Autonomous offensive security AI for guiding pentest processes
EVA is an AI penetration testing agent that guides users through complete pentest engagements with AI-powered attack strategy, autonomous command generation, and real-time vulnerability analysis based on outputs. The goal is not to replace the pentest professional but to guide and assist and provide faster results.
- ๐ Intelligent Reasoning: Advanced AI-driven analysis and attack path identification depending on query.
- โตข Automated Enumeration: Systematic target reconnaissance and information gathering based on provided target.
- ๊ Vulnerability Assessment: AI-powered vulnerability identification and exploitation strategies, suggesting next steps for vulnerability or OSINT.
- โ Multiple AI Backends: Support for Ollama, OpenAI GPT, G4F.dev and custom API endpoints
- ใ Session Management: Persistent sessions and chats
- โ Interactive Interface: Real-time command execution and analysis of output in multi-stage.
graph TD
A[๐ EVA Launch] --> B{๐ขง Session Selection}
B -->|Existing Session| C[๐ขง Load Session Data]
B -->|New Session| D[฿ญ Initialize Session]
C --> E[ใ Select AI Backend]
D --> E
E --> F[๐ฆ Ollama Local]
E --> G[โฌก OpenAI GPT]
E --> H[โ
Custom API]
E --> I[๐
G4F.dev Provider]
F --> J[Pentest Shell]
G --> J
H --> J
I --> J
J --> K[โ Target Definition]
K --> L[๐ง AI Pentest Strategy]
L --> M[๐ฏ Reconnaissance Phase]
M --> N[โค_ Execute Commands]
N --> O[๊ Analyze Results]
O --> P{แ Vulnerabilities Found?}
P -->|Yes| Q[๐ง Exploitation Planning]
P -->|No| R[โญฏ More Enumeration]
R --> L
Q --> S[โก Exploitation Phase]
Q --> T[Export graphs and mapped networks
- IN DEVELOPMENT -]
S --> U[โค_ Execute Exploit]
U --> V{๐ Access Gained?}
V -->|Yes| W[๐ฑ Privilege Escalation]
V -->|Failed| X[โญฏ Alternative Methods]
X --> Q
W --> Y[๐ฆ Post-Exploitation]
Y --> Z{๐ Objectives Met?}
Z -->|Generate Report| AA[๐ Generate Report
- IN DEVELOPMENT -]
Z -->|Exit and Save| AB[๐พ Save & Exit]
Z -->|No| AC[๐ Continue Pentest]
AC --> L
AA --> AB
subgraph "๐ EVA "
AD[โฏ Attack Strategy AI]
AE[๐ต Session Memory]
AF[แฎ Vulnerability Analysis]
AG[CVE DATABASE SEARCH
- IN DEVELOPMENT -]
AH[๐ฐฌ Output Processing]
end
L --> AD
AD --> AE
O --> AF
AF --> AG
AG --> AH
AH --> L
# Ollama for local endpoint (optional)
curl -fsSL https://ollama.ai/install.sh | shr
# EVA installation
git clone https://github.com/ARCANGEL0/EVA.git
cd EVA
chmod +x eva.py
./eva.py
# Adding it to PATH to be acessible anywhere
sudo mv eva.py /usr/local/bin/evaWhen starting EVA, it will automatically handle:
- โ OpenAI API key setup (if using GPT backend)
- โ Ollama model download (WhiteRabbit-Neo, feel free to change to any other desired model)
- โ Session directory creation
- โ Dependencies installation
If you wish to modify endpoints, ollama models or other: you can find these options in the config section at eva.py
Also, YES. I am aware it is a one-file only script and it ain't good coding practices, I've heard complaints about why not splitting into modules. i PURPOSELY made as one file only to be run as a single run easier on path, if you want to split, just fork it and copy paste to different .py files and set EVA as modular rather than one-file.
~/.config/eva/
โโโ sessions/ # Session storage
โ โโโ session1.json
โ โโโ session2.json
โ โโโ ...
โโโ eva.py # original file
โโโ .env # API keys (auto-generated)
# Key Configuration Options
API_ENDPOINT = "" # This is the custom API URL.
G4F_MODEL = "gpt-5-1-instant"
OLLAMA_MODEL = "jimscard/whiterabbit-neo:latest" # change ollama model as you wish, most recommended one is whiterabbit
CONFIG_DIR = Path.home() / ".config" / "eva" # config folder for EVA
SESSIONS_DIR = CONFIG_DIR / "sessions" # where to store EVA sessionspython3 eva.py- Select Session: Choose existing session or create new one
- Choose AI Backend:
- Ollama (Recommended): Local AI with WhiteRabbit-Neo model
- GPT-5: OpenAI's latest model (requires API key)
- G4F: Uses g4f.dev endpoints with model GPT 5-1, feel free to change model used.
- Custom API: Your own API endpoint if desired
- In the input field of chat, type in your request or what you need assistance with for EVA to help you!
USER > i need help with a CTF machine, ip is 10.10.16.81
After making a request, commands will be provided and the pentest workflow will start, use commands below as reference.
| Command | Description |
|---|---|
/exit / /quit |
Exit EVA and save session |
/model |
Change AI backend |
/menu |
Return to session menu |
R |
Run suggested command |
S |
Skip command |
A |
Ask for next step |
Q |
Quit session |
demonstration video.
USER > I'm on a Windows target at IP 10.10.11.95, what should I enumerate first?
[ANALYSIS]
Based on the Windows environment, I need to perform comprehensive
enumeration focusing on:
1. System Information (OS version, patches, architecture)
2. Network Services (ports, services, listening processes)
3. User Context (current user, groups, privileges)
4. Security Controls (AV, firewall, UAC settings)
5. Potential Attack Vectors (SMB, RDP, IIS, etc.)
Let me start with basic system reconnaissance to understand the target better...
> execute: nmap -sC -sV -O 10.10.10.10
| [R]un | [S]kip | [A]sk | [Q]uit |
> R
- Model:
jimscard/whiterabbit-neo:latest(best one for OffSec)- โ Complete offline operation
- โ No API costs
- โ Privacy-focused
- โ Higher CPU/GPU usage, recommended for machines above 16GB VRAM/RAM
- โ Heavier model, ~9.8gb model
- Models: GPT-5, GPT-4.1 (fallback)
- About:
- โ Faster reasoning
- โ Extensive knowledge base
- โ Continuous updates
- โ Paid, requires apikey
- Models: GPT-5-1
- About:
- โ Updated information in real-time (usually)
- โ Quick responses
- โ Might be unstable or down sometimes, low stability.
- Endpoint: Configurable in
API_ENDPOINTto use your own as you wish. - About:
- โ Custom model integration
- โ Modifiable as you wish
- โฌข OpenAI integration: Integrated OpenAI into EVA
- โฌข G4F.DEV: Added G4F endpoints to free GPT5 usage.
- โฌข Custom API: Add custom endpoint besides ollama and OpenAI
- โฌก Automated Reporting: PDF/HTML report generation
- โฌก Cloud Integration: AWS/GCP deployment ready
- โฌก CVE Database Integration: Real-time vulnerability data
- โฌก Web Interface: Browser-based EVA dashboard
- โฌก Visual Attack Maps: Interactive network diagrams such as connections or such, like Kerberos domains and AD devices.
CTF (Capture The Flag) competitions
Authorized penetration testing
Security research and laboratory environments
Systems you own or have explicit permission to test
Unauthorized access to any system
Illegal or malicious activities
Production systems without explicit authorization
Networks you do not own or control
I take no responsibility for misuse, illegal activity, or unauthorized use.
Any and all consequences are the sole responsibility of the user.
MIT License
Copyright (c) 2025 EVA - Exploit Vector Agent
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Hack the world. Byte by Byte. โ
๐บ๐ฟ๐ฐ๐ฎ๐ป๐ด๐ฒ๐น๐ผ @ 2025