PhantomRed: An Autonomous AI-Powered Penetration Testing Platform with a Consent-First Ethical Framework
Description
Penetration testing remains a cornerstone of modern cybersecurity practice, yet its adoption is hindered by high cost, scarce expertise, and time-intensive manual workflows. We present PhantomRed, an autonomous penetration testing platform that combines a ReAct-based AI agent loop, a multi-tool reconnaissance and vulnerability scanning pipeline, and an AI-driven analysis layer to deliver end-to-end security assessments with minimal human effort. PhantomRed integrates industry-standard open-source tools—Nmap, Nuclei, FFUF, and SQLMap—with a locally hosted Llama 3 8B language model to reason over findings and dispatch targeted follow-up probes. A central design principle is a consent-first ethical framework: every scan requires explicit target pre-authorization via a scope.json manifest, a hard confirmation gate, and a blocklist preventing scans of critical infrastructure. Evaluation on the publicly authorized target scanme.nmap.org demonstrates that PhantomRed surfaces six distinct findings—including CVE-2023-48795 (CVSS 5.9)—in approximately four minutes, compared to an estimated 30–45 minutes for an experienced manual tester. PhantomRed is publicly accessible at phantomred.com under a free tier requiring no payment information.
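A minimal sketch of the consent-first gate described above, added here as an illustration and not taken from PhantomRed's code or paper. The scope.json field names, the blocklist entries, and the function names are all assumptions.

```python
import ipaddress
import json

# Constructed sample manifest; field names are assumptions, not PhantomRed's schema.
SCOPE_JSON = '{"authorized_by": "owner@example.org", "targets": ["scanme.nmap.org", "192.0.2.0/24"]}'
# Constructed blocklist standing in for "critical infrastructure" (assumption).
BLOCKED_SUFFIXES = (".gov", ".mil")
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def in_scope(target, entries):
    """Exact hostname match, or IP membership in a listed address or CIDR."""
    ip = _as_ip(target)
    for entry in entries:
        if not isinstance(entry, str):
            continue
        if ip is None:
            if target == entry.lower().rstrip("."):
                return True
            continue
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # hostname entry cannot match an IP target
    return False

def authorize(target, scope_text, confirmed):
    """Return (allowed, reason); every failure path denies the scan."""
    target = target.strip().lower().rstrip(".")
    try:
        entries = json.loads(scope_text)["targets"]
    except (ValueError, KeyError, TypeError):
        return False, "invalid scope manifest"
    ip = _as_ip(target)
    if target.endswith(BLOCKED_SUFFIXES) or (ip is not None and any(ip in n for n in BLOCKED_NETS)):
        return False, "blocklisted"  # blocklist wins even if the manifest lists it
    if not isinstance(entries, list) or not in_scope(target, entries):
        return False, "not in scope"
    if confirmed is not True:
        return False, "confirmation required"
    return True, "authorized"
```

Hostnames match exactly, so a subdomain of an authorized host is denied unless it is listed itself, and the blocklist is checked before the manifest so a manifest entry cannot override it.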
Files
| Name | Size |
|---|---|
| phantomred_paper_final.pdf (md5:fd7732615abe2f49fca4487c4f8ef120) | 253.3 kB |