DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools

A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.

It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.

DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.

Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.

The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.

DarkMoon AI-Powered Platform

When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.

The platform dynamically triggers agents tailored to discovered technologies:

  • CMS Agent — activates for WordPress, Drupal, Joomla, Magento, and Moodle environments
  • Stack-Specific Agent — targets PHP, Node.js, Flask, ASP.NET, Spring Boot, and Ruby on Rails
  • Active Directory Agent — covers NetExec, BloodHound, and 30+ Impacket scripts
  • Kubernetes Agent — uses kubectl, Kubescape, and Kubeletctl
  • GraphQL Agent — handles GraphQL-specific attack surfaces
  • Headless Browser Agent — deployed when browser rendering is required

Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.

DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.

Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.

All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.
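The article describes the MCP layer as a gatekeeper between the model and the tools but does not show how such a check decides. The sketch below is an added example, not DarkMoon's code: a hypothetical policy that allowlists tools and flags, enforces engagement scope, and returns an argv list for a shell-free exec. The policy table, scope values and function names are assumptions.

```python
import ipaddress
import re

# ASSUMPTION: hypothetical policy for illustration. Tool names appear in the
# article; the per-tool flag allowlist and the scope below are constructed.
POLICY = {
    "naabu": {"target_flag": "-host", "options": {"-p"}},
    "httpx": {"target_flag": "-u", "options": set()},
}
SCOPE_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # documentation range
SCOPE_DOMAINS = ["example.com"]                        # reserved domain
# Values must start alphanumeric (blocks "-flag" injection) and contain no
# whitespace or shell metacharacters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:,-]*")


def in_scope(target: str) -> bool:
    """True if target is an in-scope IP or a host under an in-scope domain."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in SCOPE_DOMAINS)
    return any(addr in net for net in SCOPE_NETS)


def authorize(request: dict) -> list:
    """Validate an agent's tool request; return argv for a shell-free exec."""
    tool = request.get("tool")
    target = str(request.get("target", ""))
    if tool not in POLICY:
        raise PermissionError(f"tool not allowlisted: {tool!r}")
    if not SAFE_VALUE.fullmatch(target) or not in_scope(target):
        raise PermissionError(f"target rejected: {target!r}")
    argv = [tool, POLICY[tool]["target_flag"], target]
    for flag, value in request.get("options", {}).items():
        if flag not in POLICY[tool]["options"]:
            raise PermissionError(f"option not allowed for {tool}: {flag!r}")
        if not SAFE_VALUE.fullmatch(str(value)):
            raise PermissionError(f"unsafe option value: {value!r}")
        argv += [flag, str(value)]
    return argv
```

Every denial raises before any process is started, so the rejected request can be logged as evidence alongside the permitted ones.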

DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.

The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.

DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter; local model support via Ollama and llama.cpp is also available.

The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.

The post DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools appeared first on Cyber Security News.

CVE MCP Server Turns Claude Into a Fully Capable Security Analyst With 27 Tools Across 21 APIs

A new open-source project called CVE MCP Server is redefining how security teams triage vulnerabilities, transforming Anthropic’s Claude AI into a fully capable security analyst by giving it direct, correlated access to 27 intelligence tools spanning 21 external APIs, all through a single natural-language query.

Every security analyst knows the painful reality that triaging even a single CVE can mean opening a dozen browser tabs simultaneously: NVD for CVSS scores, EPSS for exploitation probability, CISA’s Known Exploited Vulnerabilities (KEV) catalog, GitHub for patch status, VirusTotal for malware associations, Shodan for exposed hosts, and more.

Industry data confirms this bottleneck is severe, with EPSS v4 research showing that 96% of CVE alerts that fall below an exploitation threshold go completely uninvestigated due to manual workload alone.

For teams managing 50 or more CVEs simultaneously, that fragmented workflow can consume an entire workday.

Released on GitHub by developer Mahipal (mukul975), CVE MCP Server is a production-grade implementation of Anthropic’s Model Context Protocol (MCP), an open standard that enables seamless integration between LLM applications and external data sources and tools.

CVE MCP Server With 27 Tools

The server integrates Claude with 27 security tools organized into five categories: Core Vulnerability Intelligence, Exploit & Attack Intelligence, Advanced Risk & Reporting, Network Intelligence, and Threat Intelligence.

Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml, the entire stack operates via outbound HTTPS only: no inbound ports, no telemetry, and no API keys ever logged.

The tool catalog is extensive and immediately production-ready. Core vulnerability tools include lookup_cve (NVD), get_epss_score (FIRST), check_kev_status (CISA), and bulk_cve_lookup for batch-fetching up to 20 CVEs in parallel.

Exploit intelligence tools map CVEs to MITRE ATT&CK techniques, check PoC availability across GitHub and Exploit-DB, and retrieve CAPEC attack patterns.

Network intelligence layers in AbuseIPDB reputation scoring, GreyNoise scan activity, Shodan host profiling, and CIRCL Passive DNS. Threat intelligence tools connect to VirusTotal, MalwareBazaar, ThreatFox for IOC lookups, and Ransomwhere for ransomware Bitcoin address tracking.

At the heart of the project is a weighted risk scoring formula that moves beyond CVSS-only prioritization, a methodology aligned with the industry shift toward multi-signal triage.

The formula weights EPSS probability at 35%, CISA KEV status at 30%, CVSS at 20%, and PoC availability at 15%, with boost multipliers applied for active KEV+PoC combinations, CVSS ≥ 9.0 with high EPSS, and recently published CVEs.

A score of 76–100 triggers a CRITICAL label requiring patching within 24–48 hours under an emergency change window.
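The weighting described above, worked through on three constructed findings (an added example, not the project's code). The weights and the 76+ CRITICAL band come from the article; the boost multiplier values, the "high EPSS" and "recent" thresholds, and all names and sample records are assumptions, since the article does not give them.

```python
from dataclasses import dataclass
from datetime import date

# Weights as stated in the article: EPSS 35%, KEV 30%, CVSS 20%, PoC 15%.
W_EPSS, W_KEV, W_CVSS, W_POC = 0.35, 0.30, 0.20, 0.15
# ASSUMPTIONS: the article names the boost conditions but not their values.
BOOST_KEV_POC, BOOST_CVSS_EPSS, BOOST_RECENT = 1.20, 1.10, 1.05
HIGH_EPSS, RECENT_DAYS = 0.50, 30


@dataclass
class Finding:
    cve_id: str
    epss: float       # exploitation probability, 0.0-1.0
    in_kev: bool      # listed in CISA KEV
    cvss: float       # base score, 0.0-10.0
    has_poc: bool     # public proof of concept known
    published: date


def risk_score(f: Finding, today: date) -> float:
    """Weighted 0-100 score with multiplicative boosts, capped at 100."""
    score = 100 * (W_EPSS * f.epss + W_KEV * f.in_kev
                   + W_CVSS * f.cvss / 10 + W_POC * f.has_poc)
    if f.in_kev and f.has_poc:
        score *= BOOST_KEV_POC
    if f.cvss >= 9.0 and f.epss >= HIGH_EPSS:
        score *= BOOST_CVSS_EPSS
    if (today - f.published).days <= RECENT_DAYS:
        score *= BOOST_RECENT
    return round(min(score, 100.0), 1)


def triage(findings, today):
    """Return (cve_id, score, is_critical) tuples, highest score first."""
    ranked = sorted(((risk_score(f, today), f.cve_id) for f in findings),
                    reverse=True)
    return [(cve_id, score, score >= 76) for score, cve_id in ranked]


# Constructed sample records with placeholder identifiers.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 0.94, True, 9.8, True, date(2024, 1, 10)),
    Finding("CVE-EXAMPLE-0002", 0.02, False, 9.8, False, date(2024, 5, 20)),
    Finding("CVE-EXAMPLE-0003", 0.60, True, 7.5, False, date(2023, 11, 1)),
]
```

The second record has the same CVSS 9.8 as the first but scores far below the CRITICAL band, which is the point of multi-signal triage over CVSS-only ranking.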

One notable design decision is accessibility: eight tools require zero API keys to function, including EPSS, CISA KEV, OSV.dev, MITRE ATT&CK, CWE lookups, CVSS parsing, Ransomwhere, and NVD at a reduced rate.

Teams can deploy and begin querying immediately, then progressively add Tier 1 keys (NVD, GitHub) for 10× throughput and Tier 2 keys (AbuseIPDB, VirusTotal, GreyNoise, Shodan) for full multi-domain intelligence.

The server also addresses the software supply chain angle with three DevSecOps tools: scan_dependencies queries OSV.dev for vulnerable package versions, scan_github_advisories searches GitHub Security Advisories by ecosystem, and urlscan_check analyzes suspicious URLs.

In a single Claude prompt, a developer can scan an entire requirements.txt and receive prioritized upgrade recommendations.

The CVE MCP Server is available now at github.com/mukul975/cve-mcp-server under an open-source license, with Claude Desktop and Claude Code configuration supported out of the box.

The post CVE MCP Server Turns Claude Into a Fully Capable Security Analyst With 27 Tools Across 21 APIs appeared first on Cyber Security News.

METATRON – Open-Source AI Penetration Testing Assistant Brings Local LLM Analysis to Linux

A new open-source penetration testing framework called METATRON is gaining attention in the security research community for its fully offline, AI-driven approach to vulnerability assessment.

Built for Parrot OS and other Debian-based Linux distributions, METATRON combines automated reconnaissance tooling with a locally hosted large language model (LLM), eliminating the need for cloud connectivity, API keys, or third-party subscriptions.

METATRON is a CLI-based penetration testing assistant written in Python 3 that accepts a target IP address or domain and autonomously orchestrates a suite of standard reconnaissance tools.

These include nmap for port scanning, nikto for web server vulnerability detection, whois and dig for DNS and registration data, whatweb for technology fingerprinting, and curl for HTTP header inspection.

Tool Scan Process

Once recon data is collected, all results are piped directly into a locally running AI model — metatron-qwen — a fine-tuned variant of the huihui_ai/qwen3.5-abliterated:9b base model, customized specifically for penetration testing analysis.

The model is served via Ollama, a local LLM runner, and is configured with a 16,384-token context window, a temperature of 0.7, top-k of 10, and top-p of 0.9 — parameters optimized for precise, technically grounded security analysis rather than creative generation.

Scan Using nmap and other tools

Agentic Loop and CVE Integration

One of METATRON’s more technically notable features is its agentic loop: the AI model can autonomously request additional tool executions mid-analysis if it determines more data is needed before rendering a verdict. This enables a dynamic, iterative assessment workflow rather than a single static scan pass.

The framework also integrates DuckDuckGo-based web search and CVE lookups without requiring any API credentials, allowing the model to cross-reference discovered services and versions against known public vulnerability databases in real time.

Web Search and CVE Lookup

METATRON uses a five-table MariaDB schema to persist all scan data, structured around a central history table keyed by session number (sl_no). Linked tables store discovered vulnerabilities with severity ratings, recommended fixes sourced from AI analysis, attempted exploits with payloads and results, and a full summary table containing raw scan output alongside the complete AI analysis dump and overall risk level.

Users can edit or delete any saved record directly from the CLI, and export reports in PDF or HTML format for documentation or client delivery — a critical feature for professional penetration testers who need audit trails.

The project’s most significant differentiator in the current AI tooling landscape is its zero-exfiltration guarantee. All LLM inference happens on-device through Ollama, meaning sensitive target data, including internal IP ranges, banner information, and discovered vulnerabilities, never leaves the tester’s machine. This positions METATRON as a viable option for engagements with strict data handling requirements.

METATRON is available on GitHub under the MIT License at github.com/sooryathejas/METATRON, with minimum hardware requirements of 8.4 GB RAM for the 9b model variant.

The post METATRON – Open-Source AI Penetration Testing Assistant Brings Local LLM Analysis to Linux appeared first on Cyber Security News.
