Claude acts as the agentic orchestrator — planning, executing, adapting, and reporting your entire pentest engagement without manual intervention.
Requires: A valid Claude API key configured in Settings → AI Configuration. All 60+ scan tools must be installed. Authorization token from the client is mandatory before any active scan.
How Claude Orchestrates Your Pentest
In Automated AI Mode, Claude is not just a report writer — it drives the entire engagement using tool-use (function calling). Claude receives your target, scope, and wizard answers, then autonomously decides which tools to run, in what order, and adapts its strategy based on each result.
Calls tools as functions: run_nuclei, run_sqlmap, run_nmap, add_finding, read_finding…
Evaluates each tool result and decides next action
Chains related findings into attack paths automatically
Re-tests high-severity findings to confirm and gather PoC evidence
Writes professional narrative for each confirmed finding
Generates final report with executive summary and remediation roadmap
Privacy: What Claude Never Sees
Before every API call, the PrivacyFilter anonymizes all sensitive data. Claude only ever receives reference tokens — never actual client targets, IPs, company names, or credentials.
What the Claude API receives (anonymized):
"Found SQL injection at [TARGET_URL_1]/api/users — affects [COMPANY_REF]"
What stays local (reference map, never sent):
[TARGET_URL_1] → https://app.client.com
[COMPANY_REF] → ClientCorp Inc
After response: PrivacyFilter.restore() puts real values back locally.
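The anonymize/restore round trip described above, as an added Python example; it is not PhantomYerra's PrivacyFilter. The class name, the regexes, the `[TARGET_HOST_n]` and `[TARGET_IP_n]` token kinds and the `leaks()` pre-send check are assumptions made for illustration; only `[TARGET_URL_1]` and `[COMPANY_REF]` come from the page.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?")   # scheme + host (+ port)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class ReferenceFilter:
    """Hypothetical sketch of the anonymize/restore idea; not the product's PrivacyFilter."""

    def __init__(self, company):
        self.company = company
        self.ref_map = {}     # token -> real value; stays local, never sent
        self._tokens = {}     # real value -> token
        self._counts = {}     # per-kind counter used to number tokens

    def _ref(self, kind, value):
        if value not in self._tokens:
            n = self._counts[kind] = self._counts.get(kind, 0) + 1
            self._tokens[value] = f"[{kind}_{n}]"
            self.ref_map[self._tokens[value]] = value
        return self._tokens[value]

    def anonymize(self, text):
        text = URL_RE.sub(lambda m: self._ref("TARGET_URL", m.group(0)), text)
        # A host already seen inside a URL may also appear bare; tokenize it too.
        for real in list(self.ref_map.values()):
            host = urlsplit(real).hostname
            if host and host in text:
                text = text.replace(host, self._ref("TARGET_HOST", host))
        text = IP_RE.sub(lambda m: self._ref("TARGET_IP", m.group(0)), text)
        if self.company in text:
            self.ref_map["[COMPANY_REF]"] = self.company
            text = text.replace(self.company, "[COMPANY_REF]")
        return text

    def leaks(self, text):
        """Real values still present in outbound text; send only if this is empty."""
        return [real for real in self.ref_map.values() if real in text]

    def restore(self, text):
        for token, real in self.ref_map.items():
            text = text.replace(token, real)
        return text

# Constructed sample finding, modelled on the page's example.
RAW = ("Found SQL injection at https://app.client.com/api/users "
       "(app.client.com resolves to 10.20.30.40), affects ClientCorp Inc")
```

Running `leaks()` on the outbound string immediately before the API call makes the filter fail closed: a bare hostname or IP that a pattern missed blocks the request instead of reaching the external API.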
Claude API key configured and validated in Settings → AI Configuration
Written authorization token from client (paste or upload)
Target URL / IP / scope confirmed and in scope list
Environment type known: Test/Lab, Pre-Production, or Production
All scan tools installed (Settings → Tools → verify 60/60)
1. Select Attack Surface from Home Screen
Click any attack surface card on the Home Screen: Web App, API, Network, Cloud, Mobile, etc. Each card opens the Mission Control Wizard pre-configured for that surface.
💡 You can also run a combined full engagement: Home → Full Pentest → select all surfaces in scope.
2. Complete the Mission Control Wizard (8 Steps)
The wizard collects everything Claude needs to plan your engagement:
Step 1: Environment Type → Test Lab / Pre-Prod / Production
Step 2: Engagement Type → Full Pentest / Vuln Assessment / Red Team
Step 3: Attack Surfaces → Select which surfaces are in scope
Step 4: Target Scope → URLs, IPs, IP ranges, domains
Step 5: Authorization → Paste token or upload ROE document
Step 6: Credentials → App login, API keys, network creds (encrypted)
Step 7: AI Interview → Answer business logic questions
Step 8: Review & Launch → Confirm plan, set intensity, launch
3. Review Claude's Generated Test Plan
Before scanning begins, Claude analyzes your wizard answers and generates a custom test plan. Review the list of planned tests. You can remove specific tests or add custom instructions before launching.
💡 The test plan shows estimated duration, tool list, and risk level for each planned test phase. Claude adapts this plan in real-time as findings emerge.
4. Click "Launch Scan" — Claude Begins Orchestration
Claude starts the agentic loop. Watch the Scan Dashboard for real-time updates. The AI Activity panel shows Claude's current reasoning and tool calls.
Claude: "Starting with passive recon — running subfinder and httpx"
→ Tool: run_subfinder(domain="target.com")
→ Result: 23 subdomains discovered
Claude: "Found api.target.com — testing API endpoints with kiterunner"
→ Tool: run_kiterunner(target="https://api.target.com")
→ Result: 847 routes discovered, 3 returning 200 with sensitive data
5. Monitor the Infrastructure Graph
The Topology tab shows a live network/attack graph built by Claude as it discovers assets and relationships. Critical findings appear as red nodes. Attack paths are highlighted in orange.
6. Review Findings as They Arrive
Each confirmed finding appears in the Findings panel with: CVSS score, EPS (exploitability), PoC evidence, and Claude's AI-written impact narrative. Click any finding for full detail.
7. Generate Report When Scan Completes
When Claude finishes, click Reports → Generate Report. Select report type: Executive, Technical, or Compliance. Claude writes the full narrative. Download as PDF or HTML.
⏱️ Typical duration: 30 minutes (small web app) to 4 hours (full enterprise engagement with network + cloud).
Intensity Levels
Standard : Safe — no exploits, low request rate, no DoS-risk tests
Aggressive: Active exploitation of confirmed vulns, higher rate
Full : All exploits enabled (Metasploit modules), max coverage
⚠ Only use Full on dedicated test environments
Custom Tool Weights
In the wizard's Review step, click Advanced Options to configure tool-specific settings: custom Nuclei template paths, sqlmap tamper scripts, custom ffuf wordlists, nmap NSE scripts, etc.
Pause / Resume
Click Pause on the Scan Dashboard at any time. Claude saves a checkpoint. Click Resume to continue — Claude re-reads the checkpoint and continues exactly where it left off, without re-running completed phases.
AI Activity Log
The AI Activity panel shows every tool call Claude makes, with inputs and outputs (anonymized). This provides full auditability of Claude's decisions. Export the activity log from Reports → Export AI Activity Log.
Privacy Controls
Settings → Privacy:
anonymize_ai_calls : true (default — always recommended)
send_domains_to_ai : false (never send real domains)
send_ips_to_ai : false (never send real IPs)
reference_map_lifetime: session (cleared on app close)
Warning: Never disable anonymize_ai_calls. Real client targets must never be sent to external AI APIs. PhantomYerra enforces this at the API call layer regardless of this setting — this toggle only controls the warning UI.
Common Issues
Claude API calls have a 300-second timeout. If a tool call hangs, the watchdog automatically rolls back to the last good state and retries. Check the AI Activity Log for the last successful tool call. If the issue persists, pause and resume the scan.
Every tool invocation passes through the scope enforcement gate before execution. If a target is outside the declared scope, the tool call is blocked and logged. Review your scope definition in Wizard Step 4. You can update scope mid-scan from Scan Dashboard → Edit Scope.
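A sketch of such a scope enforcement gate, as an added Python example; it is not PhantomYerra's implementation. The `ScopeGate` class, its scope-entry syntax (CIDR ranges, exact domains, `*.` wildcards) and the sample scope are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

class ScopeGate:
    """Hypothetical scope check run before every tool call; not the product's own gate."""

    def __init__(self, entries):
        self.networks, self.domains, self.blocked = [], [], []
        for entry in entries:
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:                      # not an IP or CIDR: treat as a domain
                self.domains.append(entry.lower().rstrip("."))

    @staticmethod
    def _host(target):
        # Accept a URL, host:port, or a bare host/IP; return the host part only.
        if "://" not in target:
            target = "//" + target
        return (urlsplit(target).hostname or "").rstrip(".")

    def in_scope(self, target):
        host = self._host(target)
        if not host:
            return False                            # unparseable target: fail closed
        try:
            ip = ipaddress.ip_address(host)
            return any(ip in net for net in self.networks)
        except ValueError:
            pass
        # Match whole labels only, so a look-alike suffix or prefix does not pass.
        return any(host == d or (d.startswith("*.") and host.endswith(d[1:]))
                   for d in self.domains)

    def call(self, tool, target, runner):
        if not self.in_scope(target):
            self.blocked.append((tool, target))     # blocked and logged, tool never runs
            return None
        return runner(target)

# Constructed scope list, in the style of Wizard Step 4.
SCOPE = ["10.0.5.0/24", "target.com", "*.target.com"]
```

The gate compares the parsed host rather than the raw string, so a URL whose userinfo part contains an in-scope name, or a hostname that merely ends or begins with one, is still rejected.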
Switch to "Full" intensity in the wizard for maximum coverage. Also ensure credentials are provided (Wizard Step 6) — authenticated scanning finds significantly more issues than unauthenticated. Check that all relevant attack surfaces are selected in Wizard Step 3.
This is correct behavior. The AI Activity Log shows what was sent to the Claude API (anonymized). The actual finding details panel shows real values after PrivacyFilter.restore() is applied. This is by design for audit trail security.