Professional Autonomous Pentesting

AI-WAR
CYBER PLATFORM

AI 战争 · 网络平台

ai-war agent platform (war.xcom.dev)

AI-driven autonomous pentesting infrastructure for cybersecurity professionals. Orchestrate 20+ integrated tools through a single LLM-powered attack chain. For authorized network testing only. OSINT → Enumeration → Exploitation → Reporting.

Download Attack Chain Try GUI Demo View Agent Skills
Scroll
00
Deployment

Download Attack Chain

下载攻击链

Deploy the autonomous pentesting orchestrator on your infrastructure. The attack chain script handles tool orchestration, authorization checking, and multi-stage scan execution. Full scope verification required before scan initiation.

Quick Deploy (Curl)

$ bash deployment 
curl -O https://war.xcom.dev/attack-chain.sh
bash attack-chain.sh --target example.com --mode standard

✓ Requires: nmap, nikto, gobuster (optional: enhanced results)
✓ Output: JSON/Markdown/PDF report
✓ Authorized scope verification required
✓ Scans: OSINT → Enumeration → Web → Exploitation

Advanced Usage

./attack-chain.sh \
  --target TARGET_DOMAIN \
  --mode [quick|standard|thorough|continuous] \
  --output /path/to/output/ \
  --format [json|markdown|html|sarif] \
  --scope-token YOUR_AUTH_TOKEN

✓ Full parametrization for CI/CD integration
✓ Docker deployment: docker run war.xcom.dev:latest
✓ Kubernetes manifests available
✓ See: ./attack-chain.sh --help

00.5
GUI Client

Interactive Scanning Interface

交互式扫描界面

Download the cross-platform war.xcom.dev GUI client for macOS, Linux, and Windows. Point-and-click target selection, real-time scan progress, and one-click report export.

Scan Interface

Features

  • Real-time Progress
    Live scan stage updates. Cancel anytime.
  • Multi-Format Export
    JSON, Markdown, PDF, HTML, SARIF output formats.
  • CVSS Scoring
    Every finding auto-scored. CRITICAL/HIGH/MEDIUM/LOW filtering.
  • Local Execution
    Runs on your infrastructure. No cloud scanning. Full privacy.
  • History & Comparison
    Track scan history. Compare findings over time. Detect drift.
Download GUI (v2.1.0)
macOS (Intel/Apple Silicon) • Linux • Windows • Docker
00.7
OpenClaw Integration

AI Agent Orchestration

AI 智能体编排

war.xcom.dev is fully integrated with the OpenClaw AI agent framework. Manage, customize, and orchestrate pentesting agents from a unified workspace. Chain multiple skills together. Deploy autonomous red teams.

🎯

Terminator Agent

Primary autonomous pentesting agent. Orchestrates the full attack chain. Handles scope verification, tool sequencing, and report synthesis.

Edit in OpenClaw →
🛠

Pentest Skill (D2)

Full D2 specification for pentesting workloads. SKILL.md + TOOLS.md + REPORT.md. Integrated tool chain definitions. Customizable scan templates.

View Specification →
🔍

Hunter Skill

Continuous vulnerability hunting and asset monitoring. Real-time alerts. Feeds into pentesting pipeline. Detects infrastructure drift and new exposures.

Configure Monitoring →
OpenClaw Workspace

Access the OpenClaw agent management interface at ai.xcom.dev/workspace. Create custom agents, chain skills, set trigger conditions, and deploy autonomous red teams to your network.

Open OpenClaw Workspace
01
Overview

Full-Stack Attack Surface Coverage

全栈攻击面覆盖

war.xcom.dev is the autonomous pentesting surface of the XCOM network. A single command triggers a multi-stage scan pipeline — OSINT first, then network enumeration, web application probing, credential testing, and LLM-powered synthesis of the full attack surface. Every finding is CVSS-scored, de-duplicated, and exported in your format of choice. For authorized security professionals only.

20+
Integrated Tools
4
Scan Modes
6
Report Formats
LLM
Attack Synthesis
02
Tool Stack

The Pentest Arsenal

渗透测试工具库

Every tool in the stack is open source, battle-tested, and orchestrated via the XCOM pentest skill. Click any tool to view its upstream documentation.

OSINT & Reconnaissance

OSINT
AMASS
Deep subdomain enumeration using DNS brute-force, certificate transparency, ASN mapping, and 40+ data sources. Maps the full external attack surface.
github.com/owasp-amass
DNS Subdomain ASN
OSINT
theHarvester
Email, username, hostname, and IP harvesting from search engines, LinkedIn, Shodan, and DNS. Aggregates passive intel before any active scan begins.
github.com/laramies
Email Passive OSINT
OSINT
crt.sh
Certificate transparency log search. Extracts all issued TLS certificates for a domain, exposing subdomains, internal hosts, and infrastructure history.
crt.sh
TLS Cert Transparency
Threat Intel
Shodan
Internet-wide device and service search. Enumerate open ports, service banners, known CVEs, and exposed industrial control systems without sending a single packet.
shodan.io
Passive CVE ICS
Threat Intel
Censys
Continuous internet scan data. Search TLS certificates, open ports, and running services across IPv4 space. Complements Shodan with deeper certificate analytics.
censys.io
IPv4 Certificates
Threat Intel
VirusTotal
Multi-engine malware and URL/IP reputation database. Correlates target IPs and domains against 70+ security vendor feeds for passive threat context.
virustotal.com
Reputation Malware

Network & Infrastructure

Network
Nmap
The gold standard of network scanning. SYN stealth scan, version detection (-sV), OS fingerprinting (-O), NSE script engine for targeted service probing.
nmap.org
Port Scan NSE OS Detection
Network / AD
smbmap
SMB share enumeration with permissions mapping. Identifies readable/writable shares, traverses directories, and checks for null session access on Windows targets.
github.com/ShawnDEvans
SMB Windows AD
Network / AD
CrackMapExec
Swiss army knife for Active Directory environments. Mass credential testing, SMB relay detection, Pass-the-Hash, Kerberoasting enumeration, and LDAP queries.
github.com/byt3bl33d3r
Active Directory Kerberos SMB
Active Directory
ldapdomaindump
LDAP-based Active Directory information dumper. Extracts users, groups, GPOs, computers, and policy objects into structured HTML/JSON reports.
github.com/dirkjanm
LDAP AD GPO
Secrets
TruffleHog
Secret scanning for git repos, S3 buckets, filesystems, and APIs. Detects API keys, tokens, private keys, and credentials with 700+ regex detectors and entropy analysis.
github.com/trufflesecurity
Git Secrets API Keys
Network
snmp-check
SNMP enumeration tool. Queries v1/v2c community strings to extract system information, running processes, network interfaces, and installed software from network devices.
snmp-check
SNMP IoT Network Devices

Web Application

Web
Nikto
Web server scanner for 6700+ known vulnerabilities — dangerous files, outdated server versions, insecure headers, default credentials, and misconfigured SSL.
github.com/sullo/nikto
HTTP CVE Misconfig
Web
Gobuster
High-speed directory, file, DNS, and vhost brute-forcer. Parallel goroutine engine rips through SecLists wordlists to expose hidden endpoints and admin panels.
github.com/OJ/gobuster
Directory DNS Vhost
Web
FFUF
Fast web fuzzer for directories, parameters, headers, and POST data. Highly configurable rate-limiting, response filtering, and recursive scanning make it the go-to for parameter discovery.
github.com/ffuf/ffuf
Fuzzing Params Headers
Web / DAST
OWASP ZAP
Full DAST scanner with active and passive modes. Spider, AJAX spider, headless Chrome integration, custom scan policies, and OpenAPI schema support for REST APIs.
zaproxy.org
DAST Spider API
Database
sqlmap
Automated SQL injection detection and exploitation. Supports MySQL, PostgreSQL, MSSQL, Oracle, and SQLite. Extracts schema, dumps tables, and attempts OS command execution.
sqlmap.org
SQLi Database Blind
Web
Retire.js
JavaScript component vulnerability scanner. Detects outdated jQuery, Angular, React, Bootstrap, and 500+ other libraries against a curated CVE database.
retire.js
JavaScript SCA CVE

Credentials & Exploitation

Credentials
Hydra
Parallelized login cracker supporting SSH, FTP, HTTP-form, RDP, SMB, LDAP, SMTP, and 50+ protocols. Configurable task threads and per-service timing to avoid lockouts.
github.com/vanhauser-thc
Brute-Force SSH HTTP
Credentials
Medusa
Speedy, massively parallel password brute-forcer. Modular architecture supports custom protocol modules. Used in XCOM as a Hydra complement for SSH and database credential testing.
github.com/jmk-foofus
Parallel Modular Database
Exploitation
Metasploit
The world's most-used penetration testing framework. 2000+ exploits, 500+ auxiliary modules, Meterpreter post-exploitation, and MSFvenom payload generation. Used in XCOM for CVE validation.
metasploit.com
Exploitation Post-Exploit CVE
03
Scan Modes

Four Levels of Depth

四层深度扫描

Each mode progressively deepens coverage and increases dwell time. Use Quick for rapid triage, Standard for typical engagements, Thorough for comprehensive red teams, and Continuous for persistent monitoring loops.

Mode Duration Tools Active Use Case
Quick 5–15 min Nmap top-1000, Nikto, Gobuster common, Shodan passive Rapid triage. First look at unknown asset. CTF reconnaissance.
Standard 30–90 min Full TCP Nmap, Gobuster + FFUF, Nikto, sqlmap detect, Amass, ZAP passive Standard pentest engagement. VAPT scoping phase. Bug bounty initial recon.
Thorough 2–6 hrs All tools. UDP scan, ZAP active, sqlmap exploit, Hydra credential test, Metasploit CVE validation, TruffleHog git scan Full red team engagement. Compliance audit. Comprehensive VAPT report.
Continuous
24/7 		Persistent Lightweight diff-based. Amass + Shodan polling. New port/service delta alerts. Attack surface monitoring. Detect new exposures. Notify on configuration drift.
04
Attack Chain

LLM-Orchestrated Pipeline

LLM 驱动的流水线

Every scan follows the same structured attack chain. Each stage feeds its findings into the next. The LLM synthesis layer correlates all outputs into a unified attack narrative with prioritised remediation.

1

Scope Gate

Authorization check. Verify written scope. Apply production blocklist. Log operator identity and scan parameters to immutable audit trail.

2

OSINT Layer

Amass subdomain enum → theHarvester email/IP harvest → crt.sh cert scrape → Shodan/Censys/VT/OTX passive intel → DNS zone transfer attempts.

3

Network Enumeration

Nmap SYN stealth full TCP + UDP top-200 → service version detection → NSE vuln scripts → smbmap + CrackMapExec on Windows targets → SNMP enumeration.

4

Web Application

Nikto banner + vuln scan → Gobuster dir + DNS → FFUF parameter fuzzing → ZAP spider + active scan → GraphQL introspection → JWT decode → CORS check.

5

Database & Auth

sqlmap on discovered injection points (w/ tamper scripts for WAF bypass) → NoSQL injection probes → Hydra/Medusa credential testing → IDOR enumeration.

6

LLM Synthesis

All findings fed to local Qwen model. Correlates CVEs, chains attack vectors, estimates impact, assigns CVSS scores, and generates human-readable attack narrative.

ORCHESTRATION SCRIPT

# xcom-pentest standard mode TARGET="example.com" MODE="standard" OUTPUT="/tmp/xcom-pentest-$(date +%s)" # Stage 1 — OSINT (parallel) amass enum -d $TARGET & theHarvester -d $TARGET -l 300 -b all & curl -s "https://crt.sh/?q=$TARGET&output=json" & wait # Stage 2 — Network nmap -sS -sV -O --script vuln \ -p- --min-rate 2000 $TARGET # Stage 3 — Web nikto -host $TARGET -output $OUTPUT/nikto.txt gobuster dir -u https://$TARGET \ -w /usr/share/seclists/Discovery/\ Web-Content/common.txt ffuf -u https://$TARGET/FUZZ \ -w /usr/share/seclists/Fuzzing/\ fuzz-Bo0oM.txt -mc 200,301,302,403 # Stage 4 — LLM synthesis xcom-analyze --findings $OUTPUT/ \ --model qwen3.5:35b \ --output $OUTPUT/report.md
05
Reporting

Six Export Formats

六种导出格式

Every scan auto-generates a full report. CVSS v3.1 scoring on every finding. De-duplicated across tool outputs. Remediation steps linked to CVE references.

MD

Markdown

Human-readable report with executive summary, per-host findings, CVSS table, and remediation checklist. Renders natively in GitHub, Obsidian, and Notion.

{}

JSON

Machine-readable structured output. Feeds directly into SIEM pipelines, ticketing systems (Jira, Linear), and CI/CD security gates.

HTML

HTML / PDF

Branded client-ready report. Full CVSS risk matrix, executive summary, and technical appendix. Converts to PDF via headless Chrome.

SA

SARIF

Static Analysis Results Interchange Format. GitHub Code Scanning compatible. Surfaces findings directly in pull request annotations and security dashboard.

Telegram / WhatsApp

Live scan progress and summary alerts delivered to your channel. Critical findings (CVSS ≥ 9.0) trigger immediate push notifications.

GH

GitHub Issues

Auto-creates labelled issues from findings. CRITICAL/HIGH/MEDIUM/LOW severity labels, CVSS score in title, full technical detail and remediation in body.

06
Commands

Quick Start

快速开始

The XCOM pentest skill integrates with the OpenClaw agent framework. Trigger scans via Telegram, WhatsApp, or direct CLI. All commands require a valid scope authorization token.

TELEGRAM / WHATSAPP

Message your XCOM agent from any device. The skill handles scope verification, orchestrates the scan, and pushes progress updates every 5 minutes.

# Start a scan /pentest scan example.com --mode standard # Get latest report /pentest report --format markdown # Compare two scans /pentest compare scan-001 scan-002 # Check scope /pentest scope example.com

CLI / OPENCLAW SKILL

Run the pentest skill directly from the OpenClaw agent framework. The full D2 skill specification is available at the link below.

# Install skill dependencies sudo apt install nmap nikto gobuster ffuf \ sqlmap amass hydra zaproxy # Run via OpenClaw openclaw skill run pentest \ --target example.com \ --mode thorough \ --output /tmp/report/ # Skill specification ~/.openclaw/workspace/skills/pentest/ ├── SKILL.md # Full D2 spec ├── TOOLS.md # Install guide └── REPORT.md # Report templates
View Skill Protocol

Start Your First Scan

Authorize a target. Trigger the chain. Receive a full attack surface report in under 90 minutes.

Browse Tool Stack Quick Start Guide Back to Platform