AI is reshaping offensive security from both directions simultaneously. On one side, security professionals are using AI-powered tools to find vulnerabilities faster, write exploits more efficiently, and automate reconnaissance tasks that previously took days. On the other side, AI systems themselves have become a new attack surface — LLMs, AI agents, and machine learning pipelines introduce vulnerability classes that simply did not exist three years ago.
This guide covers both. The top 10 AI security tools for ethical hackers in 2026 — tools that either use AI to improve offensive security work, or tools specifically designed to attack and test AI systems. Every tool here is open-source or has a meaningful free tier, works on Kali Linux, and is actively maintained as of mid-2026.
- Nuclei AI — AI-generated vulnerability templates
- PentestGPT — LLM-guided penetration testing
- BurpGPT — AI-powered Burp Suite extension
- Spiderfoot AI — AI-enhanced OSINT and recon
- WormGPT and adversarial AI — threat actor tools explained
- Garak — automated LLM vulnerability scanner
- PyRIT — Microsoft's AI red teaming framework
- Promptfoo — LLM red teaming and safety testing
- Vigil — prompt injection detection and bypass testing
- Ollama + local LLM lab — unlimited safe testing environment
- Full comparison table
- Recommended workflows — how to combine these tools
- FAQ
Nuclei is already the most popular open-source vulnerability scanner — a template-driven engine that fires thousands of checks against a target in seconds. Nuclei AI is the 2025–2026 evolution: it uses an LLM to generate new vulnerability templates on the fly from natural language descriptions, analyse responses and suggest new attack vectors, and auto-triage findings from large scan results.
In practice, this means you can describe a vulnerability class — "check for IDOR in user profile endpoints where ID is sequential" — and Nuclei AI generates a custom YAML template to scan for it across your entire target. This collapses hours of manual template writing into seconds and means your scan coverage adapts to the specific application rather than only matching known-CVE signatures.
- AI template generation — describe a vulnerability in English, get a working Nuclei YAML template in seconds
- 9,000+ community templates — the largest open-source template library, covering CVEs, misconfigurations, exposed panels, and custom checks
- Headless browser support — scans JavaScript-heavy SPAs and authenticated endpoints
- CI/CD integration — runs in GitHub Actions, GitLab CI, or any pipeline for continuous security scanning
PentestGPT is not an automated scanner — it is an interactive LLM assistant that maintains context across an entire penetration testing engagement and guides you through each phase: reconnaissance, scanning, exploitation, post-exploitation, and reporting. Think of it as a senior penetration tester you can consult at each step, one who remembers everything found so far and suggests what to try next.
What makes PentestGPT genuinely useful rather than just a ChatGPT wrapper is its task tree architecture: it maintains a graph of the engagement's progress — what has been tried, what was found, what is still unexplored — and uses this to give contextually relevant next steps rather than generic advice. It bridges the gap between tool output (raw Nmap XML, Burp logs) and human understanding of what that output means tactically.
- Persistent engagement context — remembers all previous findings and tool outputs within a session
- Task tree management — tracks what has been explored and what remains, prevents missing attack vectors
- Tool output interpretation — paste raw Nmap, Gobuster, or Nikto output and get a plain-English analysis of what it means and what to do next
- Exploitation guidance — suggests specific exploit approaches for discovered vulnerabilities, with Metasploit module recommendations
BurpGPT integrates directly into the Burp Suite interface and adds AI analysis to your HTTP traffic in real time. While you browse a target application and Burp captures the traffic, BurpGPT analyses requests and responses for vulnerability indicators — flagging anomalies, suggesting parameters to fuzz, identifying potential injection points, and explaining what it sees in plain English.
The killer feature is the passive traffic analysis mode: as you proxy traffic through Burp normally, BurpGPT runs in the background analysing each exchange and adding AI-generated notes to the proxy history — similar to how Burp Pro's scanner annotates traffic, but driven by LLM pattern recognition rather than static rules. It catches business logic issues and semantic vulnerabilities that rule-based scanners routinely miss.
- Passive analysis mode — automatically annotates proxy history with vulnerability suggestions as you browse
- Prompt-driven active testing — describe what you want to test in natural language; BurpGPT generates and sends the test requests
- Custom prompts — configure your own analysis prompts for specific vulnerability classes or application types
- Local LLM support — can be pointed at a local Ollama instance instead of OpenAI for privacy-sensitive engagements
Spiderfoot automates OSINT collection by querying 200+ data sources — Shodan, VirusTotal, HaveIBeenPwned, WHOIS, LinkedIn, DNS records, certificate transparency logs, dark web sources, and dozens more — and correlating the results into a unified attack surface map. The AI enhancement layer adds natural language querying of intelligence results, automatic relationship graph analysis, and prioritised attack path suggestions based on the collected data.
For external penetration tests and bug bounty reconnaissance, Spiderfoot AI collapses what would be a day of manual OSINT into a 20-minute automated run. It surfaces forgotten subdomains, exposed internal panels, leaked credentials in paste sites, and infrastructure relationships that manual enumeration routinely misses.
- 200+ modules — DNS, WHOIS, Shodan, Censys, leaked credential databases, social media, dark web, certificate transparency
- AI correlation — automatically identifies relationships between discovered entities (e.g., email → employee → LinkedIn → company infrastructure)
- Attack path visualisation — interactive graph showing connections between discovered assets
- SpiderfootHX integration — cloud-hosted version with additional commercial intelligence sources
This entry is different from the others. WormGPT, FraudGPT, and similar dark web LLM tools are included here not because ethical hackers should use them, but because defenders and red teamers need to understand what real attackers are using. You cannot defend against a threat you do not understand.
WormGPT is a fine-tuned LLM based on GPT-J, trained specifically on malware, exploit code, and phishing templates with all safety guardrails removed. First documented in mid-2023, it was marketed on dark web forums as a tool for crafting convincing phishing emails, generating malware code, and automating social engineering campaigns. FraudGPT is a similar tool positioned for fraud-specific use cases — creating fake invoices, impersonating brands, generating BEC (Business Email Compromise) lures.
What defenders and red teamers should know about adversarial AI:
- Phishing email quality has increased dramatically — AI-generated phishing now produces grammatically perfect, contextually targeted emails that defeat the "look for typos" heuristic entirely. Email security controls need to be updated accordingly.
- Malware generation is accessible — while WormGPT-generated code is not sophisticated exploit development, it lowers the bar for script kiddie-level actors to produce functional malware variants. Expect higher volume, lower average sophistication.
- BEC attacks are more convincing — AI tools that can mimic a specific executive's writing style from public emails make BEC attacks far harder to detect. Organisations need payment verification processes that do not rely on email authenticity.
- Simulating AI-generated attacks in red team engagements — use Claude, GPT-4o, or similar to generate phishing lures and simulate AI-assisted social engineering during authorised red team exercises. This tests whether your security awareness training is effective against modern AI-quality attacks.
Garak is the most complete open-source LLM vulnerability scanner available. Named after a character from Star Trek: Deep Space Nine known for subtlety and information gathering, Garak probes LLM endpoints for over 50 distinct vulnerability classes including prompt injection, jailbreaks, hallucination, data leakage, toxicity bypass, encoding-based evasion, and many more. It runs each probe at scale — hundreds of variations per class — to account for the probabilistic nature of LLM responses.
The output is an HTML report showing which probes succeeded, at what rate, and with which specific payloads — essentially a vulnerability report for an LLM application. This makes Garak the ideal first tool to run against any new LLM application you are assessing: it gives you a comprehensive baseline in minutes that would take days to produce manually.
- 50+ probe classes — prompt injection, jailbreaks, DAN variants, encoding attacks, continuation attacks, toxicity, PII leakage, hallucination
- Multiple detectors — evaluates responses using rule-based, ML-based, and LLM-judge detectors to assess whether a probe succeeded
- Universal LLM support — works against any model accessible via OpenAI-compatible API, HuggingFace inference, Ollama, or a custom REST endpoint
- Extendable — write custom probes in Python to test application-specific behaviour
PyRIT is Microsoft's production-grade AI red teaming framework, used internally by Microsoft's AI Red Team before being open-sourced in early 2024. It provides a comprehensive Python SDK for building custom AI red teaming workflows — from loading jailbreak datasets to orchestrating multi-turn attacks to evaluating responses with AI-powered scoring.
Where Garak excels at broad automated scanning, PyRIT excels at targeted, customisable attack campaigns. You write Python code that specifies your attack orchestration — which model to attack, which prompt datasets to use, how to evaluate responses, and how to adapt based on model behaviour. This makes it the professional tool of choice when you need to go beyond standard templates and test specific hypotheses about a model's security properties.
- Orchestrators — pre-built multi-turn attack flows including PromptSendingOrchestrator, RedTeamingOrchestrator (attacker LLM attacks defender LLM), and TreeOfAttacksWithPruningOrchestrator (PAIR-based jailbreak)
- Dataset library — built-in datasets for jailbreaks, many-shot attacks, harmful topic probes, and system prompt extraction
- Converters — transform payloads via Base64, ROT13, translation, tone-shifting, and dozens of other encoding/obfuscation methods
- Scorers — AI-powered response evaluation using LLM judges to assess whether an attack succeeded
- Memory system — persistent storage of all prompts and responses for audit and analysis
Promptfoo sits between Garak (broad automated scanning) and PyRIT (custom Python framework) in the LLM security testing stack. It is YAML-configured, has a clean web UI for reviewing results, and is designed for both developers who want to test their LLM applications continuously and security professionals who want a structured way to evaluate model behaviour across a large test matrix.
The built-in red teaming mode (promptfoo redteam) automatically generates adversarial test cases from your application's system prompt using an attacker LLM, then evaluates whether the target model's responses constitute a security failure. This is the closest thing to automated penetration testing that works reliably against LLM applications without requiring custom Python code.
- Red team mode — generates application-specific attack prompts from your system prompt; no manual payload writing required
- Side-by-side model comparison — compare security posture across GPT-4o, Claude, Gemini, and local models simultaneously
- Assertion-based testing — define what a safe response looks like; Promptfoo flags failures automatically
- CI/CD integration — runs in any pipeline via npx promptfoo eval; add LLM security gates to your deployment workflow
Vigil is a prompt injection detection library — and understanding it from both sides is essential for AI security practitioners. As a defender, you deploy Vigil as a guard layer in front of your LLM application to flag suspicious inputs before they reach the model. As an attacker / red teamer, understanding exactly what Vigil detects and how it detects it reveals precisely which attack techniques will and will not be caught — making it an invaluable resource for developing bypass techniques during authorised assessments.
Vigil uses a multi-layer detection approach: regular expression matching against known injection patterns, vector similarity comparison against a database of known injection prompts (inputs that are semantically similar to known attacks are flagged), and optional LLM-judge evaluation where a second model assesses whether a given input is an injection attempt. Each layer can be configured independently.
- Regex scanner — fast, lightweight detection of known injection patterns and keyword combinations
- Vector similarity scanner — compares input embeddings against a database of known injection prompts; catches paraphrased and novel variants
- LLM scanner — uses an LLM to evaluate whether an input is an injection attempt; most accurate but slowest
- REST API mode — deploy as a sidecar service that any LLM application can call to pre-screen inputs
Ollama is a tool for running open-source large language models locally on your own hardware. It manages model downloads, serves an OpenAI-compatible API, and handles GPU/CPU resource allocation automatically. For AI security practitioners, running models locally is transformative: you can run unlimited red team tests with no API costs, test on sensitive engagement data without privacy concerns, modify model system prompts freely, and even study unaligned model variants that cloud providers would not host.
Every other LLM security tool in this list — Garak, PyRIT, Promptfoo, BurpGPT, Vigil — supports Ollama as a backend. This means you can build an entire AI red team lab that costs nothing beyond the hardware you already have, with no rate limits, no logging, and no data leaving your machine.
- One-command model management — ollama pull llama3.2 downloads and runs a model; ollama list shows all installed models
- OpenAI-compatible API — any tool or code that works with OpenAI works with Ollama by changing the base URL to http://localhost:11434/v1
- Modelfile customisation — create custom model variants with specific system prompts, temperature settings, or fine-tuning for security testing scenarios
- GPU acceleration — automatically uses NVIDIA CUDA, AMD ROCm, or Apple Metal; runs on CPU for smaller models on any hardware
| # | Tool | Primary use | Skill level | Cost | Best for |
|---|---|---|---|---|---|
| 1 | Nuclei AI | Web vulnerability scanning | Beginner–Intermediate | Free | Bug bounty, web app pentesting, CVE scanning |
| 2 | PentestGPT | Pentest methodology coach | Beginner–Intermediate | API costs only | OSCP prep, learning methodology, getting unstuck |
| 3 | BurpGPT | AI-assisted HTTP analysis | Intermediate | Free (local LLM) | Web app pentesting, traffic analysis, logic bugs |
| 4 | Spiderfoot AI | OSINT and attack surface | Beginner | Free | External pentests, bug bounty recon, red team prep |
| 5 | Adversarial AI (WormGPT) | Threat intelligence | All levels | N/A (awareness only) | Understanding modern phishing/BEC threat landscape |
| 6 | Garak | LLM vulnerability scanner | Beginner | Free | First-pass LLM assessment, portfolio building |
| 7 | PyRIT | AI red teaming framework | Advanced | API costs only | Professional AI red team engagements, custom attacks |
| 8 | Promptfoo | LLM testing and red team | Intermediate | Free tier | Continuous LLM security testing, CI/CD integration |
| 9 | Vigil | Injection detection / bypass research | Intermediate | Free | Testing defences, developing bypass techniques |
| 10 | Ollama | Local LLM lab | Beginner | Free | Safe unlimited testing, privacy-first engagements |
⚡ Start building your AI security toolkit today
- Start with Ollama and Garak today — both are fully free, install in minutes, and give you immediate hands-on experience. Install Ollama, pull Llama 3.2, create a victim bot with a custom Modelfile, then point Garak at it. You will have your first LLM vulnerability scan results within 30 minutes.
- Add Nuclei to your existing toolkit — if you already use Burp Suite and Nmap, Nuclei is the easiest high-value addition. The template library covers thousands of CVEs and misconfigurations that manual testing misses. Nmap tutorial →
- Understand the attacks these tools find — the tools are more effective when you understand the vulnerabilities they detect. Prompt injection deep dive → | AI red teaming guide →
- Add BurpGPT to your Burp workflow — it is a one-click install from the BApp Store and costs nothing if you point it at a local Ollama model. It adds AI analysis to traffic you are already capturing. Burp Suite tutorial →
- Build a portfolio with Garak reports — a Garak HTML report showing a systematic LLM vulnerability assessment is a portfolio item most AI security hiring managers have never seen from a junior candidate. Run it against a local model, document your findings, and write a short analysis of each vulnerability class detected.
For beginners getting started with AI-powered security tools, Nuclei is the easiest entry point — install it, run it against a target you own, and immediately see real vulnerability findings. For beginners specifically interested in AI security (testing LLMs), Garak is the easiest start — one command scans an LLM endpoint for dozens of vulnerability classes and produces a readable HTML report. Both are completely free and work on Kali Linux out of the box.
Yes. Nuclei, PentestGPT, Spiderfoot, Garak, PyRIT, Promptfoo, and Vigil all run efficiently on any modern CPU — they either use cloud AI APIs (OpenAI, Anthropic) or perform their own processing without large model inference. Ollama can run smaller models (3B–7B parameters) on CPU with 8–16GB RAM — slower but functional. For the best local model performance, an NVIDIA GPU with 8GB+ VRAM is ideal, but it is not a hard requirement.
Garak is an automated scanner that runs a large predefined set of vulnerability probes against an LLM endpoint with minimal configuration — ideal for fast broad assessment and initial reconnaissance of an LLM application. PyRIT is a Python SDK for building custom AI red teaming workflows — it requires coding knowledge but offers far more flexibility, including custom attack orchestration, automatic jailbreak refinement (PAIR), and integration with enterprise AI infrastructure. Use Garak first for breadth; use PyRIT for depth on confirmed vulnerability areas.
WormGPT and similar adversarial AI tools are circulated on dark web forums and criminal marketplaces. Ethical hackers should not seek them out or use them. They are included in this article purely as threat intelligence — understanding what capabilities real attackers have. For simulating AI-assisted phishing or social engineering in authorised red team engagements, use legitimate LLMs like Claude or GPT-4o with appropriate prompting. They produce equally convincing output for testing purposes without the legal and ethical problems of engaging with criminal infrastructure.
All tools in this list support OpenAI's API. Most also support Anthropic (Claude), Google Gemini, HuggingFace models, and local models via Ollama. The OpenAI-compatible API has become the de facto standard — any tool built for OpenAI works with Ollama locally, with Groq, with any provider that exposes an OpenAI-compatible endpoint. Check individual tool documentation for specific provider compatibility.
Always check the programme's scope and rules before running any automated tools — many programmes explicitly prohibit automated scanning or have rate limits. For in-scope automated scanning, Nuclei and Spiderfoot are generally accepted when used carefully. For AI-specific testing (LLM injection, jailbreaks), check whether the AI product is in scope — many programmes have added LLM vulnerability categories in 2025–2026. Tools like Garak and Promptfoo are appropriate for in-scope LLM testing when used at a rate that does not constitute a DoS attack against the service.




