AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox
Cybersecurity NewsArchived Jun 17, 2026✓ Full text saved
AIRecon is an autonomous penetration testing agent that runs entirely offline, combining a self-hosted Ollama LLM with a Kali Linux Docker sandbox to automate end-to-end security assessments without exposing any data to the cloud. Developed by researcher pikpikcu, it eliminates the prohibitive cost of commercial API-based models like GPT-4 or Claude for recursive recon workflows […] The post AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox appeared first on Cyber Security New
Full text archived locally
✦ AI Summary· Claude Sonnet
Discover more
Threat actor analysis
Software
Computer Security
HomeCyber Security
AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox
By Guru Baran
June 17, 2026
AIRecon is an autonomous penetration testing agent that runs entirely offline, combining a self-hosted Ollama LLM with a Kali Linux Docker sandbox to automate end-to-end security assessments without exposing any data to the cloud.
Developed by researcher pikpikcu, it eliminates the prohibitive cost of commercial API-based models like GPT-4 or Claude for recursive recon workflows that can demand thousands of LLM calls per session.
Commercial AI-powered security tools send target intelligence to external servers and require ongoing API subscriptions. AIRecon flips this model entirely; all tool output, vulnerability reports, and session data stay on the operator’s machine.
It integrates natively with Caido proxy, offering five built-in tools: list, replay, automate (using §FUZZ§ markers), findings, and scope management. This makes it particularly well-suited for bug bounty hunters and red teamers who operate under strict data-handling policies.
AIRecon structures every engagement through four automated phases, each with defined objectives, recommended tools, and automatic transition criteria. Phase enforcement is intentionally soft; the agent is guided but never blocked, and checkpoints fire every 5 iterations (phase evaluation), every 10 (self-evaluation), and every 15 (context compression).
The full stack includes the Kali sandbox, browser automation, a custom fuzzer, Schemathesis API fuzzing, and Semgrep SAST for static source analysis.
AIRecon Tool
One of AIRecon’s standout features is its optional airecon-dataset companion, which indexes approximately 1.09 million security records into local SQLite FTS5 databases including CVEs, red team techniques, CTF writeups, Nuclei templates, and bug bounty payloads all completely offline.
The LLM autonomously calls dataset_search before attempting unfamiliar techniques, grounding its decisions in real indexed data rather than pure hallucination. Session memory persists in ~/.airecon/memory/airecon.db, storing findings, WAF bypass patterns, tool reliability scores, and per-target attack chain discoveries that shape future behavior.
AIRecon requires a model with native tool-calling support and extended thinking (<think> blocks). Models below 8B parameters are strongly discouraged due to frequent hallucinations, invented CVEs, and unreliable tool calls. Recommended configurations:
Model VRAM Use Case
Qwen3.5 122B 48+ GB Best quality, most reliable
Qwen3.5 35B 20 GB Recommended for most users
Qwen3.5 35B (MoE) 16 GB Lower VRAM footprint
Qwen3.5 9B 6 GB Minimum viable setup
AIRecon ships with 57 built-in skill files and 289 keyword-to-skill auto-mappings covering the most common offensive techniques. The community airecon-skills repository adds 57 additional CLI-based playbooks for CTF, bug bounty, and penetration testing engagements.
MCP server integration is also supported via ~/.airecon/mcp.json, allowing the agent to dynamically expose external tooling such as custom XSS generators or proprietary API scanners as first-class agent tools.
Installation & Google Colab Support
Installation from GitHub requires Python 3.12+, Docker 20.10+, and a running Ollama instance, and can be completed in a single command:
bashcurl -fsSL https://raw.githubusercontent.com/pikpikcu/airecon/refs/heads/main/scripts/install.sh | bash
For operators without sufficient local VRAM, AIRecon supports a Google Colab T4 GPU tunnel setup via Cloudflare, allowing a free-tier Colab session to serve the model while AIRecon’s TUI runs locally.
The free T4 GPU (15 GB VRAM) supports qwen3.5:9b, though sessions are capped at 12 hours and are not suited for deep autonomous recon that exceeds that window.
CISO & Security Leaders: Your next breach may not have a face. Join ISC2’s LIVE webinar, “Ghost in the Machine”
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
ServiceNow Confirms Vulnerability Allowing Unauthorized Access to Customer Instance Tables
Hackers Abuse TikTok and Instagram Reels to Spread Malware via Fake Free Software Tutorials
Ivanti Endpoint Manager Mobile Vulnerability Enables Remote Code Execution Attacks
Ransomware Ecosystem Consolidates Around LockBit Alumni, Qilin, Hyflock, and The Gentlemen
Splunk Enterprise Pre-Auth RCE Chain Exposes Database With Zero Authentication
Latest News
Chrome
Critical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code – Update Now!
Cyber Security News
Hackers Use Rokarolla Android Malware to Disable Google Play Protect and Control Devices
Cyber Security News
Deno-Based RAT Uses Microsoft Teams Impersonation and Mailbombing to Target Employees
Cyber Security
Hackers Abuse Steam Workshop Application Wallpapers to Hijack Active Steam Sessions
AI
Hackers Using Claude and OpenAI’s Codex for Exploitation, and Data Exfiltration Activities