The AI agent that finds bugs while you sleep.
Point Kestrel at any web app — with or without credentials — and an autonomous swarm of AI agents will reconnoiter, map, exploit, and validate vulnerabilities end-to-end. No click-throughs. No tuning. Audit-ready report in minutes.
$ kestrel --target acme.io --creds creds.json ─── PHASE 1 — RECONNAISSANCE & FINGERPRINT ─── [SYS] Target resolved: acme.io → 104.21.89.12 [SYS] Stack: nginx · django · postgres [behind cloudflare] [AI] Claude analyzing recon signal… [AI] Claude suggested 18 endpoints, 22 params, 1 GraphQL path ─── PHASE 2 — APPLICATION MAPPING ─── [SYS] Authenticating 2 account(s) (rotating residential proxy pool (26 countries)) [SYS] [userA] OK via direct (ok_delta_47213) [SYS] → 147 endpoints discovered ─── PHASE 3 — VULNERABILITY ANALYSIS ─── [SCAN] Tech-aware path bruteforce… [SCAN] SSRF… [SCAN] Cross-account IDOR… ─── PHASE 4 — EXPLOITATION & VALIDATION ─── [AI] Claude triaging candidate findings… [AI] Triage: kept 4, dropped 11 of 15 [EXPLOIT] PoCs 4 · verified 4 · dropped 0 CRITICAL SSRF via ?image_url= → AWS IMDS HIGH Cross-account IDOR on /api/v1/orders/{id} HIGH JWT HS256 weak key brute-forced MEDIUM Reflective CORS+creds on /api/me AUDIT COMPLETE · 1 Critical · 2 High · 1 Medium · 0 FP
Built like a real red team — only faster.
AI Recon
Claude reads the homepage, JS bundles, and tech profile, then proposes the exact endpoints worth attacking — before the bruteforcer even fires.
Stealth Crawler
Stealth-patched headless Chromium with auto-fallback through Privoxy → Tor when WAFs push back. Mandatory login verification, no silent skips.
Stack-aware Testers
13 testers that adapt: NoSQLi only on Node, FreeMarker SSTI on Spring, /actuator on JVM, /wp-json on WordPress. No payload waste.
AI Triager
Every candidate finding goes through Claude before the report — dedup, severity adjustment, FP drop. What ships is what matters.
Cold-session Validator
Each PoC is replayed in a fresh client. If it doesn't fire from cold, it doesn't ship. Zero-FP guarantee starts here.
Audit-ready Reports
Markdown reports with Summary · Impact · Reproduction · Remediation per finding. Drop straight into HackerOne / Bugcrowd / Intigriti.
From URL to validated finding in 5 phases.
- 1
Reconnaissance & Fingerprint
Resolve, port-fingerprint, detect 15+ stacks. AI proposes endpoints from the homepage signal.
- 2
Application Mapping
Stealth Playwright crawl, capture every XHR/GraphQL/form. Auto-fallback through 100 residential proxies across 26 countries on WAF block.
- 3
Vulnerability Analysis
13 testers fan out in parallel. SSRF, IDOR, SQLi, NoSQLi, SSTI, prototype pollution, XSS, GraphQL, and more.
- 4
Exploitation & Validation
AI triage cuts noise. Every PoC is re-fired from cold to confirm reproducibility.
- 5
Patch Suggestions
Claude polishes findings into a tight report with actionable remediation per finding.
Self-hosted. Pay nothing.
This deployment is for internal testing on authorized targets only.