Holistic Application Security — Offensive & Defensive Open Source Tooling

A complete open-source ecosystem for application security. From AI-powered pentesting to LLM guardrails and structured assessment methodologies.


Full-spectrum application
security, open source.

Offensive Security

A pentest agent that actually thinks.

Most AI “pentesters” are chatbots wrapped around a script library. Agent-Smith flips the model—skills teach the methodology, the LLM invents the attack. Self-chaining across 25+ disciplines: web, cloud, AD, AI red-team, white-box review. Nothing else in open source comes close.

Defensive Security

The LLM firewall built on semantic intent.

Seraph isn’t another blocklist. A two-tier proxy runs a semantic allow-list (NeMo + embeddings) that decides what users are even allowed to ask, then hands edge cases to an LLM-as-judge. A defense designed for prompts you haven’t seen yet. Drop-in for OpenAI, Anthropic, Azure, Ollama—zero code changes.

Methodology

Skills as pattern teachings, not scripts.

25+ chainable slash-command skills covering the full lifecycle—recon, exploit, defend, remediate. Aligned to OWASP ASVS 5.0, LLM Top 10, MITRE ATT&CK, PASTA, STRIDE. Built by the community, pluggable into any AI agent.

Built to break. Built to protect.

Three projects. One mission: security that moves at the speed of AI—so your defense does too.

Offensive AI Pentest Agent

The AI that thinks like an attacker.

The new way: skills as pattern teachings.

Point it at a target. Get back a full pentest—findings, Burp-ready PoCs, code patches, GitHub issues, and CVE submission packages. Autonomously.

  • 25+ specialized skills. Web, network, cloud, AD, AI red-team, white-box review, threat modeling—one brain, every attack surface.
  • Self-chaining skills. Detects SQLi, pivots to exploitation, writes the PoC. No manual stitching—the LLM decides what to run next.
  • Sandboxed by default. Every scanner runs in an ephemeral Docker container with hard cost, time, and call-count limits enforced server-side.
  • Bring your own LLM. Claude, GPT, Gemini, Ollama—the methodology ships with the skill. The model does the thinking.
Python FastAPI Docker MCP Kali Metasploit
Seraph Defensive

LLM Guardrail Proxy

The firewall your LLM apps forgot they needed.

A drop-in proxy that stops prompt injection, jailbreaks, and data leaks before they ever reach your model. Point your OpenAI or Anthropic SDK at Seraph and you're protected—zero code changes.

  • Two-tier defense: NeMo semantic allow-list + LLM-as-judge
  • Works with OpenAI, Anthropic, Azure, Ollama, vLLM
  • Single YAML config. Hot reload. Streaming support.
  • Deployable in minutes via Docker or pip
Python FastAPI NeMo Guardrails LangGraph
Skills Knowledge

Slash-Command Security Library

A red team in your Claude Code sidebar.

25+ battle-tested slash-command skills covering the full offensive and defensive lifecycle—recon through remediation. OWASP-aligned, MITRE-mapped, community-driven. No install, no setup.

  • /pentester → /web-exploit → /remediate. The full loop.
  • ASVS 5.0, OWASP LLM Top 10, PASTA, STRIDE—built in
  • Skills chain themselves. One command, complete coverage.
  • MCP-ready. Works anywhere Claude Code does.
AI Red Team OSINT K8s Threat Model

A continuous security lifecycle.

Every tool feeds the next. Methodology informs testing, testing reveals what to defend, defense generates knowledge, and knowledge refines the methodology.

  • Skills: Learn & share
  • Agent-Smith: Attack & discover
  • Seraph: Defend & protect

Learn. Break. Defend. Repeat.

Build with us.

NullPointer is fully open source and community-driven. Whether you're a pentester, security engineer, or developer—there's a place for you. Contribute code, share knowledge, or just hang out.