The autonomous offensive security platform.

80+ integrated tools — every one coordinated by AI

Why Darkmoon

Not a scanner. An autonomous security conductor.

Core engine

Multi-agent dispatch14 signals

The master agent detects 14 technology signals and routes the campaign to the right specialists — sequential or parallel, with cascade depth capped at three levels so there is never runaway recursion.

#recon#web#k8s#ad
Streaming

Live SSE streamrealtime

Every finding, infrastructure node and agent event streams to the dashboard the instant it happens.

#sse#events
Export

Publication-ready reportsISO 27001

ISO 27001, HackerOne and Bugcrowd formats — Markdown and branded, password-protected PDF with CVSS 3.1 scoring and MITRE ATT&CK mapping.

#pdf#cvss#mitre
Sealed

Hardened runtimeAES-256

Sealed storage, hardware-bound licensing and a continuous integrity watchdog.

#seccomp

Pricing

Open source at the core. One licence to run the full autonomous platform.

MonthlyYearly

Community

Open source — self-host it forever

Free

Free forever — GPLv3

  • Full autonomous engine on GitHub
  • GPLv3 — audit & modify freely
  • 18 AI agents + 80 integrated tools
  • MCP-gatekept tool execution
  • Community support

Pro

For professional pentesters & teams

€149

Billed €1788 annually

Everything in Community, and:

  • Hardened, sealed runtime
  • Managed live command center
  • All report formats & branded PDF
  • Hardware-bound licence
  • Priority email support

Custom

For enterprises, MSSPs & resellers

Let's talk

Tailored to your scope

Everything in Pro, and:

  • Multi-seat shared workspace
  • Custom report branding
  • Partner / reseller program
  • Dedicated onboarding & SLA
AI agents

18 specialists. One orchestrator. Zero manual pivoting.

11 classes

Full-stack exploitationWeb & API

SQLi, XSS, SSRF, IDOR, RCE, SSTI, deserialization, JWT abuse, file upload and path traversal — validated with real payloads, not signatures.

#sqli#xss#rce
14 phases

Kubernetes attack chainInfrastructure

RBAC escalation, DIND exploitation, node escape, etcd SSRF, privileged container breakout, crypto-miner detection and CIS benchmarking.

#rbac#etcd#cis
8 phases

Active Directory takeoverIdentity

AS-REP roasting, Kerberoasting, BloodHound, NTLM relay, LSASS dump, DCSync and ADCS ESC1–ESC8, Golden & Silver tickets.

#kerberos#ntlm#adcs
Runtime security

Built like a vault.
Runs like a weapon.

30s reseal

AES-256-GCM sealed storageat rest

Agents and workflows are encrypted at rest. Keys derive from your licence and hardware fingerprint, resealed every 30 seconds.

#aes-256
SHA-256

Hardware-bound licensingmachine code

Machine code derives from MAC address and CPU model. No deployment ID to spoof, no env var to manipulate.

#fingerprint
2s checks

Binary integrity watchdogcontinuous

SHA-256 hashes of critical binaries are re-verified every 2 seconds. Any tampering triggers an immediate zeroize.

#watchdog
Live scan

Debugger & tracer detectionanti-tamper

Continuous scanning for gdb, strace, ltrace, frida and lldb. Any tracer triggers a breach and full state zeroize.

#frida#gdb
UID 10001

Read-only rootfs + seccompsandbox

Read-only filesystem, tmpfs writable paths, seccomp and no-new-privileges. The process runs unprivileged.

#seccomp
Scrubbed

Secret redaction in logsstdout/stderr

Every model API key and the licence key are scrubbed from stdout and stderr before any log output.

#redaction
Open source

The model plans. It never gets a shell.

Darkmoon's architecture is its security guarantee — and it's fully auditable. The AI reasons and writes the plan. An MCP gateway gatekeeps every tool call. Read it, then run it yourself.

# clone the open-source engine
$ git clone github.com/ASCIT31/Dark-Moon
$ cd Dark-Moon
# launch a campaign
$ ./darkmoon.sh "TARGET: acme.test"
✓ recon complete · 14 tech signals
✓ 6 agents dispatched · streaming live
Get started

Three ways to run Darkmoon.

Licence

Get the Darkmoon licenceself-hosted

Run the full platform on your own infrastructure. Hardware-bound licence, Docker install, monthly or annual.

#docker#self-host
Service

Pentest on Demandmanaged

Describe your target, sign the framework online, pay a flat rate. Our experts run it and deliver a debriefed report.

#managed
Partner

Partner Programresellers

Resell Darkmoon under your own commercial wrapper. One dashboard, every licence, Stripe-powered billing built in.

#reseller#mssp
Pentest on DemandManaged
€799/ engagement
  • Legal framework & authorizations included
  • Run end to end by our security experts
  • Debriefed report in a secure client space
Managed service

Don't self-host? We run the pentest for you.

Describe your target, sign the framework online, pay a flat rate — our experts run the full offensive engagement and deliver a debriefed, evidence-backed report to your secure client space.

FAQ

Questions security teams ask first.

How is Darkmoon different from a vulnerability scanner?Platform

Darkmoon orchestrates an end-to-end offensive campaign — it reasons about the target, dispatches domain specialists, validates findings with real payloads, builds an infrastructure graph and produces a structured report. A scanner runs one-pass signatures. Darkmoon runs a pentest.

Why does the AI never get shell access?Architecture

By design. The model plans and reasons, but every tool invocation passes through an MCP gateway that validates and gatekeeps the call. The model never executes a shell directly — which keeps the engagement auditable, bounded and safe. The whole architecture is open source.

Is Darkmoon really open source?Open source

Yes. The engine is published on GitHub at ASCIT31/Dark-Moon under the GPLv3 licence. You can read the orchestration logic, the agent playbooks and the MCP layer, and self-host it. The commercial licence adds the hardened runtime, the managed dashboard and support.

What report formats does Darkmoon produce?Reporting

ISO 27001 standard, HackerOne, Bugcrowd (VRT / P1–P5) and a custom format. Every report includes CVSS 3.1 scoring, MITRE ATT&CK mapping, ISO 27001 controls, raw evidence and remediation guidance. PDF export is branded and password-protected.

How does licensing work?Licensing

Darkmoon uses hardware-bound licensing. Your licence key is tied to a machine fingerprint derived from your hardware (MAC address, CPU model) — it cannot be cloned or moved to another machine by changing an environment variable.

Is it safe to run against production environments?Safety

Darkmoon includes configurable noise levels (stealth, low, moderate), safe-harbor mode, out-of-scope enforcement and per-agent scope propagation. The runtime is hardened with a read-only filesystem, seccomp, no-new-privileges and continuous watchdog checks.

Replace static pentests with autonomous security testing.

Live visibility, validated evidence and a report your team can act on the same day.