SpectreWeb AI is an interactive, AI-assisted penetration testing assistant designed to augment manual testing efforts. It emphasizes human-driven experimentation over blind automation, providing a suite of MCP tools that help you analyze targets, mutate and adapt payloads, bypass WAFs, test for IDORs, auth bypass, and privilege escalation, while tracking findings and learning over time. The server exposes capabilities such as ai_status, ai_train, ai_auto_train, ai_insights, ai_classify_secret, and a collection of core action helpers (waf_bypass, mutate_payload, generate_idor_tests, generate_auth_bypass, generate_privesc_tests, analyze_error_response, extract_secrets, etc.). Use these tools to guide your testing workflow, validate results, and build a structured history that the AI can reference to improve future assessments. Typical usage involves starting the MCP server, launching your preferred client, and issuing commands to perform context-aware testing, review results, and feed feedback back into the learning loop for better prioritization and fewer false positives.

Prerequisites:

• Python 3.8+ and a virtual environment tool (venv or conda)
• Git
• Optional: Kali Linux or similar penetration testing distribution for recommended tooling

Step-by-step:

1. Clone the repository: git clone https://github.com/your-repo/spectreweb-ai.git cd spectreweb-ai

2. Create and activate a virtual environment: python3 -m venv venv source venv/bin/activate # On Windows use: venv\Scripts\activate.bat

3. Install dependencies: pip install -r requirements.txt

4. Run the MCP server (as configured in mcp_config):

   If using the suggested module entrypoint

   python -m spectreweb_ai

5. Optional: Install external security tooling as recommended by the project (e.g., httpx, subfinder, etc.)

   Example (commands may vary by environment):

   go install github.com/projectdiscovery/httpx/cmd/httpx@latest go install github.com/projectdiscovery/subfinder/cmd/subfinder@latest

6. Verify the server starts and is reachable via your MCP client and the defined command set.

Tips and considerations:

• The server is designed for manual testing augmented by AI, not a full auto-scanner. Use AI-guided suggestions to inform your tests rather than replacing human judgment.
• Typical environment variables are related to AI model backends, logging, and data stores (e.g., learning store paths, SQL store, or remote AI endpoints). If your deployment supports a learning store, configure the connection string and credentials accordingly.
• If you encounter WAF-related blocks, rely on waf_bypass and payload_mutation workflows rather than brute force attempts; the system generates multiple bypass variants and context-aware payloads.
• Maintain unit and integration tests for your target endpoints, and periodically export learning data for backup and analysis via learning_export.
• Ensure you activate and manage virtual environments per project to avoid dependency conflicts.
• Review permissions and data handling policies when enabling learning or remote AI features to avoid accidental leakage of sensitive test data.