AI-driven automated penetration testing agent. Uses Google Gemini to autonomously orchestrate 51 security tools across recon, scanning, and exploitation phases — adapting its attack plan in real time based on what each step discovers. Outputs HTML, Markdown, and JSON reports.
Only run this against systems you own or have written authorization to test. Unauthorized use is illegal.
- Python 3.11+
- `GEMINI_API_KEY` environment variable

External binaries are optional — any step is skipped if the binary is not found. Run `breachx check-tools` for install hints.
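As an added illustration of the skip policy above (example code, not breachx's own `check-tools` implementation), the planner below decides which steps of a small, hypothetical tool list can run, based on which binaries are found on PATH. The step table and phase names are assumptions; pure-Python steps (marked `None`) never need a binary, matching the "(no binary)" entries in the tables that follow.

```python
"""Added example, not breachx code: plan which scan steps can run given
which external binaries are present on PATH."""
import shutil

# Hypothetical subset of the tool table, grouped by phase.
# binary=None marks a pure-Python check that never needs an external program.
STEPS = {
    "recon": {"whois": "whois", "nmap": "nmap", "subfinder": "subfinder", "detect_cms": None},
    "scanning": {"nikto": "nikto", "nuclei": "nuclei", "analyze_headers": None},
}


def plan_steps(steps=STEPS, which=shutil.which):
    """Return {phase: {"runnable": [...], "skipped": [...]}}.

    `which` is injectable so the planner can be tested without touching the
    real PATH. A step is skipped only when it needs a binary that cannot be
    found; everything else stays runnable.
    """
    plan = {}
    for phase, tools in steps.items():
        runnable, skipped = [], []
        for step, binary in tools.items():
            if binary is None or which(binary):
                runnable.append(step)
            else:
                skipped.append(step)
        plan[phase] = {"runnable": runnable, "skipped": skipped}
    return plan


def format_plan(plan):
    """Render the plan as the kind of summary a check-tools command prints."""
    lines = []
    for phase, result in plan.items():
        lines.append(f"[{phase}] runnable: {', '.join(result['runnable']) or '-'}")
        if result["skipped"]:
            lines.append(f"[{phase}] skipped (binary not on PATH): {', '.join(result['skipped'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_plan(plan_steps()))
```

Running the file uses the real `shutil.which`; passing a fake `which` into `plan_steps` lets you check the skip logic in a unit test without installing anything.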
### Recon
| Tool | Purpose |
|---|---|
| whois | registration data, registrar, expiry date |
| dns_analysis | A/MX/TXT/NS/SOA records, zone transfer attempt, SPF/DMARC |
| nmap | port scanning, service and version detection |
| masscan | high-speed full port scanning |
| subfinder | passive subdomain enumeration via certificate transparency and public APIs |
| amass | active + passive subdomain enumeration |
| httpx | HTTP probing — liveness, status codes, titles, technology detection |
| whatweb | technology fingerprinting: CMS, frameworks, server software, JS libraries |
| wafw00f | WAF detection |
| katana | JavaScript-aware web crawler — discovers real endpoints, forms, and parameters |
| detect_cms | passive CMS identification from HTTP responses and HTML (no binary) |
### Scanning
| Tool | Purpose |
|---|---|
| analyze_headers | HTTP security header checks: CSP, HSTS, X-Frame-Options, cookie flags (no binary) |
| analyze_robots_and_sitemap | parse robots.txt and sitemap.xml for hidden endpoints (no binary) |
| check_sensitive_paths | probe for exposed .env, .git, backups, phpinfo, admin panels (no binary) |
| discover_api_endpoints | find and parse Swagger/OpenAPI/GraphQL/Spring Actuator docs (no binary) |
| fetch_js_secrets | scan JavaScript files for hardcoded API keys, tokens, and internal endpoints (no binary) |
| check_http_methods | detect dangerous HTTP methods: PUT, DELETE, TRACE, CONNECT (no binary) |
| check_cache_poisoning | cache poisoning via X-Original-URL, X-Forwarded-Host override headers (no binary) |
| nikto | web server misconfigurations, dangerous files, outdated software |
| nuclei | template-based scanner: 10,000+ CVE, misconfiguration, exposed-panel, and takeover templates |
| gobuster | directory and file brute-forcing |
| ffuf | web fuzzer for directories and parameter discovery |
| feroxbuster | recursive directory brute-forcing |
| testssl.sh | SSL/TLS analysis: weak ciphers, protocol versions, Heartbleed, POODLE |
| wpscan | WordPress plugin, theme, and user enumeration; version vulnerabilities |
| joomscan | Joomla vulnerability scanner |
| cmseek | CMS detection and vulnerability scanning across 180+ platforms |
| droopescan | Drupal and SilverStripe plugin and version enumeration |
| eyewitness / gowitness | screenshot capture for visual evidence in reports |
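The `analyze_headers` step in the table above grades response headers and cookie flags. The following is an added example of that kind of check, written here for illustration and not breachx's own implementation: it takes a `{header-name: [values]}` dict (repeated `Set-Cookie` values kept as a list), parses the CSP and cookie attributes, and returns structured findings instead of printing them. The sample headers at the bottom are constructed, not captured from any host.

```python
"""Added example, not breachx code: grade HTTP security headers and cookie
flags from a parsed response, returning findings as dicts."""
import re

ONE_YEAR = 31536000  # HSTS max-age commonly recommended as the minimum


def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def cookie_flags(set_cookie):
    """Return (cookie_name, {attribute: value_or_True}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def analyze_headers(headers):
    """headers: {name: [values]}; header names are matched case-insensitively.
    Returns a list of {"severity", "header", "detail"} dicts, empty if clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    def flag(severity, header, detail):
        findings.append({"severity": severity, "header": header, "detail": detail})

    # CSP: presence, then script-src (falling back to default-src) for 'unsafe-inline'
    csp_values = h.get("content-security-policy")
    policy = parse_csp(csp_values[0]) if csp_values else None
    if policy is None:
        flag("medium", "Content-Security-Policy", "header missing")
    else:
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            flag("medium", "Content-Security-Policy", "script-src permits 'unsafe-inline'")

    # HSTS: presence and a max-age of at least one year
    hsts = h.get("strict-transport-security")
    if not hsts:
        flag("medium", "Strict-Transport-Security", "header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            flag("low", "Strict-Transport-Security", "max-age shorter than one year")

    # Framing: either X-Frame-Options or a CSP frame-ancestors directive suffices
    if "x-frame-options" not in h and not (policy and "frame-ancestors" in policy):
        flag("medium", "X-Frame-Options", "no X-Frame-Options and no CSP frame-ancestors")

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        flag("low", "X-Content-Type-Options", "not set to nosniff")

    # Cookie flags: one finding per missing attribute per cookie
    for raw in h.get("set-cookie", []):
        name, attrs = cookie_flags(raw)
        for want in ("secure", "httponly", "samesite"):
            if want not in attrs:
                flag("low", "Set-Cookie", f"{name}: missing {want}")
    return findings


# Constructed sample response headers (not captured from any real host).
SAMPLE_HEADERS = {
    "Content-Security-Policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
    "Strict-Transport-Security": ["max-age=3600"],
    "X-Content-Type-Options": ["nosniff"],
    "Set-Cookie": [
        "session=abc123; Path=/; HttpOnly",
        "csrf=xyz; Path=/; Secure; SameSite=Lax; HttpOnly",
    ],
}

if __name__ == "__main__":
    for f in analyze_headers(SAMPLE_HEADERS):
        print(f"{f['severity']:6} {f['header']}: {f['detail']}")
```

Returning findings as dicts rather than printed lines is what makes them easy to fold into the HTML, Markdown and JSON reports a scanner emits; the severities here are illustrative choices, not breachx's rating scheme.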
### Exploitation checks
| Tool | Purpose |
|---|---|
| check_cors | CORS misconfiguration: reflected origin, wildcard with credentials (no binary) |
| check_open_redirect | open redirect in URL parameters (no binary) |
| check_ssrf | SSRF via URL parameters — internal network and cloud metadata access (no binary) |
| check_jwt | JWT analysis: alg:none, missing expiry, weak algorithm (no binary) |
| check_graphql | GraphQL introspection, batch query abuse, field suggestion leakage (no binary) |
| check_lfi | local file inclusion via path traversal payloads (no binary) |
| check_ssti | server-side template injection across Jinja2, Twig, Freemarker (no binary) |
| check_xxe | XML external entity injection on XML/SOAP endpoints (no binary) |
| check_nosql_injection | MongoDB operator injection: $ne, $gt, $regex, $where (no binary) |
| check_command_injection | OS command injection via shell metacharacters (no binary) |
| check_idor | insecure direct object reference via sequential ID enumeration (no binary) |
| check_prototype_pollution | JavaScript prototype pollution via __proto__ and constructor.prototype (no binary) |
| check_deserialization | Java/PHP/Python deserialization payload detection (no binary) |
| check_request_smuggling | HTTP request smuggling: CL.TE and TE.CL detection (no binary) |
| check_subdomain_takeover | dangling DNS CNAME checks across discovered subdomains (no binary) |
| sqlmap | SQL injection detection in forms, URL params, and cookies |
| dalfox | XSS scanner: reflected, DOM-based, stored |
| commix | automated command injection exploitation |
| interactsh | out-of-band callback server for blind SSRF, XXE, and command injection |
```bash
git clone https://github.com/yourname/breachx
cd breachx
pip install -e .
```

Or install the package directly:

```bash
pip install breachx
```

Set your API key:

```bash
export GEMINI_API_KEY=your_key_here
```

Windows:

```powershell
$env:GEMINI_API_KEY = "your_key_here"
```

Check which external tools are available:

```bash
breachx check-tools
```

Usage:

```bash
breachx scan <target> [options]
breachx quickscan <target>
```

`scan` prompts for authorization confirmation before running. Pass `--confirm` to skip.

`quickscan` runs passive checks only (headers, robots.txt, DNS, sensitive paths) — no prompt.
### Options

| Flag | Description |
|---|---|
| `--confirm` | skip authorization prompt |
| `--model <model>` | Gemini model to use (default: gemini-2.5-pro) |
| `--max-iter <n>` | max LLM iterations (default: 40) |
| `-o <dir>` | output directory for reports (default: ./reports) |
| `-q` | quiet mode — suppress tool output |
| `--session-cookie <cookie>` | session cookie string for authenticated scanning |
| `--session-header <k:v>` | extra request header, repeatable |
| `--resume` | resume a previously interrupted scan |
Examples:

```bash
breachx scan https://example.com
breachx scan https://example.com --confirm --model gemini-2.0-flash --max-iter 10
breachx scan https://example.com -o /tmp/results -q
breachx scan https://example.com --session-cookie "session=abc123; csrf=xyz"
breachx scan https://example.com --session-header "Authorization: Bearer eyJ..."
breachx scan https://example.com --resume
breachx quickscan https://example.com
```

Reports are written to `./reports` by default, three files per scan:

```
breachx_example.com_20240101_120000.html
breachx_example.com_20240101_120000.md
breachx_example.com_20240101_120000.json
```
### breachx is not recognized (Windows)

Python's Scripts folder is not in your PATH. Three options:

Option 1 — run without changing PATH:

```powershell
python -m breachx.cli scan https://example.com
python -m breachx.cli check-tools
python -m breachx.cli quickscan https://example.com
```

Option 2 — add the Scripts folder to PATH (run once in PowerShell, then restart the terminal):

```powershell
$scripts = (python -c "import sysconfig; print(sysconfig.get_path('scripts'))")
[Environment]::SetEnvironmentVariable("PATH", $env:PATH + ";$scripts", "User")
```

Option 3 — use a virtual environment:

```powershell
python -m venv .venv
.venv\Scripts\activate
pip install -e .
breachx check-tools
```

### pip install -e . fails

Run it from inside the breachx directory — the one containing `pyproject.toml`.

### GEMINI_API_KEY not set error

```powershell
$env:GEMINI_API_KEY = "your_key_here"
```

This lasts only for the current terminal session. To persist it: Settings → System → Environment Variables, or add the line to your PowerShell profile (`notepad $PROFILE`).

### Scan exits immediately with "aborted"

The authorization prompt defaults to `n`. Type `y` and Enter, or pass `--confirm` to skip it:

```powershell
python -m breachx.cli scan https://example.com --confirm
```

This software is provided for authorized security testing, research, and education only.
You are solely responsible for ensuring you have permission to scan any target before running this tool. The authors do not condone and are not responsible for unauthorized use. Running this tool against targets without permission may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws in your jurisdiction.
This software is provided as-is with no warranty. The authors accept no liability for damages, data loss, service disruption, or legal consequences arising from its use.
MIT