PentestGPT: GPT-empowered penetration testing tool

by ddos · October 21, 2025

PentestGPT is a penetration testing tool empowered by ChatGPT.
It is designed to automate the penetration testing process. It is built on top of ChatGPT and operate in an interactive mode to guide penetration testers in both overall progress and specific operations.
PentestGPT is able to solve easy to medium HackTheBox machines, and other CTF challenges. You can check this example in resources where we use it to solve HackTheBox challenge TEMPLATED (web challenge).
A sample testing process of PentestGPT on a target VulnHub machine (Hackable II) is available at here.
A sample usage video is below: (or available here: Demo)

PentestGPT provides a unified terminal input handler, and backed by three main components:

A test generation module which generates the exact penetration testing commands or operations for the users to execute.
A test reasoning module which conducts the reasoning of the test, guiding the penetration testers on what to do next.
A parsing module which parses the output of the penetration tools and the contents on the webUI.

The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:

(initialize itself with some pre-designed prompts.)
Start a new penetration testing session by providing the target information.
Ask for todo-list, and acquire the next step to perform.
After completing the operation, pass the information to PentestGPT.
1. Pass a tool output.
2. Pass a webpage content.
3. Pass a human description.
The generation module can also start a continuous mode, which helps the user to dig into a specific task.

Q: What is PentestGPT?
- A: PentestGPT is a penetration testing tool empowered by ChatGPT. It is designed to automate the penetration testing process. It is built on top of ChatGPT and operate in an interactive mode to guide penetration testers in both overall progress and specific operations.
Q: Do I need to be a ChatGPT plus member to use PentestGPT?
- A: Yes. PentestGPT relies on GPT-4 model for high-quality reasoning. Since there is no public GPT-4 API yet, a wrapper is included to use ChatGPT session to support PentestGPT.
Q: Why GPT-4?
- A: After empirical evaluation, we found that GPT-4 performs better than GPT-3.5 in terms of penetration testing reasoning. In fact, GPT-3.5 leads to failed test in simple tasks.
Q: Why not just use GPT-4 directly?
- A: We found that GPT-4 suffers from losses of context as test goes deeper. It is essential to maintain a “test status awareness” in this process. You may check the PentestGPT design here for more details.
Q: What about AutoGPT?
- A: AutoGPT is not designed for pentest. It may perform malicious operations. Due to this consideration, we design PentestGPT in an interactive mode. Of course, our end goal is an automated pentest solution.
Q: Future plan?
- A: We’re working on a paper to explore the tech details behind automated pentest. Meanwhile, please feel free to raise issues/discussions. I’ll do my best to address all of them.