pentool is a free, open-source command-line pentest toolkit — 5 subcommands, 17 modules, a scriptable engine for external scans, code audits, and Claude-assisted review. pentoolui is an optional local UI that drives it from your browser when the terminal isn't enough.
# the toolkit is just a command — scriptable, CI-friendly
$ pentool scan -t https://app.example.com
$ pentool audit ./src
$ pentool review external.json internal.json --audience developer
findings, severity-sorted:
  CRITICAL  Auth bypass on /api/admin/reset
  HIGH      Reflected XSS in search?q=
  …prioritized by Claude
The core project · 100% free
Everything the project does lives in the CLI. It's free, open source, and works standalone — no UI, no license, no account required. Clone it, build it, script it into your pipeline.
pentool scan probes a live target — recon, fuzzing, and vulnerability checks across 17 modules.
pentool audit walks a local source tree and runs baseline checks, optionally Claude-assisted.
pentool review turns raw findings into a prioritized, audience-tuned report. Use a metered API key or your Pro/Max subscription.
Plain CLI with JSON output and a self-describing flag manifest. Drop it straight into your automation.
Severity-tagged JSON reports you can diff, archive, or feed back into the review step.
Runs on your machine. Nothing is sent anywhere except the Claude calls you explicitly opt into.
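The JSON reports are what make the CLI scriptable: a CI job can gate on severity and diff two runs to surface only new findings before handing the result to the review step. The script below is an added example, not code from the pentool project, and it assumes a report layout ({"findings": [{"severity", "title", "location"}]}) that this page does not document; the two embedded reports are constructed sample data, not real pentool output.

```python
"""Severity gate and run-to-run diff for pentool-style JSON reports.

Added example, not part of pentool. The report schema below is an
assumption; adapt the field names to the real `pentool scan` output.
"""
import json
import sys

# Rank order used for sorting and for the CI threshold.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample reports (assumed schema), standing in for two scan runs.
PREVIOUS_REPORT = json.dumps({"findings": [
    {"severity": "HIGH", "title": "Reflected XSS", "location": "search?q="},
]})
CURRENT_REPORT = json.dumps({"findings": [
    {"severity": "LOW", "title": "Missing security header", "location": "/"},
    {"severity": "HIGH", "title": "Reflected XSS", "location": "search?q="},
    {"severity": "CRITICAL", "title": "Auth bypass", "location": "/api/admin/reset"},
]})


def rank(finding: dict) -> int:
    """Numeric severity of a finding; unknown or missing severities rank lowest."""
    return SEVERITY_RANK.get(str(finding.get("severity", "INFO")).upper(), 0)


def load_findings(report_json: str) -> list:
    """Parse a report document and return its findings list (empty if absent)."""
    return json.loads(report_json).get("findings", [])


def sort_by_severity(findings: list) -> list:
    """Highest severity first; stable, so equal severities keep report order."""
    return sorted(findings, key=rank, reverse=True)


def finding_key(finding: dict) -> tuple:
    """Identity used for diffing: severity + title + location."""
    return (str(finding.get("severity", "")).upper(),
            finding.get("title", ""), finding.get("location", ""))


def new_findings(previous: list, current: list) -> list:
    """Findings present in the current run but absent from the previous one."""
    seen = {finding_key(f) for f in previous}
    return [f for f in current if finding_key(f) not in seen]


def gate(findings: list, fail_on: str = "HIGH") -> tuple:
    """Return (passed, blocking) where blocking holds findings at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [f for f in findings if rank(f) >= threshold]
    return (len(blocking) == 0, sort_by_severity(blocking))


def main(argv: list) -> int:
    """Usage: gate.py previous.json current.json [FAIL_ON]; exit 1 on blocking findings."""
    if len(argv) < 3:
        print("usage: gate.py previous.json current.json [FAIL_ON]", file=sys.stderr)
        return 2
    with open(argv[1]) as fh:
        previous = load_findings(fh.read())
    with open(argv[2]) as fh:
        current = load_findings(fh.read())
    fail_on = argv[3] if len(argv) > 3 else "HIGH"
    for f in sort_by_severity(new_findings(previous, current)):
        print(f"NEW  {f['severity']:<8} {f['title']} ({f['location']})")
    passed, blocking = gate(current, fail_on)
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['title']} ({f['location']})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Diffing on (severity, title, location) rather than on the raw JSON keeps the comparison stable across runs whose timestamps or ordering differ; the threshold is a plain argument so a pipeline can block on CRITICAL only while still printing everything new.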
Optional add-on
The CLI has 130+ flags. ptui is a single Go binary that wraps it in a local web app, so you can drive long engagements from a form instead of memorizing flags. It's entirely optional — the toolkit works fine without it.
A thin wrapper, not a re-implementation: ptui shells out to pentool and parses its output. The form is auto-generated from the CLI's own manifest, so the UI is always in sync.
# full assessment — one job, three phases
▸ scan    https://app.example.com    done
▸ audit   ./src                      done
▸ review  external + internal        done
live SSE progress · per-job log tail
report viewer with severity badges
Auto-generated from pentool describe. Mode-conditional fields, path validation on blur — no memorizing flags.
Watch each phase stream in real time over Server-Sent Events, with a per-job log tail that auto-refreshes.
Chain scan → audit → review in one job; each step's report feeds the next, phase transitions stamped into the stream.
Drive a real Chromium browser through CSRF / OIDC / JS logins; cookies + auth headers pre-fill into the scan form.
Browse, search, and re-render past reports with severity badges and a Claude-prioritized banner on review reports.
Embedded assets, opens in your browser, binds 127.0.0.1 only. No phone-home — license verification is fully offline.
Whether you run them as raw CLI commands or pick them from the UI, each mode maps to one or more pentool invocations.
pentool scan -t <url> — black-box scan of a live target.
pentool audit <source-dir> — code audit of a local source tree.
scan → audit → review chained sequentially, each report injected into the next step.
pentool review <report.json> — re-run Claude review over reports you already have.
Local-first by design — suitable for airgapped work, whether you use the CLI alone or with the UI.
The UI binds 127.0.0.1, never 0.0.0.0, so its traffic never leaves the box.
The CLI is, and always will be, free and open source. The optional UI is a one-time $30 — no subscription, portable across your machines.
A single self-contained binary — run it and it opens in your browser at http://127.0.0.1:7842. You'll also need the free pentool CLI on your PATH.
Prefer the free CLI only? github.com/pjmdevelopment/pentool