RedAmon: Teaching AI Agents to Break Into Your Infrastructure While You Sleep
Hook
A penetration test that costs $47 in API calls just executed a multi-stage attack chain, discovered 23 subdomains, exploited two CVEs, and established persistent access—all while the red team was offline. Welcome to autonomous offensive security.
Context
Traditional penetration testing follows a predictable rhythm: a security consultant manually runs nmap, analyzes results, googles CVE details, crafts exploits, and documents findings. This works, but it’s expensive, time-consuming, and doesn’t scale. Organizations with hundreds of subdomains and constantly shifting infrastructure can’t afford weekly manual assessments. Meanwhile, the first wave of AI coding assistants proved LLMs could write exploit code, but they still required humans to orchestrate the kill chain—deciding which targets to probe, interpreting scan results, and sequencing attacks.
RedAmon represents a different approach: an agentic AI framework that treats penetration testing as an autonomous reasoning problem. Instead of replacing individual security tools, it wraps them in the Model Context Protocol (MCP) and hands control to an LLM that plans reconnaissance, interprets vulnerabilities, and executes exploits without human intervention. Built by a security researcher frustrated with repetitive assessments, it’s essentially a robot red teamer that combines the reconnaissance power of Kali Linux with the decision-making of Claude or GPT-4. The result is a containerized framework that turns ‘run a pentest’ into a one-command operation—though at the cost of losing human intuition and racking up AI inference bills.
Technical Insight
RedAmon’s architecture centers on a clever abstraction: the Model Context Protocol as a universal adapter between security tools and AI reasoning. Unlike traditional frameworks where you write Python glue code to chain nmap into Metasploit, RedAmon exposes each tool as an MCP server—a JSON-RPC interface the AI agent can discover and invoke like API endpoints. The agent orchestrator receives a target domain, queries available MCP tools, then constructs a plan: ‘First I’ll enumerate subdomains using subfinder, then resolve IPs, then port scan, then…’ Each tool returns structured JSON that gets stored in Neo4j, building a graph of relationships between assets, services, and vulnerabilities.
The graph database is where RedAmon gets interesting. Traditional pentest tools output flat lists—here’s 50 open ports, here’s 200 subdomains. Neo4j models these as nodes with typed relationships: (Subdomain)-[:RESOLVES_TO]->(IP)-[:EXPOSES]->(Port)-[:RUNS]->(Service)-[:VULNERABLE_TO]->(CVE). The AI can then query the graph with Cypher to reason about attack paths: ‘Show me all web services running outdated software that’s exposed on internet-facing IPs.’ This transforms reconnaissance from string parsing into graph traversal, letting the agent identify pivot points and lateral movement opportunities that humans might miss in spreadsheet chaos.
Here’s what an MCP tool server looks like under the hood. The nmap server exposes port scanning as a callable function:
@mcp_server.tool()
async def nmap_scan(target: str, ports: str = "1-65535",
scan_type: str = "syn") -> dict:
"""Execute nmap port scan and return structured results"""
cmd = ["nmap", "-T4", f"-p{ports}"]
if scan_type == "syn":
cmd.append("-sS")
cmd.extend(["-oX", "-", target]) # XML output
result = await asyncio.create_subprocess_exec(
*cmd, stdout=PIPE, stderr=PIPE
)
stdout, _ = await result.communicate()
# Parse XML into structured JSON
parsed = parse_nmap_xml(stdout)
# Store in Neo4j graph
await graph_db.create_scan_results(target, parsed)
return {
"target": target,
"open_ports": parsed["ports"],
"services": parsed["services"],
"graph_node_id": parsed["neo4j_id"]
}The AI agent doesn’t know nmap syntax—it just sees a function signature and decides when to call it. The orchestrator maintains conversation context with the LLM, feeding in previous reconnaissance results and letting the model reason: ‘I found port 8080 running Apache Tomcat 8.5.2. Let me search the vulnerability database for CVEs, then check if Metasploit has an exploit module.’ This is where the Model Context Protocol shines: adding a new tool (say, SQLmap for injection testing) means writing a thin MCP wrapper, not retraining the AI or modifying orchestration logic.
The six-phase reconnaissance pipeline runs sequentially, but the AI can loop back based on findings. If subdomain enumeration discovers admin.example.com, the agent might decide that’s more interesting than the original target and pivot reconnaissance efforts. Each phase outputs to both Neo4j (for graph relationships) and PostgreSQL (for project/session management). The Next.js frontend subscribes to a WebSocket feed, rendering attack progress in real-time: ‘Currently exploiting CVE-2021-44228 on 10.0.1.45:8080, established reverse shell, escalating privileges…’
The GVM integration deserves mention. Greenbone Vulnerability Manager runs as a separate container with its own 30-minute feed sync process, providing CVE correlation against the National Vulnerability Database. When the AI discovers a service, it queries GVM: ‘Is Apache 2.4.49 vulnerable?’ GVM returns CVE-2021-41773 (path traversal), and the agent can then search for exploits. This creates a feedback loop: reconnaissance feeds vulnerability scanning, which feeds exploitation, which feeds post-exploitation reconnaissance in compromised systems. It’s the full kill chain, orchestrated by function-calling LLMs.
Gotcha
The API costs are no joke. A thorough pentest against a mid-sized target with 50 subdomains can burn through 500K tokens—around $15-50 depending on whether you’re using GPT-4 or Claude Sonnet. The AI makes a lot of ‘thinking’ calls: interpreting scan results, reasoning about next steps, deciding which exploits to try. Every decision is a round-trip to Anthropic or OpenAI, introducing both latency (30-60 seconds per phase) and cost. For continuous attack surface monitoring, this gets expensive fast. You’re essentially paying for the AI to read nmap output and decide what to do next, which a human could do faster and cheaper for small engagements.
The ‘zero human intervention’ promise is both a feature and a risk. The AI will follow vulnerable paths deterministically, but it lacks situational awareness. If a target has a web application firewall that’s blocking scans, a human would notice the pattern of failed requests and adjust tactics. The AI just keeps hammering endpoints until its context window fills up. Similarly, it might spend ten minutes trying to exploit a patched vulnerability because the version banner is misleading, while a human would recognize the defensive patterns and move on. The graph database helps with decision-making, but the LLM still makes hilariously bad choices occasionally—like attempting to exploit a honeypot service or pivoting into a network monitoring system that alerts the SOC. The resource footprint is also brutal: the full Docker Compose stack consumes 15GB disk space and 8GB RAM at idle. GVM’s initial feed sync downloads gigabytes of CVE data, and the Neo4j graph database grows quickly on large targets. This isn’t a tool you spin up on a laptop for quick assessments—it’s infrastructure that needs dedicated compute, preferably with GPU access if you want to run local LLMs instead of API-based ones (though that’s not currently supported).
Verdict
Use RedAmon if you’re managing continuous attack surface monitoring for large, dynamic environments—think cloud-native companies with hundreds of subdomains that change weekly, or security teams that need repeatable baseline assessments without burning consultant hours. It’s genuinely excellent for educational demonstrations of agentic AI capabilities, and the graph-based attack modeling is worth stealing even if you don’t use the full framework. The autonomous reconnaissance phase alone justifies the setup cost if you’re tired of manually orchestrating subfinder → nmap → nuclei chains. Skip it for production red team engagements where stealth, custom exploits, or human intuition matter. The AI is loud, predictable, and makes rookie mistakes that would get you caught immediately. Also skip if you’re cost-sensitive (API bills add up), resource-constrained (15GB is hefty), or need offline operation (requires internet for LLM calls). This is an augmentation tool for security teams who want to automate the boring parts of pentesting, not a replacement for skilled operators who understand the art of intrusion.
