Holistic Application Security — Offensive & Defensive Open Source Tooling

A complete open-source ecosystem for application security. From AI-powered pentesting to LLM guardrails and structured assessment methodologies.

Scroll

Full-spectrum application
security, open source.

$ nmap -sV scanning... Offensive Security

A pentest agent that actually thinks.

Most AI “pentesters” are chatbots wrapped around a script library. Agent-Smith flips the model—skills teach the methodology, the LLM invents the attack. Self-chaining across 25+ disciplines: web, cloud, AD, AI red-team, white-box review. Nothing else in open source comes close.

Defensive Security

The LLM firewall built on semantic intent.

Seraph isn’t another blocklist. A two-tier proxy runs a semantic allow-list (NeMo + embeddings) that decides what users are even allowed to ask, then hands edge cases to an LLM-as-judge. A defense designed for prompts you haven’t seen yet. Drop-in for OpenAI, Anthropic, Azure, Ollama—zero code changes.

? Methodology

Skills as pattern teachings, not scripts.

25+ chainable slash-command skills covering the full lifecycle—recon, exploit, defend, remediate. Aligned to OWASP ASVS 5.0, LLM Top 10, MITRE ATT&CK, PASTA, STRIDE. Built by the community, pluggable into any AI agent.

Built to break. Built to protect.

Three projects. One mission: security that moves at the speed of AI—so your defense does too.

OffensiveAI Pentest Agent

The AI that thinks like an attacker.

Point it at a target and watch a full pentest run itself—findings, PoCs, patches, and reports. It builds a live world model of everything it discovers.

25+
Skills
50+
Tools in parallel
100%
Sandboxed
Explore Agent-Smith
agent-smith · world model LIVE
Target Host Endpoint Vuln
Click a node to inspect it.
seraph · llm gateway GUARDING
Prompt in
Tier 1 · semantic allow-list BLOCK
Tier 2 · LLM-as-judge
Upstream model
DefensiveLLM Guardrail Proxy

A firewall that can’t be talked out of its job.

A positive-security allow-list defines what users are even allowed to ask—so there’s nothing to jailbreak past.

2
Defense tiers
0
Blocklists
5+
LLM providers
Explore Seraph
MethodologySlash-Command Library

Security expertise, one slash command away.

25+ chainable commands that turn any MCP-capable agent into a red-teamer. One git clone. No SaaS.

25
Commands
427
ASVS checks
0
Lock-in
Explore Skills
claude code · /skills 25+ commands
/pentester
/codebase
/ai-redteam
/threat-model
/remediate

A continuous security lifecycle.

Every tool feeds the next. Methodology informs testing, testing reveals what to defend, defense generates knowledge, and knowledge refines the methodology.

Skills Learn & share
Agent-Smith Attack & discover
Seraph Defend & protect

Learn. Break. Defend. Repeat.

Notes from the frontier.

Deep dives on offensive tooling, LLM defense, and the methodology behind the ecosystem.

Build with us.

NullPointer is fully open source and community-driven. Whether you're a pentester, security engineer, or developer—there's a place for you. Contribute code, share knowledge, or just hang out.