pentesting 0.7.44 → 0.7.46

package/README.md

@@ -189,48 +189,27 @@ Complete
 
 ---
 
-## 🤖 Agentic System (Dual Architecture)
-
-### YAML-Based Agents (Primary)
-New agents defined in `src/agents/specs/*.yaml` with auto-switching:
-
-| YAML Agent | Phase | Description |
-|------------|-------|-------------|
-| `recon` | RECON, SCAN | Information gathering, port scanning |
-| `web` | ENUM | Web application security, OWASP Top 10 |
-| `exploit` | VULN, EXPLOIT | CVE research, exploit execution |
-| `privesc` | PRIVESC, PIVOT, PERSIST | Privilege escalation techniques |
-| `crypto` | EXFIL | Hash cracking, encryption analysis |
-
-### Built-in Agents (Fallback)
-
-| Agent | Specialty |
-|-------|-----------|
-| `target-explorer` | Network reconnaissance, service enumeration |
-| `exploit-researcher` | CVE research, exploit development |
-| `privesc-master` | Linux/Windows privilege escalation |
-| `web-hacker` | OWASP Top 10, SQLi, XSS, SSRF |
-| `crypto-solver` | Hash cracking, cipher analysis |
-| `forensics-analyst` | Memory forensics, file carving |
-| `reverse-engineer` | Binary analysis, exploit development |
-| `attack-architect` | Attack strategy planning |
-| `finding-reviewer` | Vulnerability validation |
-
-### Agent Orchestration Flow
+## 🤖 AI Agents
 
-```
-User Request → AutonomousHackingAgent
-       ↓
-Phase Change Detected (RECON → SCAN → ENUM → ...)
-       ↓
-autoSwitchAgentForPhase(phaseId)
-       ├── Try YAML Agent First (SpecOrchestrator)
-       └── Fallback to Builtin Agent
-       ↓
-System Prompt = Base + Agent-Specific Instructions
-       ↓
-LLM Call with Specialized Context
-```
+Pentesting automatically switches between specialized AI agents based on the current attack phase:
+
+| Phase | Agent | What it does |
+|-------|-------|--------------|
+| Reconnaissance | **Recon Agent** | Discovers hosts, ports, services, subdomains |
+| Web Scanning | **Web Agent** | Tests for OWASP Top 10, SQLi, XSS, SSRF |
+| Exploitation | **Exploit Agent** | Researches CVEs, selects and runs exploits |
+| Privilege Escalation | **PrivEsc Agent** | Finds SUID, sudo misconfigs, kernel exploits |
+| Data Extraction | **Crypto Agent** | Cracks hashes, analyzes encryption |
+
+### How it works
+
+1. **You set a target** → Agent starts in Recon mode
+2. **Finds web services** → Automatically switches to Web Agent
+3. **Discovers vulnerability** → Switches to Exploit Agent
+4. **Gets shell access** → Switches to PrivEsc Agent
+5. **Finds password hashes** → Crypto Agent takes over
+
+> No manual agent switching needed. The system automatically picks the best agent for each situation.
 
 ---
 
@@ -249,44 +228,15 @@ LLM Call with Specialized Context
 
 > **Note**: `ANTHROPIC_API_KEY` is also accepted as fallback for `PENTEST_API_KEY`.
 
----
-
-## 💻 Programmatic Usage
-
-```typescript
-import { AutonomousHackingAgent, AGENT_EVENT } from 'pentesting';
-
-const agent = new AutonomousHackingAgent(undefined, {
-    autoApprove: false,       // Require approval for dangerous tools
-    maxIterations: 100,       // Max loop iterations
-});
-
-// Multi-target setup
-agent.addTarget('example1.com');
-agent.addTarget('example2.com');
-agent.setTarget('example1.com');
 
-// Listen for events
-agent.on(AGENT_EVENT.FINDING, (finding) => {
-    console.log(`Found: ${finding.title} (${finding.severity})`);
-});
-
-agent.on(AGENT_EVENT.TARGET_SET, (target) => {
-    console.log(`Target set: ${target}`);
-});
+---
 
-agent.on(AGENT_EVENT.TOOL_CALL, ({ name, input }) => {
-    console.log(`Tool: ${name}`);
-});
+## 💻 For Developers
 
-// Start pentesting
-await agent.runAutonomous('Get root access');
-
-// Control execution
-agent.pause();    // Pause (ESC key equivalent)
-agent.resume();   // Resume
-agent.abort();    // Complete stop
-```
+Pentesting can be used as a library in your own projects. See [Architecture Docs](./docs/architecture.md) for:
+- API Reference
+- Event System
+- Custom Agent Integration
 
 ---
 
@@ -332,63 +282,39 @@ docker pull agnusdei1207/pentesting-tools:latest
 
 ## 🔌 MCP Integration
 
-Extend with additional MCP servers:
-
-```typescript
-const agent = new AutonomousHackingAgent();
-
-// Add filesystem access
-await agent.addMCPServer('filesystem', 'npx', [
-    '-y', '@modelcontextprotocol/server-filesystem', '/'
-]);
-
-// Add custom security tools
-await agent.addMCPServer('security-tools', 'docker', [
-    'exec', '-i', 'pentesting-tools', '/bin/bash'
-]);
-```
+Pentesting supports MCP (Model Context Protocol) for extending capabilities with additional tools and servers. See [Architecture Docs](./docs/architecture.md) for integration details.
 
 ---
 
-## 🏗️ Architecture
+## 🏗️ How It Works
 
 ```
-┌─────────────────────────────────────────────────────────────────┐
-│                         TUI (app.tsx)                            │
-│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐ │
-│  │ WireLogger   │ │ContextMgr   │ │ Multi-Target Handler     │ │
-│  │ (Recording)  │ │(Checkpoints)│ │ (add/list/rm/clear/all)  │ │
-│  └──────────────┘ └──────────────┘ └──────────────────────────┘ │
-│  ┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐ │
-│  │ KeyboardLstn │ │ ForceUpdate  │ │ SlashCommandRegistry     │ │
-│  │ (ESC/Ctrl+C) │ │ (UI Refresh) │ │ (Command Handling)       │ │
-│  └──────────────┘ └──────────────┘ └──────────────────────────┘ │
-└────────────────────────────┬────────────────────────────────────┘
-                             │ Events
-┌────────────────────────────▼────────────────────────────────────┐
-│              AutonomousHackingAgent (Core Engine)                │
-│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐             │
-│  │ HookExecutor │ │ MCPManager   │ │ApprovalMgr   │             │
-│  │ (Lifecycle)  │ │ (Extensions) │ │(Tool Safety) │             │
-│  └──────────────┘ └──────────────┘ └──────────────┘             │
-│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐             │
-│  │ TargetMgr    │ │ PauseMgr     │ │ContextMgr    │             │
-│  │ (Multi-Tgt)  │ │ (ESC/Abort)  │ │ (Compaction) │             │
-│  └──────────────┘ └──────────────┘ └──────────────┘             │
-│                                                                  │
-│  ┌────────────────────────────────────────────────────────────┐ │
-│  │            9 Built-in Specialized Agents                   │ │
-│  │  target-explorer • exploit-researcher • privesc-master     │ │
-│  │  web-hacker • crypto-solver • forensics-analyst            │ │
-│  │  reverse-engineer • attack-architect • finding-reviewer    │ │
-│  └────────────────────────────────────────────────────────────┘ │
-└────────────────────────────┬────────────────────────────────────┘
-                             │
-          ┌──────────────────┼──────────────────┐
-     ┌────▼────┐       ┌────▼────┐       ┌────▼────┐
-     │  Tool   │       │  Bash   │       │   MCP   │
-     │Executor │       │Commands │       │ Servers │
-     └─────────┘       └─────────┘       └─────────┘
+┌──────────────────────────────────────────────┐
+│              Your Terminal                    │
+│  ┌────────────────────────────────────────┐  │
+│  │  pentesting CLI (Interactive TUI)      │  │
+│  │  - Target management                   │  │
+│  │  - Session recording                   │  │
+│  │  - Real-time output                   │  │
+│  └────────────────────────────────────────┘  │
+└─────────────────────┬────────────────────────┘
+                      ▼
+┌──────────────────────────────────────────────┐
+│              AI Agent Core                    │
+│  ┌────────────────────────────────────────┐  │
+│  │  5 Specialized Agents (auto-switching) │  │
+│  │  Recon → Web → Exploit → PrivEsc → Crypto│
+│  └────────────────────────────────────────┘  │
+└─────────────────────┬────────────────────────┘
+                      ▼
+┌──────────────────────────────────────────────┐
+│              Tool Execution                   │
+│  ┌──────────┐  ┌──────────┐  ┌──────────┐   │
+│  │  Docker  │  │  Local   │  │   MCP    │   │
+│  │  (50+    │  │  Tools   │  │  Servers │   │
+│  │  tools)  │  │          │  │          │   │
+│  └──────────┘  └──────────┘  └──────────┘   │
+└──────────────────────────────────────────────┘
 ```
 
 ---
@@ -410,7 +336,6 @@ npm run build
 npm run dev
 ```
 
-## 📄 License
 ## Documentation
 
 - [Architecture](./docs/ARCHITECTURE.md) - System design and components
@@ -418,6 +343,6 @@ npm run dev
 
 ---
 
-## �📄 License
+## 📄 License
 
 MIT

package/dist/index.js

@@ -3305,20 +3305,32 @@ function resolveAgentSpec(spec, specPath) {
   return resolved;
 }
 var SpecOrchestrator = class {
-  currentAgent;
+  currentAgent = null;
   agents = /* @__PURE__ */ new Map();
   context = {};
+  initialized = false;
   constructor() {
-    this.currentAgent = loadAgentSpec("default");
-    this.agents.set("default", this.currentAgent);
-    for (const [name] of Object.entries(this.currentAgent.subagents)) {
-      try {
-        const spec = loadAgentSpec(name);
-        this.agents.set(name, spec);
-      } catch {
+    try {
+      this.currentAgent = loadAgentSpec("default");
+      this.agents.set("default", this.currentAgent);
+      this.initialized = true;
+      for (const [name] of Object.entries(this.currentAgent.subagents)) {
+        try {
+          const spec = loadAgentSpec(name);
+          this.agents.set(name, spec);
+        } catch {
+        }
       }
+    } catch {
+      this.initialized = false;
     }
   }
+  /**
+   * Check if orchestrator is ready
+   */
+  isReady() {
+    return this.initialized && this.currentAgent !== null;
+  }
   /**
    * Get current active agent
    */
@@ -3329,7 +3341,7 @@ var SpecOrchestrator = class {
    * Get current agent's system prompt
    */
   getSystemPrompt() {
-    return this.currentAgent.systemPrompt;
+    return this.currentAgent?.systemPrompt || "";
   }
   /**
    * Update context for agent switching decisions
@@ -3359,6 +3371,7 @@ var SpecOrchestrator = class {
    * Evaluate switching rules and auto-switch if needed
    */
   evaluateSwitching() {
+    if (!this.currentAgent) return;
     for (const rule of this.currentAgent.switchingRules) {
       if (this.evaluateCondition(rule.condition)) {
         this.switchTo(rule.agent);
@@ -3417,13 +3430,13 @@ var SpecOrchestrator = class {
    * Get available subagents for current agent
    */
   getSubagents() {
-    return this.currentAgent.subagents;
+    return this.currentAgent?.subagents || {};
   }
   /**
    * Get tools available for current agent
    */
   getTools() {
-    return this.currentAgent.tools;
+    return this.currentAgent?.tools || [];
   }
 };
 var specOrchestrator = new SpecOrchestrator();
@@ -4797,13 +4810,15 @@ ${prompt}`
         this.specOrchestrator.updateContext("phase", phaseId);
         if (this.specOrchestrator.switchTo(yamlAgentName)) {
           this.currentSpec = this.specOrchestrator.getCurrentAgent();
-          this.emit(AGENT_EVENT.AGENT_SWITCH, {
-            name: this.currentSpec.name,
-            description: this.currentSpec.description,
-            type: "yaml-spec"
-          });
-          this.think(THOUGHT_TYPE.OBSERVATION, `Switched to ${this.currentSpec.name} agent (YAML spec) for ${phaseId} phase`);
-          return;
+          if (this.currentSpec) {
+            this.emit(AGENT_EVENT.AGENT_SWITCH, {
+              name: this.currentSpec.name,
+              description: this.currentSpec.description,
+              type: "yaml-spec"
+            });
+            this.think(THOUGHT_TYPE.OBSERVATION, `Switched to ${this.currentSpec.name} agent (YAML spec) for ${phaseId} phase`);
+            return;
+          }
         }
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.7.44",
+  "version": "0.7.46",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/index.js",
@@ -11,6 +11,7 @@
   "files": [
     "dist",
     "skills",
+    "src/agents/specs",
     "README.md"
   ],
   "scripts": {

package/src/agents/specs/crypto.yaml

@@ -0,0 +1,79 @@
+version: 1
+agent:
+  name: crypto
+  description: Cryptography & Password Cracking Expert
+  extends: ./default.yaml
+  
+  system_prompt: |
+    # Cryptography Expert
+    
+    You specialize in cryptographic analysis and password cracking.
+    
+    ## Hash Identification
+    ```bash
+    hashid HASH
+    hash-identifier
+    ```
+    
+    ## Hash Types & Hashcat Modes
+    
+    | Hash Type | Example | Hashcat Mode |
+    |-----------|---------|--------------|
+    | MD5 | 32 hex chars | 0 |
+    | SHA1 | 40 hex chars | 100 |
+    | SHA256 | 64 hex chars | 1400 |
+    | NTLM | 32 hex chars | 1000 |
+    | bcrypt | $2a$... | 3200 |
+    | Kerberos TGS | $krb5tgs$... | 13100 |
+    
+    ## Cracking Strategy
+    
+    ### 1. Try Common Passwords First
+    ```bash
+    # rockyou top 1000
+    hashcat -m MODE hash.txt /usr/share/wordlists/rockyou.txt --force
+    ```
+    
+    ### 2. Apply Rules
+    ```bash
+    hashcat -m MODE hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
+    ```
+    
+    ### 3. Targeted Wordlists
+    - Company name variations
+    - Username + common patterns
+    - Previously leaked passwords
+    
+    ## Encoding Detection
+    - Base64: ends with = or ==
+    - URL encoding: %XX format
+    - Hex: only 0-9, a-f
+    - ROT13: Caesar cipher
+    
+    ## Output Format
+    ```
+    🔐 CRYPTO ANALYSIS
+    ==================
+    Hash: [hash value]
+    Type: [detected type]
+    
+    🔓 Cracking Attempt:
+    - Method: [dictionary/rules/bruteforce]
+    - Wordlist: [wordlist used]
+    - Status: [CRACKED/IN PROGRESS/FAILED]
+    
+    ✅ Result:
+    [plaintext if cracked]
+    
+    💡 Next Steps:
+    - [try different wordlist]
+    - [apply more rules]
+    ```
+  
+  tools:
+    - bash
+    - hashcat
+    - john
+    - hashid
+    - base64
+    - openssl

package/src/agents/specs/default.yaml

@@ -0,0 +1,60 @@
+version: 1
+agent:
+  name: pentesting
+  description: Autonomous AI Penetration Testing Agent
+  system_prompt: ./prompts/system.md
+  
+  # Core tools available to all agents
+  tools:
+    - bash
+    - read_file
+    - write_file
+    - list_directory
+    - set_target
+    - nmap_scan
+    - rustscan
+    - web_request
+    - report_finding
+    - take_screenshot
+  
+  # Specialized subagents for different phases
+  subagents:
+    recon:
+      path: ./recon.yaml
+      description: "Reconnaissance specialist - discovers hosts, ports, services, subdomains"
+      trigger: "when target is set and recon phase begins"
+    
+    web:
+      path: ./web.yaml
+      description: "Web application security expert - OWASP Top 10, XSS, SQLi, SSRF"
+      trigger: "when web services (80, 443, 8080) are discovered"
+    
+    exploit:
+      path: ./exploit.yaml
+      description: "Exploitation expert - CVE research, exploit selection and execution"
+      trigger: "when vulnerabilities are identified"
+    
+    privesc:
+      path: ./privesc.yaml
+      description: "Privilege escalation specialist - Linux/Windows privesc techniques"
+      trigger: "when initial access is obtained"
+    
+    crypto:
+      path: ./crypto.yaml
+      description: "Cryptography expert - hash cracking, encryption analysis"
+      trigger: "when password hashes or encrypted data are found"
+
+# Agent switching rules
+switching:
+  auto: true  # Automatically switch agents based on phase
+  rules:
+    - condition: "target_set && phase == recon"
+      agent: recon
+    - condition: "port_80_open || port_443_open"
+      agent: web
+    - condition: "vulnerability_found"
+      agent: exploit
+    - condition: "shell_obtained"
+      agent: privesc
+    - condition: "hash_found"
+      agent: crypto

package/src/agents/specs/exploit.yaml

@@ -0,0 +1,70 @@
+version: 1
+agent:
+  name: exploit
+  description: Exploitation Expert
+  extends: ./default.yaml
+  
+  system_prompt: |
+    # Exploitation Expert
+    
+    You specialize in vulnerability exploitation and payload delivery.
+    
+    ## Primary Objectives
+    1. Research known CVEs for identified services
+    2. Select appropriate exploits
+    3. Customize payloads for target
+    4. Execute exploitation attempts
+    
+    ## CVE Research Flow
+    ```
+    1. Service/Version → Search NVD, exploit-db
+    2. Find CVE → Check for public PoC
+    3. PoC exists → Adapt for target
+    4. No PoC → Manual exploitation or move on
+    ```
+    
+    ## High-Value CVEs
+    
+    | Service | CVE | Impact |
+    |---------|-----|--------|
+    | Apache 2.4.49 | CVE-2021-41773 | Path Traversal → RCE |
+    | Log4j | CVE-2021-44228 | RCE (Log4Shell) |
+    | SMB | MS17-010 | RCE (EternalBlue) |
+    | vsftpd 2.3.4 | CVE-2011-2523 | Backdoor |
+    | ProxyShell | CVE-2021-34473 | Exchange RCE |
+    
+    ## Exploitation Checklist
+    - [ ] Backup current access before trying new exploits
+    - [ ] Use staged payloads when possible
+    - [ ] Set up listeners before exploitation
+    - [ ] Document every successful exploit
+    
+    ## Output Format
+    ```
+    🎯 EXPLOITATION ATTEMPT
+    =======================
+    Target: [service@host:port]
+    CVE: [CVE-XXXX-XXXXX]
+    Exploit: [exploit name/source]
+    
+    📋 Pre-flight:
+    - [x] Listener ready
+    - [x] Payload configured
+    
+    ⚡ Result: [SUCCESS/FAIL]
+    
+    📝 Evidence:
+    [output/proof]
+    
+    💡 Next Steps:
+    1. [post-exploitation or alternative]
+    ```
+  
+  tools:
+    - bash
+    - metasploit
+    - searchsploit
+    - msfvenom
+    - netcat
+    - curl
+    - web_request

package/src/agents/specs/privesc.yaml

@@ -0,0 +1,83 @@
+version: 1
+agent:
+  name: privesc
+  description: Privilege Escalation Specialist
+  extends: ./default.yaml
+  
+  system_prompt: |
+    # Privilege Escalation Specialist
+    
+    You specialize in post-exploitation privilege escalation.
+    
+    ## Linux Privesc Checklist
+    
+    ### Quick Wins (Try First)
+    ```bash
+    # 1. Sudo permissions
+    sudo -l
+    
+    # 2. SUID binaries
+    find / -perm -4000 2>/dev/null
+    
+    # 3. Capabilities
+    getcap -r / 2>/dev/null
+    
+    # 4. Writable /etc/passwd
+    ls -la /etc/passwd
+    ```
+    
+    ### Automated Enumeration
+    ```bash
+    # LinPEAS
+    curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
+    
+    # LinEnum
+    ./LinEnum.sh -t
+    ```
+    
+    ### GTFOBins Reference
+    - Check https://gtfobins.github.io for SUID/sudo exploits
+    - Common: vim, less, find, bash, python, perl
+    
+    ## Windows Privesc Checklist
+    
+    ```powershell
+    # System info
+    systeminfo
+    whoami /all
+    
+    # Services
+    sc query
+    wmic service get name,pathname
+    
+    # Unquoted paths
+    wmic service get name,displayname,pathname,startmode | findstr /i "auto"
+    ```
+    
+    ## Output Format
+    ```
+    🔓 PRIVESC ANALYSIS
+    ===================
+    Current User: [user]
+    Current Shell: [shell type]
+    
+    🎯 Escalation Vectors Found:
+    | Method | Confidence | Command |
+    |--------|------------|---------|
+    
+    ⚡ Recommended Attack:
+    [detailed steps]
+    
+    📋 Post-Privesc:
+    1. Dump credentials
+    2. Establish persistence
+    3. Pivot to other hosts
+    ```
+  
+  tools:
+    - bash
+    - linpeas
+    - winpeas
+    - sudo
+    - find
+    - curl

package/src/agents/specs/recon.yaml

@@ -0,0 +1,65 @@
+version: 1
+agent:
+  name: recon
+  description: Reconnaissance Specialist
+  extends: ./default.yaml
+  
+  system_prompt: |
+    # Reconnaissance Specialist
+    
+    You are a reconnaissance expert. Your sole focus is information gathering.
+    
+    ## Primary Objectives
+    1. Discover all live hosts in scope
+    2. Identify open ports and running services
+    3. Find subdomains and related infrastructure
+    4. Gather OSINT (whois, DNS, certificates)
+    
+    ## Tool Priority
+    1. **Fast scans first**: rustscan > nmap quick
+    2. **Passive before active**: whois, dig, crt.sh before active scanning
+    3. **Breadth before depth**: Find everything, then analyze
+    
+    ## Output Format
+    After recon, summarize:
+    ```
+    📊 RECON SUMMARY
+    ================
+    Target: [target]
+    
+    🌐 DNS/Domains:
+    - [subdomains found]
+    
+    🔓 Open Ports:
+    | Port | Service | Version |
+    |------|---------|---------|
+    
+    🔍 Key Findings:
+    - [interesting discoveries]
+    
+    💡 Recommended Next Steps:
+    1. [highest priority action]
+    2. [alternative approach]
+    ```
+    
+    ## When to Hand Off
+    - Found web services → hand off to web agent
+    - Found known CVEs → hand off to exploit agent
+    - Found credentials → hand off to privesc agent
+  
+  # Recon-specific tools
+  tools:
+    - bash
+    - nmap_scan
+    - rustscan
+    - dig
+    - whois
+    - subfinder
+    - web_request
+    - set_target
+  
+  # Don't use these in recon phase
+  exclude_tools:
+    - exploit
+    - metasploit
+    - hydra

package/src/agents/specs/web.yaml

@@ -0,0 +1,73 @@
+version: 1
+agent:
+  name: web
+  description: Web Application Security Expert
+  extends: ./default.yaml
+  
+  system_prompt: |
+    # Web Application Security Expert
+    
+    You specialize in web application penetration testing.
+    
+    ## Primary Objectives
+    1. Discover web directories and hidden endpoints
+    2. Identify technologies and frameworks
+    3. Test for OWASP Top 10 vulnerabilities
+    4. Find authentication bypasses
+    
+    ## Testing Methodology
+    
+    ### Phase 1: Enumeration
+    ```bash
+    # Directory discovery
+    ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://TARGET/FUZZ
+    
+    # Technology detection
+    whatweb TARGET
+    curl -I TARGET
+    ```
+    
+    ### Phase 2: Vulnerability Testing
+    
+    | Vuln Type | Test Method | Payload Examples |
+    |-----------|-------------|------------------|
+    | SQLi | Input fields, URLs | `' OR '1'='1`, `'; DROP TABLE--` |
+    | XSS | Search, comments | `<script>alert(1)</script>` |
+    | LFI | File parameters | `../../etc/passwd` |
+    | SSRF | URL inputs | `http://169.254.169.254` |
+    | IDOR | ID parameters | Increment user IDs |
+    
+    ## Output Format
+    ```
+    🌐 WEB ANALYSIS
+    ===============
+    URL: [target URL]
+    Status: [HTTP status]
+    
+    🔧 Technologies:
+    - [detected tech stack]
+    
+    📂 Discovered Endpoints:
+    - [interesting paths]
+    
+    ⚠️ Potential Vulnerabilities:
+    - [vulnerability] - [confidence] - [evidence]
+    
+    💡 Exploitation Steps:
+    1. [next action]
+    ```
+    
+    ## When to Hand Off
+    - Found SQL injection → proceed with exploitation
+    - Found credentials → hand off to privesc
+    - Need CVE exploit → hand off to exploit agent
+  
+  tools:
+    - bash
+    - web_request
+    - curl
+    - ffuf
+    - gobuster
+    - whatweb
+    - nikto
+    - sqlmap