Overview
Production Readiness
0.4
Novelty Score
0.6
Cost Impact Score
0.5
Citation Count
0
Why It Matters For Business
Automates routine pentest steps and lets teams swap in better models or updated tools without changing agent code. That can speed internal red-team work and reproduce attacks for testing. However, exploitation reliability depends on the model, and legal safeguards are essential.
Summary TLDR
PentestMCP is a set of MCP (Model Context Protocol) servers that expose common penetration-testing tools as RPC-style functions. The paper shows agents using these servers to automatically scan for, identify, and exploit two well-known vulnerabilities (CVE-2017-5638 and CVE-2017-0144) in sandboxed labs. Success depends strongly on the language model used.
Problem Statement
Security teams and researchers want agents to run real pentest tools without baking those tools into agent code. Existing agentic systems often mix tools into the agent, making updates hard. PentestMCP decouples tools (as networked RPC servers) so agents can call standard pentest functionality at run-time.
Main Contribution
- A working PentestMCP library that implements four MCP servers (nmap, curl, nuclei, metasploit) to expose scanning, enumeration, vulnerability scanning, and exploitation as callable tools.
- End-to-end agent demonstrations that use these MCP servers to identify and exploit two historical vulnerabilities in sandboxed environments (Apache Struts CVE-2017-5638 and SMB EternalBlue CVE-2017-0144).
- Model comparison notes showing that exploitation success varies by LLM; the repository and examples are published on GitHub.
Key Findings
- PentestMCP exposes four core pentest servers (nmap, curl, nuclei, metasploit).
- For CVE-2017-5638 the agent identified the vuln in 4/4 model runs and exploited it in 2/4 runs on the evaluated setup.
- For CVE-2017-0144 the agent identified the vuln in 3/4 model runs and exploited it in 2/4 runs on the evaluated setup.
Results
CVE-2017-5638 identification rate
CVE-2017-5638 exploitation rate
CVE-2017-0144 identification rate
CVE-2017-0144 exploitation rate
Who Should Care
What To Try In 7 Days
- Clone the PentestMCP GitHub repo and run the demo in a sandbox lab (TryHackMe or local VMs).
- Wire PentestMCP to a simple agent (FastAgent example) and run a scan → vuln-scan workflow.
- Compare 2–3 LLMs: check 'identified' vs 'exploited' and log tool calls and token cost.
Agent Features
Planning
- iterative step planning (scan → scan/detail → exploit → post-exploit)
Tool Use
- nmap
- nuclei
- metasploit
- curl
Frameworks
- FastAgent
Is Agentic
true
Architectures
- MCP (Model Context Protocol) RPC pattern
Collaboration
- multi-function agent workflows (playbook-driven)
Reproducibility
Code Available
Open Source Status
- partial
Risks & Boundaries
Limitations
- Evaluation limited to two historical CVEs in sandbox environments; no large-scale benchmark.
- Small model pool; reported success rates may not generalize to other targets or models.
- Automation increases offensive capability; ethical and legal safeguards must be applied.
When Not To Use
- Do not run PentestMCP against production or external networks without explicit legal permission.
- Not a turnkey replacement for experienced pentesters: model failures and misconfigurations can cause incorrect or unsafe actions.
Failure Modes
- Model selects an incorrect payload architecture (e.g., aarch64 payload for x64 host) causing exploit failure (Table 9).
- Agent fails to populate required module options in an exploit call, producing input validation errors (Table 7).
- Model finds a vuln but fails to locate a reliable exploit via metasploit (observed with grok-4).
Core Entities
Models
- gpt-4o-2024-08-06
- o3-2025-04-16
- grok-4-0709
- gemini-2.5-flash-preview-05-20
- Claude Opus 4
- OpenAI GPT 5
Metrics
- identified (yes/no)
- exploited (yes/no)
- tool calls
- tokens
Context Entities
Datasets
- TryHackMe Blue (sandbox)