Darkmoon
Darkmoon is an autonomous penetration testing platform built by professional pentesters. It combines 18 specialized AI agents and 80+ offensive security tools to assess Active Directory, Kubernetes, cloud infrastructure, APIs, CMSs, and networks. Open-source, self-hosted, MITRE-mapped, with evidence-backed findings and attack paths.
Darkmoon: Autonomous penetration testing platform | Product Hunt
Most AI pentesting tools stop at the web layer. Darkmoon goes further. Built by professional pentesters, it combines 18 specialized AI agents and 80+ offensive security tools to assess Active Directory, Kubernetes, cloud infrastructure, APIs, CMSs, and networks. Self-hosted, open-source, MITRE-mapped, and designed to deliver evidence-backed findings, attack paths, and publication-ready reports.
Free
Launch tags: Open Source • Developer Tools • Artificial Intelligence
Hey Product Hunt,
We're a small team of professional pentesters.
Over the last few years we've tested almost every AI-powered pentesting tool we could find.
Most of them turned out to be web scanners with an LLM wrapped around them.
That's fine if your target is a marketing website and you're hunting for XSS.
Real engagements don't look like that.
They look like:
- Active Directory
- Kubernetes
- AWS
- Internal networks
- APIs
- Legacy systems
That's where we spend our time. That's also where most AI tools hit a wall.
So we built Darkmoon.
Darkmoon is an open-source, self-hosted autonomous penetration testing platform.
It currently includes:
- 18 specialized methodology agents
- 80+ integrated offensive security tools
- Infrastructure mapping
- Evidence-backed reporting
- Attack-path generation
The orchestrator fingerprints the target and selects the most appropriate methodology.
Examples:
- Active Directory
- Kubernetes
- WordPress
- Drupal
- Magento
- GraphQL
- PHP
- Node.js
- ASP.NET
- Spring Boot
- Network infrastructure
One thing we cared about from day one was transparency.
The agents are not hidden prompts.
Every methodology is stored as a plain Markdown file that can be:
- reviewed
- audited
- version controlled
- customized
Each methodology is mapped to:
- MITRE ATT&CK
- NIST 800-115
Under the hood Darkmoon orchestrates more than 80 offensive security tools including:
- Nuclei
- SQLMap
- NetExec
- BloodHound
- Impacket
- FFUF
- Hydra
- Kubescape
The model doesn't execute tools directly.
It plans. It prioritizes. It delegates.
A separate execution layer runs the commands, captures the output and feeds the results back into the workflow.
Findings include:
- supporting evidence
- executed commands
- command output
- severity ratings
- infrastructure maps
A few honest caveats:
- Web and Active Directory are currently the most mature agents.
- Cloud coverage is improving but still evolving.
- Frontier models currently perform better than smaller local models.
- There is an API cost associated with each run.
Darkmoon is GPLv3. Fully self-hosted. No telemetry.
You can bring:
- OpenAI
- Anthropic
- Ollama
- llama.cpp
We're launching today to gather feedback from the security and open-source communities.
Happy to answer questions about the architecture, methodology, roadmap, or anything else.
Thanks for checking it out.
GitHub: https://github.com/ASCIT31/Dark-...
20h ago
@mehdi_boutayeb Congrats on the launch! It’s refreshing to see a security platform that avoids the AI hype and tackles complex environments like Active Directory and Kubernetes under a GPLv3 license.
Quick question: Since the orchestrator delegates tasks rather than executing tools directly, how do you manage or mitigate potential LLM hallucinations when it parses complex command outputs from tools like NetExec or BloodHound?
24m ago
Maker
@laraib Great question.
This is actually one of the main reasons we designed Darkmoon around MCP-gated tool execution rather than letting the LLM directly interact with the environment.
The orchestrator doesn't generate findings from imagination. It works from structured evidence produced by the tools themselves. Outputs from tools such as NetExec, BloodHound, Nuclei, WPScan, Kubescape, etc. are collected, normalized and passed back as context for reasoning.
A few mechanisms help reduce hallucinations:
- The LLM cannot arbitrarily execute commands. All actions must go through controlled MCP workflows.
- Findings are expected to be evidence-backed. Reports include commands, outputs and supporting artifacts whenever possible.
- Multiple steps often corroborate the same observation before it is promoted into a finding or attack path.
- Specialized agents work within narrower scopes (AD, Kubernetes, WordPress, GraphQL, etc.) instead of relying on a single general-purpose agent for everything.
- Human validation remains part of the process. Our goal is to assist pentesters, not replace their judgment.
In practice, we treat the model as a reasoning layer sitting on top of offensive tooling, not as a source of truth. The source of truth remains the evidence collected from the target environment.
This is also why we're very careful not to market Darkmoon as "fully autonomous hacking". The value comes from orchestrating tools, methodologies and evidence in a coherent workflow while keeping the process auditable and reviewable.
13m ago
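One way to implement the evidence gating and corroboration described in the reply above, as an added example that is not Darkmoon's code: a model-proposed finding is promoted only if every excerpt it cites appears in the captured output of a recorded run and at least two distinct tools agree. `ToolRun`, `Claim`, `gate`, the tool names and the sample outputs are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolRun:
    run_id: str
    tool: str
    command: str
    output: str  # raw output captured by the execution layer, not by the model


@dataclass(frozen=True)
class Claim:
    title: str
    citations: tuple  # (run_id, excerpt the model says it saw in that run)


def _norm(text):
    # Collapse whitespace and case so layout differences do not cause misses.
    return " ".join(text.split()).lower()


def gate(claim, runs, min_tools=2):
    """Return (status, reasons): 'promoted', 'needs_review' or 'rejected'."""
    if not claim.citations:
        return "rejected", ["no evidence cited"]
    by_id = {r.run_id: r for r in runs}
    reasons, tools = [], set()
    for run_id, excerpt in claim.citations:
        run = by_id.get(run_id)
        if run is None:
            reasons.append(f"{run_id}: no such run recorded")
        elif not excerpt.strip() or _norm(excerpt) not in _norm(run.output):
            reasons.append(f"{run_id}: excerpt not found in captured output")
        else:
            tools.add(run.tool)
    if reasons:  # any ungrounded citation blocks the whole finding
        return "rejected", reasons
    if len(tools) < min_tools:  # grounded, but left to the human reviewer
        return "needs_review", [f"only {len(tools)} corroborating tool(s)"]
    return "promoted", []


# Constructed sample runs (hypothetical tools, documentation-range address).
RUNS = [
    ToolRun("run-1", "scanner-a", "scanner-a 192.0.2.10",
            "192.0.2.10  signing: not required\n"),
    ToolRun("run-2", "scanner-b", "scanner-b 192.0.2.10",
            "host 192.0.2.10\n  message signing   disabled\n"),
]
```

A claim that cites text absent from the captured output is rejected outright, while a grounded claim backed by a single tool goes to a human reviewer instead of being promoted.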