Question 1

What is pwnkit?

Accepted Answer

pwnkit is an open-source agentic framework for autonomous security research. It uses AI agents in a research-then-verify pipeline to find and prove vulnerabilities in AI/LLM apps, npm packages, and source code.

Question 2

How does pwnkit eliminate false positives?

Accepted Answer

pwnkit's Verify agent independently re-exploits every finding. If it can't reproduce the vulnerability, the finding is killed as a false positive. Only confirmed vulnerabilities with working proof-of-concept code make it into the final report. The local dashboard provides a triage workbench for operators to review evidence, manage finding families, and control the verification workflow.

Question 3

How much does pwnkit cost?

Accepted Answer

pwnkit is free and open source (Apache 2.0 license). It's an agentic harness — bring your own API key, or use it with Claude Code CLI or Codex CLI through your existing subscription. pwnkit orchestrates the pipeline, your tools power the AI.

Question 4

What can pwnkit scan?

Accepted Answer

pwnkit scans AI/LLM apps, traditional web apps, npm packages, and source code repositories. It includes resumable scans, finding triage with deduplication, deterministic replay, a local verification dashboard, diff-aware PR review, and autonomous orchestration workers.

blog

the attack surface XBOW and KinoSec don't test

we built benchmarks for everything pwnkit does

pwnkit v0.4: shell-first pentesting, 27 XBOW flags, and the bug that broke everything

why we gave our agent a terminal instead of tools

what we learned running pwnkit against 104 CTF challenges

running pwnkit against the XBOW benchmark

100% on our AI security benchmark

why i built blind verification

why i built pwnkit

how ai agents found 7 CVEs in popular npm packages

the age of agentic security