ENNAENNA
|ENNA

Week 5: 16 New Tools, the AI Pentester Wave, and Real-Time Intelligence Dashboards

weekly-updatenew-toolsai-securityosintcloud-security

We are a day late this week. No excuse, just life. But we brought 16 new tools to make up for it, and the theme this week is unmistakable: AI is eating security tooling.

The AI Pentester Wave

Let us talk about what just happened. In the last six months, a new category of security tool has exploded onto GitHub and it is not just another scanner with a chatbot bolted on. These are autonomous agents that reason about code, plan multi-step attacks, and prove vulnerabilities by exploiting them.

Shannon (41,380 stars) is the headline. Built by Keygraph, it is a white-box AI pentester that reads your source code, identifies attack vectors through semantic understanding, and then executes real exploits to prove they work. Not theoretical findings. Not "this might be vulnerable." Actual proof-of-exploitation. It scored 96% on the XBOW benchmark and it is open source under AGPL-3.0. This is our Tool of the Week and honestly it might be Tool of the Year.

HexStrike AI (8,578 stars) takes a different approach. Instead of being a standalone scanner, it is an MCP server that gives AI coding assistants (Claude, GPT, Copilot) access to 150+ security tools. Your AI agent can now autonomously run Nmap, Nuclei, SQLMap, and dozens more through a unified interface. Think of it as the bridge between AI reasoning and security tool execution.

Decepticon (3,500 stars) from PurpleAI Lab is an autonomous red team agent that executes full kill chains. Recon through C2, every step mapped to MITRE ATT&CK, with a Neo4j knowledge graph tracking the attack surface as it discovers assets. It has configurable rules of engagement so it will not go out of scope, and produces detailed attack narratives explaining each decision.

RedAmon (1,800 stars) uses LangGraph for agent orchestration with 70+ integrated tools. Unique feature: when it finds a vulnerability, it automatically generates a fix PR for your repo. Offensive discovery, defensive remediation, one tool.

DeepAudit (5,900 stars) is the one that made us sit up. A multi-agent code auditing system from Tsinghua that has discovered 49 confirmed CVEs across 17 major open-source projects. When it finds something, it generates and executes a PoC in a sandbox to verify exploitability. Not pattern matching. Reasoning.

We are watching a category being born in real time. These are not toys. Shannon has more stars than Metasploit.

Real-Time Intelligence Dashboards

The other trend we could not ignore: GEOINT and situational awareness tools are having a moment.

WorldMonitor (53,643 stars) is a real-time global intelligence dashboard that aggregates 500+ feeds - news, satellite data, 92 market exchanges, flight tracking, maritime AIS, infrastructure monitors - onto an interactive 3D globe. AI-powered categorization via local Ollama models. Zero cloud dependencies. Over 53,000 stars makes it one of the highest-starred security-adjacent tools on all of GitHub.

Crucix (9,500 stars) is the personal version. 27 real-time feeds including satellite imagery, flight tracking, radiation monitoring, conflict data, and seismic activity on a single local dashboard. LLM integration for natural language querying across all sources. Completely local, no cloud.

ShadowBroker (6,000 stars) goes deep on geospatial: aircraft tracking, ship monitoring, satellite passes, 11,000+ public CCTV streams, and SAR anomaly detection. If you do any GEOINT work, this integrates feeds that used to require separate dashboards for each.

These three tools represent a shift in how OSINT practitioners work. Instead of jumping between flight trackers, ship maps, news aggregators, and satellite viewers, you get everything correlated in one place. We added all three.

16 New Tools (442 Total)

Here is everything we added this week by category. (Some tools we planned to add were already in the index under slightly different slugs - we caught that during validation.)

Web Scanning (2)

Shannon - autonomous AI pentester described above.

Lonkero (790 stars) is a Rust-based web app scanner focused on one thing: not wasting your time with false positives. ML-powered classification reduces false positive rate to about 5%. Proof-based XSS detection generates working payloads. The OOBZero engine handles blind SQLi. If you are tired of triaging hundreds of "possible" findings from other scanners, Lonkero is worth trying.

OSINT (6)

WorldMonitor, Crucix, and ShadowBroker - the GEOINT dashboards described above.

GHunt (18,900 stars) is an offensive Google framework that gathers intelligence from Google services. Maps reviews, Calendar events, Photos albums - given a Google account identifier, it maps their entire Google ecosystem presence. Has been around for a while but we somehow missed it until now.

User-Scanner (1,500 stars) combines email and username OSINT into one tool. 195+ scanning vectors (95 email checks, 100+ username sites) with bulk scanning and cross-referencing against infostealer logs. Faster than running Holehe and Sherlock separately.

Device Activity Tracker (4,900 stars) is a research PoC that exploits WhatsApp and Signal delivery receipt timing. By measuring RTT variations in delivery confirmations, it detects when a target device becomes active and when it changes networks. Academic research turned practical tool for understanding metadata leakage in encrypted messengers.

Offensive Ops (5)

HexStrike AI and Decepticon and RedAmon - the AI red team tools described above.

NetExec (5,500 stars) is the actively maintained successor to CrackMapExec. If you do AD pentesting, you already know about this one - SMB, WinRM, LDAP, SSH, MSSQL, RDP credential testing, hash passing, Kerberos, secret dumping. The BC-Security community took over when CME development stalled and it has only gotten better.

pspy (6,000 stars) is the unprivileged Linux process monitor that belongs in every pentester's toolkit. No root needed. It uses inotify and procfs scanning to show you cron jobs, systemd timers, and scheduled tasks executing in real time. Essential for privilege escalation enumeration in CTF and engagements.

Vulnerability (3)

DeepAudit - the multi-agent AI auditor described above.

Titus (539 stars) from Praetorian is a high-performance secrets scanner with Hyperscan acceleration, 487 detection rules, and ships as CLI + Go library + Burp extension + Chrome extension. The Burp extension catches leaked secrets in API responses during web app assessments. The Chrome extension finds them while browsing.

garak (3,200 stars) from NVIDIA scans LLMs for vulnerabilities. Prompt injection, jailbreaks, data leakage, hallucination, toxicity. 50+ attack probes with hundreds of prompt variants. If you deploy LLMs in production, this is your pre-flight safety check.

Cloud Recon (2)

Prowler (13,700 stars) is the multi-cloud security scanner with 595+ checks across AWS, Azure, GCP, and Kubernetes mapped to 43 compliance frameworks. Attack path analysis and ThreatScore prioritization make it useful for offensive testing too, not just compliance checkbox exercises.

CloudFox (2,400 stars) from BishopFox is the offensive counterpart. While Prowler tells you what is misconfigured, CloudFox tells you what you can actually exploit. 34 AWS commands and 60 GCP commands focused on privilege escalation, secrets in environment variables, and lateral movement paths.

Exploitation (2)

Commix (5,700 stars) is the SQLMap equivalent for OS command injection. Results-based, blind (time and file), and out-of-band techniques. Interactive pseudo-terminal once exploitation succeeds. Updated this month.

DllShimmer (741 stars) automates DLL hijacking exploitation. Feed it a target DLL, get a ready-to-compile proxy DLL with matching exports and C++ backdoor boilerplate. Turns a DLL hijack finding into a working payload in seconds.

Network Recon (1)

Sniffnet (37,274 stars) is a cross-platform network traffic monitor written in Rust. 6000+ protocol identification, PCAP export, IP geolocation, ASN lookup, and custom threshold notifications. The GUI is clean enough for non-technical users but the protocol depth satisfies professionals. 37k stars for good reason.

Dual Use (2)

Infisical (26,657 stars) is the open-source secrets management platform that replaces HashiCorp Vault for teams that want a modern UI without the complexity. Certificate lifecycle, dynamic secrets, RBAC, audit logging, Kubernetes and CI/CD integrations.

Tirith (2,300 stars) is terminal security for the AI agent era. It intercepts homograph URLs, pipe-to-shell attacks, ANSI injection, and obfuscated payloads in terminal output. 80+ detection rules updated daily. Particularly relevant now that AI coding agents execute terminal commands autonomously - Tirith prevents them from being tricked.

Threat Intel (1)

OpenCTI (9,200 stars) is the threat intelligence platform we should have added weeks ago. STIX2 native, knowledge graph visualization, 100+ connectors for automated feed ingestion, and integration with MISP, TheHive, and detection tools. The enterprise-grade CTI platform that is actually open source.

Site Improvements

Beyond tools, we made some changes to the site itself:

  • -Tool count updated across all pages - hero section, stats, metadata all reflect 442
  • -New "AI Security" tag applied to Shannon, HexStrike AI, Decepticon, RedAmon, DeepAudit, and garak
  • -GEOINT tools cross-linked - WorldMonitor, Crucix, and ShadowBroker reference each other as alternatives
  • -Cloud tools properly connected - Prowler, CloudFox, ScoutSuite, and Pacu now form a complete alternatives network

Stats

  • -442 tools across 19 categories
  • -17 workflows with step-by-step guidance
  • -12 tool chains for common pipelines
  • -10 cheat sheets for quick reference
  • -5 new tools with 10k+ stars added this week alone

What We Are Watching

The AI pentester space is moving fast. We expect to see more MCP-integrated security tools in the coming weeks as the protocol becomes standard for AI agent tool access. We are also tracking the emergence of defensive tools specifically designed to protect AI agents from manipulation (Tirith is the first, more are coming).

We are also looking at adding an "AI Security" category. Right now these tools are spread across web-scanning, offensive-ops, vulnerability, and dual-use. They might deserve their own home.

See you next Monday. For real this time.

Tool of the Week

Shannon

TypeScript · 41.4k stars · web-scanning

Shannon rewrites what a vulnerability scanner can be. Instead of matching patterns or fuzzing inputs, it reads your source code, understands application logic, identifies attack vectors, and then executes real exploits to prove the vulnerability exists. It scored 96% on the XBOW benchmark, outperforming every traditional scanner on complex multi-step chains. 41,000 stars in under 8 months tells you the industry agrees - this is the future of application security testing. If you ship web apps, Shannon should be in your CI pipeline yesterday.

View Shannon on ENNA

Weekly Newsletter

New tools, updates, and changes delivered every Monday morning.

Subscribe on Substack