AIRecon: Open-Source Autonomous Penetration Testing Agent Runs Fully Offline with Local LLM and Kali Sandbox

Researcher pikpikcu has released AIRecon, an autonomous penetration testing agent that runs entirely offline by combining a self-hosted Ollama large language model with a Kali Linux Docker sandbox. Unlike commercial AI security tools that send target intelligence to external servers and require ongoing API subscriptions, AIRecon keeps all tool output, vulnerability reports, and session data on the operator's machine. This makes it particularly well-suited for bug bounty hunters and red teamers who operate under strict data-handling policies.

AIRecon structures every engagement through four automated phases, each with defined objectives, recommended tools, and automatic transition criteria. Phase enforcement is intentionally soft; the agent is guided but never blocked, and checkpoints fire every 5 iterations for phase evaluation, every 10 for self-evaluation, and every 15 for context compression. The full stack includes the Kali sandbox, browser automation, a custom fuzzer, Schemathesis API fuzzing, and Semgrep SAST for static source analysis.

One of AIRecon's standout features is its optional airecon-dataset companion, which indexes approximately 1.09 million security records into local SQLite FTS5 databases including CVEs, red team techniques, CTF writeups, Nuclei templates, and bug bounty payloads — all completely offline. The LLM autonomously calls dataset_search before attempting unfamiliar techniques, grounding its decisions in real indexed data rather than pure hallucination. Session memory persists in ~/.airecon/memory/airecon.db, storing findings, WAF bypass patterns, tool reliability scores, and per-target attack chain discoveries that shape future behavior.

AIRecon requires a model with native tool-calling support and extended thinking. Models below 8B parameters are strongly discouraged due to frequent hallucinations, invented CVEs, and unreliable tool calls. Recommended configurations include Qwen3.5 122B (48+ GB VRAM) for best quality, Qwen3.5 35B (20 GB) for most users, and Qwen3.5 9B (6 GB) as a minimum viable setup. The tool ships with 57 built-in skill files and 289 keyword-to-skill auto-mappings covering common offensive techniques, plus a community repository with 57 additional CLI-based playbooks for CTF, bug bounty, and penetration testing engagements.

Installation from GitHub requires Python 3.12+, Docker 20.10+, and a running Ollama instance, and can be completed in a single command. For operators without sufficient local VRAM, AIRecon supports a Google Colab T4 GPU tunnel setup via Cloudflare, allowing a free-tier Colab session to serve the model while AIRecon's TUI runs locally. The free T4 GPU (15 GB VRAM) supports qwen3.5:9b, though sessions are capped at 12 hours and are not suited for deep autonomous recon that exceeds that window.

AIRecon integrates natively with Caido proxy, offering five built-in tools: list, replay, automate (using §FUZZ§ markers), findings, and scope management. MCP server integration is also supported via ~/.airecon/mcp.json, allowing the agent to dynamically expose external tooling such as custom XSS generators or proprietary API scanners as first-class agent tools. The tool is designed to eliminate the prohibitive cost of commercial API-based models like GPT-4 or Claude for recursive recon workflows that can demand thousands of LLM calls per session.

The release of AIRecon represents a significant shift in the penetration testing landscape, offering a fully offline, open-source alternative to commercial AI-powered security tools. By keeping all data local and leveraging open-weight models, it addresses both cost and data sovereignty concerns that have limited adoption of AI in security assessments. As AI-driven red teaming tools continue to proliferate, AIRecon's approach of combining local LLMs with structured automation and offline datasets may set a new standard for privacy-conscious security testing.