LcsH0s/PentestCrowd

PentestCrowd - Agentic AI API Pentesting Tool

Automated, intelligent, and scalable API security testing powered by Rust and Agentic AI.

Status: Work in Progress (WIP) – This project is actively being developed and refined.

PentestCrowd is an experimental side project designed to explore the potential of combining medium-sized language models (like LLAMA 70B Instruct) with agentic AI design for automated API pentesting. Built in Rust for its modern, safe, and performant characteristics, this tool aims to provide a flexible framework for vulnerability scanning while leveraging custom LLM interaction and function-calling logic. It’s important to note that this project is not production-ready, nor does it guarantee comprehensive security testing—it’s a learning-driven initiative aimed at experimenting with novel approaches to API security. The current implementation targets an intentionally vulnerable container using the excellent VAmPI Docker image. Contributions, feedback, and discussions are welcome as we continue refining and expanding this project.

Features

  • AI Agents for Automation: Deploy intelligent agents capable of autonomously navigating API endpoints, crafting payloads, and identifying vulnerabilities.
  • Meta-Agent Orchestration: Utilize meta-agents that recursively call other agents as tools, enabling complex, multi-layered workflows.
  • Function Calling Framework: Leverage a flexible function-calling system to dynamically interact with APIs and adapt to their behavior.
  • Scalable Architecture: Built on Rust for high performance, concurrency, and memory safety, ensuring reliability during large-scale scans.
  • Customizable Workflows: Define custom rules, agent behaviors, and scanning strategies to tailor the tool to your specific needs.
  • Open Source & Community Driven: Fully transparent and extensible, with contributions welcome from the security and AI communities.
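One way the function-calling and meta-agent features above can be kept inside a lab scope, as an added example that is not PentestCrowd's own code: a tool dispatcher that refuses HTTP calls outside one allowed origin and bounds how deeply agents may call other agents. The type names, the tool names, `MAX_DEPTH` and the `http://vampi.test:5000` origin are all assumptions made for illustration.

```rust
// Added illustration; every name here is hypothetical, not PentestCrowd's API.
use std::collections::HashMap;

const MAX_DEPTH: usize = 3; // assumed bound on agent-calls-agent nesting

#[derive(Debug, PartialEq)]
enum ToolError { UnknownTool(String), OutOfScope(String), TooDeep }

// A tool call as a model might emit it: a tool name plus one string argument.
struct Call { tool: String, arg: String }

enum Tool {
    HttpGet,          // leaf tool: would send a request; here it only records it
    Agent(Vec<Call>), // meta-agent: a fixed plan standing in for model output
}

struct Dispatcher { tools: HashMap<String, Tool>, allowed_origin: String }

impl Dispatcher {
    // The origin must be followed by '/' or nothing, so look-alike hosts such
    // as "<origin>.evil.example" fail. Real code should parse the URL instead.
    fn in_scope(&self, url: &str) -> bool {
        match url.strip_prefix(self.allowed_origin.as_str()) {
            Some(rest) => rest.is_empty() || rest.starts_with('/'),
            None => false,
        }
    }
    // Runs one call; agents recurse into their sub-calls with depth + 1.
    fn run(&self, call: &Call, depth: usize) -> Result<Vec<String>, ToolError> {
        if depth > MAX_DEPTH { return Err(ToolError::TooDeep); }
        match self.tools.get(&call.tool) {
            None => Err(ToolError::UnknownTool(call.tool.clone())),
            Some(Tool::HttpGet) if !self.in_scope(&call.arg) => Err(ToolError::OutOfScope(call.arg.clone())),
            Some(Tool::HttpGet) => Ok(vec![format!("GET {}", call.arg)]),
            Some(Tool::Agent(plan)) => {
                let mut log = Vec::new();
                for sub in plan { log.extend(self.run(sub, depth + 1)?); }
                Ok(log)
            }
        }
    }
}

// Constructed registry: one leaf tool, one agent, one agent that calls itself.
fn demo() -> Dispatcher {
    let call = |t: &str, a: &str| Call { tool: t.into(), arg: a.into() };
    let mut tools = HashMap::new();
    tools.insert("http_get".to_string(), Tool::HttpGet);
    tools.insert("recon".to_string(), Tool::Agent(vec![call("http_get", "http://vampi.test:5000/")]));
    tools.insert("loop".to_string(), Tool::Agent(vec![call("loop", "")]));
    Dispatcher { tools, allowed_origin: "http://vampi.test:5000".into() }
}

fn main() { println!("{:?}", demo().run(&Call { tool: "recon".into(), arg: String::new() }, 0)); }
```
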

Why This Tool?

In today's fast-paced development environment, APIs are at the core of most applications, making them a prime target for attackers. Traditional API security tools often rely on predefined rulesets or static test cases, which can miss vulnerabilities introduced by complex or unconventional API behaviors. Meanwhile, manual pentesting is time-consuming and requires significant expertise, making it less scalable for modern CI/CD pipelines.

This is where PentestCrowd comes in. By combining Agentic AI with automated pentesting, this tool explores a new paradigm in API security testing:

  • Adaptive Testing: Leveraging medium-sized language models allows the tool to dynamically adapt its testing strategies based on the API's responses, uncovering edge cases that traditional tools might overlook.
  • Custom Function Calling: Unlike off-the-shelf libraries, the custom LLM interaction logic ensures seamless integration with platforms like OpenRouter, enabling precise control over how tests are executed.
  • Performance and Safety: Written in Rust, PentestCrowd benefits from the language's memory safety guarantees and high performance, ensuring reliable execution even during intensive testing scenarios.
  • Exploration of New Ideas: This project isn't just about building another pentesting tool—it's about experimenting with innovative concepts like combining agentic workflows with AI-powered automation to push the boundaries of what's possible in API security.

While this tool doesn't claim to replace existing solutions, it serves as a playground for exploring how AI and modern programming languages can enhance traditional security practices. Whether you're a developer curious about AI-driven testing or a security enthusiast looking to contribute, PentestCrowd invites you to join the journey of reimagining API pentesting.

Installation

Prerequisites

  • Rust (stable version)
  • Cargo package manager
  • Git
  • Docker & Docker Compose

Steps

  1. Clone the repository:

    git clone https://github.com/LcsH0s/PentestCrowd.git
    cd PentestCrowd

  2. Build the project:

    docker compose build

  3. Run the tool:

    docker compose up --abort-on-container-exit

Contributing

We welcome contributions from developers, security researchers, and AI enthusiasts! Here's how you can help:

  1. Report Issues: Found a bug or have a feature request? Open an issue on GitHub.
  2. Submit PRs: Fork the repository, make your changes, and submit a pull request.
  3. Improve Documentation: Help us enhance the README, guides, and examples.
  4. Test the Tool: Try it out and share feedback or edge cases.

Roadmap

  • Core AI agent framework
  • Meta-agent orchestration
  • Enhanced logging and reporting features
  • Web-based dashboard for visualization
  • Integration with popular vulnerability databases (RAG)

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • Built with ❤️ using Rust.
  • Inspired by advancements in AI function calling LLMs and agentic designs.

Contact

For questions, feedback, or collaboration opportunities, feel free to reach out:
