VulnClaw: the autonomous pentester is becoming a category
Two days ago strix showed up here, a 26k-star open-source pentest swarm. Today VulnClaw is trending: another autonomous offensive-security agent, fresh v0.3.2 from June 28, 1.1k stars and climbing. When the second well-built autonomous attacker surges inside a week, it stops being a one-off and starts being a category.
What VulnClaw does: you describe a target in plain English and it runs the full chain itself, recon to vulnerability discovery to exploitation to report, with no human handoff between stages. The interesting architecture is a target-driven solver built on a blackboard state model rather than fixed-round loops, so it stops when the objective is actually met instead of grinding through arbitrary rounds. It also has an evidence-level hallucination gate that checks the AI's claims against real tool output before believing them, 21 built-in pentest skills, and works across 13 LLM providers.
That hallucination gate is the tell. The whole problem with an LLM doing security work is that it will confidently claim a vuln that isn't there; VulnClaw makes the model prove it with tool evidence. Same validate-with-real-output discipline strix leans on.
Step back and the picture is clear. Offensive security is going autonomous at the same moment frontier labs are getting their cyber-capable models gated by governments. The attack side isn't waiting, it's shipping open-source on GitHub. Link: github.com/Unclecheng-li/VulnClaw
← Back to all articles
What VulnClaw does: you describe a target in plain English and it runs the full chain itself, recon to vulnerability discovery to exploitation to report, with no human handoff between stages. The interesting architecture is a target-driven solver built on a blackboard state model rather than fixed-round loops, so it stops when the objective is actually met instead of grinding through arbitrary rounds. It also has an evidence-level hallucination gate that checks the AI's claims against real tool output before believing them, 21 built-in pentest skills, and works across 13 LLM providers.
That hallucination gate is the tell. The whole problem with an LLM doing security work is that it will confidently claim a vuln that isn't there; VulnClaw makes the model prove it with tool evidence. Same validate-with-real-output discipline strix leans on.
Step back and the picture is clear. Offensive security is going autonomous at the same moment frontier labs are getting their cyber-capable models gated by governments. The attack side isn't waiting, it's shipping open-source on GitHub. Link: github.com/Unclecheng-li/VulnClaw
Comments