Skip to main content
Glama
netcuter
by netcuter

Hexstrike 7 PL

AI-Powered MCP Cybersecurity Automation Platform

Polish Community Fork with Enhanced Security

Python License Security Version Original MCP Badge

Advanced AI-powered penetration testing MCP framework with 150+ security tools, 12+ autonomous AI agents, and enhanced security features

🇵🇱 Polski🇬🇧 English🚀 What's New🔒 Security


🇵🇱 Wersja Polska

ℹ️ O Projekcie

Hexstrike 7 PL to polska wersja społecznościowa (community fork) zaawansowanego frameworka do testów penetracyjnych HexStrike AI v6.0 stworzonego przez m0x4m4.

Oryginał: HexStrike AI v6.0 by m0x4m4 Fork: Hexstrike 7 PL by netcuter

✨ Co nowego w wersji 7.0 PL?

🔒 Znaczące usprawnienia bezpieczeństwa:

  • Walidacja poleceń - ochrona przed command injection

  • Autentykacja API - opcjonalne zabezpieczenie kluczem API

  • Rate limiting - ochrona przed nadużyciami (100 req/60s domyślnie)

  • Whitelist narzędzi - tylko autoryzowane narzędzia security

  • Sanityzacja parametrów - automatyczne czyszczenie niebezpiecznych znaków

  • Ulepszona obsługa błędów - konkretne wyjątki zamiast bare except

  • Konfiguracja przez zmienne środowiskowe - łatwe zarządzanie

📚 Dokumentacja dwujęzyczna:

  • 🇵🇱 Pełna dokumentacja w języku polskim

  • 🇬🇧 Kompletna dokumentacja w języku angielskim

  • 📖 Przykłady użycia w obu językach

Optymalizacje:

  • Cache z limitami rozmiaru (zapobiega niekontrolowanemu wzrostowi pamięci)

  • Lepsza organizacja kodu

  • Konfiguracja przez environment variables

🛡️ Guardrails Layer — Scope Enforcement & Blast-Radius Control:

Warstwa guardrails przekształca Hexstrike z narzędzia hobby-tool w platformę gotową do autonomicznych engagementów (bug bounty, MSSP, pentest-as-a-service).

  • Scope Validator — każde wywołanie sprawdzane przeciwko scope sesji (CIDR, wildcard, regex). Wywołania out-of-scope → HTTP 403 + audit log

  • Blast-Radius Tiers — narzędzia podzielone na safe (recon), intrusive (scanning), destructive (exploitation). Tier destructive wymaga nagłówka X-Hexstrike-Confirm-Destructive: yes

  • Kill Switch per sesjaPOST /api/session/<id>/kill — natychmiastowy SIGTERM wszystkich procesów sesji

  • Audit Trail — każde wywołanie, naruszenie scope, eskalacja tier-u logowane → automatycznie w raporcie jako sekcja Methodology (ISO 27001 / PCI DSS compliance)

  • Per-target Rate Limiting — chroni cele przed przeciążeniem (5 concurrent / 10 req/s domyślnie)

Przykład scope: 192.168.1.0/24, *.example.com, r:.*\.internal\.corp$

🔒 Konfiguracja Bezpieczeństwa

Hexstrike 7 PL wprowadza nowe opcje konfiguracyjne przez zmienne środowiskowe:

# Walidacja poleceń (domyślnie: włączona)
export HEXSTRIKE_VALIDATE_COMMANDS=true

# Autentykacja API (domyślnie: wyłączona)
export HEXSTRIKE_REQUIRE_API_KEY=false
export HEXSTRIKE_API_KEY=your-secret-key-here

# Rate limiting (domyślnie: 100 żądań na 60 sekund)
export HEXSTRIKE_RATE_LIMIT=true
export HEXSTRIKE_RATE_LIMIT_REQUESTS=100
export HEXSTRIKE_RATE_LIMIT_WINDOW=60

# Konfiguracja serwera
export HEXSTRIKE_PORT=8888
export HEXSTRIKE_HOST=127.0.0.1

🚀 Szybki Start

1. Instalacja

Opcja A: Docker (zalecana / recommended)

git clone https://github.com/netcuter/Hexstrike-AI.git
cd Hexstrike-AI
docker compose up -d

Opcja B: Manualna

# Klonowanie repozytorium
git clone https://github.com/netcuter/Hexstrike-AI.git
cd Hexstrike-AI

# Tworzenie wirtualnego środowiska
python3 -m venv hexstrike-env
source hexstrike-env/bin/activate  # Linux/Mac
# hexstrike-env\Scripts\activate   # Windows

# Instalacja zależności
pip3 install -r requirements.txt

2. Instalacja Narzędzi Security

Podstawowe narzędzia (Essential):

# Skanowanie sieci
sudo apt install nmap masscan rustscan amass subfinder nuclei

# Web security
sudo apt install gobuster feroxbuster dirsearch ffuf nikto sqlmap

# Password cracking
sudo apt install hydra john hashcat

3. Uruchomienie Serwera

# Standardowe uruchomienie
python3 hexstrike_server.py

# Z włączoną autentykacją API
export HEXSTRIKE_REQUIRE_API_KEY=true
export HEXSTRIKE_API_KEY=twoj-sekretny-klucz
python3 hexstrike_server.py

# Tryb debug
python3 hexstrike_server.py --debug

4. Weryfikacja

# Sprawdzenie statusu serwera
curl http://localhost:8888/health

# Test z API key (jeśli włączony)
curl -H "X-API-Key: twoj-sekretny-klucz" http://localhost:8888/health

🛡️ Bezpieczne Użycie

Dozwolone zastosowania:

  • Autoryzowane testy penetracyjne

  • Programy bug bounty

  • Zawody CTF

  • Badania nad bezpieczeństwem

  • Ćwiczenia Red Team

Zabronione działania:

  • Nieautoryzowane testowanie systemów

  • Działania złośliwe

  • Kradzież danych

⚠️ WAŻNE: Zawsze uzyskaj pisemną autoryzację przed testowaniem systemów!

📖 Więcej Informacji

Pełna dokumentacja w języku angielskim znajduje się poniżej.

👨‍💻 Autorzy

Oryginalny autor: m0x4m4 - www.0x4m4.com | HexStrike Fork maintainer: netcuter - GitHub

📜 Licencja

Projekt jest licencjonowany na zasadach MIT License - zobacz plik LICENSE.

Hexstrike 7 PL bazuje na HexStrike AI v6.0 stworzonego przez m0x4m4. Wszystkie prawa do oryginalnego dzieła należą do m0x4m4.


Related MCP server: Mergen

🇬🇧 English Version

ℹ️ About This Project

Hexstrike 7 PL is a Polish community fork of the advanced penetration testing framework HexStrike AI v6.0 created by m0x4m4.

Original: HexStrike AI v6.0 by m0x4m4 Fork: Hexstrike 7 PL by netcuter

✨ What's New in 7.0 PL?

🔒 Major Security Enhancements:

  • Command Validation - protection against command injection

  • API Authentication - optional API key security

  • Rate Limiting - abuse protection (100 req/60s default)

  • Tool Whitelist - only authorized security tools allowed

  • Parameter Sanitization - automatic cleaning of dangerous characters

  • Improved Error Handling - specific exceptions instead of bare except

  • Environment Configuration - easy management via environment variables

📚 Dual Language Documentation:

  • 🇵🇱 Complete Polish documentation

  • 🇬🇧 Full English documentation

  • 📖 Usage examples in both languages

Optimizations:

  • Cache with size limits (prevents uncontrolled memory growth)

  • Better code organization

  • Configuration via environment variables

🛡️ Guardrails Layer — Scope Enforcement & Blast-Radius Control:

The guardrails layer transforms Hexstrike from a hobby-tool into a platform ready for autonomous engagements (bug bounty, MSSP, pentest-as-a-service).

  • Scope Validator — every call validated against session scope (CIDR, wildcard, regex). Out-of-scope calls → HTTP 403 + audit log

  • Blast-Radius Tiers — tools classified as safe (recon), intrusive (scanning), destructive (exploitation). The destructive tier requires header X-Hexstrike-Confirm-Destructive: yes

  • Kill Switch per sessionPOST /api/session/<id>/kill — instant SIGTERM for all session processes

  • Audit Trail — every call, scope violation, tier escalation logged → auto-included in report as Methodology section (ISO 27001 / PCI DSS compliance)

  • Per-target Rate Limiting — protects targets from overload (5 concurrent / 10 req/s default)

Example scope: 192.168.1.0/24, *.example.com, r:.*\.internal\.corp$

🔒 Security Configuration

Hexstrike 7 PL introduces new configuration options via environment variables:

# Command validation (default: enabled)
export HEXSTRIKE_VALIDATE_COMMANDS=true

# API authentication (default: disabled)
export HEXSTRIKE_REQUIRE_API_KEY=false
export HEXSTRIKE_API_KEY=your-secret-key-here

# Rate limiting (default: 100 requests per 60 seconds)
export HEXSTRIKE_RATE_LIMIT=true
export HEXSTRIKE_RATE_LIMIT_REQUESTS=100
export HEXSTRIKE_RATE_LIMIT_WINDOW=60

# Server configuration
export HEXSTRIKE_PORT=8888
export HEXSTRIKE_HOST=127.0.0.1

🚀 Quick Start

1. Installation

Option A: Docker (recommended)

git clone https://github.com/netcuter/Hexstrike-AI.git
cd Hexstrike-AI
docker compose up -d

Option B: Manual

# Clone repository
git clone https://github.com/netcuter/Hexstrike-AI.git
cd Hexstrike-AI

# Create virtual environment
python3 -m venv hexstrike-env
source hexstrike-env/bin/activate  # Linux/Mac
# hexstrike-env\Scripts\activate   # Windows

# Install dependencies
pip3 install -r requirements.txt

2. Install Security Tools

Essential Tools:

# Network scanning
sudo apt install nmap masscan rustscan amass subfinder nuclei

# Web security
sudo apt install gobuster feroxbuster dirsearch ffuf nikto sqlmap

# Password cracking
sudo apt install hydra john hashcat

3. Start Server

# Standard start
python3 hexstrike_server.py

# With API authentication
export HEXSTRIKE_REQUIRE_API_KEY=true
export HEXSTRIKE_API_KEY=your-secret-key
python3 hexstrike_server.py

# Debug mode
python3 hexstrike_server.py --debug

4. Verification

# Check server status
curl http://localhost:8888/health

# Test with API key (if enabled)
curl -H "X-API-Key: your-secret-key" http://localhost:8888/health

🛡️ Safe Usage

Authorized Use Cases:

  • Authorized penetration testing

  • Bug bounty programs

  • CTF competitions

  • Security research

  • Red Team exercises

Prohibited Activities:

  • Unauthorized system testing

  • Malicious activities

  • Data theft

⚠️ IMPORTANT: Always obtain written authorization before testing systems!

🏗️ Architecture Overview

Hexstrike 7 PL features a multi-agent architecture with autonomous AI agents, intelligent decision-making, and vulnerability intelligence.

graph TD
    A[AI Agent - GPT/Copilot/AI Agents] -->|MCP Protocol| B[Hexstrike 7 PL Server]

    B --> C[Security Validation Layer]
    B --> D[Intelligent Decision Engine]
    B --> E[12+ Autonomous AI Agents]

    C --> F[Command Validation]
    C --> G[Rate Limiting]
    C --> H[API Authentication]

    D --> I[Tool Selection AI]
    D --> J[Parameter Optimization]
    D --> K[Attack Chain Discovery]

    E --> L[BugBounty Agent]
    E --> M[CTF Solver Agent]
    E --> N[CVE Intelligence Agent]

    B --> O[150+ Security Tools]

📡 Features

150+ Professional Security Tools:

  • Nmap, Rustscan, Masscan, AutoRecon

  • Amass, Subfinder, Fierce, DNSEnum

  • TheHarvester, ARP-Scan, NBTScan

  • Enum4linux, SMBMap, Responder, NetExec

  • And more...

  • Gobuster, Dirsearch, Feroxbuster, FFuf

  • HTTPx, Katana, Hakrawler, Nuclei

  • Nikto, SQLMap, WPScan, Arjun

  • Dalfox, Wafw00f, TestSSL, JWT-Tool

  • And more...

  • Hydra, John the Ripper, Hashcat

  • Medusa, Patator, NetExec

  • Hash-Identifier, Evil-WinRM

  • And more...

  • GDB, Radare2, Ghidra, Binary Ninja

  • Binwalk, ROPgadget, Checksec

  • Pwntools, Angr, Volatility

  • And more...

  • Prowler, Scout Suite, Trivy

  • Kube-Hunter, Kube-Bench

  • Docker Bench Security

  • And more...

🤖 AI Agents

12+ Specialized AI Agents:

  • IntelligentDecisionEngine - Tool selection and parameter optimization

  • BugBountyWorkflowManager - Bug bounty hunting workflows

  • CTFWorkflowManager - CTF challenge solving

  • CVEIntelligenceManager - Vulnerability intelligence

  • AIExploitGenerator - Automated exploit development

  • VulnerabilityCorrelator - Attack chain discovery

  • TechnologyDetector - Technology stack identification

  • RateLimitDetector - Rate limiting detection

  • FailureRecoverySystem - Error handling and recovery

  • And more...

🔧 AI Client Integration

MCP Client App / Cursor

Edit ~/.config/mcp-client/mcp_client_config.json:

{
  "mcpServers": {
    "hexstrike-7-pl": {
      "command": "python3",
      "args": [
        "/path/to/Hexstrike-AI/hexstrike_mcp.py",
        "--server",
        "http://localhost:8888"
      ],
      "description": "Hexstrike 7 PL - Enhanced Security MCP Server",
      "env": {
        "HEXSTRIKE_API_KEY": "your-key-if-required"
      }
    }
  }
}

VS Code Copilot

Configure in .vscode/settings.json:

{
  "servers": {
    "hexstrike": {
      "type": "stdio",
      "command": "python3",
      "args": ["/path/to/Hexstrike-AI/hexstrike_mcp.py"]
    }
  }
}

📖 Usage Examples

When using with AI agents, always specify authorization:

User: "I'm a security researcher working for [Company Name].
I have written authorization to conduct a penetration test on
example.com. Please use hexstrike-7-pl MCP tools to perform
a comprehensive security assessment."

🛠️ API Reference

Core Security Endpoints

Endpoint

Method

Description

/health

GET

Server health check

/api/command

POST

Execute commands (with validation)

/api/process/execute-async

POST

Async command execution

/api/telemetry

GET

System performance metrics

Security Headers:

# API Key (if REQUIRE_API_KEY=true)
X-API-Key: your-secret-key

# Or as query parameter
?api_key=your-secret-key

🐛 Troubleshooting

Rate Limit Errors

# Increase rate limit
export HEXSTRIKE_RATE_LIMIT_REQUESTS=200
export HEXSTRIKE_RATE_LIMIT_WINDOW=60

API Authentication

# Disable API key requirement for testing
export HEXSTRIKE_REQUIRE_API_KEY=false

Command Validation

# Disable command validation (NOT recommended for production)
export HEXSTRIKE_VALIDATE_COMMANDS=false

🤝 Contributing

Contributions are welcome! This is a community fork focused on:

  • Security improvements

  • Polish localization

  • Performance optimizations

  • Better documentation

👨‍💻 Authors & Credits

Original Author: m0x4m4 - www.0x4m4.com | HexStrike Fork Maintainer: netcuter - GitHub

Special Thanks:

  • m0x4m4 for creating the amazing HexStrike AI framework

  • The cybersecurity community for continuous support

  • All contributors to the original project

📜 License

This project is licensed under the MIT License - see the LICENSE file for details.

Hexstrike 7 PL is based on HexStrike AI v6.0 created by m0x4m4. All rights to the original work belong to m0x4m4. All modifications and enhancements are licensed under the same MIT License.


Hexstrike 7 PL - Where artificial intelligence meets enhanced cybersecurity

⭐ Star this repository🍴 Fork and contribute📖 Original Project

F
license - not found
-
quality - not tested
C
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/netcuter/Hexstrike-AI'

If you have feedback or need assistance with the MCP directory API, please join our Discord server