HexStrike AI is an orchestration framework that connects large language model agents to a broad offensive toolchain. It implements a Model Context Protocol server that accepts agent intents, selects toolchains, runs tools and aggregates results.

The project advertises support for over 150 security tools and a set of autonomous agents that chain scans, analysis, and exploitation into repeatable campaigns. The repository contains installation, tool integration and agent connection guidance.
Features
- Multi-agent architecture with a central MCP server that coordinates agent workflows and tool selection.
- Large tool ecosystem integrating over 150 security utilities across network, web, cloud and binary categories such as nmap, masscan, amass, gobuster, ffuf, sqlmap and many others (see README tool list).
- Attack templates and CVE intelligence to prioritise likely successful attack chains.
- Real-time dashboards and reporting that produce vulnerability cards and exportable artefacts for triage and audit.
- Extensible agent clients with adapters for MCP-compatible agents and example integration guidance.
Installation
The README provides a quick setup to run the MCP server. These commands are copied directly from the project documentation:
```bash
# 1. Clone the repository
git clone https://github.com/0x4m4/hexstrike-ai.git
cd hexstrike-ai

# 2. Create virtual environment
python3 -m venv hexstrike-env
source hexstrike-env/bin/activate  # Linux/Mac
# hexstrike-env\Scripts\activate   # Windows

# 3. Install Python dependencies
pip3 install -r requirements.txt
```
Follow the README for optional steps such as installing Chrome/Chromedriver for browser-capable agents and installing the core security tool binaries listed in the repository.
Usage
The repository documents how to start the central server. The project does not publish a consolidated `--help` output in the README. Use the documented start commands below:
```bash
# Start the MCP server
python3 hexstrike_server.py

# Optional: Start with debug mode
python3 hexstrike_server.py --debug

# Optional: Custom port configuration
python3 hexstrike_server.py --port 8888
```
See the README for details on connecting agent clients and installing the optional toolchain components. The README also includes troubleshooting guidance for common issues such as verifying tools (for example, `which nmap gobuster nuclei`) and checking server ports.
To verify the installation:
```bash
# Test server health
curl http://localhost:8888/health

# Test AI agent capabilities
curl -X POST http://localhost:8888/api/intelligence/analyze-target \
  -H "Content-Type: application/json" \
  -d '{"target": "example.com", "analysis_type": "comprehensive"}'
```
Attack scenario
Scenario: after a public disclosure for a vulnerable appliance, a red team operator configures HexStrike in an isolated lab and connects an MCP-compatible agent. The agent runs a discovery chain (network scanning with masscan and nmap), enumerates hosts and services, follows up with web enumeration (amass, httpx) and then triggers focused web checks (ffuf, sqlmap) where relevant. HexStrike correlates and ranks findings, producing evidence cards. This automated process reduces manual coordination time and accelerates triage and proof-of-concept generation.
Red team relevance and detection guidance
HexStrike accelerates scale and repeatability for offensive teams, but it also raises detection considerations for defenders. Key defensive signals to monitor include unusually high rates of multi-tool invocation from a single host, rapid sequential scans following public disclosures, and coordinated tool combinations that match automation templates. Defenders should focus telemetry on process lineage, tool invocation patterns and bursty activity that indicate agentified automation.
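One way to turn the signals above into a detection, as an added example (not code from HexStrike or from the original article): a sliding-window check over process-creation events that flags a host where one parent process launches several distinct scanning tools in a short burst. The event format, the five-minute window and the four-tool threshold are assumptions; the tool names are the ones mentioned in this article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tool names mentioned in this article; extend from your own inventory.
TOOLS = {"nmap", "masscan", "amass", "gobuster", "ffuf", "sqlmap", "httpx", "nuclei"}
WINDOW = timedelta(minutes=5)  # assumed burst window
MIN_DISTINCT = 4               # assumed threshold of distinct tools per window

# Constructed sample process-creation events: timestamp host parent image
SAMPLE = """\
2025-01-10T09:00:05 lab-vm1 python3 masscan
2025-01-10T09:00:40 lab-vm1 python3 nmap
2025-01-10T09:01:00 lab-vm1 python3 curl
2025-01-10T09:01:30 lab-vm1 python3 amass
2025-01-10T09:02:10 lab-vm1 python3 httpx
2025-01-10T09:03:00 lab-vm1 python3 ffuf
2025-01-10T09:00:10 ws-22 bash nmap
2025-01-10T09:20:00 ws-22 bash gobuster
2025-01-10T09:45:00 ws-22 bash ffuf
2025-01-10T10:10:00 ws-22 bash sqlmap
"""

def parse(text):
    """Parse whitespace-separated events into (time, host, parent, image) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, parent, image = line.split()
        events.append((datetime.fromisoformat(ts), host, parent, image))
    return events

def detect(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {(host, parent): tools} where one parent process on one host
    started at least min_distinct different tools inside the time window."""
    recent = defaultdict(deque)  # (host, parent) -> recent (time, tool) launches
    alerts = {}
    for ts, host, parent, image in sorted(events):
        if image not in TOOLS:
            continue  # unrelated process, ignore
        q = recent[(host, parent)]
        q.append((ts, image))
        while ts - q[0][0] > window:  # expire launches older than the window
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= min_distinct:
            alerts.setdefault((host, parent), set()).update(distinct)
    return {key: sorted(tools) for key, tools in alerts.items()}

if __name__ == "__main__":
    for (host, parent), tools in detect(parse(SAMPLE)).items():
        print(f"burst on {host}: parent={parent} tools={', '.join(tools)}")
```

Keying on the parent process separates an orchestrator driving many tools from an analyst running the same tools by hand over an hour, which is the `ws-22` case in the sample.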
Limitations and operational notes
- Run in isolation: HexStrike gives agents powerful system access; run it in dedicated virtual machines or containers and do not connect it to production resources without strict controls.
- Tool dependencies: Many integrated tools must be installed separately; follow the README tool list and install the required binaries.
- Human oversight required: Automation can lead to unintended impact; operator governance and legal authorisation are mandatory.
Related reading
For operational synergy, consider combining HexStrike with classic proxy and fingerprinting tools such as mitmproxy and WAFW00F. Mitmproxy helps intercept and tune requests, WAFW00F helps identify protection stacks to avoid or probe, and HexStrike automates large-scale scanning and exploitation workflows that benefit from the contextual insight those tools provide.
Conclusion
HexStrike AI exemplifies the next generation of LLM-driven offensive platforms that combine model decision-making with real tool execution. It is a force multiplier for reconnaissance and exploit automation when used responsibly. Defenders should treat agentified toolchains as a priority risk and enhance telemetry to detect rapid, orchestrated scanning or high-volume tool usage.
You can read more or download HexStrike AI here: https://github.com/0x4m4/hexstrike-ai