- User guide (FR): docs/guide-utilisateur-fr.md
- User guide (EN): docs/guide-utilisateur.md
- Templates: core/templates/README.md
- Lab setup: core/governance/conventions/onboarding-existing-project.md
- Investigation lifecycle: core/governance/conventions/change-lifecycle.md
- Kali tooling matrix: core/governance/conventions/kali-tooling-matrix.md
- Agents & commands: core/governance/conventions/opencode-agents-and-commands-guide.md
Samourai Kali is an AI Cybersecurity Operating System that transforms a Kali Linux environment into a structured investigation platform, driven by specialized AI agents.
It provides a comprehensive methodological framework for:
-
Bug hunting and vulnerability research
-
Vulnerability analysis and CVE research
-
Forensic-grade evidence collection
-
CVE-ready report generation
-
Remediation planning
AI-assisted vulnerability research suffers from:
- lack of structured methodology
- non-reproducible results
- missing evidence traceability
- unmanaged ethical and legal risks
Samourai Kali delivers:
- A deterministic investigation workflow
- Specialized, orchestrated cyber agents
- Built-in ethical and legal guardrails
- Standardization via blueprints and reporting templates
1. Scoping → /investigate <target>
2. Recon → /recon <target> (@attack-surface-agent: nmap, amass, whatweb)
3. Bug Hunting → /hunt <target> (@bug-hunting-agent: nikto, sqlmap, nuclei, ffuf)
4. Analysis → /analyze-vuln <vuln-id> (@vulnerability-analysis-agent: burpsuite, semgrep)
5. CVE Research → /cve-lookup <cve-id> (@cve-intelligence-agent: searchsploit, NVD API)
6. Exploitability → /score <vuln-id> (@exploitability-agent: CVSS, EPSS)
7. Safe POC → /poc <vuln-id> (@safe-poc-agent: curl, msfconsole, python3)
8. Evidence → /collect-evidence (@evidence-agent: sha256sum, tcpdump, tshark)
9. CVE Report → /cve-report <vuln-id> (@cve-report-agent: CVE JSON 5.0)
10. Remediation → /remediate <vuln-id> (@remediation-agent: nmap, nuclei)
11. Status → /status (@pm: investigation progress tracking)
| Agent | Role | Kali Tools |
|---|---|---|
@attack-surface-agent |
Attack surface mapping | nmap, masscan, amass, subfinder, whatweb, gobuster, nikto |
@bug-hunting-agent |
Active vulnerability discovery | sqlmap, nuclei, ffuf, nikto, hydra, semgrep, sslscan |
@vulnerability-analysis-agent |
In-depth technical analysis | burpsuite, zaproxy, tcpdump, strace, semgrep |
@cve-intelligence-agent |
CVE research and intelligence | searchsploit, NVD API, EPSS API, exploit-db |
@exploitability-agent |
CVSS/EPSS scoring | CVSS calculators, EPSS API, ATT&CK |
@safe-poc-agent |
Minimal, secure POC | curl, netcat, msfconsole, python3, nmap NSE |
@evidence-agent |
Evidence collection | sha256sum, tcpdump, tshark, script, scrot |
@cve-report-agent |
CVE-ready report | Writing only (no execution) |
@remediation-agent |
Fixes and verification | nmap, nikto, nuclei, sqlmap, semgrep |
| Agent | Role |
|---|---|
@pm |
Mission Control — orchestrates the investigation |
@architect |
Threat Modeling — STRIDE/DREAD, attack trees |
@reviewer |
Peer review of findings and reports |
@runner |
Command execution and log capture |
@committer |
Conventional Commit commits |
@pr-manager |
Report publication |
@external-researcher |
Security intelligence via MCP |
@editor |
Technical security writing |
@fixer |
Debugging and resolution |
@toolsmith |
Agent/skill/command creation |
| Skill | Capability | Primary Tool |
|---|---|---|
attack-surface-analysis |
Methodical mapping | nmap, amass, whatweb |
bug-hunting-analysis |
Structured OWASP hunting | sqlmap, nuclei, ffuf |
vulnerability-analysis |
Root cause analysis | burpsuite, semgrep, tcpdump |
cve-research |
CVE correlation | searchsploit, NVD API |
exploitability-assessment |
CVSS/EPSS scoring | CVSS calculator, EPSS API |
safe-poc-generation |
Minimal secure POC | curl, msfconsole, python3 |
poc-validation |
Reproducibility validation | tcpdump, sha256sum |
evidence-collection |
Forensic-grade evidence | sha256sum, tshark, script |
cve-reporting |
CVE JSON 5.0 report | Writing only |
remediation-plan |
Remediation plan | nmap, nuclei, semgrep |
| Category | Tools |
|---|---|
| Passive recon | whois, dig, amass, subfinder, theHarvester, wafw00f |
| Active recon | nmap, masscan, whatweb, nikto, gobuster, dirsearch |
| Injection | sqlmap, commix, XSStrike, dalfox |
| Web scanning | nuclei, ffuf, wfuzz |
| Auth/brute | hydra, john, hashcat |
| SAST | semgrep, bandit, trufflehog |
| TLS | sslscan, testssl.sh |
| Dynamic | burpsuite, zaproxy, curl |
| Network | tcpdump, tshark, hping3, netcat |
| Binary | gdb, strace, ltrace, binwalk |
| Exploitation (lab) | msfconsole, msfvenom |
| Forensic | sha256sum, script, scrot |
| Research | searchsploit |
Samourai Kali integrates with security data sources via MCP (Model Context Protocol):
| API | Purpose | Authentication |
|---|---|---|
| NVD API | CVE data retrieval | NVD_API_KEY env var (optional) |
| EPSS API | Exploit probability scoring | No auth required |
# Get your free API key: https://nvd.nist.gov/developers/request-an-api-key
export NVD_API_KEY="your-api-key"
# Add to ~/.bashrc or ~/.zshrc for persistence
echo 'export NVD_API_KEY="your-api-key"' >> ~/.bashrcCommands degrade gracefully when NVD_API_KEY is not set.
Blueprints standardize:
- investigation workflows
- vulnerability reports
- POC validation
- security review
Automatically used by:
/bootstrap(lab setup)/write-spec(vuln specification)/review(findings review)/pr(publication)@toolsmith
- Interaction (human + agents)
- Orchestration (PM / Mission Control)
- Specialized cyber agents
- Skills / Kali Tools
- Context / Memory / Evidence
- Governance & Safety Guardrails
Every agent and skill enforces mandatory guardrails:
-
LAB-ONLY: all exploitation in isolated environments only
-
RESPONSIBLE DISCLOSURE: responsible disclosure process
-
AUTHORIZATION: written authorization required before any active testing
-
SCOPE: never exceed the authorized perimeter
-
DATA PROTECTION: no exfiltration of sensitive data
-
LOGGING: all actions logged and timestamped
-
LEGAL COMPLIANCE: compliance with applicable laws
curl -fsSL https://raw.githubusercontent.com/FR-PAR-SAMOUR-AI/samourai-kali/main/scripts/install-remote.sh | bash -s -- --target /path/to/projectgit clone https://github.com/FR-PAR-SAMOUR-AI/samourai-kali.git
cd samourai-kali
./scripts/install-samourai.sh --target /chemin/vers/mon-lab # path to your lab./scripts/install-samourai.sh --target /chemin/lab --dry-run # dry run
./scripts/install-samourai.sh --target /chemin/lab --force # force overwrite
./scripts/install-samourai.sh --target /chemin/lab --editor opencode # default
./scripts/install-samourai.sh --target /chemin/lab --editor claude # Claude Code
./scripts/install-samourai.sh --target /chemin/lab --editor cursor # Cursor
./scripts/install-samourai.sh --target /chemin/lab --editor vscode # VS Code
./scripts/install-samourai.sh --list-editors # list available editors- OpenCode (default)
- VS Code
- Claude Code
- Cursor
- Install the kit on a Kali Linux environment
- Open the project in your preferred editor (OpenCode, VS Code, Claude Code, or Cursor)
- Configure the lab:
/bootstrap- Launch an investigation:
/investigate <target>Or use sub-commands directly:
/recon <target> # reconnaissance
/hunt <target> # vulnerability hunting
/cve-lookup <cve-id> # CVE intelligence
/score <vuln-id> # exploitability scoring
/poc <vuln-id> # safe PoC generation- Or delegate to Mission Control:
@pm investigate <target>Before:
- Ad hoc pentesting
- Unstructured results
- Untraceable evidence
- Manual reports
After:
- Methodical investigation
- Specialized agents per phase
- Forensic-grade evidence chain
- Automated CVE-ready reports
- Built-in ethical guardrails
- Agent permissions (least-privilege)
- Side-effect control
- Validation before publication
- Full auditability
- Integrated responsible disclosure
- User guide
- Investigation lifecycle
- Templates
- Install then run
/bootstrap