AIRecon: A Fully Local Autonomous Penetration Testing Agent

AIRecon is an open-source autonomous cybersecurity agent that integrates self-hosted large language models, Kali Linux Docker sandboxes, and an interactive TUI to enable fully local penetration testing and bug bounty reconnaissance automation without the need for API keys.

Cybersecurity, Penetration Testing, Large Language Models, Ollama, Docker, Kali Linux, Bug Bounty, Automation, Privacy Protection
Published 2026-04-09 00:42 | Recent activity 2026-04-09 00:50 | Estimated read 7 min

Section 01

AIRecon: A Fully Local Autonomous Penetration Testing Agent (Introduction)

AIRecon is an open-source autonomous cybersecurity agent that integrates self-hosted large language models, Kali Linux Docker sandboxes, and an interactive TUI to enable fully local penetration testing and bug bounty reconnaissance automation without API keys. Its core advantages include zero cloud dependency (data stored locally throughout the process), privacy-first design, and deep integration of professional toolchains, addressing the cloud data leakage risks and high manual intervention issues of traditional tools.


Section 02

Background: Limitations of Existing Penetration Testing Tools

Traditional automated penetration testing tools have two major pain points:

  1. Cloud dependency risk: Most rely on commercial APIs like GPT-4 and Claude, and uploading sensitive target information to third-party servers can easily lead to data leaks, violating compliance requirements;
  2. High manual intervention: A large number of manual operations are required to complete the testing process.

AIRecon was developed to address these issues through a zero-cloud architecture and autonomous capabilities.


Section 03

Technical Architecture: Core Components and Design

AIRecon's technical architecture consists of four core modules:

  1. Ollama Large Language Model Layer: Uses self-hosted Ollama models (Qwen3.5 series recommended, 9B-122B parameters) and requires tool-calling capability. Models with ≥8B parameters are recommended, with reasoning blocks enabled to reduce errors;
  2. Kali Linux Docker Sandbox: Isolates testing operations, has a built-in complete set of security tools, ensuring environment reproducibility and host security;
  3. Caido Proxy Integration: Provides 5 built-in tools including request management, fuzz testing, and vulnerability discovery, supporting web application security testing;
  4. Textual TUI Interface: Monitors agent status in real time, views logs, and supports manual intervention.
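
The zero-cloud property holds only if the model endpoint and any configured proxy really are local. The following added example (not AIRecon's own code) classifies configured URLs as loopback, private or external; the configuration key names and sample values are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample of a parsed YAML config. Key names are hypothetical,
# not AIRecon's real schema; 11434 is Ollama's default port.
SAMPLE_CONFIG = {
    "ollama_url": "http://127.0.0.1:11434",
    "proxy_url": "http://proxy.corp.example:8080",
}


def _system_resolve(host):
    """Resolve a hostname to the set of IP strings the OS would connect to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def classify_endpoint(url, resolve=_system_resolve):
    """Return 'loopback', 'private' or 'external' for an endpoint URL.

    Unresolvable hosts and non-HTTP schemes count as 'external', because
    locality cannot be confirmed for them.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "external"
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:  # not an IP literal, so resolve the name
        try:
            addrs = {ipaddress.ip_address(a.split("%")[0]) for a in resolve(host)}
        except (OSError, ValueError):
            return "external"
    if not addrs:
        return "external"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    addrs = {getattr(a, "ipv4_mapped", None) or a for a in addrs}
    if all(a.is_loopback for a in addrs):
        return "loopback"
    # Every resolved address must be local; one public address is enough to fail.
    return "private" if all(a.is_private for a in addrs) else "external"


def audit_config(cfg, resolve=_system_resolve):
    """Return {key: classification} for every URL-valued setting."""
    return {k: classify_endpoint(v, resolve) for k, v in cfg.items()
            if isinstance(v, str) and "://" in v}
```

A result of "external" for the model URL means prompts, and with them target data, can leave the host; "private" means they stay on the internal network but not on the machine itself.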

Section 04

Intelligent Workflow: End-to-End Automated Testing Loop

AIRecon follows a four-stage workflow:

  • Reconnaissance Phase: Collects basic target information (domain name resolution, port scanning, tech stack detection), and intelligently selects tools through 57 skill files and 289 keyword mappings;
  • Analysis Phase: Uses LLM reasoning capabilities to identify risk points, assess attack surfaces, and develop testing strategies;
  • Exploitation Phase: Validates vulnerabilities using tools like custom fuzz testers, Schemathesis API fuzz testing, and Semgrep static analysis;
  • Reporting Phase: Generates structured reports containing vulnerability details, risk ratings, repair suggestions, and evidence screenshots.

Section 05

Adaptive Learning and Local Memory System

AIRecon achieves adaptive learning through local telemetry data without model fine-tuning:

  • SQLite Memory Database: Stores session history, discovery results, tool usage statistics, target intelligence, etc.;
  • Adaptive Learning State: Records tool performance, strategy patterns, and extracted insights;
  • Target-Specific Memory: Maintains records of endpoints, vulnerabilities, WAF bypass methods, and authentication endpoints for each target, optimizing testing strategies based on historical experience.

Section 06

Hardware Requirements and Installation Configuration

Hardware Requirements:

  • 122B parameter model: Requires ≥48GB VRAM (best quality);
  • 35B parameter model: Requires ≥20GB VRAM (recommended; Qwen3.5-35B-A3B with MoE architecture only needs 16GB);
  • 9B parameter model: Requires ≥6GB VRAM (usable but with higher error rate).

Installation Configuration: An automatic installation script detects the mode, installs Poetry dependencies, and builds wheel packages. Thinking intensity, Docker memory limits, proxy settings, etc. are customized via YAML configuration files.


Section 07

Community Ecosystem and Application Scenarios

Community Ecosystem: The project has an active community that maintains the "airecon-skills" library (57 command-line scripts for CTF, bug bounty, and penetration testing), and users can extend the skills or share best practices.

Application Scenarios:

  • Enterprise Security Assessment: Regular automated scanning of internal systems;
  • Bug Bounty Reconnaissance: Helps researchers quickly collect target intelligence;
  • CTF Competition Training: Serves as a practice range to improve skills;
  • Security Training and Teaching: Demonstrates complete penetration testing processes and methodologies.