Xploit47
Xploit47 is an AI-powered penetration testing reasoning MCP server that helps plan and analyze attack paths for CTF/HTB challenges and authorized pentests — without actually executing exploits.
Attack Path Planning: Uses Beam Search (methodical, fixed-width exploration) or Monte Carlo Tree Search (MCTS) (simulation-based, for uncertain/complex scenarios) to explore and score attack steps.
Step Scoring: Provides deterministic scores with explainable breakdowns for each attack step.
Kill-Chain Classification: Auto-classifies steps into phases — recon, enumeration, vulnerability assessment, exploitation, privilege escalation, and post-exploitation.
Tool Recommendations: Suggests appropriate tools (e.g., nmap, enum4linux, searchsploit, metasploit, linpeas/winPEAS) with confidence levels.
Asset Extraction: Automatically extracts IPs/hostnames from step text when not explicitly provided.
Path Chaining: Links sequential steps automatically and returns the full attack path with an aggregate path score.
Critical Path Highlighting: Flags high-impact steps (e.g., CVE exploitation, privilege escalation).
Next-Step Hints: Provides phase-aware planning suggestions for what to do next.
MCP Integration: Works as a Model Context Protocol server with clients like Claude Desktop, Cursor, and Grok for interactive pentest planning.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Xploit47Next step after SMB enum on 10.10.10.10?"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Xploit47
Systematic, AI-powered penetration testing reasoning engine (MCP server) for attack path planning, CTF/HTB solving, and authorized pentest workflows.
Features Beam Search, Monte Carlo Tree Search (MCTS), attack step scoring, tool recommendations, and critical-path highlighting.
What is Xploit47?
Xploit47 is a Model Context Protocol (MCP) server that turns an LLM into a structured, methodical pentest planner and advisor. It does not run exploits against targets — it reasons about attack chains, scores steps, and recommends next actions and tools.
Capability | Description |
Beam Search | Fixed-width exploration of the most promising attack paths |
MCTS | Simulation-based exploration for uncertain / complex scenarios |
Deterministic scoring | Same input → same score; explainable breakdown (no randomness) |
Kill-chain phase | Auto-classifies recon → enum → vuln → exploit → privesc → post-ex |
Tool recommendation | Auto-suggests tools (nmap, enum4linux, searchsploit, …) with confidence |
Asset extraction | Pulls IP/hostname from step text when not provided |
Path chaining | Auto-links sequential steps; returns full path + pathScore |
Critical path | Auto-flags high-impact steps (CVE exploit, privesc, …) |
Next-step hints | Phase-aware planning suggestions |
MCP-native | Works with Claude Desktop, Cursor, Grok, and other MCP clients |
Related MCP server: PentestThinkingMCP
How it works
Input — You (or your AI) provide the current attack step/state
e.g."Enumerate SMB on 10.10.10.10"Reasoning — Xploit47 uses Beam Search or MCTS to score and track the path
Output — Returns step metadata, score, strategy used, and tree statistics
Example HTB-style workflow
# | Input step | Suggested direction | Tool |
1 | Start recon on target | Full port scan | nmap |
2 | nmap complete | Enumerate SMB on 445 | enum4linux |
3 | SMB enum done | Search public SMB CVEs | searchsploit |
4 | CVE found | Authorized exploit path | metasploit |
5 | Shell as user | Priv-esc enumeration | winPEAS / linpeas |
6 | Need root | Check common misconfigs | manual |
Installation
git clone https://github.com/aloc999/Xploit47.git
cd Xploit47
npm install
npm run buildRequirements: Node.js ≥ 18
Usage (MCP client config)
Add to your MCP client (Claude Desktop, Cursor, Grok, etc.):
{
"mcpServers": {
"Xploit47": {
"command": "node",
"args": ["/absolute/path/to/Xploit47/dist/index.js"]
}
}
}Or run directly:
npm start
# equivalent: node dist/index.jsTool: xploit47
Parameter | Type | Required | Description |
| string | yes | Current attack step description |
| integer ≥ 1 | yes | Current step number |
| integer ≥ 1 | yes | Estimated total steps |
| boolean | yes | Whether another step is needed |
|
| no | Search strategy (default: beam_search) |
| string | no | Target asset (auto-extracted if omitted) |
| string | no | Tool (auto-recommended if omitted) |
| boolean | no | Critical flag (auto-detected if omitted) |
| string | no | Explicit parent node (auto-links sequential steps) |
Search strategies
Beam Search (beam_search)
Keeps a fixed-width set of the best attack paths
Best for methodical exploit chaining and known patterns
Use for: enumeration sequences, CVE chaining, linear CTF paths
Monte Carlo Tree Search (mcts)
Simulation-based exploration with UCB1 selection
Balances exploring new vectors vs exploiting known weaknesses
Use for: complex networks, uncertain outcomes, multi-stage APT-style planning
Ethics & legal
Xploit47 is a reasoning / planning tool only. Use it only on systems you are authorized to test (your own labs, CTF platforms, or programs with written permission / safe harbor). Unauthorized access is illegal.
Development
npm run dev # tsx src/index.ts
npm run build # tsc → dist/
npm start # node dist/index.jsProject layout
Xploit47/
├── src/
│ ├── index.ts # MCP server entry (stdio)
│ ├── reasoner.ts # Strategy orchestration + auto parent links
│ ├── scoring.ts # Deterministic score + kill-chain phase
│ ├── recommend.ts # Tool / asset inference + next-step hints
│ ├── engine.ts # Lightweight beam engine
│ ├── state.ts # Node cache / path state
│ ├── types.ts # Shared types & config
│ └── strategies/
│ ├── base.ts # Shared evaluation + response builder
│ ├── beam-search.ts # Beam Search
│ ├── mcts.ts # Monte Carlo Tree Search
│ └── factory.ts # Strategy factory
├── scripts/smoke-test.mjs # Accuracy + MCP integration tests
├── tot-engine.js # Standalone Tree-of-Thought helper
├── state-manager.js # Standalone session helper
├── package.json
└── README.mdLicense
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Tools
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/aloc999/Xploit47'
If you have feedback or need assistance with the MCP directory API, please join our Discord server