AIRecon Brings Offline AI Penetration Testing to a Kali Linux Sandbox


AIRecon is an open-source, AI-powered penetration testing agent that runs with a self-hosted Ollama model, a Kali Linux Docker sandbox, and a terminal-based interface. Its main pitch is simple: security teams can automate reconnaissance and testing without sending target data or assessment output to a cloud AI service.

The tool is designed for authorized security assessments, bug bounty work, and red-team research. It combines local model reasoning with sandboxed security tooling, which gives operators more control over data handling, session storage, and recurring assessment costs.

AIRecon also supports models from the Qwen 3.5 family, with the project recommending larger models for reliable tool calling. Smaller models can run, but the project warns that they may produce more hallucinated findings, invented CVE references, and unreliable tool calls.

Why AIRecon matters

Many AI security tools rely on commercial cloud APIs. That can create two problems for penetration testers: sensitive target intelligence may leave the local environment, and long recursive recon sessions can become expensive because they may require thousands of model calls.

AIRecon takes the opposite approach. It runs locally where possible, stores sessions on disk, and uses a Kali Linux Docker sandbox to execute security tools in a controlled environment. Operators still need to understand the tool output and follow program scope, but the workflow reduces dependence on cloud-hosted LLMs.

The project also integrates with Caido, giving users access to request replay, automation, findings, and scope workflows from a modern web security testing proxy. This makes AIRecon more relevant for web application testing than a simple chatbot wrapper around command-line tools.

| Feature | What it does | Why it matters |
| --- | --- | --- |
| Local LLM support | Uses a self-hosted Ollama model instead of a paid cloud API | Helps reduce recurring model costs and keeps assessment data closer to the operator |
| Kali Linux sandbox | Runs security tooling inside a Docker-based Kali environment | Separates testing tools from the host system and keeps output organized |
| Caido integration | Supports request listing, replay, automation, findings, and scope management | Connects AIRecon to practical web application testing workflows |
| API and code testing | Includes Schemathesis API fuzzing and Semgrep SAST support | Expands the workflow beyond basic recon into API and source-code checks |

How the AIRecon workflow is structured

AIRecon organizes each engagement around four phases: RECON, ANALYSIS, EXPLOIT, and REPORT. Each phase has objectives and recommended tools, but the project uses soft enforcement rather than hard blocking. The agent can move through the workflow while still giving operators room to intervene.

The tool also includes scheduled internal checks. According to the project documentation, phase evaluation runs every five iterations, self-evaluation runs every 10 iterations, and context compression runs every 15 iterations. This structure is meant to keep long sessions focused without forcing a rigid script.

AIRecon does not fine-tune the local model. Instead, it stores local telemetry such as session details, findings, tool reliability, target intelligence, WAF bypass patterns, and attack-chain discoveries. That memory can then influence future tool choices and prevent the agent from repeating failed paths.

Offline knowledge base and security tooling

One of AIRecon’s more notable add-ons is its optional local security knowledge base. The companion dataset indexes about 1.09 million security records into local SQLite FTS5 databases, including CVE material, red-team techniques, CTF writeups, Nuclei templates, and bug bounty payload references.

The agent can call a dataset search tool before attempting unfamiliar techniques. This does not guarantee accurate results, but it gives the model a local reference source instead of relying only on its built-in training data.
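
How a local FTS5 lookup of the kind described above can work, as an added example that is not AIRecon's own code: the table name `kb`, its columns, the function names and the `EXAMPLE-…` records are all constructed for illustration. Every query term is quoted because text supplied by a model can contain FTS5 operators that would otherwise break or change the search.

```python
import sqlite3

# Constructed sample records (not from the real dataset; its schema is not shown on the page).
SAMPLE_RECORDS = [
    ("EXAMPLE-0001", "advisory",
     "Server-side request forgery in an image fetcher; mitigate by allowlisting outbound hosts."),
    ("EXAMPLE-0002", "technique",
     "SQL injection through an unparameterized ORDER BY clause; use bound parameters."),
    ("EXAMPLE-0003", "writeup",
     "Template injection in a reporting service, fixed by sandboxing the renderer."),
    ("EXAMPLE-0004", "advisory",
     "Request smuggling between proxy and origin server caused by conflicting length headers."),
]


def build_index(records):
    """Create an in-memory FTS5 index; 'kb' and its columns are hypothetical names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE VIRTUAL TABLE kb USING fts5("
        "ref UNINDEXED, kind UNINDEXED, body, tokenize='porter unicode61')"
    )
    conn.executemany("INSERT INTO kb VALUES (?, ?, ?)", records)
    return conn


def to_match_query(text):
    """Quote each term so FTS5 syntax in model-supplied text (-, :, *, OR, NOT) is data.

    Unquoted, a term such as server-side is parsed as a column filter and the
    query fails with sqlite3.OperationalError instead of returning results.
    """
    return " ".join('"' + term.replace('"', '""') + '"' for term in text.split())


def search(conn, text, limit=3):
    """Return (ref, kind, snippet) rows, best BM25 match first; terms are ANDed."""
    query = to_match_query(text)
    if not query:
        return []
    return conn.execute(
        "SELECT ref, kind, snippet(kb, 2, '[', ']', '...', 8) "
        "FROM kb WHERE kb MATCH ? ORDER BY bm25(kb) LIMIT ?",
        (query, limit),
    ).fetchall()


if __name__ == "__main__":
    db = build_index(SAMPLE_RECORDS)
    for row in search(db, "server-side request"):
        print(row)
```
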

AIRecon’s broader tool stack includes browser automation, a custom fuzzer, schema-based API testing through Schemathesis, and static code scanning through Semgrep. The mix shows that the project aims to cover more than passive discovery, although any active testing still needs explicit authorization.

Model and hardware requirements

AIRecon depends heavily on reliable tool calling. The project says the selected model must support native function calling and extended thinking blocks, otherwise the agent cannot execute tools properly.

The recommended path starts with models in the 8B to 9B parameter range, but the documentation warns that this is only a minimum viable setup. Larger models should perform better in full recon pipelines because they make fewer tool-calling mistakes and handle multi-step reasoning more reliably.

| Model option | Listed VRAM guidance | Suggested use |
| --- | --- | --- |
| Qwen3.5 122B | 48 GB or more | Highest-quality option for demanding sessions |
| Qwen3.5 35B | 20 GB | Recommended by the project for many users |
| Qwen3.5 35B MoE | 16 GB | Lower VRAM footprint than the full 35B option |
| Qwen3.5 9B | 6 GB | Minimum viable option, with more errors expected |

The Ollama library currently lists Qwen 3.5 model variants with tool and thinking support, which matches AIRecon’s stated model requirements. Operators still need enough local GPU memory to keep sessions stable.

Installation, Colab support, and limits

AIRecon’s documentation lists Python 3.12 or newer, Docker 20.10 or newer, git, curl, and a running Ollama instance as prerequisites. Docker Hub also maintains an Ollama Docker image for users who want to run the model server in a containerized setup.

For users without enough local VRAM, the project describes a limited Google Colab option that runs Ollama on a T4 GPU and connects AIRecon through a Cloudflare tunnel. That can help with experimentation, but it changes the privacy model because model inference no longer runs fully on the local machine.

  • The free Colab T4 setup is listed as suitable for qwen3.5:9b.
  • Free Colab sessions can end after up to 12 hours.
  • Long autonomous recon sessions may exceed Colab session limits.
  • Local larger-model setups remain the better option for serious, sustained testing.

The same applies to the Ollama container route. It can simplify deployment, but users still need to size the host system correctly and control access to the model endpoint.

What security teams should know

AIRecon shows how quickly AI agents are moving into offensive security workflows. It is not just a reporting assistant. It can connect reasoning, recon, proxy traffic, fuzzing, static analysis, and local memory into a single assessment loop.

That power also raises governance questions. Organizations should define approved targets, logging rules, data retention policies, and human review requirements before allowing autonomous security agents into real environments.

The AIRecon repository also includes a responsible-use notice that limits the tool to authorized security testing. That point matters because AI-assisted testing can quickly cross legal or program-scope boundaries when operators use it against systems they do not own or have permission to assess.

For red teams, bug bounty hunters, and security labs, AIRecon is still an early open-source project, but its local-first design gives it a clear angle. It aims to reduce cloud dependence while bringing agentic AI into a controlled Kali-based penetration testing workflow.

The practical takeaway is straightforward: AIRecon could make authorized testing faster and more repeatable, especially for teams already using Caido and local LLMs. It should still be treated as an assistant that needs supervision, not a replacement for professional judgment.

FAQ

What is AIRecon?

AIRecon is an open-source AI-powered penetration testing agent that combines a local Ollama model, a Kali Linux Docker sandbox, Caido integration, and a terminal interface for authorized security assessments.

Does AIRecon run fully offline?

AIRecon is designed for local and offline operation when the operator runs the model and tooling on their own machine. The optional Google Colab setup is not fully local because model inference runs through a remote Colab session and tunnel.

What hardware does AIRecon need?

AIRecon can run with smaller models, but the project recommends models with reliable native tool calling and at least 8B to 9B parameters. Larger 35B and 122B models need much more VRAM but should provide more reliable autonomous testing behavior.

Is AIRecon safe to use on public targets?

AIRecon should only be used on systems where the operator has explicit authorization. Security teams should follow bug bounty scope rules, client agreements, and applicable laws before running any active testing workflow.
