The autonomous offensive security platform.

18AI agents
80+Tools
LiveSSE dashboard
AES-256Sealed runtime
camp_20260426_3d2f · 172.19.0.3
Running
Projects
0
Targets
0
Campaigns
0
Vulns
0
Vulnerabilities · by severity57 total
Critical
014.0%
High
042.1%
Medium
036.8%
Low
07.0%
Last 6 campaigns · vulnsavg 39
02957
3d2f
a1b2
e5f6
c9d0
a3b4
f1e2
Agent event streamlive

80+ integrated tools — every one coordinated by AI

subfinder
httpx
naabu
katana
nuclei
ffuf
wpscan
sqlmap
hydra
hashcat
netexec
bloodhound
impacket
mimikatz
kubectl
kubescape
whatweb
wafw00f
arjun
playwright
Why Darkmoon

      Not a scanner. An autonomous security conductor.

Core engine

Multi-agent dispatch14 signals

The master agent detects 14 technology signals and routes the campaign to the right specialists — sequential or parallel, with cascade depth capped at three levels so there is never runaway recursion.

#recon#web#k8s#ad
Explore →
Streaming

Live SSE streamrealtime

Every finding, infrastructure node and agent event streams to the dashboard the instant it happens.

#sse#events
Explore →
Export

Publication-ready reportsISO 27001

ISO 27001, HackerOne and Bugcrowd formats — Markdown and branded, password-protected PDF with CVSS 3.1 scoring and MITRE ATT&CK mapping.

#pdf#cvss#mitre
Explore →
Sealed

Hardened runtimeAES-256

Sealed storage, hardware-bound licensing and a continuous integrity watchdog.

#seccomp
Explore →

Infrastructure Map

Campaign · camp_20260426_3d2f… · 26 Apr 2026

11Nodes
10Connections
57Vulnerabilities
8critical
24high
21medium
4low
🎯acme.test🛡edge-fw🖥172.19.0.331🖥172.19.0.8:443 nginx🗄:6379 redis4🔑:88 kerberos3🏛DC016🌍/login9🌍/search5</>api v23
+

Severity

critical
high
medium
low
info

· Infra graph

Every host, every path, every vuln mapped.

Pricing

Open source at the core. One licence to run the full autonomous platform.

MonthlyYearly

Community

Open source — self-host it forever

Free

Free forever — GPLv3

  • Full autonomous engine on GitHub
  • GPLv3 — audit & modify freely
  • 18 AI agents + 80 integrated tools
  • MCP-gatekept tool execution
  • Community support
Star on GitHub

Pro

For professional pentesters & teams

€149

Billed €1788 annually

Everything in Community, and:

  • Hardened, sealed runtime
  • Managed live command center
  • All report formats & branded PDF
  • Hardware-bound licence
  • Priority email support
Get Darkmoon

Custom

For enterprises, MSSPs & resellers

Let's talk

Tailored to your scope

Everything in Pro, and:

  • Multi-seat shared workspace
  • Custom report branding
  • Partner / reseller program
  • Dedicated onboarding & SLA
Contact sales
AI agents

      18 specialists. One orchestrator. Zero manual pivoting.

pentest · orchestrator
wordpress
graphql
headless-browser
node · express
nestjs · nextjs
flask · django
aspnet · blazor
spring boot
ruby on rails
php · laravel
drupal
joomla
moodle
magento
prestashop
kubernetes
active directory
11 classes

Full-stack exploitationWeb & API

SQLi, XSS, SSRF, IDOR, RCE, SSTI, deserialization, JWT abuse, file upload and path traversal — validated with real payloads, not signatures.

#sqli#xss#rce
Explore →
14 phases

Kubernetes attack chainInfrastructure

RBAC escalation, DIND exploitation, node escape, etcd SSRF, privileged container breakout, crypto-miner detection and CIS benchmarking.

#rbac#etcd#cis
Explore →
8 phases

Active Directory takeoverIdentity

AS-REP roasting, Kerberoasting, BloodHound, NTLM relay, LSASS dump, DCSync and ADCS ESC1–ESC8, Golden & Silver tickets.

#kerberos#ntlm#adcs
Explore →
Runtime security

Built like a vault.
Runs like a weapon.

30s reseal

AES-256-GCM sealed storageat rest

Agents and workflows are encrypted at rest. Keys derive from your licence and hardware fingerprint, resealed every 30 seconds.

#aes-256
Explore →
SHA-256

Hardware-bound licensingmachine code

Machine code derives from MAC address and CPU model. No deployment ID to spoof, no env var to manipulate.

#fingerprint
Explore →
2s checks

Binary integrity watchdogcontinuous

SHA-256 hashes of critical binaries are re-verified every 2 seconds. Any tampering triggers an immediate zeroize.

#watchdog
Explore →
Live scan

Debugger & tracer detectionanti-tamper

Continuous scanning for gdb, strace, ltrace, frida and lldb. Any tracer triggers a breach and full state zeroize.

#frida#gdb
Explore →
UID 10001

Read-only rootfs + seccompsandbox

Read-only filesystem, tmpfs writable paths, seccomp and no-new-privileges. The process runs unprivileged.

#seccomp
Explore →
Scrubbed

Secret redaction in logsstdout/stderr

Every model API key and the licence key are scrubbed from stdout and stderr before any log output.

#redaction
Explore →

Dashboard

statistics

projects

0

targets

0

campaigns

0

vulnerabilities

0

Vulnerabilities by severity

critical

0

14.04 %

high

0

42.11 %

medium

0

36.84 %

low

0

7.02 %

Last campaigns

#targetdatedurationriskvulnerabilitiesstatus
camp_20260426_3d2f172.19.0.3Apr 26, 202628.5 mincritical57completed
camp_20260419_a1b2172.19.0.3Apr 19, 202632 mincritical49completed
camp_20260412_e5f6172.19.0.3Apr 12, 202625.6 minhigh44completed
camp_20260405_c9d0172.19.0.3Apr 5, 202622 minhigh38completed

· Overview

Every campaign at a glance.

Open source

The model plans. It never gets a shell.

Darkmoon's architecture is its security guarantee — and it's fully auditable. The AI reasons and writes the plan. An MCP gateway gatekeeps every tool call. Read it, then run it yourself.

# clone the open-source engine
$ git clone github.com/ASCIT31/Dark-Moon
$ cd Dark-Moon
# launch a campaign
$ ./darkmoon.sh "TARGET: acme.test"
✓ recon complete · 14 tech signals
✓ 6 agents dispatched · streaming live
Get started

    Three ways to run Darkmoon.

Licence

Get the Darkmoon licenceself-hosted

Run the full platform on your own infrastructure. Hardware-bound licence, Docker install, monthly or annual.

#docker#self-host
Get Darkmoon →
Service

Pentest on Demandmanaged

Describe your target, sign the framework online, pay a flat rate. Our experts run it and deliver a debriefed report.

#managed
Explore the service →
Partner

Partner Programresellers

Resell Darkmoon under your own commercial wrapper. One dashboard, every licence, Stripe-powered billing built in.

#reseller#mssp
Become a partner →
Pentest on DemandManaged
€799/ engagement
  • Legal framework & authorizations included
  • Run end to end by our security experts
  • Debriefed report in a secure client space
Managed service

Don't self-host? We run the pentest for you.

Describe your target, sign the framework online, pay a flat rate — our experts run the full offensive engagement and deliver a debriefed, evidence-backed report to your secure client space.

FAQ

    Questions security teams ask first.

Darkmoon orchestrates an end-to-end offensive campaign — it reasons about the target, dispatches domain specialists, validates findings with real payloads, builds an infrastructure graph and produces a structured report. A scanner runs one-pass signatures. Darkmoon runs a pentest.

Replace static pentests with autonomous security testing.

Live visibility, validated evidence and a report your team can act on the same day.