A new open-source tool applies the multi-agent coordination pattern from business workflow automation directly to offensive security. PentestCode, a hard fork of OpenCode rebuilt specifically for penetration testing, runs security tools, analyzes output, and makes tactical decisions from a terminal interface with minimal human intervention, according to Cyber Security News.

Developer Zhangir Ospanov built PentestCode around a strategist-coordinator architecture based on HPTSA research, which the project claims delivers a 4.3x improvement over single-agent approaches.

13 Agents, 18 Tools, One Engagement State

The system coordinates 13 specialized agents handling distinct roles: reconnaissance, scanning, enumeration, exploitation, Active Directory and Kerberos identity attacks, infrastructure protocols (SNMP, IPMI), web application testing, post-exploitation, exploit development, false-positive filtering, and reporting. All agents share a unified engagement state in real time, per the Cyber Security News report.

That shared state tracks hosts, services, vulnerabilities (with confidence scores and status), credentials, access levels, and an entity relationship graph connecting findings via labels like EXPLOITED_VIA and PIVOT_TO. An attack-path module uses cost-based Dijkstra and Yen’s K-shortest-paths algorithms to suggest routes through the graph. State persists across sessions, so testers can resume multi-day engagements without losing context.

The 18 integrated tools include parsers that convert raw output from Nmap, Nuclei, NetExec, Gobuster, BloodHound, and sqlmap directly into structured state entries. Additional tools handle JWT analysis, XSS detection, credential-spray planning, scope validation, tunnel management, and report generation. Parser use is mandatory, preventing findings from slipping through manual grep work.

Nineteen on-demand “skill” packs, markdown-based knowledge files covering phase checklists and playbooks for Active Directory, web apps, and cloud, extend the agent’s domain knowledge without code changes.

Cost and Limitations

Token costs for real engagements range from $5 to $50 depending on scope and LLM choice, with Claude Opus and Sonnet outperforming GPT-4o and local models for multi-agent coordination, according to the project documentation on GitHub.

The project is explicit about what it is not. PentestCode is “not stealthy” and unsuitable for red-team OPSEC scenarios. It has no GUI, no Burp Suite integration, and evolving APIs. The developers position it as a force multiplier for methodical enumeration rather than a replacement for human-led complex exploit chains or creative attack development. It is also prone to redundant tool runs, a common limitation of agentic loops operating in multi-step security workflows.

The Pattern, Not Just the Tool

PentestCode follows the same structural pattern now visible across every domain where AI agents are deploying: connect specialized tools, feed output into an agent coordinator, let the agent make tactical decisions. The difference is that offensive security testing has exceptionally well-defined methodology. Phase checklists, service-specific enumeration steps, and privilege escalation playbooks translate cleanly into the kind of structured decision trees that multi-agent systems handle effectively.

For security teams, the immediate question is practical. If an AI agent can achieve domain admin access in a methodical enumeration scenario at $5 to $50 in compute cost, the economics of continuous penetration testing shift. The tool is beta software with significant gaps, but the cost structure alone signals where the market is heading.