We build Darkmoon: An Open-Source Autonomous Pentesting Platform

Mehdi BOUTAYEB — Thu, 18 Jun 2026 13:20:08 +0000

Darkmoon is an open-source autonomous penetration testing platform released under GPLv3.

Before talking about AI, agents or dashboards, it's important to understand that the project was built around a transparent and auditable open-source core.

Over the last few years, we've tested a lot of security products.

Some were excellent scanners.

Some generated decent reports.

Some experimented with AI-assisted workflows.

But when we tried to use them in the environments we actually encounter during professional engagements, the limitations quickly became obvious.

A real assessment rarely consists of a single web application.

More often, the target is a combination of:

Active Directory
Kubernetes
Cloud infrastructure
APIs
CMS platforms
Internal networks
Legacy systems

That's where we spend most of our time as pentesters.

And that's what eventually led us to build Darkmoon.

Why We Built Darkmoon

Darkmoon didn't begin as an AI project.

It started with a practical question:

Could we automate parts of a penetration test without reducing everything to a vulnerability scanner?

Most security tools are already very good at collecting information.

The difficult part is deciding what to do next.

An experienced pentester constantly adapts based on new information.

They change direction.

They prioritize attack paths.

They abandon dead ends.

They focus on technologies that matter.

We wanted to explore whether some of that decision-making process could be reproduced while keeping humans in control of the assessment.

Open Source First

One decision was made very early.

Darkmoon had to be open source.

Security teams already have enough black boxes to deal with.

If an autonomous system is going to participate in security assessments, practitioners should be able to understand what it is doing and why.

That's why Darkmoon is released under GPLv3.

The source code is public.

The methodologies are public.

The orchestration logic is public.

The deployment process is public.

If you disagree with how an assessment is performed, you can inspect the methodology and modify it.

For us, transparency matters more than any AI feature.

Today the project includes:

18 specialized methodology agents
80+ integrated offensive security tools
Active Directory workflows
Kubernetes workflows
Cloud infrastructure assessments
API security testing
CMS security testing
Infrastructure mapping
Evidence collection
Automated reporting

GitHub:
https://github.com/ASCIT31/Dark-Moon

Documentation:
https://docs.dark-moon.org/

Methodologies Instead of Hidden Prompts

One of the most common questions we receive is:

How do the agents work?

The answer is deliberately simple.

They're Markdown files.

Each methodology describes how Darkmoon approaches a specific technology stack.

They're reviewable.

Version-controlled.

Customizable.

And visible.

Unlike many AI-powered security products, the reasoning process isn't hidden behind proprietary prompts.

A WordPress assessment doesn't follow the same methodology as an Active Directory engagement.

A Kubernetes cluster doesn't trigger the same workflow as a GraphQL API.

The methodologies can be inspected before running an assessment.

For us, that's a critical requirement.

Understanding the Target

Darkmoon continuously builds an internal model of the environment it is assessing.

Instead of blindly launching tools, it gathers technical signals from the target:

Services
Technologies
Frameworks
CMS platforms
APIs
Infrastructure components

Those signals are then used to determine which methodologies should be activated.

Different technologies trigger different workflows.

A WordPress deployment doesn't require the same approach as:

Active Directory
Kubernetes
GraphQL
ASP.NET
Spring Boot
Cloud infrastructure

The objective is not to run every tool against every target.

The objective is to select the most relevant methodology based on what is actually discovered.

Building Around Existing Security Tools

We didn't try to reinvent twenty years of offensive security tooling.

Darkmoon relies heavily on existing projects such as:

Nuclei
SQLMap
NetExec
BloodHound
Impacket
FFUF
Hydra
Kubescape
Kubeletctl
WPScan
CMSeeK
Naabu
Masscan

and many others.

The interesting part isn't the tools themselves.

The interesting part is deciding:

Which tool should run
When it should run
Why it should run
How the results should influence the next step

That's where most of our work has gone.

Community Edition and Professional Edition

Darkmoon is built around an open-source GPLv3 core.

The Community Edition contains:

The autonomous engine
Methodologies
Orchestration logic
Docker deployment
Assessment workflows
Reporting capabilities

For organizations running larger engagements, we also maintain a Professional Edition.

The Professional Edition focuses on operational workflows rather than changing the philosophy of the project.

It extends the open-source foundation with:

Campaign management
Infrastructure visualization
Centralized dashboards
Enhanced reporting
Operational monitoring
Team-oriented workflows
Vulnerability analytics
Historical campaign tracking

The screenshots below come from the Professional Edition.

The goal is not to replace the open-source edition.

The goal is to provide operational capabilities for teams running Darkmoon at scale.

Evidence Matters

One of our biggest frustrations with automated security products is the lack of context.

A finding without evidence is difficult to trust.

Darkmoon attempts to preserve:

Commands executed
Outputs collected
Supporting evidence
Attack paths
Severity information

The objective is not simply to produce findings.

The objective is to produce findings that can be understood, validated and acted upon.

Deployment

Installation is intentionally simple.

git clone https://github.com/ASCIT31/Dark-Moon.git
cd Dark-Moon

chmod +x install.sh darkmoon.sh

./install.sh

Once installed:

./darkmoon.sh

Or directly against a target:

./darkmoon.sh "TARGET: https://target.example"

Docker handles the environment and dependencies.

Bring Your Own Model

Darkmoon does not lock users into a single provider.

Supported options include:

OpenAI
Anthropic
OpenRouter
Ollama
llama.cpp
OpenAI-compatible endpoints

Organizations can choose between:

Maximum performance
Maximum privacy
Fully local deployments

What Still Needs Work

Darkmoon is far from finished.

Today:

Web application assessments are among the most mature workflows
Active Directory coverage is highly advanced
Cloud assessments are improving rapidly
Smaller local models still struggle compared to frontier models on long reasoning loops

We're continuously improving:

Detection quality
Methodologies
Reporting
False positive reduction
Cloud coverage

The project is evolving rapidly, but we're still early.

Looking Ahead

The long-term vision is not to build another scanner.

It's not even to build another AI wrapper.

What interests us is creating systems that understand:

Infrastructure
Security methodology
Attack paths
Offensive operations
Remediation workflows

in a way that is genuinely useful to practitioners.

Today, Darkmoon orchestrates methodologies, tools and workflows.

Tomorrow, we want to push even further into cybersecurity-specific reasoning systems.

Darkmoon is our attempt at exploring that direction in public, in the open, and alongside the community.

DEV Community: Mehdi BOUTAYEB