Mehdi BOUTAYEB

We Built Darkmoon: An Open-Source Autonomous Pentesting Platform

Darkmoon is an open-source autonomous penetration testing platform released under GPLv3.

Before talking about AI, agents or dashboards, it's important to understand that the project was built around a transparent and auditable open-source core.

Over the last few years, we've tested a lot of security products.

Some were excellent scanners.

Some generated decent reports.

Some experimented with AI-assisted workflows.

But when we tried to use them in the environments we actually encounter during professional engagements, the limitations quickly became obvious.

A real assessment rarely consists of a single web application.

More often, the target is a combination of:

  • Active Directory
  • Kubernetes
  • Cloud infrastructure
  • APIs
  • CMS platforms
  • Internal networks
  • Legacy systems

That's where we spend most of our time as pentesters.

And that's what eventually led us to build Darkmoon.


Why We Built Darkmoon

Darkmoon didn't begin as an AI project.

It started with a practical question:

Could we automate parts of a penetration test without reducing everything to a vulnerability scanner?

Most security tools are already very good at collecting information.

The difficult part is deciding what to do next.

An experienced pentester constantly adapts based on new information.

They change direction.

They prioritize attack paths.

They abandon dead ends.

They focus on technologies that matter.

We wanted to explore whether some of that decision-making process could be reproduced while keeping humans in control of the assessment.


Open Source First

One decision was made very early.

Darkmoon had to be open source.

Security teams already have enough black boxes to deal with.

If an autonomous system is going to participate in security assessments, practitioners should be able to understand what it is doing and why.

That's why Darkmoon is released under GPLv3.

The source code is public.

The methodologies are public.

The orchestration logic is public.

The deployment process is public.

If you disagree with how an assessment is performed, you can inspect the methodology and modify it.

For us, transparency matters more than any AI feature.

Today the project includes:

  • 18 specialized methodology agents
  • 80+ integrated offensive security tools
  • Active Directory workflows
  • Kubernetes workflows
  • Cloud infrastructure assessments
  • API security testing
  • CMS security testing
  • Infrastructure mapping
  • Evidence collection
  • Automated reporting

GitHub:
https://github.com/ASCIT31/Dark-Moon

Documentation:
https://docs.dark-moon.org/


Methodologies Instead of Hidden Prompts

One of the most common questions we receive is:

How do the agents work?

The answer is deliberately simple.

They're Markdown files.

Each methodology describes how Darkmoon approaches a specific technology stack.

They're reviewable.

Version-controlled.

Customizable.

And visible.

Unlike many AI-powered security products, the reasoning process isn't hidden behind proprietary prompts.

A WordPress assessment doesn't follow the same methodology as an Active Directory engagement.

A Kubernetes cluster doesn't trigger the same workflow as a GraphQL API.

The methodologies can be inspected before running an assessment.

For us, that's a critical requirement.

[Image: Agent Selection Matrix]


Understanding the Target

Darkmoon continuously builds an internal model of the environment it is assessing.

Instead of blindly launching tools, it gathers technical signals from the target:

  • Services
  • Technologies
  • Frameworks
  • CMS platforms
  • APIs
  • Infrastructure components

Those signals are then used to determine which methodologies should be activated.

Different technologies trigger different workflows.

A WordPress deployment doesn't require the same approach as:

  • Active Directory
  • Kubernetes
  • GraphQL
  • ASP.NET
  • Spring Boot
  • Cloud infrastructure

[Image: Environment Enumeration]

The objective is not to run every tool against every target.

The objective is to select the most relevant methodology based on what is actually discovered.


Building Around Existing Security Tools

We didn't try to reinvent twenty years of offensive security tooling.

Darkmoon relies heavily on existing projects such as:

  • Nuclei
  • SQLMap
  • NetExec
  • BloodHound
  • Impacket
  • FFUF
  • Hydra
  • Kubescape
  • Kubeletctl
  • WPScan
  • CMSeeK
  • Naabu
  • Masscan

and many others.

The interesting part isn't the tools themselves.

The interesting part is deciding:

  • Which tool should run
  • When it should run
  • Why it should run
  • How the results should influence the next step

That's where most of our work has gone.


Community Edition and Professional Edition

Darkmoon is built around an open-source GPLv3 core.

The Community Edition contains:

  • The autonomous engine
  • Methodologies
  • Orchestration logic
  • Docker deployment
  • Assessment workflows
  • Reporting capabilities

For organizations running larger engagements, we also maintain a Professional Edition.

The Professional Edition focuses on operational workflows rather than changing the philosophy of the project.

It extends the open-source foundation with:

  • Campaign management
  • Infrastructure visualization
  • Centralized dashboards
  • Enhanced reporting
  • Operational monitoring
  • Team-oriented workflows
  • Vulnerability analytics
  • Historical campaign tracking

The screenshots below come from the Professional Edition.

The goal is not to replace the open-source edition.

The goal is to provide operational capabilities for teams running Darkmoon at scale.


Evidence Matters

One of our biggest frustrations with automated security products is the lack of context.

A finding without evidence is difficult to trust.

Darkmoon attempts to preserve:

  • Commands executed
  • Outputs collected
  • Supporting evidence
  • Attack paths
  • Severity information

The objective is not simply to produce findings.

The objective is to produce findings that can be understood, validated and acted upon.
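One way to make such evidence checkable after the fact, as an added example that is not Darkmoon's own code or storage format: each finding must carry every item listed above, and the records are hash-chained so a reviewer can detect later edits. The field names, the `example-tool` command and the sample records are assumptions constructed for illustration, and the hash chain goes beyond what the post describes.

```python
import hashlib
import json

# Fields mirror the list above; the schema itself is hypothetical.
REQUIRED = ("command", "output", "evidence", "attack_path", "severity")
GENESIS = "0" * 64  # previous-hash value used for the first entry

def _digest(prev_hash, record):
    # Canonical JSON so an unchanged record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_evidence(log, record):
    """Append one finding; reject it if any evidence field is missing or empty."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError("finding lacks evidence: " + ", ".join(missing))
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": dict(record), "prev": prev_hash,
                "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]

def verify_log(log):
    """Return the index of the first altered or reordered entry, or -1 if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _digest(prev_hash, entry["record"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return -1

def build_sample_log():
    """Constructed sample records, not output from a real assessment."""
    log = []
    append_evidence(log, {
        "command": "example-tool https://target.example",  # placeholder command
        "output": "HTTP/1.1 200 OK\nServer: example",
        "evidence": "response headers saved as headers.txt",
        "attack_path": ["internet", "web front end"],
        "severity": "low"})
    append_evidence(log, {
        "command": "example-tool https://target.example/login",
        "output": "HTTP/1.1 302 Found",
        "evidence": "redirect captured in login.txt",
        "attack_path": ["internet", "web front end", "login form"],
        "severity": "medium"})
    return log
```

The chain only proves internal consistency: keep the final hash somewhere separate, such as in the delivered report, so that truncation or a full recomputation of the log is also detectable.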

[Image: Darkmoon Logs]


Deployment

Installation is intentionally simple.

git clone https://github.com/ASCIT31/Dark-Moon.git
cd Dark-Moon

chmod +x install.sh darkmoon.sh

./install.sh

Once installed:

./darkmoon.sh

Or directly against a target:

./darkmoon.sh "TARGET: https://target.example"

Docker handles the environment and dependencies.

[Image: Assessment Startup]


Bring Your Own Model

Darkmoon does not lock users into a single provider.

Supported options include:

  • OpenAI
  • Anthropic
  • OpenRouter
  • Ollama
  • llama.cpp
  • OpenAI-compatible endpoints

Organizations can choose between:

  • Maximum performance
  • Maximum privacy
  • Fully local deployments

[Image: Provider Configuration]


What Still Needs Work

Darkmoon is far from finished.

Today:

  • Web application assessments are among the most mature workflows
  • Active Directory coverage is highly advanced
  • Cloud assessments are improving rapidly
  • Smaller local models still struggle compared to frontier models on long reasoning loops

We're continuously improving:

  • Detection quality
  • Methodologies
  • Reporting
  • False positive reduction
  • Cloud coverage

The project is evolving rapidly, but we're still early.


Looking Ahead

The long-term vision is not to build another scanner.

It's not even to build another AI wrapper.

What interests us is creating systems that understand:

  • Infrastructure
  • Security methodology
  • Attack paths
  • Offensive operations
  • Remediation workflows

in a way that is genuinely useful to practitioners.

Today, Darkmoon orchestrates methodologies, tools and workflows.

Tomorrow, we want to push even further into cybersecurity-specific reasoning systems.

Darkmoon is our attempt at exploring that direction in public, in the open, and alongside the community.


Links

GitHub

https://github.com/ASCIT31/Dark-Moon

Documentation

https://docs.dark-moon.org/

Website

https://dark-moon.org/

Demo Video

https://youtu.be/1bFRVuMkZzY

We're always interested in feedback from:

  • Pentesters
  • Security engineers
  • DevSecOps teams
  • Platform engineers
  • Open-source contributors
