chainreactors/aiscan

aiscan

Agentic Security Scanner — AI-driven reconnaissance meets deterministic scanning

Preview — APIs and features may change between releases

Chinese documentation


aiscan combines LLM agents with traditional security scanning engines and offers three modes: Scan (deterministic pipeline, optional AI assist), Agent (natural-language autonomous assessment), and IOA (multi-agent distributed collaboration).

Use only on explicitly authorized targets. Unauthorized use is illegal.

Quick Start

# No LLM needed — one-line scan
aiscan scan -i 192.168.1.0/24

# With LLM — one-line agent
aiscan agent --base-url "https://api.deepseek.com" --api-key "sk-..." --model deepseek-chat \
  -p "scan targets and check for high-risk vulnerabilities" -i 192.168.1.0/24

Install

Download Binary

From GitHub Releases:

Edition       | Description
aiscan        | Standard — scan/agent/gogo/spray/zombie/neutron/arsenal
aiscan-full   | Full — adds playwright browser, passive recon, katana crawler
aiscan-agent  | Lightweight agent runtime, ideal for remote worker deployment

OS       | Arch                  | Standard                 | Full                          | Agent
Linux    | amd64 / arm64         | aiscan_linux_amd64       | aiscan-full_linux_amd64       | aiscan-agent_linux_amd64
macOS    | Intel / Apple Silicon | aiscan_darwin_amd64      | aiscan-full_darwin_arm64      | aiscan-agent_darwin_arm64
Windows  | amd64                 | aiscan_windows_amd64.exe | aiscan-full_windows_amd64.exe | aiscan-agent_windows_amd64.exe

# Linux
curl -L -o aiscan https://github.com/chainreactors/aiscan/releases/latest/download/aiscan_linux_amd64
chmod +x aiscan && sudo mv aiscan /usr/local/bin/

# macOS
curl -L -o aiscan https://github.com/chainreactors/aiscan/releases/latest/download/aiscan_darwin_arm64
chmod +x aiscan && sudo mv aiscan /usr/local/bin/

# Windows (PowerShell)
Invoke-WebRequest "https://github.com/chainreactors/aiscan/releases/latest/download/aiscan_windows_amd64.exe" -OutFile aiscan.exe
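
The download commands above install whatever the `latest` URL returns, with no integrity check. The following added example (not part of the aiscan project) verifies a downloaded file against a SHA-256 digest before installing it; the function names `sha256_of` and `install_verified` are hypothetical, and the expected digest is assumed to come from a source you trust, since this page does not say whether the project publishes checksums.

```shell
# Added example, not aiscan project code: verify a downloaded release binary
# against a SHA-256 digest you obtained from a trusted source (an assumption:
# the page does not state where digests are published), then install it.

# sha256_of FILE -> prints the lowercase hex digest using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum <"$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 <"$1" | awk '{print $1}'
    else
        echo "no sha256 tool found" >&2
        return 2
    fi
}

# install_verified FILE EXPECTED_SHA256 DEST_DIR
# Returns 0 and copies FILE into DEST_DIR (mode 0755) only when the digest
# matches; returns 1 on mismatch and 2 on bad input.
install_verified() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    dest=$3
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mkdir -p "$dest" && cp "$file" "$dest/" && chmod 0755 "$dest/$(basename "$file")"
}
```

Run `install_verified` on the downloaded file in place of the `chmod +x ... && mv ...` step; it refuses to install on a mismatch.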

Build from Source

git clone https://github.com/chainreactors/aiscan.git && cd aiscan

go build -o aiscan ./cmd/aiscan                          # standard
go build -tags full -o aiscan-full ./cmd/aiscan           # full (playwright/katana/passive)

Features

Design

  • Single binary, zero dependencies — statically-linked, drop-in deployment
  • Minimal agent core — composable ~160-line loop; tools, retries, evaluation are plugged in, not hardcoded
  • Plugin architecture — adding a new tool is one file; heavy dependencies (playwright, katana) are compile-time optional
  • Embedded skills — each tool carries its own usage docs and tactical guidance, loaded by the agent on demand
  • Scan + Agent unified — the same engines drive both the deterministic pipeline and the autonomous agent

Scan — Deterministic Pipeline

  • Multi-stage auto-chaining: port discovery → web probing → weak credentials → POC detection — no LLM required
  • Optional AI-driven result verification, public CVE correlation, and dynamic testing
  • Quick mode for fast exposure mapping, full mode for deep crawl and extended coverage

Agent — Autonomous Security Assessment

  • Natural language tasks — the agent plans, scans, analyzes, and reports autonomously
  • Goal evaluation — an independent evaluator judges task completion and drives automatic retry
  • Interactive REPL with direct command execution
  • Multi-provider fallback for resilience

IOA — Multi-Agent Collaboration

  • Shared message spaces for distributed agent coordination
  • Worker mode for persistent task listening
  • Built-in IOA server with token authentication
  • See: Design | CLI | Extension

Built-in Toolset

Scanners

  • gogo — port, service, and banner discovery
  • spray — web probing, fingerprinting, path fuzzing
  • zombie — credential testing
  • neutron — template-based POC execution
  • cyberhub — fingerprint and POC association query

Browser & Recon (full edition)

  • playwright — headless Chromium sessions, screenshots, network capture
  • katana — web crawler with standard/headless/hybrid engines
  • passive — cyberspace search (FOFA, Hunter, Shodan)

Utilities

  • tmux — background task sessions with incremental output delivery
  • arsenal — security tool package manager (crtm), one-command install
  • proxy — multi-protocol proxy chain (trojan/vless/anytls/hy2/ss)
  • web_search / fetch — CVE search and URL fetching

Usage

Scan Mode

aiscan scan -i 192.168.1.0/24                                    # quick scan
aiscan scan -i 192.168.1.0/24 --mode full                        # full scan
aiscan scan -i http://target.example --verify=high --sniper       # AI-enhanced
aiscan scan -i http://target.example --mode full --deep --report  # full + deep + report

Agent Mode

# One-shot task
aiscan agent -p "scan and find web vulnerabilities" -i 192.168.1.0/24

# With goal evaluation
aiscan agent -p "full scan" -i http://target.example -e "find all open ports with service fingerprints"

# Interactive REPL
aiscan agent

IOA Mode

# Start IOA server
aiscan ioa serve --ioa-url http://0.0.0.0:8765

# Start IOA worker
aiscan agent --ioa-url http://127.0.0.1:8765 --space pentest-project \
  -p "scan assigned targets and report findings"

LLM Configuration

# Environment variable
export OPENAI_API_KEY="sk-..."

# CLI arguments
aiscan agent --provider deepseek --base-url https://api.deepseek.com --api-key sk-... --model deepseek-chat

Config file ~/.config/aiscan/config.yaml:

llm:
  provider: openai
  api_key: sk-...
  model: gpt-4o
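
The config file stores the API key in plain text, and a key passed with `--api-key` can end up in shell history and process listings. The following added example (not part of the aiscan project) checks that a config file containing an `api_key` entry is not accessible to group or other users; the function names `file_mode` and `audit_key_file` are hypothetical.

```shell
# Added example, not aiscan project code: check that a config file holding
# an LLM API key is accessible only by its owner.

# file_mode FILE -> prints octal permission bits (e.g. 600); GNU or BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key_file FILE
#   0 = no api_key entry, or entry present and no group/other permission bits
#   1 = api_key entry present and file is accessible to group or others
#   2 = file missing or mode could not be read
audit_key_file() {
    f=$1
    [ -f "$f" ] || { echo "not found: $f" >&2; return 2; }
    # Match a non-empty "api_key:" entry as in the config.yaml shown above.
    if ! grep -Eq '^[[:space:]]*api_key:[[:space:]]*[^[:space:]#]' "$f"; then
        return 0
    fi
    mode=$(file_mode "$f") || return 2
    # The last two octal digits are the group and other permissions.
    case $mode in
        *00|0) return 0 ;;
        *) echo "$f contains api_key but has mode $mode; run: chmod 600 $f" >&2
           return 1 ;;
    esac
}
```

For example, `audit_key_file ~/.config/aiscan/config.yaml` returns 1 and prints the `chmod 600` fix when the file is group- or world-accessible.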

Documentation

Doc         | Description
Scan Mode   | Pipeline, AI enhancements, output formats
Agent Mode  | Toolset, Goal Evaluation, REPL
IOA         | Multi-agent architecture, Space/Node/Message model
Reference   | Configuration, providers, flags, scanner usage, FAQ
Changelog   | Version history

Contributing

  1. Fork this repository
  2. Create a feature branch (git checkout -b feature/xxx)
  3. Commit your changes (git commit -m 'feat: add xxx')
  4. Push to the branch (git push origin feature/xxx)
  5. Create a Pull Request

Disclaimer

  1. This tool is intended for authorized security testing and research purposes only. If you need to test its capabilities, please set up your own lab environment.
  2. Before using this tool for any scanning, you must ensure compliance with local laws and regulations and obtain sufficient authorization. Do not scan unauthorized targets.
  3. If you engage in any illegal activity while using this tool, you shall bear all consequences yourself. We assume no legal or joint liability.
  4. Before installing and using this tool, please carefully read and fully understand all terms. Limitation and disclaimer clauses may be highlighted for your attention.
  5. Unless you have fully read, understood, and accepted all terms of this agreement, please do not install or use this tool. Your use or any other express or implied acceptance constitutes your agreement to be bound by these terms.

License

This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0).

Links

  • chainreactors — Organization
  • IOA — Internet of Agents
  • gogo — Port & service discovery
  • spray — Web probing & fingerprinting
  • zombie — Credential testing
  • neutron — Template-based POC engine
  • fingers — Fingerprint rule engine
  • sdk — Scanner SDK (gogo/spray/zombie core)
  • proxyclient — Multi-protocol proxy client
  • crtm — Security tool package registry
  • utils — Shared utilities & PTY manager
  • parsers — Protocol & data parsers

About

pi-like agentic security scanner — single binary for AI-driven pentesting, from red team ops to bug bounty
