{"id":"bhavsec-autopentest-ai","name":"autopentest-ai","af_score":49.5,"security_score":29.8,"reliability_score":33.8,"what_it_does":"AutoPentest is an agentic pentesting MCP server for web applications. It orchestrates multiple role-specialized agents (Scout/Analyzer/Exploiter/Reporter) across a structured multi-phase workflow that crawls and maps an application, then performs OWASP WSTG-aligned testing and PortSwigger technique-based exploitation attempts, producing evidence-backed reports and doing quality-gated verification. It also bundles security tooling in Docker and includes browser-based testing via a Playwright MCP component (per README).","best_when":"You need structured, evidence-based web app security testing with OWASP/PortSwigger coverage and can run it in an isolated environment with appropriate authorization.","avoid_when":"You cannot control the tool’s runtime behavior (e.g., untrusted networks/targets), lack permission/scope, or need a purely passive scanner with no active probing/exploitation.","last_evaluated":"2026-03-30T15:23:53.565248+00:00","has_mcp":true,"has_api":false,"auth_methods":["README implies it can be run offline (Ollama) or with Claude Code; no explicit auth method described for the MCP server API in provided README excerpt"],"has_free_tier":false,"known_gotchas":["Tooling is designed for active security testing; agents may generate high request volume (crawler/scanners). Ensure strict rate limiting/scope controls in your environment.","Because it orchestrates multiple phases and subagents, failures mid-phase may require resume/checkpointing; verify that checkpoints are correctly persisted in your runtime.","The README describes evidence/quality gates, but the excerpt does not show concrete MCP error schemas or retry/idempotency guarantees; agent implementations should treat operations as potentially non-idempotent."],"error_quality":0.0}