DEV Community

Alessio Marinelli

AI-Powered Cybersecurity Platform That Detects, Analyzes, and Responds to Attacks Automatically on a Kubernetes Cluster

From a Snort alert to a blocked IP in under 60 seconds. No cloud. No vendor lock-in. Full human control. Validated on NVIDIA DGX Spark.

There are plenty of tools that help you run a pentest. You launch nmap, feed the output to an LLM, get some suggestions. Useful — but fundamentally reactive. You still need a human in front of a terminal to make anything happen.

I wanted something different. I wanted a system that watches your infrastructure continuously, understands what it sees, decides what to do, and acts — while still keeping a human in the loop for every critical decision.

After months of work, that system exists. I call it AI-Pentest Suite.

The Problem with Existing Tools
Most AI security tools today fall into one of two categories.

The first is the AI assistant model — CLI tools where you give a target, recon tools run, the LLM analyzes the output, and you get a report. Genuinely useful for a security analyst doing manual assessments. But they are fundamentally CLI wrappers with an LLM on top. They don’t watch anything. They don’t respond to anything. They wait for you to ask.

The second is the enterprise SIEM/XDR model — powerful platforms that require dedicated teams to operate, whose AI is a black box you cannot inspect, modify, or run offline.

Neither category solved my problem: an automated, event-driven, AI-powered security pipeline that runs on your own infrastructure, uses a local LLM so your data never leaves your premises, and keeps humans in control of every irreversible action.

What I Built

AI-Pentest Suite is a cloud-native security platform that runs on any Kubernetes cluster, whether the nodes are bare metal or virtual machines. It combines three layers:

Detection — Snort3 IDS runs as a DaemonSet on every node of the cluster, monitoring network traffic in real time. A PyTorch autoencoder trained on normal traffic pre-filters Snort's output by reconstruction error before it reaches the LLM layer, cutting noise and false positives. The pre-filter's threshold is a tuning decision in its own right: anything it drops never reaches the LLM, so it trades missed detections against LLM load.

Analysis — When Snort generates an alert, it flows through Kafka into an AI pipeline running on Apache OpenServerless. A local Mistral LLM analyzes the alert in context, assigns a threat score from 0 to 100, categorizes the attack type, correlates it with the MITRE ATT&CK framework through a RAG knowledge base of 1,290 documents, and recommends an action. The pipeline has been tested and is fully operational on an NVIDIA DGX Spark, which keeps inference latency in the millisecond range even during alert bursts. This is not a proof of concept running on a laptop: it has been validated on real GPU hardware.

Response — A policy engine checks the IP's history in Redis, determines severity and recidivism, and routes the case to a human approval step. The operator has 30 seconds to approve or modify the recommended action. If no response comes, the system auto-decides. That timeout default is the one setting that determines whether an unattended cluster fails open or fails closed, so it deserves the same review as the scoring thresholds. A firewall agent running on each node executes the iptables block; since inserting rules on the host needs CAP_NET_ADMIN, the agent is the one privileged component in the pipeline and the one to scope most tightly. Everything is logged to PostgreSQL for audit.

The entire cycle — from alert to blocked IP — takes under 60 seconds.
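The decision loop the three layers describe, as an added example rather than code from AI-Pentest Suite (whose code base is proprietary): it parses a constructed Snort alert_fast-style line, takes an LLM verdict in the shape of the post's pipeline output, applies a policy against an in-memory stand-in for the Redis history, gates the irreversible action on an operator channel with the 30-second window, and renders the iptables rule instead of executing it. The thresholds, the repeat-offender count, the timeout fallback and every name below are this example's assumptions, not the platform's.

```python
"""Alert-to-block decision loop in the shape the post describes. Added example,
not AI-Pentest Suite code; every threshold and name is an assumption."""
import hashlib
import queue
import re

# Constructed Snort alert_fast-style line (not a real capture).
SAMPLE_ALERT = (
    '04/24-15:01:23.456789 [**] [1:1000001:1] "Port scan detected" [**] '
    '[Classification: Attempted Information Leak] [Priority: 2] {TCP} '
    '10.20.30.40:44321 -> 10.0.0.7:22'
)
# Constructed LLM verdict in the shape of the post's pipeline output.
SAMPLE_VERDICT = {
    "attack_category": "reconnaissance", "threat_score": 85, "confidence": 0.93,
    "recommended_action": "block_ip",
    "reason": "Systematic port scan across 1000 ports, repeat offender",
}

ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)".*?'
    r'\[Priority: (?P<priority>\d+)\].*?\{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
)

def parse_alert(line):
    """Pull the fields the policy engine needs out of one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert line")
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "priority", "sport", "dport"):
        a[k] = int(a[k])
    return a

class History:
    """In-memory stand-in for the per-IP alert history the post keeps in Redis."""
    def __init__(self):
        self._hits = {}
    def record(self, ip):
        self._hits[ip] = self._hits.get(ip, 0) + 1
        return self._hits[ip]

# Assumed policy parameters; the post only fixes the 0-100 score and the 30 s window.
HIGH, MEDIUM, REPEAT_OFFENDER = 80, 50, 3
IRREVERSIBLE = {"block_ip"}       # actions that must pass the human gate

def severity(score):
    return "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"

def policy(alert, verdict, history):
    """Turn the LLM verdict plus IP history into a proposal and a gating decision."""
    hits = history.record(alert["src"])
    sev = severity(verdict["threat_score"])
    repeat = hits >= REPEAT_OFFENDER
    action = verdict["recommended_action"]
    if action in IRREVERSIBLE and sev != "high" and not repeat:
        action = "monitor"        # never block on a weak score from a first-time source
    return {"src_ip": alert["src"], "severity": sev, "repeat_offender": repeat,
            "prior_alerts": hits, "proposed_action": action,
            "needs_approval": action in IRREVERSIBLE}

def operator_channel(*answers):
    """Approval channel; pre-filled answers simulate an operator, empty simulates silence."""
    q = queue.Queue()
    for a in answers:
        q.put(a)
    return q

def respond(alert, verdict, history, approvals, window_s=30.0):
    """One full cycle: policy, operator gate with timeout, firewall command, audit record."""
    p = policy(alert, verdict, history)
    final, decided_by = p["proposed_action"], "policy"
    if p["needs_approval"]:
        try:
            answer = approvals.get(timeout=window_s)   # the 30-second approval window
        except queue.Empty:
            answer = None
        if answer is None:
            # Timeout fallback (assumption): block only a high-severity repeat offender
            # unattended; otherwise fail safe to monitoring rather than block on silence.
            auto_block = p["repeat_offender"] and p["severity"] == "high"
            final, decided_by = ("block_ip" if auto_block else "monitor"), "timeout"
        elif answer == "approve":
            decided_by = "operator"
        elif answer.startswith("modify:"):
            final, decided_by = answer.split(":", 1)[1], "operator"
        else:
            final, decided_by = "monitor", "operator"   # anything else is a rejection
    # The node firewall agent would execute this; here it is rendered, not run.
    cmd = f"iptables -I INPUT -s {p['src_ip']} -j DROP" if final == "block_ip" else None
    audit_id = hashlib.sha256(
        f"{p['src_ip']}|{alert['sid']}|{p['prior_alerts']}".encode()).hexdigest()[:8]
    return {**p, "final_action": final, "decided_by": decided_by,
            "firewall_cmd": cmd, "audit_id": audit_id}

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(respond(alert, SAMPLE_VERDICT, History(), operator_channel("approve"), window_s=1))
```

The `window_s` default is the post's 30 seconds; pass a shorter value when exercising the silent-operator path. The part worth arguing about is the `answer is None` branch: with `REPEAT_OFFENDER` at 3, the same scanner is watched twice before an unattended block is allowed, and a rejection or any unrecognised reply downgrades to monitoring, so silence never produces a block on a first sighting.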

The Architecture That Makes It Different
The platform runs on Kubernetes, which means it works on bare metal, VMs, or cloud IaaS. You don’t need dedicated hardware to get started.

The AI pipeline is built on Apache OpenServerless — an open-source serverless platform based on Apache OpenWhisk. This means the analysis functions scale automatically with load. When your infrastructure is quiet, they scale to zero and consume no resources. When you are under a port scan or brute force attack, they spin up in parallel. The trade-off is cold-start latency on the first alert after an idle period, which counts against the 60-second budget.

The scanning layer — Nuclei with 9,000+ templates and Metasploit integration — runs as Kubernetes workloads too, triggered on demand or scheduled. The goal is a full pentest pipeline from recon to exploit verification to PDF report that runs end-to-end, with the operator's only keystrokes being the approval decisions.

The LLM runs entirely on local hardware. The platform has been tested and validated on the NVIDIA DGX Spark, NVIDIA’s personal AI supercomputer based on the Blackwell architecture. No data is sent to external services. Your network traffic, your alerts, your findings — they stay in your environment.
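The ATT&CK correlation step, as an added example and not the suite's own RAG code: a TF-IDF cosine retriever over a constructed five-entry knowledge base stands in for the embedding index. The technique IDs and names are real ATT&CK entries; the descriptions are paraphrased for the example, and every name below is an assumption. What it shows is the hand-off: retrieval narrows the knowledge base to a few candidates, and the local LLM makes the call. That is why a reason string mentioning both a port scan and a SYN flood legitimately surfaces both a discovery technique and a denial-of-service one. Nothing here leaves the process, which is the property the paragraph above is about.

```python
"""Keyword retrieval over a tiny ATT&CK knowledge base, standing in for the
embedding-backed RAG step. Added example, not AI-Pentest Suite code."""
import math
import re
from collections import Counter

# Constructed knowledge base: real ATT&CK IDs and names, paraphrased descriptions.
KNOWLEDGE_BASE = [
    ("T1046", "Network Service Discovery",
     "adversaries scan ports and services on remote hosts to find listening services port scan"),
    ("T1595", "Active Scanning",
     "adversaries probe victim infrastructure over the network scanning blocks and ports during reconnaissance"),
    ("T1110", "Brute Force",
     "adversaries guess passwords repeatedly login failures password spraying credential stuffing"),
    ("T1498", "Network Denial of Service",
     "adversaries flood a service with traffic syn flood to exhaust resources"),
    ("T1190", "Exploit Public-Facing Application",
     "adversaries exploit a vulnerability in an internet-facing web application"),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")

def tokens(text):
    return TOKEN_RE.findall(text.lower())

class Retriever:
    """TF-IDF cosine retriever; an embedding model would replace the vectors, not the flow."""
    def __init__(self, docs):
        self.docs = docs
        df = Counter()
        tfs = []
        for _tid, _name, desc in docs:        # only the description text is indexed
            tf = Counter(tokens(desc))
            tfs.append(tf)
            df.update(tf.keys())
        # A term present in every document (e.g. "adversaries") gets idf 0 and drops out.
        self.idf = {t: math.log(len(docs) / d) for t, d in df.items()}
        self._vecs = [self._vec(tf) for tf in tfs]

    def _vec(self, tf):
        # Terms outside the corpus vocabulary are skipped rather than smoothed.
        return {t: c * self.idf[t] for t, c in tf.items() if self.idf.get(t, 0.0) > 0}

    @staticmethod
    def _cos(a, b):
        dot = sum(w * b.get(t, 0.0) for t, w in a.items())
        na = math.sqrt(sum(w * w for w in a.values()))
        nb = math.sqrt(sum(w * w for w in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    def search(self, query, k=3):
        """Top-k (technique_id, name, score) with score > 0, deterministic on ties."""
        q = self._vec(Counter(tokens(query)))
        scored = sorted(((self._cos(q, v), i) for i, v in enumerate(self._vecs)),
                        key=lambda s: (-s[0], s[1]))
        return [(self.docs[i][0], self.docs[i][1], round(score, 3))
                for score, i in scored[:k] if score > 0]

def attack_context(retriever, alert_reason, k=3):
    """Render the retrieved techniques as the context block handed to the local LLM."""
    hits = retriever.search(alert_reason, k)
    lines = [f"- {tid} {name} (score {s})" for tid, name, s in hits]
    return hits, "Relevant ATT&CK techniques:\n" + "\n".join(lines)

if __name__ == "__main__":
    r = Retriever(KNOWLEDGE_BASE)
    _, ctx = attack_context(r, "Systematic port scan across 1000 ports, SYN flood pattern")
    print(ctx)
```

The retriever is deliberately dumb so the mechanics are visible; swapping `_vec` for a sentence-embedding call changes the ranking quality, not the pipeline shape. The empty result for a query with no vocabulary overlap matters too: the LLM should be told "no matching technique" rather than handed the least-bad candidate.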

Human-in-the-Loop, by Design
The most important architectural decision I made was making human approval mandatory for every high-impact action.

The system can recommend blocking an IP. It can recommend running an exploit. Neither happens without passing through the operator approval step; if the approval window expires, the timeout decision described above applies, and that default is as much a policy choice as any threshold. This is not a safety limitation — it is a feature. In security, a false positive that blocks legitimate traffic can be as damaging as the attack itself. The AI is fast and accurate. The human is accountable.

This principle — the system recommends, the operator decides — runs through every layer of the architecture.

What It Actually Looks Like
When an attack hits, the operator sees something like this in the pipeline output:

```json
{
  "src_ip": "10.x.x.x",
  "attack_category": "reconnaissance",
  "threat_score": 85,
  "confidence": 0.93,
  "recommended_action": "block_ip",
  "reason": "Systematic port scan across 1000 ports, SYN flood pattern, repeat offender",
  "audit_id": "a3be821f"
}
```

That output is the result of a real scan hitting the cluster: Snort caught it, the autoencoder passed it through, Mistral analyzed it, and the policy engine checked the IP's history in Redis. The analyst approved the block in the human-loop step; the firewall agent executed it and the audit record was written without anyone typing a command.

What Is Coming Next

The platform is actively developed. The next phases include Nuclei scanning as a distributed Kubernetes workload, full CVE correlation integrated into the detection pipeline, Metasploit execution via a dedicated cluster deployment, and a unified pentest orchestration pipeline that goes from recon to exploitation to PDF report in a single command.

The longer-term goal is to bring RAG-powered AI analysis to every component of the pipeline — not just anomaly detection, but CVE lookup, exploit selection, and remediation recommendations, all running on local models with no external dependencies.

Closing Thought

Security tooling should not require a dedicated team to operate. The building blocks — Kubernetes, Kafka, open-source LLMs, Snort, Metasploit — are all available. What was missing was an architecture that connected them into a coherent, automated, human-supervised pipeline.

That is what I built.

Get in Touch

If you are a security team that wants to explore what this looks like in a real environment, or you are simply curious about the platform, feel free to reach out directly:

LinkedIn: https://www.linkedin.com/in/alessio-marinelli-b302042a/

Email: marinelli_alessio@yahoo.it

Architecture diagrams and demo materials available on request. The codebase is proprietary.
