Darkmoon

Product Introduction

1. Definition: Darkmoon is an autonomous penetration testing platform that leverages a multi-agent AI architecture to conduct full-scope offensive security campaigns. It is a self-hosted, open-source security tool (under GPLv3) that operates beyond traditional web scanners, integrating 18 specialized AI agents and over 80 tools to assess complex infrastructure including Active Directory, Kubernetes, cloud environments, APIs, and networks.
2. Core Value Proposition: Darkmoon exists to automate the entire offensive security lifecycle, from reconnaissance to reporting, providing security teams with validated, evidence-backed findings, clear attack paths, and publication-ready reports. It replaces manual, time-intensive penetration testing workflows with a continuous, autonomous security testing platform.

Main Features

1. Multi-Agent Orchestration Engine: The core engine uses a master agent to detect 14 technology signals (e.g., WordPress, Kubernetes, Active Directory) and intelligently dispatches a cascade of up to 18 domain-specialist AI agents. This orchestrator manages sequential and parallel workflows with a controlled recursion depth (capped at three levels) to prevent runaway processes, ensuring coordinated and efficient campaign execution.
2. Integrated Toolchain and Live Dashboard: Darkmoon incorporates 80+ integrated offensive security tools (e.g., subfinder, sqlmap, BloodHound, kubectl, Mimikatz) orchestrated by the AI agents. A real-time Server-Sent Events (SSE) streaming dashboard provides live visibility into every agent event, finding, and infrastructure node as it is discovered, offering immediate insight into the campaign's progress.
3. MITRE ATT&CK Mapped, Publication-Ready Reporting: The platform automatically generates comprehensive reports in multiple formats, including Markdown and branded, password-protected PDFs. Reports are structured with CVSS 3.1 scoring and are explicitly mapped to the MITRE ATT&CK framework, making them suitable for compliance (ISO 27001), bug bounty submissions (HackerOne, Bugcrowd), and executive briefings.
4. Hardened, Sealed Runtime Security: Darkmoon's runtime is built with a vault-like security model. It employs AES-256-GCM sealed storage for agents and workflows, with keys resealed every 30 seconds. Execution is confined within a read-only root filesystem, seccomp filters, and no-new-privileges settings. A continuous integrity watchdog verifies critical binary hashes every 2 seconds and scans for debugging/analysis tools (e.g., Frida, GDB) to trigger a secure zeroize state upon tampering detection.

Problems Solved

1. Pain Point: Traditional vulnerability scanners and manual pentests are often siloed, slow, and produce non-actionable, signature-based results. They struggle to map complex attack paths across hybrid environments like Active Directory and Kubernetes, leaving critical business logic and infrastructure-level vulnerabilities undetected.
2. Target Audience: The primary users are security engineers, red team operators, penetration testers, and MSSPs (Managed Security Service Providers) who need to scale offensive testing. Secondary audiences include DevSecOps teams responsible for proactive security validation and enterprises seeking to replace static, periodic pentests with continuous security assurance.
3. Use Cases: Darkmoon is essential for comprehensive security audits of enterprise networks, automated compliance validation against frameworks like CIS benchmarks, continuous offensive testing in CI/CD pipelines, generating audit-ready evidence for ISO 27001 certification, and conducting full-scope attack simulations for red team exercises without the overhead of manual pivoting.

Unique Advantages

1. Differentiation: Unlike conventional vulnerability scanners that perform one-pass signature checks, Darkmoon is an autonomous security conductor. It reasons about the target's technology stack, models the attack surface, and orchestrates a full offensive campaign with validated exploits—not just potential findings. It goes beyond web-layer testing to include deep Active Directory takeover and Kubernetes attack chains.
2. Key Innovation: The core innovation is the multi-agent dispatch system coupled with a hardened, self-contained runtime. The AI never directly accesses the target; instead, it generates plans executed via a secure MCP (Model Context Protocol) gateway that controls every tool call. This "plan then execute" architecture, combined with hardware-bound licensing and sealed storage, provides both unprecedented automation and robust operational security.

Frequently Asked Questions (FAQ)

1. How is Darkmoon different from a traditional vulnerability scanner? Darkmoon orchestrates an end-to-end autonomous penetration test, not a scan. It reasons about the target, dispatches specialized agents to validate findings with real exploits, builds a comprehensive infrastructure graph, and produces structured reports. A scanner relies on pre-defined signatures and often reports false positives, whereas Darkmoon executes a verified attack campaign and delivers evidence-backed results.

2. Is Darkmoon really open source, and can I self-host it? Yes, Darkmoon's core autonomous engine is open source and licensed under GPLv3. You can freely clone, audit, modify, and self-host the platform on your own infrastructure using a Docker installation. The open-source version includes the full multi-agent AI engine and integrated toolset, with community support.

3. What specific types of infrastructure and applications can Darkmoon test? Darkmoon is designed for full-stack assessment. It includes specialized agents and tools for web applications and APIs (SQLi, XSS, SSRF), Active Directory (Kerberoasting, DCSync, ADCS ESC1-8 exploitation), Kubernetes (RBAC escalation, node escape, etcd SSRF), and cloud infrastructure. It automatically detects the technology stack (14 signal classes) and dispatches the appropriate specialist agents.

4. How does licensing and runtime security work for the self-hosted version? The self-hosted "Pro" license is hardware-bound, deriving a machine code from the MAC address and CPU model to prevent spoofing. The runtime security is enforced at the container level, featuring AES-256-GCM encrypted storage resealed every 30 seconds, a read-only filesystem with seccomp sandboxing, continuous binary integrity checks, and automatic secret redaction in logs.

5. Is it safe to run Darkmoon against production environments? While Darkmoon is designed with safety controls (like cascade depth limiting) and validation using real payloads, autonomous offensive testing carries inherent risk. It is strongly recommended to first run campaigns against non-production, staging environments or isolated networks. For production testing, use the managed "Pentest on Demand" service where experts control the engagement within a legal framework.