Offensive Security Framework

Pentit v2

Modular AI-driven penetration testing framework and the execution engine of the RootVector platform. 15+ modules spanning passive recon, active scanning, vulnerability analysis, and an OODA-loop reasoning engine that autonomously decides the next attack vector.

Python 3.11 · Nmap · OpenAI / Claude API · Threading

The execution engine of the RootVector offensive security platform. Pentit automates the full penetration testing lifecycle — from passive reconnaissance through active scanning to AI-driven exploit recommendation — using an OODA-loop workflow engine that autonomously decides what to attack next.

Pentit is not a wrapper around Nmap. It's an orchestration framework that chains 15+ specialized modules together, uses LLM-powered reasoning to analyze results in real time, and produces actionable reports with CVE references, Metasploit module suggestions, and full AI reasoning traces.

The RootVector Platform

Pentit is one half of a two-tool offensive security ecosystem:

Mapit continuously maps the external attack surface — subdomains, exposed ports, forgotten assets. When it finds something exploitable, it feeds the target directly into Pentit, which fires the OODA loop and validates whether the vulnerability is actually exploitable.

This is the same architecture used by enterprise offensive platforms like Horizon3.ai's NodeZero and Buguard's Dark Atlas.

OODA Loop — The Decision Engine

The core differentiator. After each scan phase, the AI doesn't just dump results — it makes decisions:

```text
┌──────────┐
│ OBSERVE  │  Collect scan data (ports, banners, CVEs)
└────┬─────┘
┌────▼─────┐
│  ORIENT  │  AI analyzes context and compares data
└────┬─────┘
┌────▼─────┐
│  DECIDE  │  AI determines the best attack vector
└────┬─────┘
┌────▼─────┐
│   ACT    │  Fires targeted exploit, loops back
└──────────┘
```

The reasoning engine (ai/reasoning_engine.py) maintains full context across the entire scan session. When it's analyzing port 443, it remembers what it found on port 80. This cross-correlation is what separates intelligent automation from blind scanning.

Module Architecture

pentit/
├── ai/                    # LLM-powered reasoning layer
│   ├── reasoning_engine.py    # OODA-loop decision engine
│   ├── prompt_engineering.py  # Structured vulnerability prompts
│   ├── context_manager.py     # Cross-phase state persistence
│   ├── providers.py           # OpenAI + Anthropic API support
│   └── tool_calling.py        # LLM function-calling interface
│
├── core/                  # Pipeline orchestration
│   ├── orchestrator.py        # Main pipeline controller
│   ├── planner.py             # Scan sequence planning
│   ├── decision_engine.py     # Escalate / pivot / report logic
│   ├── session_manager.py     # Save and resume interrupted scans
│   └── memory.py              # Cross-session learning persistence
│
├── recon/
│   ├── passive/           # WHOIS, DNS, subdomain enumeration
│   └── active/            # Service probing, banner grabbing
│
├── scanning/              # Port scanning, OS fingerprinting
├── vulns/                 # CVE matching engine
├── web_vulns/             # Web application vulnerability checks
├── network_vulns/         # Network-level vulnerability assessment
├── enum/                  # Service enumeration modules
├── exploit/               # Exploit suggestion and validation
├── reports/               # Markdown + PDF report generation
├── cli/                   # Command-line interface
├── config/                # YAML-based scan profiles
├── tools/                 # Nmap, WHOIS, DNS wrapper utilities
└── utils/                 # Shared helpers

AI Integration

The AI layer is built on structured prompt engineering with function-calling capabilities:

Provider Support: Both OpenAI and Anthropic APIs. The providers.py module abstracts the API differences so the reasoning engine works identically with GPT-4 or Claude.

Context Management: The context_manager.py maintains a sliding window of scan results. Each new finding is injected into the AI's context alongside all previous discoveries. This enables reasoning like: "The web server on port 80 redirects to HTTPS on 443 using a self-signed certificate. Combined with the outdated Apache version, this suggests a staging server that was never properly hardened."

Tool Calling: The tool_calling.py implements LLM function-calling so the AI can autonomously select which Pentit module to run next. Instead of following a rigid scan sequence, the AI adapts its approach based on what it finds.

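```python
import concurrent.futures
import threading

# NmapWrapper is not defined in this snippet; it is assumed to be the project's
# Nmap wrapper (the tree above lists wrapper utilities under tools/).


class PentitScanner:
    """Threaded scanner with lock-safe result aggregation."""

    def __init__(self, targets, ports):
        self.targets = targets
        self.ports = ports
        self.results = []
        self.lock = threading.Lock()

    def _scan_target(self, ip):
        output = NmapWrapper.execute(ip, self.ports, stealth_mode=True)
        # Workers append concurrently, so guard the shared list.
        with self.lock:
            self.results.append(output)

    def run(self):
        with concurrent.futures.ThreadPoolExecutor(max_workers=20) as pool:
            # Consume the iterator so an exception raised in a worker surfaces
            # here instead of being silently dropped.
            list(pool.map(self._scan_target, self.targets))
        return self.results
```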
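When a model chooses the next module, as the Tool Calling paragraph describes, the dispatcher is the place to enforce the engagement scope. The following is an added example, not code from the Pentit project: the module names, argument keys, and scope ranges are assumptions, and the sample calls are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical module names; the page does not list Pentit's real tool registry.
ALLOWED_MODULES = {"passive_recon", "port_scan", "service_enum", "cve_match"}
# Constructed engagement scope (RFC 5737 documentation ranges).
SCOPE = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.16/28")]

@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str

def gate_tool_call(call, scope=SCOPE, allowed=ALLOWED_MODULES) -> Verdict:
    """Validate one model-proposed tool call before any module runs."""
    if not isinstance(call, dict):
        return Verdict(False, "call is not an object")
    module = call.get("module")
    if not isinstance(module, str) or module not in allowed:
        return Verdict(False, f"module not registered: {module!r}")
    args = call.get("arguments")
    if not isinstance(args, dict) or set(args) - {"target", "ports"}:
        return Verdict(False, "arguments missing or contain unexpected keys")
    try:
        # Literal IPs only, so a hostname cannot resolve out of scope later.
        target = ipaddress.ip_address(str(args.get("target")))
    except ValueError:
        return Verdict(False, "target is not a literal IP address")
    if not any(target in net for net in scope):
        return Verdict(False, f"target outside engagement scope: {target}")
    ports = args.get("ports", [])
    if not isinstance(ports, list) or not all(type(p) is int and 1 <= p <= 65535 for p in ports):
        return Verdict(False, "ports must be a list of integers in 1-65535")
    return Verdict(True, "ok")

def audit(calls):
    """Return (call, verdict) pairs so refused proposals land in the reasoning trace."""
    return [(c, gate_tool_call(c)) for c in calls]

# Constructed sample of model output, including proposals that must be refused.
SAMPLE_CALLS = [
    {"module": "port_scan", "arguments": {"target": "192.0.2.10", "ports": [80, 443]}},
    {"module": "port_scan", "arguments": {"target": "203.0.113.5", "ports": [22]}},
    {"module": "run_shell", "arguments": {"target": "192.0.2.10"}},
    {"module": "service_enum", "arguments": {"target": "192.0.2.10", "ports": [70000]}},
]

print(*[f"{v.allowed}: {v.reason}" for _, v in audit(SAMPLE_CALLS)], sep="\n")
```

Recording the refused calls alongside the accepted ones keeps the AI reasoning trace honest about what the model tried to do, not only what was executed.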

Report Generation

All results export to structured Markdown reports with:

  • CVE references linked to NVD entries
  • Metasploit module suggestions for validated vulnerabilities
  • AI reasoning traces showing why each decision was made
  • Risk severity ratings (Critical / High / Medium / Low / Info)
  • Remediation steps generated by the AI based on the specific finding

The -it Ecosystem Vision

Pentit is part of a larger product family built on a consistent naming convention:

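| Module  | Function                      | Status                  |
|---------|-------------------------------|-------------------------|
| pentit  | Automated penetration testing | v2 — Active development |
| mapit   | Attack surface management     | Architecture defined    |
| traceit | Attack path analysis          | Planned                 |
| fixit   | Remediation automation        | Planned                 |
| watchit | Continuous monitoring         | Planned                 |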

This follows the HashiCorp model (Terraform, Vault, Consul) — a recognizable ecosystem where each tool does one thing extremely well, but they integrate seamlessly under the RootVector platform umbrella.

Tech Stack

| Component   | Technology                              |
|-------------|-----------------------------------------|
| Language    | Python 3.11                             |
| Scanning    | Nmap, custom DNS resolvers, WHOIS       |
| AI          | OpenAI GPT-4 / Anthropic Claude API     |
| Concurrency | ThreadPoolExecutor, asyncio             |
| Output      | Structured Markdown + PDF reports       |
| Install     | `pip install -e .` then `pentit --help` |

Pentit is intended for authorized penetration testing and educational purposes only.