Skip to main content
LLM-Powered Penetration Testing

The AI That Thinks Like a Red Teamer

35 autonomous agents. 12 scan phases. Chain of Thought reasoning.

View on GitHub See Pro Features

Open Source Core 22 Tool Integrations Works with any LLM

See It In Action

Watch zeScanner orchestrate a real penetration test.

zeScanner — scan session
Speed:
0 +
AI Agents
0
Scan Phases
0 +
Security Tools
0
Scan Profiles

How It Works

From target to report in three steps.

1

Target

Point it at a target — IPs, CIDRs, domains, or use pre-built scan recipes to get started instantly.

2

Orchestrate

35 AI agents coordinate across 12 phases. The LLM reasons about strategy, adapts tactics, and chains tools intelligently.

3

Report

Get actionable results — correlated findings, attack chains, compliance mapping, and MITRE ATT&CK coverage.

Agent Orchestration

29 specialized agents coordinated through 12 scan phases.

ORCHESTRATOR 1Passive Reconnaissance2 2Network Discovery 3Service Detection 4Internet Research 5Service Enumeration 6Web Analysis 7Vulnerability Scanning 8Finding Correlation 9Compliance Checks 10Exploitation 11Post-Exploitation 12Reporting
1

Phase 1: Passive Reconnaissance

2 agents

Auto

Gather intelligence from public sources without touching the target. WHOIS lookups, certificate transparency logs, DNS records, and OSINT collection to build a complete picture before active scanning begins.

Recon Threat Intel

Intelligent Security Features

Powered by LLM reasoning and multi-agent orchestration.

LLM Reasoning

Chain of Thought strategic reasoning. The AI analyzes scan state and adapts strategy in real time.

Adaptive Evasion

Detects WAF/IDS responses and adjusts scan parameters dynamically. Rate limiting, fragmentation, decoys.

Attack Chain Correlation

Connects findings across phases into exploitable attack paths. SQLi → Creds → SSH → Root.

RAG Intelligence

Cross-references NVD, ExploitDB, EPSS scores, CISA KEV, and GitHub PoCs for enriched context.

Article-to-Scan

Feed a security blog post and auto-generate a targeted scan configuration with CVEs and IOCs.

Compliance Mapping

Automated checks against PCI-DSS, CIS benchmarks, and TLS best practices.

Attack Chain Correlation

zeScanner connects findings across phases into exploitable attack paths.

critical
high
medium
low
Auto-play

Select a node to view finding details

Scan Profiles

From paranoid stealth to maximum speed.

Stealth Speed

Balanced

General purpose (default)

T3
Masscan Rate 10,000 pps
Nmap Timing T3
Evasion Level Basic
Intensity 55%
$ zescanner -t target -p balanced

Tool Integrations

22+ security tools, orchestrated by AI.

Port Scanning

nmap

Network scanner

masscan

Fast port scanner

Vulnerability

nuclei

Template-based scanner

nikto

Web server scanner

wpscan

WordPress scanner

Web Testing

ffuf

Web fuzzer

testssl.sh

TLS/SSL testing

curl

HTTP client

Enumeration

enum4linux

SMB enumeration

smbclient

SMB client

snmpwalk

SNMP enumeration

snmp-check

SNMP assessment

ssh-audit

SSH auditing

dig

DNS lookup

ldapsearch

LDAP queries

rpcclient

RPC enumeration

Exploitation

metasploit

Exploit framework

hydra

Login bruteforce

sqlmap

SQL injection

OSINT

subfinder

Subdomain discovery

theHarvester

Email & domain OSINT

whois

Domain registration

Scan Recipes

Pre-configured scans for common scenarios.

How zeScanner Compares

The first AI-native penetration testing framework.

Feature zeScanner Nessus Burp Suite OpenVAS Metasploit
LLM Reasoning / CoT
Multi-Agent Orchestration
Attack Chain Correlation
Adaptive Evasion Partial Partial
CLI-First Interface
Article-to-Scan
RAG Intelligence
Auto Strategy Adaptation
Compliance Checks Partial
Open Source Core
Custom Scan Recipes Partial Partial
Confidence Scoring

zeScanner: 12/12 features Nearest competitor: 3/12

Works With Any LLM

Bring your own provider. Run locally with Ollama for complete privacy.

Anthropic

Default

Claude Sonnet 4.5

ANTHROPIC_API_KEY

$ zescanner -t target --llm-provider anthropic

OpenAI

GPT-4 Turbo

OPENAI_API_KEY

$ zescanner -t target --llm-provider openai --llm-model gpt-4o

Groq

Fast

Llama 3.1 70B

GROQ_API_KEY

$ zescanner -t target --llm-provider groq

Ollama

Privacy

Qwen 2.5 7B

No API key needed

$ zescanner -t target --llm-provider ollama --llm-model qwen2.5:7b

Code Examples

Get started in seconds.

# Install zeScanner
pip install zescanner

# Set your API key
export ANTHROPIC_API_KEY="sk-ant-..."

# Run your first scan
zescanner -t 192.168.1.0/24

Choose Your Plan

Open source core with professional features.

Community

Free forever
  • Core scan agents (25+)
  • All 6 scan profiles
  • 12 scan recipes
  • CLI interface
  • Basic reporting (MD/JSON/HTML)
  • Community support
  • MIT License

Get notified at launch

Coming Soon

Pro

Custom pricing
  • Everything in Community
  • Advanced agents (AD, exploit, post-exploit)
  • RAG threat intelligence enrichment
  • Article-to-Scan pipeline
  • Attack chain visualization
  • Priority support
  • Custom integrations

Get notified when Pro launches

Get Early Access

Be the first to know when zeScanner launches. Join the waitlist.

View on GitHub See Pro Features

Open Source Core No Cloud Required Pro Features Available