hexstrike-ai

Exposes 150+ professional cybersecurity tools (nmap, gobuster, nuclei, sqlmap, ghidra, prowler, etc.) through the Model Context Protocol (MCP) as decorated @mcp.tool functions in hexstrike_mcp.py. External AI agents (Claude, GPT, Copilot) invoke tools via standardized MCP protocol, which routes requests through a Flask-based REST API server (hexstrike_server.py) that executes commands and returns structured results. The architecture decouples LLM agents from direct tool execution, enabling multi-agent orchestration with intelligent parameter optimization.

Implements POST /api/intelligence/analyze-target and POST /api/intelligence/select-tools endpoints that use AI-powered profiling to automatically recommend which security tools to execute based on target characteristics. The system analyzes target metadata (IP ranges, domain structure, cloud provider, application stack) and generates a ranked list of applicable tools with context-aware parameters. This eliminates manual tool selection and enables adaptive pentesting workflows where tool chains adjust based on discovered vulnerabilities.

Exposes sqlmap_scan() MCP tool that automates SQL injection vulnerability testing with intelligent parameter optimization. The tool automatically detects injectable parameters, tests multiple injection techniques (UNION-based, blind, time-based), and extracts database information. Integration with the intelligence engine enables context-aware tuning (e.g., aggressive testing for development targets, stealthy testing for production). Results include vulnerability confirmation, database schema extraction, and exploitation proof-of-concept.

Exposes ghidra_analyze() MCP tool that automates binary analysis and reverse engineering using Ghidra's decompilation engine. The tool analyzes binaries to extract function signatures, identify vulnerabilities (buffer overflows, format strings, use-after-free), and generate decompiled source code. Integration with the intelligence engine enables context-aware analysis (e.g., focusing on network-facing functions for network services, authentication functions for security-critical binaries). Results include vulnerability findings, function call graphs, and decompiled code snippets.

Exposes prowler_assess() MCP tool that automates cloud security assessment for AWS, Azure, and GCP environments. The tool runs 200+ security checks against cloud infrastructure, identifying misconfigurations, compliance violations, and security risks. Integration with the intelligence engine enables context-aware assessment (e.g., focusing on identity/access checks for AWS, network security checks for Azure). Results include compliance status (CIS, PCI-DSS, HIPAA), risk ratings, and remediation recommendations.

Implements result parsing and aggregation logic that converts heterogeneous tool outputs (nmap XML, nuclei JSON, sqlmap text, ghidra binary analysis) into a unified vulnerability data model. The system deduplicates findings across tools, assigns severity scores, and generates structured reports. Parsing uses tool-specific parsers (regex, XML parsing, JSON extraction) that normalize results into a common schema with vulnerability type, affected asset, severity, and remediation guidance.

Enables users to provide security assessment objectives in natural language (e.g., 'Find all SQL injection vulnerabilities in the web application and generate proof-of-concept exploits'), which the AI agent interprets and decomposes into a sequence of tool invocations. The system uses Claude/GPT to understand assessment intent, map it to available tools, and generate execution plans. This abstraction layer eliminates the need for users to know specific tool names or parameters, enabling non-experts to conduct security assessments.

Implements BugBountyWorkflowManager that orchestrates a multi-stage reconnaissance and vulnerability discovery pipeline: reconnaissance → service enumeration → vulnerability scanning → exploitation → reporting. The manager chains tools (nmap, gobuster, nuclei, sqlmap) with AI-driven decision logic between stages, automatically escalating findings and adapting the workflow based on discovered vulnerabilities. Each stage outputs structured findings that feed into the next stage's tool selection, creating a closed-loop autonomous pentesting loop.

Implements CTFWorkflowManager that decomposes Capture-The-Flag challenges into sub-tasks (binary analysis, web exploitation, cryptography, forensics) and autonomously selects appropriate tools (ghidra for reverse engineering, sqlmap for web exploits, steghide for forensics). The manager uses AI reasoning to interpret challenge descriptions, map them to tool capabilities, and chain tools to solve multi-stage challenges. Results from each tool feed into the next stage's analysis, enabling complex challenge solving without explicit step-by-step instructions.

Implements VulnerabilityResearchManager that conducts deep vulnerability analysis by chaining multiple tools (nuclei with custom templates, ghidra for binary analysis, sqlmap for injection testing) with feedback loops. The manager discovers vulnerabilities, analyzes their root causes using reverse engineering, tests exploitation paths, and generates detailed technical reports. AI reasoning determines which tools to apply based on vulnerability type, enabling adaptive research workflows that adjust based on findings.

Exposes POST /api/command endpoint that executes arbitrary security commands with real-time output streaming, combined with GET /health for server status and tool availability checks, and GET /api/telemetry for performance metrics. The Flask-based server manages command execution lifecycle, captures stdout/stderr, and tracks execution time and resource usage. Health checks verify that all 150+ tools are installed and accessible, enabling proactive detection of missing dependencies.

Implements GET /api/cache/stats endpoint that tracks cache performance and statistics for repeated security tool executions. The system caches tool outputs (nmap scans, directory enumeration results, vulnerability findings) to avoid redundant execution of expensive operations. Cache keys are based on tool name, target, and parameters, enabling intelligent reuse of previous results when scanning the same target multiple times or across different agents.

Implements 12+ specialized AI agents (reconnaissance agent, exploitation agent, analysis agent, reporting agent, etc.) that operate autonomously within the HexStrike framework, each with specific responsibilities and decision-making logic. Agents communicate through a shared context and decision bus, coordinating tool execution and result analysis. The system uses AI reasoning (Claude, GPT) to enable agents to make autonomous decisions about which tools to run, when to escalate findings, and how to adapt workflows based on discovered vulnerabilities.

Exposes nmap_scan() MCP tool that executes advanced Nmap scans with optimization for different target types (cloud infrastructure, on-premises networks, IoT devices). The tool automatically selects appropriate scan types (SYN stealth scans, UDP scans, service version detection) based on target characteristics, applies timing templates for network conditions, and parses results into structured JSON. Integration with the intelligence engine enables context-aware parameter tuning (e.g., aggressive scanning for cloud targets, stealthy scanning for defended networks).

Exposes gobuster_scan() and nuclei_scan() MCP tools that automate web application reconnaissance and vulnerability scanning. Gobuster performs directory and file enumeration with customizable wordlists and filtering, while nuclei runs vulnerability templates against discovered endpoints. The tools integrate with the intelligence engine to select appropriate wordlists and templates based on target technology stack (e.g., WordPress-specific templates for WordPress sites). Results are parsed into structured JSON and feed into downstream exploitation workflows.