[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-4866":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":45,"readmeContent":46,"aiSummary":47,"trendingCount":16,"starSnapshotCount":16,"syncStatus":48,"lastSyncTime":49,"discoverSource":50},4866,"pentagi","vxcontrol\u002Fpentagi","vxcontrol","Fully autonomous AI Agents system capable of performing complex penetration testing tasks","https:\u002F\u002Fpentagi.com",null,"Go",17653,2411,119,30,0,33,201,880,144,45,"MIT License",false,"main",true,[27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44],"ai-agents","ai-security-tool","anthropic","autonomous-agents","golang","gpt","graphql","multi-agent-system","offensive-security","open-source","openai","penetration-testing","penetration-testing-tools","react","security-automation","security-testing","security-tools","self-hosted","2026-06-12 02:01:05","# PentAGI\n\n\u003Cdiv align=\"center\" style=\"font-size: 1.5em; margin: 20px 0;\">\n    \u003Cstrong>P\u003C\u002Fstrong>enetration testing \u003Cstrong>A\u003C\u002Fstrong>rtificial \u003Cstrong>G\u003C\u002Fstrong>eneral \u003Cstrong>I\u003C\u002Fstrong>ntelligence\n\u003C\u002Fdiv>\n\u003Cbr>\n\u003Cdiv align=\"center\">\n\n> **Join the Community!** Connect with security researchers, AI enthusiasts, and fellow ethical hackers. 
Get support, share insights, and stay updated with the latest PentAGI developments.\n\n[![Discord](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FDiscord-7289DA?logo=discord&logoColor=white)](https:\u002F\u002Fdiscord.gg\u002F2xrMh7qX6m)⠀[![Telegram](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FTelegram-2CA5E0?logo=telegram&logoColor=white)](https:\u002F\u002Ft.me\u002F+Ka9i6CNwe71hMWQy)\n\n\u003Ca href=\"https:\u002F\u002Ftrendshift.io\u002Frepositories\u002F15161\" target=\"_blank\">\u003Cimg src=\"https:\u002F\u002Ftrendshift.io\u002Fapi\u002Fbadge\u002Frepositories\u002F15161\" alt=\"vxcontrol%2Fpentagi | Trendshift\" style=\"width: 250px; height: 55px;\" width=\"250\" height=\"55\"\u002F>\u003C\u002Fa>\n\n\u003C\u002Fdiv>\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Features](#features)\n- [Architecture](#architecture)\n  - [Agent Supervision](#advanced-agent-supervision)\n- [Quick Start](#quick-start)\n- [API Access](#api-access)\n  - [LLM Provider Configuration](#custom-llm-provider-configuration)\n    - [Ollama](#ollama-provider-configuration)\n    - [OpenAI](#openai-provider-configuration)\n    - [Anthropic](#anthropic-provider-configuration)\n    - [Google AI (Gemini)](#google-ai-gemini-provider-configuration)\n    - [AWS Bedrock](#aws-bedrock-provider-configuration)\n    - [DeepSeek](#deepseek-provider-configuration)\n    - [GLM](#glm-provider-configuration)\n    - [Kimi](#kimi-provider-configuration)\n    - [Qwen](#qwen-provider-configuration)\n- [Advanced Setup](#advanced-setup)\n  - [Langfuse Integration](#langfuse-integration)\n  - [Monitoring and Observability](#monitoring-and-observability)\n  - [Knowledge Graph (Graphiti)](#knowledge-graph-integration-graphiti)\n  - [OAuth Integration](#github-and-google-oauth-integration)\n  - [Docker Image Configuration](#docker-image-configuration)\n- [Development](#development)\n- [Testing LLM Agents](#testing-llm-agents)\n- [Embedding Configuration and 
Testing](#embedding-configuration-and-testing)\n- [Function Testing with ftester](#function-testing-with-ftester)\n- [Building](#building)\n- [Credits](#credits)\n- [License](#license)\n\n## Overview\n\nPentAGI is an innovative tool for automated security testing that leverages cutting-edge artificial intelligence technologies. The project is designed for information security professionals, researchers, and enthusiasts who need a powerful and flexible solution for conducting penetration tests.\n\nYou can watch the video **PentAGI overview**:\n[![PentAGI Overview Video](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F0828dc3e-15f1-4a1d-858e-9696a146e478)](https:\u002F\u002Fyoutu.be\u002FR70x5Ddzs1o)\n\n## Features\n\n- Secure & Isolated. All operations are performed in a sandboxed Docker environment with complete isolation.\n- Fully Autonomous. AI-powered agent that automatically determines and executes penetration testing steps with optional execution monitoring and intelligent task planning for enhanced reliability.\n- Professional Pentesting Tools. Built-in suite of 20+ professional security tools including nmap, metasploit, sqlmap, and more.\n- Smart Memory System. Long-term storage of research results and successful approaches for future use.\n- Knowledge Graph Integration. Graphiti-powered knowledge graph using Neo4j for semantic relationship tracking and advanced context understanding.\n- Web Intelligence. Built-in browser via [scraper](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fvxcontrol\u002Fscraper) for gathering latest information from web sources.\n- External Search Systems. 
Integration with advanced search APIs including [Tavily](https:\u002F\u002Ftavily.com), [Traversaal](https:\u002F\u002Ftraversaal.ai), [Perplexity](https:\u002F\u002Fwww.perplexity.ai), [DuckDuckGo](https:\u002F\u002Fduckduckgo.com\u002F), [Google Custom Search](https:\u002F\u002Fprogrammablesearchengine.google.com\u002F), [Sploitus Search](https:\u002F\u002Fsploitus.com) and [Searxng](https:\u002F\u002Fsearxng.org) for comprehensive information gathering.\n- Team of Specialists. Delegation system with specialized AI agents for research, development, and infrastructure tasks, enhanced with optional execution monitoring and intelligent task planning for optimal performance with smaller models.\n- Comprehensive Monitoring. Detailed logging and integration with Grafana\u002FPrometheus for real-time system observation.\n- Detailed Reporting. Generation of thorough vulnerability reports with exploitation guides.\n- Smart Container Management. Automatic Docker image selection based on specific task requirements.\n- Modern Interface. Clean and intuitive web UI for system management and monitoring.\n- Comprehensive APIs. Full-featured REST and GraphQL APIs with Bearer token authentication for automation and integration.\n- Persistent Storage. All commands and outputs are stored in PostgreSQL with [pgvector](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fvxcontrol\u002Fpgvector) extension.\n- Scalable Architecture. Microservices-based design supporting horizontal scaling.\n- Self-Hosted Solution. Complete control over your deployment and data.\n- Flexible Authentication. 
Support for 10+ LLM providers ([OpenAI](https:\u002F\u002Fplatform.openai.com\u002F), [Anthropic](https:\u002F\u002Fwww.anthropic.com\u002F), [Google AI\u002FGemini](https:\u002F\u002Fai.google.dev\u002F), [AWS Bedrock](https:\u002F\u002Faws.amazon.com\u002Fbedrock\u002F), [Ollama](https:\u002F\u002Follama.com\u002F), [DeepSeek](https:\u002F\u002Fwww.deepseek.com\u002Fen\u002F), [GLM](https:\u002F\u002Fz.ai\u002F), [Kimi](https:\u002F\u002Fplatform.moonshot.ai\u002F), [Qwen](https:\u002F\u002Fwww.alibabacloud.com\u002Fen\u002F), Custom) plus aggregators ([OpenRouter](https:\u002F\u002Fopenrouter.ai\u002F), [DeepInfra](https:\u002F\u002Fdeepinfra.com\u002F)). For production local deployments, see our [vLLM + Qwen3.5-27B-FP8 guide](examples\u002Fguides\u002Fvllm-qwen35-27b-fp8.md).\n- API Token Authentication. Secure Bearer token system for programmatic access to REST and GraphQL APIs.\n- Quick Deployment. Easy setup through [Docker Compose](https:\u002F\u002Fdocs.docker.com\u002Fcompose\u002F) with comprehensive environment configuration.\n\n## Architecture\n\n### System Context\n\n```mermaid\nflowchart TB\n    classDef person fill:#08427B,stroke:#073B6F,color:#fff\n    classDef system fill:#1168BD,stroke:#0B4884,color:#fff\n    classDef external fill:#666666,stroke:#0B4884,color:#fff\n\n    pentester[\"👤 Security Engineer\n    (User of the system)\"]\n\n    pentagi[\"✨ PentAGI\n    (Autonomous penetration testing system)\"]\n\n    target[\"🎯 target-system\n    (System under test)\"]\n    llm[\"🧠 llm-provider\n    (OpenAI\u002FAnthropic\u002FOllama\u002FBedrock\u002FGemini\u002FCustom)\"]\n    search[\"🔍 search-systems\n    (Google\u002FDuckDuckGo\u002FTavily\u002FTraversaal\u002FPerplexity\u002FSploitus\u002FSearxng)\"]\n    langfuse[\"📊 langfuse-ui\n    (LLM Observability Dashboard)\"]\n    grafana[\"📈 grafana\n    (System Monitoring Dashboard)\"]\n\n    pentester --> |Uses HTTPS| pentagi\n    pentester --> |Monitors AI HTTPS| langfuse\n    pentester --> |Monitors 
System HTTPS| grafana\n    pentagi --> |Tests Various protocols| target\n    pentagi --> |Queries HTTPS| llm\n    pentagi --> |Searches HTTPS| search\n    pentagi --> |Reports HTTPS| langfuse\n    pentagi --> |Reports HTTPS| grafana\n\n    class pentester person\n    class pentagi system\n    class target,llm,search,langfuse,grafana external\n\n    linkStyle default stroke:#ffffff,color:#ffffff\n```\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Container Architecture\u003C\u002Fb> (click to expand)\u003C\u002Fsummary>\n\n```mermaid\ngraph TB\n    subgraph Core Services\n        UI[Frontend UI\u003Cbr\u002F>React + TypeScript]\n        API[Backend API\u003Cbr\u002F>Go + GraphQL]\n        DB[(Vector Store\u003Cbr\u002F>PostgreSQL + pgvector)]\n        MQ[Task Queue\u003Cbr\u002F>Async Processing]\n        Agent[AI Agents\u003Cbr\u002F>Multi-Agent System]\n    end\n\n    subgraph Knowledge Graph\n        Graphiti[Graphiti\u003Cbr\u002F>Knowledge Graph API]\n        Neo4j[(Neo4j\u003Cbr\u002F>Graph Database)]\n    end\n\n    subgraph Monitoring\n        Grafana[Grafana\u003Cbr\u002F>Dashboards]\n        VictoriaMetrics[VictoriaMetrics\u003Cbr\u002F>Time-series DB]\n        Jaeger[Jaeger\u003Cbr\u002F>Distributed Tracing]\n        Loki[Loki\u003Cbr\u002F>Log Aggregation]\n        OTEL[OpenTelemetry\u003Cbr\u002F>Data Collection]\n    end\n\n    subgraph Analytics\n        Langfuse[Langfuse\u003Cbr\u002F>LLM Analytics]\n        ClickHouse[ClickHouse\u003Cbr\u002F>Analytics DB]\n        Redis[Redis\u003Cbr\u002F>Cache + Rate Limiter]\n        MinIO[MinIO\u003Cbr\u002F>S3 Storage]\n    end\n\n    subgraph Security Tools\n        Scraper[Web Scraper\u003Cbr\u002F>Isolated Browser]\n        PenTest[Security Tools\u003Cbr\u002F>20+ Pro Tools\u003Cbr\u002F>Sandboxed Execution]\n    end\n\n    UI --> |HTTP\u002FWS| API\n    API --> |SQL| DB\n    API --> |Events| MQ\n    MQ --> |Tasks| Agent\n    Agent --> |Commands| PenTest\n    Agent --> |Queries| DB\n    Agent --> |Knowledge| 
Graphiti\n    Graphiti --> |Graph| Neo4j\n\n    API --> |Telemetry| OTEL\n    OTEL --> |Metrics| VictoriaMetrics\n    OTEL --> |Traces| Jaeger\n    OTEL --> |Logs| Loki\n\n    Grafana --> |Query| VictoriaMetrics\n    Grafana --> |Query| Jaeger\n    Grafana --> |Query| Loki\n\n    API --> |Analytics| Langfuse\n    Langfuse --> |Store| ClickHouse\n    Langfuse --> |Cache| Redis\n    Langfuse --> |Files| MinIO\n\n    classDef core fill:#f9f,stroke:#333,stroke-width:2px,color:#000\n    classDef knowledge fill:#ffa,stroke:#333,stroke-width:2px,color:#000\n    classDef monitoring fill:#bbf,stroke:#333,stroke-width:2px,color:#000\n    classDef analytics fill:#bfb,stroke:#333,stroke-width:2px,color:#000\n    classDef tools fill:#fbb,stroke:#333,stroke-width:2px,color:#000\n\n    class UI,API,DB,MQ,Agent core\n    class Graphiti,Neo4j knowledge\n    class Grafana,VictoriaMetrics,Jaeger,Loki,OTEL monitoring\n    class Langfuse,ClickHouse,Redis,MinIO analytics\n    class Scraper,PenTest tools\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Entity Relationship\u003C\u002Fb> (click to expand)\u003C\u002Fsummary>\n\n```mermaid\nerDiagram\n    Flow ||--o{ Task : contains\n    Task ||--o{ SubTask : contains\n    SubTask ||--o{ Action : contains\n    Action ||--o{ Artifact : produces\n    Action ||--o{ Memory : stores\n\n    Flow {\n        string id PK\n        string name \"Flow name\"\n        string description \"Flow description\"\n        string status \"active\u002Fcompleted\u002Ffailed\"\n        json parameters \"Flow parameters\"\n        timestamp created_at\n        timestamp updated_at\n    }\n\n    Task {\n        string id PK\n        string flow_id FK\n        string name \"Task name\"\n        string description \"Task description\"\n        string status \"pending\u002Frunning\u002Fdone\u002Ffailed\"\n        json result \"Task results\"\n        timestamp created_at\n        timestamp updated_at\n    }\n\n    SubTask {\n        string id 
PK\n        string task_id FK\n        string name \"Subtask name\"\n        string description \"Subtask description\"\n        string status \"queued\u002Frunning\u002Fcompleted\u002Ffailed\"\n        string agent_type \"researcher\u002Fdeveloper\u002Fexecutor\"\n        json context \"Agent context\"\n        timestamp created_at\n        timestamp updated_at\n    }\n\n    Action {\n        string id PK\n        string subtask_id FK\n        string type \"command\u002Fsearch\u002Fanalyze\u002Fetc\"\n        string status \"success\u002Ffailure\"\n        json parameters \"Action parameters\"\n        json result \"Action results\"\n        timestamp created_at\n    }\n\n    Artifact {\n        string id PK\n        string action_id FK\n        string type \"file\u002Freport\u002Flog\"\n        string path \"Storage path\"\n        json metadata \"Additional info\"\n        timestamp created_at\n    }\n\n    Memory {\n        string id PK\n        string action_id FK\n        string type \"observation\u002Fconclusion\"\n        vector embedding \"Vector representation\"\n        text content \"Memory content\"\n        timestamp created_at\n    }\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Agent Interaction\u003C\u002Fb> (click to expand)\u003C\u002Fsummary>\n\n```mermaid\nsequenceDiagram\n    participant O as Orchestrator\n    participant R as Researcher\n    participant D as Developer\n    participant E as Executor\n    participant VS as Vector Store\n    participant KB as Knowledge Base\n\n    Note over O,KB: Flow Initialization\n    O->>VS: Query similar tasks\n    VS-->>O: Return experiences\n    O->>KB: Load relevant knowledge\n    KB-->>O: Return context\n\n    Note over O,R: Research Phase\n    O->>R: Analyze target\n    R->>VS: Search similar cases\n    VS-->>R: Return patterns\n    R->>KB: Query vulnerabilities\n    KB-->>R: Return known issues\n    R->>VS: Store findings\n    R-->>O: Research results\n\n    Note over O,D: 
Planning Phase\n    O->>D: Plan attack\n    D->>VS: Query exploits\n    VS-->>D: Return techniques\n    D->>KB: Load tools info\n    KB-->>D: Return capabilities\n    D-->>O: Attack plan\n\n    Note over O,E: Execution Phase\n    O->>E: Execute plan\n    E->>KB: Load tool guides\n    KB-->>E: Return procedures\n    E->>VS: Store results\n    E-->>O: Execution status\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Memory System\u003C\u002Fb> (click to expand)\u003C\u002Fsummary>\n\n```mermaid\ngraph TB\n    subgraph \"Long-term Memory\"\n        VS[(Vector Store\u003Cbr\u002F>Embeddings DB)]\n        KB[Knowledge Base\u003Cbr\u002F>Domain Expertise]\n        Tools[Tools Knowledge\u003Cbr\u002F>Usage Patterns]\n    end\n\n    subgraph \"Working Memory\"\n        Context[Current Context\u003Cbr\u002F>Task State]\n        Goals[Active Goals\u003Cbr\u002F>Objectives]\n        State[System State\u003Cbr\u002F>Resources]\n    end\n\n    subgraph \"Episodic Memory\"\n        Actions[Past Actions\u003Cbr\u002F>Commands History]\n        Results[Action Results\u003Cbr\u002F>Outcomes]\n        Patterns[Success Patterns\u003Cbr\u002F>Best Practices]\n    end\n\n    Context --> |Query| VS\n    VS --> |Retrieve| Context\n\n    Goals --> |Consult| KB\n    KB --> |Guide| Goals\n\n    State --> |Record| Actions\n    Actions --> |Learn| Patterns\n    Patterns --> |Store| VS\n\n    Tools --> |Inform| State\n    Results --> |Update| Tools\n\n    VS --> |Enhance| KB\n    KB --> |Index| VS\n\n    classDef ltm fill:#f9f,stroke:#333,stroke-width:2px,color:#000\n    classDef wm fill:#bbf,stroke:#333,stroke-width:2px,color:#000\n    classDef em fill:#bfb,stroke:#333,stroke-width:2px,color:#000\n\n    class VS,KB,Tools ltm\n    class Context,Goals,State wm\n    class Actions,Results,Patterns em\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Chain Summarization\u003C\u002Fb> (click to expand)\u003C\u002Fsummary>\n\nThe chain summarization system 
manages conversation context growth by selectively summarizing older messages. This is critical for preventing token limits from being exceeded while maintaining conversation coherence.\n\n```mermaid\nflowchart TD\n    A[Input Chain] --> B{Needs Summarization?}\n    B -->|No| C[Return Original Chain]\n    B -->|Yes| D[Convert to ChainAST]\n    D --> E[Apply Section Summarization]\n    E --> F[Process Oversized Pairs]\n    F --> G[Manage Last Section Size]\n    G --> H[Apply QA Summarization]\n    H --> I[Rebuild Chain with Summaries]\n    I --> J{Is New Chain Smaller?}\n    J -->|Yes| K[Return Optimized Chain]\n    J -->|No| C\n\n    classDef process fill:#bbf,stroke:#333,stroke-width:2px,color:#000\n    classDef decision fill:#bfb,stroke:#333,stroke-width:2px,color:#000\n    classDef output fill:#fbb,stroke:#333,stroke-width:2px,color:#000\n\n    class A,D,E,F,G,H,I process\n    class B,J decision\n    class C,K output\n```\n\nThe algorithm operates on a structured representation of conversation chains (ChainAST) that preserves message types including tool calls and their responses. 
All summarization operations maintain critical conversation flow while reducing context size.\n\n### Global Summarizer Configuration Options\n\n| Parameter             | Environment Variable             | Default | Description                                                |\n| --------------------- | -------------------------------- | ------- | ---------------------------------------------------------- |\n| Preserve Last         | `SUMMARIZER_PRESERVE_LAST`       | `true`  | Whether to keep all messages in the last section intact    |\n| Use QA Pairs          | `SUMMARIZER_USE_QA`              | `true`  | Whether to use QA pair summarization strategy              |\n| Summarize Human in QA | `SUMMARIZER_SUM_MSG_HUMAN_IN_QA` | `false` | Whether to summarize human messages in QA pairs            |\n| Last Section Size     | `SUMMARIZER_LAST_SEC_BYTES`      | `51200` | Maximum byte size for last section (50KB)                  |\n| Max Body Pair Size    | `SUMMARIZER_MAX_BP_BYTES`        | `16384` | Maximum byte size for a single body pair (16KB)            |\n| Max QA Sections       | `SUMMARIZER_MAX_QA_SECTIONS`     | `10`    | Maximum QA pair sections to preserve                       |\n| Max QA Size           | `SUMMARIZER_MAX_QA_BYTES`        | `65536` | Maximum byte size for QA pair sections (64KB)              |\n| Keep QA Sections      | `SUMMARIZER_KEEP_QA_SECTIONS`    | `1`     | Number of recent QA sections to keep without summarization |\n\n### Assistant Summarizer Configuration Options\n\nAssistant instances can use customized summarization settings to fine-tune context management behavior:\n\n| Parameter          | Environment Variable                    | Default | Description                                                          |\n| ------------------ | --------------------------------------- | ------- | -------------------------------------------------------------------- |\n| Preserve Last      | `ASSISTANT_SUMMARIZER_PRESERVE_LAST`    | `true`  
| Whether to preserve all messages in the assistant's last section     |\n| Last Section Size  | `ASSISTANT_SUMMARIZER_LAST_SEC_BYTES`   | `76800` | Maximum byte size for assistant's last section (75KB)                |\n| Max Body Pair Size | `ASSISTANT_SUMMARIZER_MAX_BP_BYTES`     | `16384` | Maximum byte size for a single body pair in assistant context (16KB) |\n| Max QA Sections    | `ASSISTANT_SUMMARIZER_MAX_QA_SECTIONS`  | `7`     | Maximum QA sections to preserve in assistant context                 |\n| Max QA Size        | `ASSISTANT_SUMMARIZER_MAX_QA_BYTES`     | `76800` | Maximum byte size for assistant's QA sections (75KB)                 |\n| Keep QA Sections   | `ASSISTANT_SUMMARIZER_KEEP_QA_SECTIONS` | `3`     | Number of recent QA sections to preserve without summarization       |\n\nThe assistant summarizer configuration provides more memory for context retention compared to the global settings, preserving more recent conversation history while still ensuring efficient token usage.\n\n### Summarizer Environment Configuration\n\n```bash\n# Default values for global summarizer logic\nSUMMARIZER_PRESERVE_LAST=true\nSUMMARIZER_USE_QA=true\nSUMMARIZER_SUM_MSG_HUMAN_IN_QA=false\nSUMMARIZER_LAST_SEC_BYTES=51200\nSUMMARIZER_MAX_BP_BYTES=16384\nSUMMARIZER_MAX_QA_SECTIONS=10\nSUMMARIZER_MAX_QA_BYTES=65536\nSUMMARIZER_KEEP_QA_SECTIONS=1\n\n# Default values for assistant summarizer logic\nASSISTANT_SUMMARIZER_PRESERVE_LAST=true\nASSISTANT_SUMMARIZER_LAST_SEC_BYTES=76800\nASSISTANT_SUMMARIZER_MAX_BP_BYTES=16384\nASSISTANT_SUMMARIZER_MAX_QA_SECTIONS=7\nASSISTANT_SUMMARIZER_MAX_QA_BYTES=76800\nASSISTANT_SUMMARIZER_KEEP_QA_SECTIONS=3\n```\n\n\u003C\u002Fdetails>\n\n\u003Ca id=\"advanced-agent-supervision\">\u003C\u002Fa>\n\u003Cdetails>\n\u003Csummary>\u003Cb>Advanced Agent Supervision\u003C\u002Fb> (click to expand)\u003C\u002Fsummary>\n\nPentAGI includes sophisticated multi-layered agent supervision mechanisms to ensure efficient task execution, prevent infinite 
loops, and provide intelligent recovery from stuck states:\n\n### Execution Monitoring (Beta)\n- **Automatic Mentor Intervention**: Adviser agent (mentor) is automatically invoked when execution patterns indicate potential issues\n- **Pattern Detection**: Monitors identical tool calls (threshold: 5, configurable) and total tool calls (threshold: 10, configurable)\n- **Progress Analysis**: Evaluates whether agent advances toward subtask objective, detects loops and inefficiencies\n- **Alternative Strategies**: Recommends different approaches when current strategy fails\n- **Information Retrieval Guidance**: Suggests searching for established solutions instead of reinventing\n- **Enhanced Response Format**: Tool responses include both `\u003Coriginal_result>` and `\u003Cmentor_analysis>` sections\n- **Configurable**: Enable via `EXECUTION_MONITOR_ENABLED` (default: false), customize thresholds with `EXECUTION_MONITOR_SAME_TOOL_LIMIT` and `EXECUTION_MONITOR_TOTAL_TOOL_LIMIT`\n\n**Best for**: Smaller models (\u003C 32B parameters), complex attack scenarios requiring continuous guidance, preventing agents from getting stuck on single approach\n\n**Performance Impact**: 2-3x increase in execution time and token usage, but delivers **2x improvement in result quality** based on testing with Qwen3.5-27B-FP8\n\n### Intelligent Task Planning (Beta)\n- **Automated Decomposition**: Planner (adviser in planning mode) generates 3-7 specific, actionable steps before specialist agents begin work\n- **Context-Aware Plans**: Analyzes full execution context via enricher agent to create informed plans\n- **Structured Assignment**: Original request wrapped in `\u003Ctask_assignment>` structure with execution plan and instructions\n- **Scope Management**: Prevents scope creep by keeping agents focused on current subtask only\n- **Enriched Instructions**: Plans highlight critical actions, potential pitfalls, and verification points\n- **Configurable**: Enable via 
`AGENT_PLANNING_STEP_ENABLED` (default: false)\n\n**Best for**: Models \u003C 32B parameters, complex penetration testing workflows, improving success rates on sophisticated tasks\n\n**Enhanced Adviser Configuration**: Works exceptionally well when adviser agent uses stronger model or enhanced settings. Example: using same base model with maximum reasoning mode for adviser (see [`vllm-qwen3.5-27b-fp8.provider.yml`](examples\u002Fconfigs\u002Fvllm-qwen3.5-27b-fp8.provider.yml)) enables comprehensive task analysis and strategic planning from identical model architecture.\n\n**Performance Impact**: Adds planning overhead but significantly improves completion rates and reduces redundant work\n\n### Tool Call Limits (Always Active)\n- **Hard Limits**: Prevent runaway executions regardless of supervision mode status\n- **Differentiated by Agent Type**:\n  - General agents (Assistant, Primary Agent, Pentester, Coder, Installer): `MAX_GENERAL_AGENT_TOOL_CALLS` (default: 100)\n  - Limited agents (Searcher, Enricher, Memorist, Generator, Reporter, Adviser, Reflector, Planner): `MAX_LIMITED_AGENT_TOOL_CALLS` (default: 20)\n- **Graceful Termination**: Reflector guides agents to proper completion when approaching limits\n- **Resource Protection**: Ensures system stability and prevents resource exhaustion\n\n### Reflector Integration (Always Active)\n- **Automatic Correction**: Invoked when LLM fails to generate tool calls after 3 attempts\n- **Strategic Guidance**: Analyzes failures and guides agents toward proper tool usage or barrier tools (`done`, `ask`)\n- **Recovery Mechanism**: Provides contextual guidance based on specific failure patterns\n- **Limit Enforcement**: Coordinates graceful termination when tool call limits are reached\n\n### Recommendations for Open Source Models\n\n**Must-Have for Models \u003C 32B Parameters**:\nTesting with Qwen3.5-27B-FP8 demonstrates that enabling both Execution Monitoring and Task Planning is **essential** for smaller open source 
models:\n- **Quality Improvement**: 2x better results compared to baseline execution without supervision\n- **Loop Prevention**: Significantly reduces infinite loops and redundant work\n- **Attack Diversity**: Encourages exploration of multiple attack vectors instead of fixating on single approach\n- **Air-Gapped Deployments**: Enables production-grade autonomous pentesting in closed network environments with local LLM inference\n\n**Trade-offs**:\n- Token consumption: 2-3x increase due to mentor\u002Fplanner invocations\n- Execution time: 2-3x longer due to analysis and planning steps\n- Result quality: 2x improvement in completeness, accuracy, and attack coverage\n- Model requirements: Works best when adviser uses enhanced configuration (higher reasoning parameters, stronger model variant, or different model)\n\n**Configuration Strategy**:\nFor optimal performance with smaller models, configure adviser agent with enhanced settings:\n- Use same model with maximum reasoning mode (example: [`vllm-qwen3.5-27b-fp8.provider.yml`](examples\u002Fconfigs\u002Fvllm-qwen3.5-27b-fp8.provider.yml))\n- Or use stronger model for adviser while keeping base model for other agents\n- Adjust monitoring thresholds based on task complexity and model capabilities\n\n\n\n\u003C\u002Fdetails>\n\nThe architecture of PentAGI is designed to be modular, scalable, and secure. Here are the key components:\n\n1. **Core Services**\n   - Frontend UI: React-based web interface with TypeScript for type safety\n   - Backend API: Go-based REST and GraphQL APIs with Bearer token authentication for programmatic access\n   - Vector Store: PostgreSQL with pgvector for semantic search and memory storage\n   - Task Queue: Async task processing system for reliable operation\n   - AI Agent: Multi-agent system with specialized roles for efficient testing\n\n2. 
**Knowledge Graph**\n   - Graphiti: Knowledge graph API for semantic relationship tracking and contextual understanding\n   - Neo4j: Graph database for storing and querying relationships between entities, actions, and outcomes\n   - Automatic capturing of agent responses and tool executions for building comprehensive knowledge base\n\n3. **Monitoring Stack**\n   - OpenTelemetry: Unified observability data collection and correlation\n   - Grafana: Real-time visualization and alerting dashboards\n   - VictoriaMetrics: High-performance time-series metrics storage\n   - Jaeger: End-to-end distributed tracing for debugging\n   - Loki: Scalable log aggregation and analysis\n\n4. **Analytics Platform**\n   - Langfuse: Advanced LLM observability and performance analytics\n   - ClickHouse: Column-oriented analytics data warehouse\n   - Redis: High-speed caching and rate limiting\n   - MinIO: S3-compatible object storage for artifacts\n\n5. **Security Tools**\n   - Web Scraper: Isolated browser environment for safe web interaction\n   - Pentesting Tools: Comprehensive suite of 20+ professional security tools\n   - Sandboxed Execution: All operations run in isolated containers\n\n6. **Memory Systems**\n   - Long-term Memory: Persistent storage of knowledge and experiences\n   - Working Memory: Active context and goals for current operations\n   - Episodic Memory: Historical actions and success patterns\n   - Knowledge Base: Structured domain expertise and tool capabilities\n   - Context Management: Intelligently manages growing LLM context windows using chain summarization\n\nThe system uses Docker containers for isolation and easy deployment, with separate networks for core services, monitoring, and analytics to ensure proper security boundaries. 
Each component is designed to scale horizontally and can be configured for high availability in production environments.\n\n## Quick Start\n\n### System Requirements\n\n- Docker and Docker Compose (or Podman - see [Podman configuration](#running-pentagi-with-podman))\n- Minimum 2 vCPU\n- Minimum 4GB RAM\n- 20GB free disk space\n- Internet access for downloading images and updates\n\n### Using Installer (Recommended)\n\nPentAGI provides an interactive installer with a terminal-based UI for streamlined configuration and deployment. The installer guides you through system checks, LLM provider setup, search engine configuration, and security hardening.\n\n**Supported Platforms:**\n- **Linux**: amd64 [download](https:\u002F\u002Fpentagi.com\u002Fdownloads\u002Flinux\u002Famd64\u002Finstaller-latest.zip) | arm64 [download](https:\u002F\u002Fpentagi.com\u002Fdownloads\u002Flinux\u002Farm64\u002Finstaller-latest.zip)\n- **Windows**: amd64 [download](https:\u002F\u002Fpentagi.com\u002Fdownloads\u002Fwindows\u002Famd64\u002Finstaller-latest.zip)\n- **macOS**: amd64 (Intel) [download](https:\u002F\u002Fpentagi.com\u002Fdownloads\u002Fdarwin\u002Famd64\u002Finstaller-latest.zip) | arm64 (M-series) [download](https:\u002F\u002Fpentagi.com\u002Fdownloads\u002Fdarwin\u002Farm64\u002Finstaller-latest.zip)\n\n**Quick Installation (Linux amd64):**\n\n```bash\n# Create installation directory\nmkdir -p pentagi && cd pentagi\n\n# Download installer\nwget -O installer.zip https:\u002F\u002Fpentagi.com\u002Fdownloads\u002Flinux\u002Famd64\u002Finstaller-latest.zip\n\n# Extract\nunzip installer.zip\n\n# Run interactive installer\n.\u002Finstaller\n```\n\n**Prerequisites & Permissions:**\n\nThe installer requires appropriate privileges to interact with the Docker API for proper operation. 
By default, it uses the Docker socket (`\u002Fvar\u002Frun\u002Fdocker.sock`) which requires either:\n\n- **Option 1 (Recommended for production):** Run the installer as root:\n  ```bash\n  sudo .\u002Finstaller\n  ```\n\n- **Option 2 (Development environments):** Grant your user access to the Docker socket by adding them to the `docker` group:\n  ```bash\n  # Add your user to the docker group\n  sudo usermod -aG docker $USER\n  \n  # Log out and log back in, or activate the group immediately\n  newgrp docker\n  \n  # Verify Docker access (should run without sudo)\n  docker ps\n  ```\n\n  ⚠️ **Security Note:** Adding a user to the `docker` group grants root-equivalent privileges. Only do this for trusted users in controlled environments. For production deployments, consider using rootless Docker mode or running the installer with sudo.\n\nThe installer will:\n1. **System Checks**: Verify Docker, network connectivity, and system requirements\n2. **Environment Setup**: Create and configure `.env` file with optimal defaults\n3. **Provider Configuration**: Set up LLM providers (OpenAI, Anthropic, Gemini, Bedrock, Ollama, Custom)\n4. **Search Engines**: Configure DuckDuckGo, Google, Tavily, Traversaal, Perplexity, Sploitus, Searxng\n5. **Security Hardening**: Generate secure credentials and configure SSL certificates\n6. **Deployment**: Start PentAGI with docker-compose\n\n**For Production & Enhanced Security:**\n\nFor production deployments or security-sensitive environments, we **strongly recommend** using a distributed two-node architecture where worker operations are isolated on a separate server. 
This prevents untrusted code execution and network access issues on your main system.\n\n**See detailed guide**: [Worker Node Setup](examples\u002Fguides\u002Fworker_node.md)\n\nThe two-node setup provides:\n- **Isolated Execution**: Worker containers run on dedicated hardware\n- **Network Isolation**: Separate network boundaries for penetration testing\n- **Security Boundaries**: Docker-in-Docker with TLS authentication\n- **OOB Attack Support**: Dedicated port ranges for out-of-band techniques\n\n### Manual Installation\n\n1. Create a working directory or clone the repository:\n\n```bash\nmkdir pentagi && cd pentagi\n```\n\n2. Copy `.env.example` to `.env` or download it:\n\n```bash\ncurl -o .env https:\u002F\u002Fraw.githubusercontent.com\u002Fvxcontrol\u002Fpentagi\u002Fmaster\u002F.env.example\n```\n\n3. Touch the example files (`example.custom.provider.yml`, `example.ollama.provider.yml`) or download them:\n\n```bash\ncurl -o example.custom.provider.yml https:\u002F\u002Fraw.githubusercontent.com\u002Fvxcontrol\u002Fpentagi\u002Fmaster\u002Fexamples\u002Fconfigs\u002Fcustom-openai.provider.yml\ncurl -o example.ollama.provider.yml https:\u002F\u002Fraw.githubusercontent.com\u002Fvxcontrol\u002Fpentagi\u002Fmaster\u002Fexamples\u002Fconfigs\u002Follama-llama318b.provider.yml\n```\n\n4. 
Fill in the required API keys in `.env` file.\n\n```bash\n# Required: At least one of these LLM providers\nOPEN_AI_KEY=your_openai_key\nANTHROPIC_API_KEY=your_anthropic_key\nGEMINI_API_KEY=your_gemini_key\n\n# Optional: AWS Bedrock provider (enterprise-grade models)\nBEDROCK_REGION=us-east-1\n# Choose one authentication method:\nBEDROCK_DEFAULT_AUTH=true                        # Option 1: Use AWS SDK default credential chain (recommended for EC2\u002FECS)\n# BEDROCK_BEARER_TOKEN=your_bearer_token         # Option 2: Bearer token authentication\n# BEDROCK_ACCESS_KEY_ID=your_aws_access_key      # Option 3: Static credentials\n# BEDROCK_SECRET_ACCESS_KEY=your_aws_secret_key\n\n# Optional: Ollama provider (local or cloud)\n# OLLAMA_SERVER_URL=http:\u002F\u002Follama-server:11434   # Local server\n# OLLAMA_SERVER_URL=https:\u002F\u002Follama.com           # Cloud service\n# OLLAMA_SERVER_API_KEY=your_ollama_cloud_key    # Required for cloud, empty for local\n\n# Optional: Chinese AI providers\n# DEEPSEEK_API_KEY=your_deepseek_key             # DeepSeek (strong reasoning)\n# GLM_API_KEY=your_glm_key                       # GLM (Zhipu AI)\n# KIMI_API_KEY=your_kimi_key                     # Kimi (Moonshot AI, ultra-long context)\n# QWEN_API_KEY=your_qwen_key                     # Qwen (Alibaba Cloud, multimodal)\n\n# Optional: Local LLM provider (zero-cost inference)\nOLLAMA_SERVER_URL=http:\u002F\u002Flocalhost:11434\nOLLAMA_SERVER_MODEL=your_model_name\n\n# Optional: Additional search capabilities\nDUCKDUCKGO_ENABLED=true\nDUCKDUCKGO_REGION=us-en\nDUCKDUCKGO_SAFESEARCH=\nDUCKDUCKGO_TIME_RANGE=\nSPLOITUS_ENABLED=true\nGOOGLE_API_KEY=your_google_key\nGOOGLE_CX_KEY=your_google_cx\nTAVILY_API_KEY=your_tavily_key\nTRAVERSAAL_API_KEY=your_traversaal_key\nPERPLEXITY_API_KEY=your_perplexity_key\nPERPLEXITY_MODEL=sonar-pro\nPERPLEXITY_CONTEXT_SIZE=medium\n\n# Searxng meta search engine (aggregates results from multiple 
sources)\nSEARXNG_URL=http:\u002F\u002Fyour-searxng-instance:8080\nSEARXNG_CATEGORIES=general\nSEARXNG_LANGUAGE=\nSEARXNG_SAFESEARCH=0\nSEARXNG_TIME_RANGE=\nSEARXNG_TIMEOUT=\n\n## Graphiti knowledge graph settings\nGRAPHITI_ENABLED=true\nGRAPHITI_TIMEOUT=30\nGRAPHITI_URL=http:\u002F\u002Fgraphiti:8000\nGRAPHITI_MODEL_NAME=gpt-5-mini\n\n# Neo4j settings (used by Graphiti stack)\nNEO4J_USER=neo4j\nNEO4J_DATABASE=neo4j\nNEO4J_PASSWORD=devpassword\nNEO4J_URI=bolt:\u002F\u002Fneo4j:7687\n\n# Assistant configuration\nASSISTANT_USE_AGENTS=false         # Default value for agent usage when creating new assistants\n```\n\n5. Change all security-related environment variables in the `.env` file to improve security.\n\n\u003Cdetails>\n    \u003Csummary>Security-related environment variables\u003C\u002Fsummary>\n\n### Main Security Settings\n- `COOKIE_SIGNING_SALT` - Salt for cookie signing, change to a random value\n- `PUBLIC_URL` - Public URL of your server (e.g. `https:\u002F\u002Fpentagi.example.com`)\n- `SERVER_SSL_CRT` and `SERVER_SSL_KEY` - Custom paths to your existing SSL certificate and key for HTTPS (these paths should be used in the docker-compose.yml file to mount as volumes)\n\n### Scraper Access\n- `SCRAPER_PUBLIC_URL` - Public URL for the scraper if you want to use a different scraper server for public URLs\n- `SCRAPER_PRIVATE_URL` - Private URL for the scraper (the local scraper server in the docker-compose.yml file, used to access local URLs)\n\n### Access Credentials\n- `PENTAGI_POSTGRES_USER` and `PENTAGI_POSTGRES_PASSWORD` - PostgreSQL credentials\n- `NEO4J_USER` and `NEO4J_PASSWORD` - Neo4j credentials (for Graphiti knowledge graph)\n\n\u003C\u002Fdetails>\n\n6. Remove all inline comments from the `.env` file if you want to use it in VSCode or other IDEs as an envFile option:\n\n```bash\nperl -i -pe 's\u002F\\s+#.*$\u002F\u002F' .env\n```\n\n7. 
Run the PentAGI stack:\n\n```bash\ncurl -O https:\u002F\u002Fraw.githubusercontent.com\u002Fvxcontrol\u002Fpentagi\u002Fmaster\u002Fdocker-compose.yml\ndocker compose up -d\n```\n\nVisit [localhost:8443](https:\u002F\u002Flocalhost:8443) to access the PentAGI Web UI (default credentials are `admin@pentagi.com` \u002F `admin`).\n\n> [!NOTE]\n> If you get an error about `pentagi-network`, `observability-network`, or `langfuse-network`, you need to run `docker-compose.yml` first to create these networks, and after that run `docker-compose-langfuse.yml`, `docker-compose-graphiti.yml`, and `docker-compose-observability.yml` to use the Langfuse, Graphiti, and Observability services.\n>\n> You have to set at least one Language Model provider (OpenAI, Anthropic, Gemini, AWS Bedrock, or Ollama) to use PentAGI. AWS Bedrock provides enterprise-grade access to multiple foundation models from leading AI companies, while Ollama provides zero-cost local inference if you have sufficient computational resources. Additional API keys for search engines are optional but recommended for better results.\n>\n> **For fully local deployment with advanced models**: See our comprehensive guide on [Running PentAGI with vLLM and Qwen3.5-27B-FP8](examples\u002Fguides\u002Fvllm-qwen35-27b-fp8.md) for a production-grade local LLM setup. This configuration achieves ~13,000 TPS for prompt processing and ~650 TPS for completion on 4× RTX 5090 GPUs, supporting 12+ concurrent flows with complete independence from cloud providers.\n>\n> The `LLM_SERVER_*` environment variables are an experimental feature and will change in the future. Right now you can use them to specify a custom LLM server URL and one model for all agent types.\n>\n> `PROXY_URL` is a global proxy URL for all LLM providers and external search systems. You can use it for isolation from external networks.\n>\n> The `docker-compose.yml` file runs the PentAGI service as the root user because it needs access to docker.sock for container management. 
If you're using TCP\u002FIP network connection to Docker instead of socket file, you can remove root privileges and use the default `pentagi` user for better security.\n\n### Accessing PentAGI from External Networks\n\nBy default, PentAGI binds to `127.0.0.1` (localhost only) for security. To access PentAGI from other machines on your network, you need to configure external access.\n\n#### Configuration Steps\n\n1. **Update `.env` file** with your server's IP address:\n\n```bash\n# Network binding - allow external connections\nPENTAGI_LISTEN_IP=0.0.0.0\nPENTAGI_LISTEN_PORT=8443\n\n# Public URL - use your actual server IP or hostname\n# Replace 192.168.1.100 with your server's IP address\nPUBLIC_URL=https:\u002F\u002F192.168.1.100:8443\n\n# CORS origins - list all URLs that will access PentAGI\n# Include localhost for local access AND your server IP for external access\nCORS_ORIGINS=https:\u002F\u002Flocalhost:8443,https:\u002F\u002F192.168.1.100:8443\n```\n\n> [!IMPORTANT]\n> - Replace `192.168.1.100` with your actual server's IP address\n> - Do NOT use `0.0.0.0` in `PUBLIC_URL` or `CORS_ORIGINS` - use the actual IP address\n> - Include both localhost and your server IP in `CORS_ORIGINS` for flexibility\n\n2. **Recreate containers** to apply the changes:\n\n```bash\ndocker compose down\ndocker compose up -d --force-recreate\n```\n\n3. **Verify port binding:**\n\n```bash\ndocker ps | grep pentagi\n```\n\nYou should see `0.0.0.0:8443->8443\u002Ftcp` or `:::8443->8443\u002Ftcp`.\n\nIf you see `127.0.0.1:8443->8443\u002Ftcp`, the environment variable wasn't picked up. In this case, directly edit `docker-compose.yml` line 31:\n\n```yaml\nports:\n  - \"0.0.0.0:8443:8443\"\n```\n\nThen recreate containers again.\n\n4. 
**Configure firewall** to allow incoming connections on port 8443:\n\n```bash\n# Ubuntu\u002FDebian with UFW\nsudo ufw allow 8443\u002Ftcp\nsudo ufw reload\n\n# CentOS\u002FRHEL with firewalld\nsudo firewall-cmd --permanent --add-port=8443\u002Ftcp\nsudo firewall-cmd --reload\n```\n\n5. **Access PentAGI:**\n\n- **Local access:** `https:\u002F\u002Flocalhost:8443`\n- **Network access:** `https:\u002F\u002Fyour-server-ip:8443`\n\n> [!NOTE]\n> You'll need to accept the self-signed SSL certificate warning in your browser when accessing via IP address.\n\n---\n\n### Running PentAGI with Podman\n\nPentAGI fully supports Podman as a Docker alternative. However, when using **Podman in rootless mode**, the scraper service requires special configuration because rootless containers cannot bind privileged ports (ports below 1024).\n\n#### Podman Rootless Configuration\n\nThe default scraper configuration uses port 443 (HTTPS), which is a privileged port. For Podman rootless, reconfigure the scraper to use a non-privileged port:\n\n**1. Edit `docker-compose.yml`** - modify the `scraper` service (around line 199):\n\n```yaml\nscraper:\n  image: vxcontrol\u002Fscraper:latest\n  restart: unless-stopped\n  container_name: scraper\n  hostname: scraper\n  expose:\n    - 3000\u002Ftcp  # Changed from 443 to 3000\n  ports:\n    - \"${SCRAPER_LISTEN_IP:-127.0.0.1}:${SCRAPER_LISTEN_PORT:-9443}:3000\"  # Map to port 3000\n  environment:\n    - MAX_CONCURRENT_SESSIONS=${LOCAL_SCRAPER_MAX_CONCURRENT_SESSIONS:-10}\n    - USERNAME=${LOCAL_SCRAPER_USERNAME:-someuser}\n    - PASSWORD=${LOCAL_SCRAPER_PASSWORD:-somepass}\n  logging:\n    options:\n      max-size: 50m\n      max-file: \"7\"\n  volumes:\n    - scraper-ssl:\u002Fusr\u002Fsrc\u002Fapp\u002Fssl\n  networks:\n    - pentagi-network\n  shm_size: 2g\n```\n\n**2. 
Update `.env` file** - change the scraper URL to use HTTP and port 3000:\n\n```bash\n# Scraper configuration for Podman rootless\nSCRAPER_PRIVATE_URL=http:\u002F\u002Fsomeuser:somepass@scraper:3000\u002F\nLOCAL_SCRAPER_USERNAME=someuser\nLOCAL_SCRAPER_PASSWORD=somepass\n```\n\n> [!IMPORTANT]\n> Key changes for Podman:\n> - Use **HTTP** instead of HTTPS for `SCRAPER_PRIVATE_URL`\n> - Use port **3000** instead of 443\n> - Change internal `expose` to `3000\u002Ftcp`\n> - Update port mapping to target `3000` instead of `443`\n\n**3. Recreate containers:**\n\n```bash\npodman-compose down\npodman-compose up -d --force-recreate\n```\n\n**4. Test scraper connectivity:**\n\n```bash\n# Test from within the pentagi container\npodman exec -it pentagi wget -O- \"http:\u002F\u002Fsomeuser:somepass@scraper:3000\u002Fhtml?url=http:\u002F\u002Fexample.com\"\n```\n\nIf you see HTML output, the scraper is working correctly.\n\n#### Podman Rootful Mode\n\nIf you're running Podman in rootful mode (with sudo), you can use the default configuration without modifications. The scraper will work on port 443 as intended.\n\n#### Docker Compatibility\n\nAll Podman configurations remain fully compatible with Docker. 
The non-privileged port approach works identically on both container runtimes.\n\n### Assistant Configuration\n\nPentAGI allows you to configure default behavior for assistants:\n\n| Variable               | Default | Description                                                             |\n| ---------------------- | ------- | ----------------------------------------------------------------------- |\n| `ASSISTANT_USE_AGENTS` | `false` | Controls the default value for agent usage when creating new assistants |\n\nThe `ASSISTANT_USE_AGENTS` setting affects the initial state of the \"Use Agents\" toggle when creating a new assistant in the UI:\n- `false` (default): New assistants are created with agent delegation disabled by default\n- `true`: New assistants are created with agent delegation enabled by default\n\nNote that users can always override this setting by toggling the \"Use Agents\" button in the UI when creating or editing an assistant. This environment variable only controls the initial default state.\n\n## API Access\n\nPentAGI provides comprehensive programmatic access through both REST and GraphQL APIs, allowing you to integrate penetration testing workflows into your automation pipelines, CI\u002FCD processes, and custom applications.\n\n### Generating API Tokens\n\nAPI tokens are managed through the PentAGI web interface:\n\n1. Navigate to **Settings** → **API Tokens** in the web UI\n2. Click **Create Token** to generate a new API token\n3. Configure token properties:\n   - **Name** (optional): A descriptive name for the token\n   - **Expiration Date**: When the token will expire (minimum 1 minute, maximum 3 years)\n4. Click **Create** and **copy the token immediately** - it will only be shown once for security reasons\n5. 
Use the token as a Bearer token in your API requests\n\nEach token is associated with your user account and inherits your role's permissions.\n\n### Using API Tokens\n\nInclude the API token in the `Authorization` header of your HTTP requests:\n\n```bash\n# GraphQL API example\ncurl -X POST https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fgraphql \\\n  -H \"Authorization: Bearer YOUR_API_TOKEN\" \\\n  -H \"Content-Type: application\u002Fjson\" \\\n  -d '{\"query\": \"{ flows { id title status } }\"}'\n\n# REST API example\ncurl https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fflows \\\n  -H \"Authorization: Bearer YOUR_API_TOKEN\"\n```\n\n### API Exploration and Testing\n\nPentAGI provides interactive documentation for exploring and testing API endpoints:\n\n#### GraphQL Playground\n\nAccess the GraphQL Playground at `https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fgraphql\u002Fplayground`\n\n1. Click the **HTTP Headers** tab at the bottom\n2. Add your authorization header:\n   ```json\n   {\n     \"Authorization\": \"Bearer YOUR_API_TOKEN\"\n   }\n   ```\n3. Explore the schema, run queries, and test mutations interactively\n\n#### Swagger UI\n\nAccess the REST API documentation at `https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fswagger\u002Findex.html`\n\n1. Click the **Authorize** button\n2. Enter your token in the format: `Bearer YOUR_API_TOKEN`\n3. Click **Authorize** to apply\n4. 
Test endpoints directly from the Swagger UI\n\n### Generating API Clients\n\nYou can generate type-safe API clients for your preferred programming language using the schema files included with PentAGI:\n\n#### GraphQL Clients\n\nThe GraphQL schema is available at:\n- **Web UI**: Navigate to Settings to download `schema.graphqls`\n- **Direct file**: `backend\u002Fpkg\u002Fgraph\u002Fschema.graphqls` in the repository\n\nGenerate clients using tools like:\n- **GraphQL Code Generator** (JavaScript\u002FTypeScript): [https:\u002F\u002Fthe-guild.dev\u002Fgraphql\u002Fcodegen](https:\u002F\u002Fthe-guild.dev\u002Fgraphql\u002Fcodegen)\n- **genqlient** (Go): [https:\u002F\u002Fgithub.com\u002FKhan\u002Fgenqlient](https:\u002F\u002Fgithub.com\u002FKhan\u002Fgenqlient)\n- **Apollo iOS** (Swift): [https:\u002F\u002Fwww.apollographql.com\u002Fdocs\u002Fios](https:\u002F\u002Fwww.apollographql.com\u002Fdocs\u002Fios)\n\n#### REST API Clients\n\nThe OpenAPI specification is available at:\n- **Swagger JSON**: `https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fswagger\u002Fdoc.json`\n- **Swagger YAML**: Available in `backend\u002Fpkg\u002Fserver\u002Fdocs\u002Fswagger.yaml`\n\nGenerate clients using:\n- **OpenAPI Generator**: [https:\u002F\u002Fopenapi-generator.tech](https:\u002F\u002Fopenapi-generator.tech)\n  ```bash\n  openapi-generator-cli generate \\\n    -i https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fswagger\u002Fdoc.json \\\n    -g python \\\n    -o .\u002Fpentagi-client\n  ```\n\n- **Swagger Codegen**: [https:\u002F\u002Fgithub.com\u002Fswagger-api\u002Fswagger-codegen](https:\u002F\u002Fgithub.com\u002Fswagger-api\u002Fswagger-codegen)\n  ```bash\n  swagger-codegen generate \\\n    -i https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fswagger\u002Fdoc.json \\\n    -l typescript-axios \\\n    -o .\u002Fpentagi-client\n  ```\n\n- **swagger-typescript-api** (TypeScript): 
[https:\u002F\u002Fgithub.com\u002Facacode\u002Fswagger-typescript-api](https:\u002F\u002Fgithub.com\u002Facacode\u002Fswagger-typescript-api)\n  ```bash\n  npx swagger-typescript-api \\\n    -p https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fswagger\u002Fdoc.json \\\n    -o .\u002Fsrc\u002Fapi \\\n    -n pentagi-api.ts\n  ```\n\n### API Usage Examples\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Creating a New Flow (GraphQL)\u003C\u002Fb>\u003C\u002Fsummary>\n\n```graphql\nmutation CreateFlow {\n  createFlow(\n    modelProvider: \"openai\"\n    input: \"Test the security of https:\u002F\u002Fexample.com\"\n  ) {\n    id\n    title\n    status\n    createdAt\n  }\n}\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Listing Flows (REST API)\u003C\u002Fb>\u003C\u002Fsummary>\n\n```bash\ncurl https:\u002F\u002Fyour-pentagi-instance:8443\u002Fapi\u002Fv1\u002Fflows \\\n  -H \"Authorization: Bearer YOUR_API_TOKEN\" \\\n  | jq '.flows[] | {id, title, status}'\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Python Client Example\u003C\u002Fb>\u003C\u002Fsummary>\n\n```python\nimport requests\n\nclass PentAGIClient:\n    def __init__(self, base_url, api_token):\n        self.base_url = base_url\n        self.headers = {\n            \"Authorization\": f\"Bearer {api_token}\",\n            \"Content-Type\": \"application\u002Fjson\"\n        }\n    \n    def create_flow(self, provider, target):\n        query = \"\"\"\n        mutation CreateFlow($provider: String!, $input: String!) 
{\n          createFlow(modelProvider: $provider, input: $input) {\n            id\n            title\n            status\n          }\n        }\n        \"\"\"\n        response = requests.post(\n            f\"{self.base_url}\u002Fapi\u002Fv1\u002Fgraphql\",\n            json={\n                \"query\": query,\n                \"variables\": {\n                    \"provider\": provider,\n                    \"input\": target\n                }\n            },\n            headers=self.headers\n        )\n        return response.json()\n    \n    def get_flows(self):\n        response = requests.get(\n            f\"{self.base_url}\u002Fapi\u002Fv1\u002Fflows\",\n            headers=self.headers\n        )\n        return response.json()\n\n# Usage\nclient = PentAGIClient(\n    \"https:\u002F\u002Fyour-pentagi-instance:8443\",\n    \"your_api_token_here\"\n)\n\n# Create a new flow\nflow = client.create_flow(\"openai\", \"Scan https:\u002F\u002Fexample.com for vulnerabilities\")\nprint(f\"Created flow: {flow}\")\n\n# List all flows\nflows = client.get_flows()\nprint(f\"Total flows: {len(flows['flows'])}\")\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>TypeScript Client Example\u003C\u002Fb>\u003C\u002Fsummary>\n\n```typescript\nimport axios, { AxiosInstance } from 'axios';\n\ninterface Flow {\n  id: string;\n  title: string;\n  status: string;\n  createdAt: string;\n}\n\nclass PentAGIClient {\n  private client: AxiosInstance;\n\n  constructor(baseURL: string, apiToken: string) {\n    this.client = axios.create({\n      baseURL: `${baseURL}\u002Fapi\u002Fv1`,\n      headers: {\n        'Authorization': `Bearer ${apiToken}`,\n        'Content-Type': 'application\u002Fjson',\n      },\n    });\n  }\n\n  async createFlow(provider: string, input: string): Promise\u003CFlow> {\n    const query = `\n      mutation CreateFlow($provider: String!, $input: String!) 
{\n        createFlow(modelProvider: $provider, input: $input) {\n          id\n          title\n          status\n          createdAt\n        }\n      }\n    `;\n\n    const response = await this.client.post('\u002Fgraphql', {\n      query,\n      variables: { provider, input },\n    });\n\n    return response.data.data.createFlow;\n  }\n\n  async getFlows(): Promise\u003CFlow[]> {\n    const response = await this.client.get('\u002Fflows');\n    return response.data.flows;\n  }\n\n  async getFlow(flowId: string): Promise\u003CFlow> {\n    const response = await this.client.get(`\u002Fflows\u002F${flowId}`);\n    return response.data;\n  }\n}\n\n\u002F\u002F Usage\nconst client = new PentAGIClient(\n  'https:\u002F\u002Fyour-pentagi-instance:8443',\n  'your_api_token_here'\n);\n\n\u002F\u002F Create a new flow\nconst flow = await client.createFlow(\n  'openai',\n  'Perform penetration test on https:\u002F\u002Fexample.com'\n);\nconsole.log('Created flow:', flow);\n\n\u002F\u002F List all flows\nconst flows = await client.getFlows();\nconsole.log(`Total flows: ${flows.length}`);\n```\n\n\u003C\u002Fdetails>\n\n### Security Best Practices\n\nWhen working with API tokens:\n\n- **Never commit tokens to version control** - use environment variables or secrets management\n- **Rotate tokens regularly** - set appropriate expiration dates and create new tokens periodically\n- **Use separate tokens for different applications** - makes it easier to revoke access if needed\n- **Monitor token usage** - review API token activity in the Settings page\n- **Revoke unused tokens** - disable or delete tokens that are no longer needed\n- **Use HTTPS only** - never send API tokens over unencrypted connections\n\n### Token Management\n\n- **View tokens**: See all your active tokens in Settings → API Tokens\n- **Edit tokens**: Update token names or revoke tokens\n- **Delete tokens**: Permanently remove tokens (this action cannot be undone)\n- **Token ID**: Each token has a unique ID 
that can be copied for reference\n\nThe token list shows:\n- Token name (if provided)\n- Token ID (unique identifier)\n- Status (active\u002Frevoked\u002Fexpired)\n- Creation date\n- Expiration date\n\n### Custom LLM Provider Configuration\n\nWhen using custom LLM providers with the `LLM_SERVER_*` variables, you can fine-tune the reasoning format used in requests.\n\n> [!TIP]\n> For production-grade local deployments, consider using **vLLM** with **Qwen3.5-27B-FP8** for optimal performance. See our [comprehensive deployment guide](examples\u002Fguides\u002Fvllm-qwen35-27b-fp8.md) which includes hardware requirements, configuration templates ([thinking mode](examples\u002Fconfigs\u002Fvllm-qwen3.5-27b-fp8.provider.yml) and [non-thinking mode](examples\u002Fconfigs\u002Fvllm-qwen3.5-27b-fp8-no-think.provider.yml)), and performance benchmarks showing 13K TPS prompt processing on 4× RTX 5090 GPUs.\n\n| Variable                        | Default | Description                                                                             |\n| ------------------------------- | ------- | --------------------------------------------------------------------------------------- |\n| `LLM_SERVER_URL`                |         | Base URL for the custom LLM API endpoint                                                |\n| `LLM_SERVER_KEY`                |         | API key for the custom LLM provider                                                     |\n| `LLM_SERVER_MODEL`              |         | Default model to use (can be overridden in provider config)                             |\n| `LLM_SERVER_CONFIG_PATH`        |         | Path to the YAML configuration file for agent-specific models                           |\n| `LLM_SERVER_PROVIDER`           |         | Provider name prefix for model names (e.g., `openrouter`, `deepseek` for LiteLLM proxy) |\n| `LLM_SERVER_LEGACY_REASONING`   | `false` | Controls reasoning format in API requests                                            
   |\n| `LLM_SERVER_PRESERVE_REASONING` | `false` | Preserve reasoning content in multi-turn conversations (required by some providers)     |\n\nThe `LLM_SERVER_PROVIDER` setting is particularly useful when using **LiteLLM proxy**, which adds a provider prefix to model names. For example, when connecting to Moonshot API through LiteLLM, models like `kimi-2.5` become `moonshot\u002Fkimi-2.5`. By setting `LLM_SERVER_PROVIDER=moonshot`, you can use the same provider configuration file for both direct API access and LiteLLM proxy access without modifications.\n\nThe `LLM_SERVER_LEGACY_REASONING` setting affects how reasoning parameters are sent to the LLM:\n- `false` (default): Uses modern format where reasoning is sent as a structured object with `max_tokens` parameter\n- `true`: Uses legacy format with string-based `reasoning_effort` parameter\n\nThis setting is important when working with different LLM providers as they may expect different reasoning formats in their API requests. If you encounter reasoning-related errors with custom providers, try changing this setting.\n\nThe `LLM_SERVER_PRESERVE_REASONING` setting controls whether reasoning content is preserved in multi-turn conversations:\n- `false` (default): Reasoning content is not preserved in conversation history\n- `true`: Reasoning content is preserved and sent in subsequent API calls\n\nThis setting is required by some LLM providers (e.g., Moonshot) that return errors like \"thinking is enabled but reasoning_content is missing in assistant tool call message\" when reasoning content is not included in multi-turn conversations. 
Enable this setting if your provider requires reasoning content to be preserved.\n\n### Ollama Provider Configuration\n\nPentAGI supports Ollama for both local LLM inference (zero-cost, enhanced privacy) and Ollama Cloud (managed service with free tier).\n\n#### Configuration Variables\n\n| Variable                            | Default     | Description                               |\n| ----------------------------------- | ----------- | ----------------------------------------- |\n| `OLLAMA_SERVER_URL`                 |             | URL of your Ollama server or Ollama Cloud |\n| `OLLAMA_SERVER_API_KEY`             |             | API key for Ollama Cloud authentication   |\n| `OLLAMA_SERVER_MODEL`               |             | Default model for inference               |\n| `OLLAMA_SERVER_CONFIG_PATH`         |             | Path to custom agent configuration file   |\n| `OLLAMA_SERVER_PULL_MODELS_TIMEOUT` | `600`       | Timeout for model downloads (seconds)     |\n| `OLLAMA_SERVER_PULL_MODELS_ENABLED` | `false`     | Auto-download models on startup           |\n| `OLLAMA_SERVER_LOAD_MODELS_ENABLED` | `false`     | Query server for available models         |\n\n#### Ollama Cloud Configuration\n\nOllama Cloud provides managed inference with a generous free tier and scalable paid plans.\n\n**Free Tier Setup (Single Model)**\n\n```bash\n# Free tier allows one model at a time\nOLLAMA_SERVER_URL=https:\u002F\u002Follama.com\nOLLAMA_SERVER_API_KEY=your_ollama_cloud_api_key\nOLLAMA_SERVER_MODEL=gpt-oss:120b  # Example: OpenAI OSS 120B model\n```\n\n**Paid Tier Setup (Multi-Model with Pre-built Configuration)**\n\nFor paid tiers supporting multiple concurrent models, use the pre-built Ollama Cloud configuration:\n\n```bash\n# Using pre-built Ollama Cloud configuration (included in Docker 
image)\nOLLAMA_SERVER_URL=https:\u002F\u002Follama.com\nOLLAMA_SERVER_API_KEY=your_ollama_cloud_api_key\nOLLAMA_SERVER_CONFIG_PATH=\u002Fopt\u002Fpentagi\u002Fconf\u002Follama-cloud.provider.yml\n```\n\nThe pre-built `ollama-cloud.provider.yml` configuration includes optimized model assignments for all agent types:\n- **Simple\u002FAssistant**: `nemotron-3-super:cloud` - Fast general-purpose model\n- **Primary Agent**: `qwen3-coder-next:cloud` - Advanced reasoning with high effort mode\n- **Coder\u002FPentester**: `qwen3-coder-next:cloud` - Specialized coding models\n- **Searcher**: `qwen3.5:397b-cloud` - Large context for information gathering\n- **Refiner\u002FRefactor**: `glm-5:cloud` - High-quality text refinement\n- **Adviser\u002FEnricher**: `minimax-m2.7:cloud` - Efficient advisory tasks\n- **Installer**: `devstral-2:123b-cloud` - Installation and setup tasks\n\n**Custom Configuration (Advanced)**\n\nTo create your own agent configuration, mount a custom file from your host filesystem:\n\n```bash\n# Using custom provider configuration\nOLLAMA_SERVER_URL=https:\u002F\u002Follama.com\nOLLAMA_SERVER_API_KEY=your_ollama_cloud_api_key\nOLLAMA_SERVER_CONFIG_PATH=\u002Fopt\u002Fpentagi\u002Fconf\u002Follama.provider.yml\n\n# Mount custom configuration from host filesystem (in .env or docker-compose override)\nPENTAGI_OLLAMA_SERVER_CONFIG_PATH=\u002Fpath\u002Fon\u002Fhost\u002Fmy-ollama-config.yml\n```\n\nThe `PENTAGI_OLLAMA_SERVER_CONFIG_PATH` environment variable maps your host configuration file to `\u002Fopt\u002Fpentagi\u002Fconf\u002Follama.provider.yml` inside the container.\n\n**Example custom configuration** (`my-ollama-config.yml`):\n\n```yaml\nprimary_agent:\n  model: \"qwen3-coder-next:cloud\"\n  temperature: 1.0\n  top_p: 0.9\n  max_tokens: 32768\n  reasoning:\n    effort: high\n\ncoder:\n  model: \"qwen3-coder:32b\"\n  temperature: 1.0\n  max_tokens: 20480\n```\n\n#### Local Ollama Configuration\n\nFor self-hosted Ollama instances:\n\n```bash\n# Basic 
local Ollama setup\nOLLAMA_SERVER_URL=http:\u002F\u002Flocalhost:11434\nOLLAMA_SERVER_MODEL=llama3.1:8b-instruct-q8_0\n\n# Production setup with auto-pull and model discovery\nOLLAMA_SERVER_URL=http:\u002F\u002Follama-server:11434\nOLLAMA_SERVER_PULL_MODELS_ENABLED=true\nOLLAMA_SERVER_PULL_MODELS_TIMEOUT=900\nOLLAMA_SERVER_LOAD_MODELS_ENABLED=true\n\n# Using pre-built configurations from Docker image\nOLLAMA_SERVER_CONFIG_PATH=\u002Fopt\u002Fpentagi\u002Fconf\u002Follama-llama318b.provider.yml\n# or\nOLLAMA_SERVER_CONFIG_PATH=\u002Fopt\u002Fpentagi\u002Fconf\u002Follama-qwen332b-fp16-tc.provider.yml\n# or\nOLLAMA_SERVER_CONFIG_PATH=\u002Fopt\u002Fpentagi\u002Fconf\u002Follama-qwq32b-fp16-tc.provider.yml\n```\n\n**Performance Considerations:**\n\n- **Model Discovery** (`OLLAMA_SERVER_LOAD_MODELS_ENABLED=true`): Adds 1-2s startup latency querying Ollama API\n- **Auto-pull** (`OLLAMA_SERVER_PULL_MODELS_ENABLED=true`): First startup may take several minutes downloading models\n- **Pull timeout** (`OLLAMA_SERVER_PULL_MODELS_TIMEOUT=900`): 15 minutes in seconds\n- **Static Config**: Disable both flags and specify models in config file for fastest startup\n\n#### Creating Custom Ollama Models with Extended Context\n\nPentAGI requires models with larger context windows than the default Ollama configurations. You need to create custom models with increased `num_ctx` parameter through Modelfiles. 
While typical agent workflows consume around 64K tokens, PentAGI uses 110K context size for safety margin and handling complex penetration testing scenarios.\n\n**Important**: The `num_ctx` parameter can only be set during model creation via Modelfile - it cannot be changed after model creation or overridden at runtime.\n\n##### Example: Qwen3 32B FP16 with Extended Context\n\nCreate a Modelfile named `Modelfile_qwen3_32b_fp16_tc`:\n\n```dockerfile\nFROM qwen3:32b-fp16\nPARAMETER num_ctx 110000\nPARAMETER temperature 0.3\nPARAMETER top_p 0.8\nPARAMETER min_p 0.0\nPARAMETER top_k 20\nPARAMETER repeat_penalty 1.1\n```\n\nBuild the custom model:\n\n```bash\nollama create qwen3:32b-fp16-tc -f Modelfile_qwen3_32b_fp16_tc\n```\n\n##### Example: QwQ 32B FP16 with Extended Context\n\nCreate a Modelfile named `Modelfile_qwq_32b_fp16_tc`:\n\n```dockerfile\nFROM qwq:32b-fp16\nPARAMETER num_ctx 110000\nPARAMETER temperature 0.2\nPARAMETER top_p 0.7\nPARAMETER min_p 0.0\nPARAMETER top_k 40\nPARAMETER repeat_penalty 1.2\n```\n\nBuild the custom model:\n\n```bash\nollama create qwq:32b-fp16-tc -f Modelfile_qwq_32b_fp16_tc\n```\n\n> **Note**: The QwQ 32B FP16 model requires approximately **71.3 GB VRAM** for inference. 
Ensure your system has sufficient GPU memory before attempting to use this model.\n\nThese custom models are referenced in the pre-built provider configuration files (`ollama-qwen332b-fp16-tc.provider.yml` and `ollama-qwq32b-fp16-tc.provider.yml`) that are included in the Docker image at `\u002Fopt\u002Fpentagi\u002Fconf\u002F`.\n\n### OpenAI Provider Configuration\n\nPentAGI integrates with OpenAI's comprehensive model lineup, featuring advanced reasoning capabilities with extended chain-of-thought, agentic models with enhanced tool integration, and specialized code models for security engineering.\n\n#### Configuration Variables\n\n| Variable             | Default                     | Description                 |\n| -------------------- | --------------------------- | --------------------------- |\n| `OPEN_AI_KEY`        |                             | API key for OpenAI services |\n| `OPEN_AI_SERVER_URL` | `https:\u002F\u002Fapi.openai.com\u002Fv1` | OpenAI API endpoint         |\n\n#### Configuration Examples\n\n```bash\n# Basic OpenAI setup\nOPEN_AI_KEY=your_openai_api_key\nOPEN_AI_SERVER_URL=https:\u002F\u002Fapi.openai.com\u002Fv1\n\n# Using with proxy for enhanced security\nOPEN_AI_KEY=your_openai_api_key\nPROXY_URL=http:\u002F\u002Fyour-proxy:8080\n```\n\n#### Supported Models\n\nPentAGI supports 31 OpenAI models with tool calling, streaming, reasoning modes, and prompt caching. 
Models marked with `*` are used in default configuration.\n\n**GPT-5.2 Series - Latest Flagship Agentic (December 2025)**\n\n| Model ID              | Thinking | Price (Input\u002FOutput\u002FCache) | Use Case                                        |\n| --------------------- | -------- | -------------------------- | ----------------------------------------------- |\n| `gpt-5.2`*            | ✅        | $1.75\u002F$14.00\u002F$0.18         | Latest flagship with enhanced reasoning and tool integration, autonomous security research |\n| `gpt-5.2-pro`         | ✅        | $21.00\u002F$168.00\u002F$0.00       | Premium version with superior agentic coding, mission-critical security research, zero-day discovery |\n| `gpt-5.2-codex`       | ✅        | $1.75\u002F$14.00\u002F$0.18         | Most advanced code-specialized, context compaction, strong cybersecurity capabilities |\n\n**GPT-5\u002F5.1 Series - Advanced Agentic Models**\n\n| Model ID              | Thinking | Price (Input\u002FOutput\u002FCache) | Use Case                                        |\n| --------------------- | -------- | -------------------------- | ----------------------------------------------- |\n| `gpt-5`               | ✅        | $1.25\u002F$10.00\u002F$0.13         | Premier agentic with advanced reasoning, autonomous security research, exploit chain development |\n| `gpt-5.1`             | ✅        | $1.25\u002F$10.00\u002F$0.13         | Enhanced agentic with adaptive reasoning, balanced penetration testing with strong tool coordination |\n| `gpt-5-pro`           | ✅        | $15.00\u002F$120.00\u002F$0.00       | Premium version with major reasoning improvements, reduced hallucinations, critical security operations |\n| `gpt-5-mini`          | ✅        | $0.25\u002F$2.00\u002F$0.03          | Efficient balancing speed and intelligence, automated vulnerability analysis, exploit generation |\n| `gpt-5-nano`          | ✅        | $0.05\u002F$0.40\u002F$0.01          | Fastest for 
high-throughput scanning, reconnaissance, bulk vulnerability detection |\n\n**GPT-5\u002F5.1 Codex Series - Code-Specialized**\n\n| Model ID              | Thinking | Price (Input\u002FOutput\u002FCache) | Use Case                                        |\n| --------------------- | -------- | -------------------------- | ----------------------------------------------- |\n| `gpt-5.1-codex-max`   | ✅        | $1.25\u002F$10.00\u002F$0.13         | Enhanced reasoning for sophisticated coding, proven CVE findings, systematic exploit development |\n| `gpt-5.1-codex`       | ✅        | $1.25\u002F$10.00\u002F$0.13         | Standard code-optimized with strong reasoning, exploit generation, vulnerability analysis |\n| `gpt-5-codex`         | ✅        | $1.25\u002F$10.00\u002F$0.13         | Foundational code-specialized, vulnerability scanning, basic exploit generation |\n| `gpt-5.1-codex-mini`  | ✅        | $0.25\u002F$2.00\u002F$0.03          | Compact high-performance, 4x higher capacity, rapid vulnerability detection |\n| `codex-mini-latest`   | ✅        | $1.50\u002F$6.00\u002F$0.38          | Latest compact code model, automated code review, basic vulnerability analysis |\n\n**GPT-4.1 Series - Enhanced Intelligence**\n\n| Model ID              | Thinking | Price (Input\u002FOutput\u002FCache) | Use Case                                        |\n| --------------------- | -------- | -------------------------- | ----------------------------------------------- |\n| `gpt-4.1`             | ❌        | $2.00\u002F$8.00\u002F$0.50          | Enhanced flagship with superior function calling, complex threat analysis, sophisticated exploit development |\n| `gpt-4.1-mini`*       | ❌        | $0.40\u002F$1.60\u002F$0.10          | Balanced performance with improved efficiency, routine security assessments, automated code analysis |\n| `gpt-4.1-nano`        | ❌        | $0.10\u002F$0.40\u002F$0.03          | Ultra-fast lightweight, bulk security scanning, rapid reconnaissance, 
continuous monitoring |\n\n**GPT-4o Series - Multimodal Flagship**\n\n| Model ID              | Thinking | Price (Input\u002FOutput\u002FCache) | Use Case                                        |\n| --------------------- | -------- | -------------------------- | ----------------------------------------------- |\n| `gpt-4o`              | ❌        | $2.50\u002F$10.00\u002F$1.25         | Multimodal flagship with vision, image analysis, web UI assessment, multi-tool orchestration |\n| `gpt-4o-mini`         | ❌        | $0.15\u002F$0.60\u002F$0.08          | Compact multimodal with strong function calling, high-frequency scanning, cost-effective bulk operations |\n\n**o-Series - Advanced Reasoning Models**\n\n| Model ID              | Thinking | Price (Input\u002FOutput\u002FCache) | Use Case                                        |\n| --------------------- | -------- | -------------------------- | ----------------------------------------------- |\n| `o4-mini`*            | ✅        | $1.10\u002F$4.40\u002F$0.28          | Next-gen reasoning with e","PentAGI is a fully autonomous AI agent system capable of performing complex penetration testing tasks. The project uses advanced artificial intelligence technology, is implemented in Go, has fully autonomous penetration testing capabilities, and runs all operations safely and in isolation within a sandboxed Docker environment. It supports multiple LLM provider configurations, including Ollama, OpenAI, Anthropic and others, ensuring a high degree of flexibility and extensibility. PentAGI is suited to information security professionals, researchers, and enthusiasts interested in automated security testing, and is especially applicable in scenarios that require efficient and in-depth security assessment.",2,"2026-06-11 03:01:10","top_language"]