentication mechanisms, parameter types, and potential vulnerabilities. Implements automated API security testing including authentication bypass attempts, authorization flaws, rate limiting evasion, and injection attacks across API parameters.

Implements intelligent caching layer (GET /api/cache/stats endpoint) that stores scan results, tool outputs, and reconnaissance data to avoid redundant tool execution. Agents query cache before executing tools, reusing previous results for unchanged targets or similar reconnaissance queries. Cache invalidation is time-based and event-based (target changes, tool updates), and cache statistics track hit rates and storage usage to optimize cache size and retention policies.

Provides real-time system health monitoring via GET /api/health endpoint and telemetry collection via GET /api/telemetry endpoint. Tracks server status, tool availability, resource utilization (CPU, memory, disk), and scan performance metrics (execution time, success rate, tool-specific statistics). Agents use telemetry data to make decisions about scan aggressiveness, tool selection, and resource allocation, and health checks enable graceful degradation when tools or services become unavailable.

Optimizes tool execution parameters via POST /api/intelligence/optimize-parameters by analyzing target context (network size, service types, scan scope) and adjusting tool arguments (e.g., nmap timing templates, nuclei concurrency, sqlmap risk levels) to balance speed, accuracy, and resource consumption. Uses AI reasoning to select appropriate parameter presets (aggressive vs stealthy, comprehensive vs quick) based on engagement goals and target constraints.

Implements BugBountyWorkflowManager that orchestrates multi-stage reconnaissance, vulnerability discovery, and reporting via specialized AI agents. Chains tools in sequence (nmap → service enumeration → vulnerability scanning → exploitation → impact assessment) with intelligent decision points where agents decide whether to escalate findings, pivot to new targets, or conclude assessment. Manages state across tool invocations and generates structured vulnerability reports with CVSS scores and remediation guidance.

Implements CTFWorkflowManager that decomposes CTF challenges into sub-tasks (flag discovery, cryptography, reverse engineering, web exploitation) and assigns specialized AI agents to solve each category. Agents reason about challenge hints, execute relevant tools (ghidra for binary analysis, hashcat for cracking, sqlmap for web exploits), and iteratively refine approaches based on tool output. Maintains challenge state and coordinates multi-agent collaboration for complex challenges requiring cross-domain expertise.

Implements VulnerabilityResearchWorkflowManager that correlates findings from multiple scanning tools (nuclei, nessus, burp, custom scripts) to identify complex vulnerabilities requiring cross-tool evidence. Agents analyze tool outputs, identify patterns (e.g., multiple XSS vectors in same parameter, privilege escalation chains), and synthesize findings into high-confidence vulnerability reports. Integrates with vulnerability databases (NVD, CVE feeds) to enrich findings with exploit availability and patch status.

Orchestrates multi-phase network reconnaissance (ping sweep → port scanning → service enumeration → OS fingerprinting) via nmap_scan() MCP tool with adaptive strategy selection. Agents analyze network topology and service distribution to decide between aggressive full-port scans, targeted scanning of common ports, or stealthy scanning with timing evasion. Implements incremental scanning where initial results inform subsequent scan parameters, reducing total scan time and network impact.

Orchestrates web application testing via gobuster_scan() for directory enumeration and sqlmap_scan() for SQL injection detection, with AI-driven payload generation and parameter fuzzing. Agents analyze application structure (forms, parameters, API endpoints) discovered by gobuster and generate context-aware payloads for sqlmap based on parameter types and application behavior. Implements intelligent parameter discovery that identifies hidden parameters through JavaScript analysis and API endpoint enumeration.

Integrates Ghidra reverse engineering platform via ghidra_analyze() MCP tool, enabling AI agents to analyze binary files, decompile code, and identify vulnerabilities. Agents interpret decompiled code, recognize common vulnerability patterns (buffer overflows, format strings, use-after-free), and generate exploitation strategies. Supports automated function identification, string extraction, and cross-reference analysis to understand binary behavior without manual reverse engineering.

Implements cloud security assessment via prowler_assess() MCP tool that audits AWS, Azure, and GCP configurations against CIS benchmarks and compliance frameworks (PCI-DSS, HIPAA, SOC2). Agents analyze cloud resource configurations (IAM policies, security groups, encryption settings, logging) and identify misconfigurations, overprivileged accounts, and compliance violations. Generates remediation recommendations aligned with cloud provider best practices and organizational policies.