CyberSentinel AI Combines 33 Security Tools With Claude, GPT, OpenRouter, and Ollama
CyberSentinel AI v3.0 is an open-source cybersecurity platform that combines agentic AI with 33 real security tools, including Nmap, SQLMap, Nikto, Nuclei, and OWASP ZAP.
The project, published on GitHub, is designed to run locally through Docker and execute security tools inside an isolated Kali Linux sandbox. Instead of only suggesting commands, the platform can run supported tools and then use AI to analyze the results.
CyberSentinel AI supports multiple AI providers, including Claude, GPT, OpenRouter, and Ollama. The local mode is important because it allows users to run the platform without relying on cloud AI services, although optional API keys can unlock additional providers.
CyberSentinel AI Runs Real Security Tools Locally
The main feature of CyberSentinel AI is its agentic execution model. The system can interpret a user request, choose relevant security tools, run scans, and summarize the findings in a single workflow.
The platform includes familiar tools such as Nmap for network discovery and OWASP ZAP for web application security testing. It also includes SQLMap, Nikto, Nuclei, Subfinder, WHOIS, DNS Recon, HTTP header checks, SSL/TLS analysis, and ping or traceroute checks.
According to the project documentation, CyberSentinel AI can run up to five tools concurrently before creating a unified analysis. This makes it closer to a security automation platform than a simple AI chatbot.
How the Docker-Based Architecture Works
CyberSentinel AI uses a Docker Compose stack with several services. The frontend uses Next.js and runs on port 3000, while the FastAPI backend handles tool orchestration, AI routing, and intent classification on port 8000.
The platform runs scans inside a Kali Linux sandbox container. It also includes Neo4j for graph-based attack surface mapping, ChromaDB for retrieval-augmented generation, Elasticsearch for security event storage, and Kibana for log visualization.
The project says the default local AI engine uses Ollama with qwen2.5:7b. Cloud AI providers remain optional, so teams can choose between local privacy and external model access depending on their environment.
| Component | Role | Default port |
|---|---|---|
| Next.js frontend | Streaming chat dashboard | 3000 |
| FastAPI backend | AI routing and tool orchestration | 8000 |
| Kali sandbox | Runs supported security scans | Not exposed |
| Neo4j | Knowledge graph and attack surface mapping | 7474, 7687 |
| Elasticsearch and Kibana | SIEM-style storage and visualization | 9200, 5601 |
The 33 Tools Are Split Across Six Categories
CyberSentinel AI groups its toolset into live scanners, threat intelligence APIs, SIEM integrations, AI detection tools, threat-hunting helpers, and compliance frameworks.
The live scanning category includes Nmap, SQLMap, Nikto, Nuclei, Subfinder, WHOIS, DNS Recon, SSL/TLS checks, HTTP header analysis, ping or traceroute tools, and OWASP ZAP.
The threat intelligence layer includes Shodan, VirusTotal, AbuseIPDB, AlienVault OTX, and vulnerability intelligence from NVD and CISA KEV. The project also includes connectors for ELK, Splunk, and Wazuh.
| Category | Included tools or features | Count |
|---|---|---|
| Live scanners | Nmap, SQLMap, Nikto, Nuclei, ZAP, Subfinder, DNS, WHOIS, SSL/TLS, headers, ping or traceroute | 11 |
| Threat intelligence APIs | Shodan, VirusTotal, AbuseIPDB, AlienVault OTX, NVD and CISA KEV | 5 |
| SIEM integration | ELK Stack, Splunk, Wazuh | 3 |
| AI detection | Zeek Analyzer, IOC Extractor, Log Analyzer, Threat Detection, Email Phishing Analyzer | 5 |
| Threat hunting | YARA, Sigma, Snort or Suricata rules, SIEM Query Generator | 4 |
| Compliance | MITRE ATT&CK, MITRE ATLAS, NIST/CIS, HIPAA/PCI-DSS, SOC 2/FedRAMP | 5 |
AI Provider Switching Is Built In
CyberSentinel AI supports provider switching inside the same workflow. Users can configure Claude, GPT-4o, OpenRouter, or local inference without redesigning the platform around one AI vendor.
The configuration file lists optional API keys for Anthropic, OpenAI, OpenRouter, Shodan, VirusTotal, AbuseIPDB, AlienVault OTX, and other services. The platform can still run locally when those keys are not added.
This matters for security teams that do not want to send sensitive scan output to a third-party AI provider. It also gives researchers a cheaper offline option for labs, training environments, and internal testing.
Threat Intelligence and Compliance Context Are Included
The platform pulls vulnerability and threat intelligence from sources such as NVD, CISA KEV, EPSS, AlienVault OTX, and Abuse.ch. This allows scan results to be tied to current vulnerability context instead of appearing as isolated technical output.
CyberSentinel AI also uses ChromaDB as a RAG layer grounded in security frameworks such as MITRE, CIS, and NIST. Neo4j is used to map relationships between attack surfaces, techniques, and security findings.
For defenders, this could make reports easier to understand. A scan result can be connected to a known attack technique, a compliance requirement, or a recommended mitigation path.
- Maps attack surfaces with a Neo4j knowledge graph.
- Uses ChromaDB to ground AI answers in security knowledge.
- Includes ELK-style log analysis through Elasticsearch and Kibana.
- Supports threat hunting with YARA, Sigma, and Snort or Suricata rules.
- Connects findings to MITRE ATT&CK, NIST, CIS, and other frameworks.
CyberSentinel AI Also Adds Guardrails
The project includes several safeguards, including input and output guardrails designed to block prompt injection, SSRF attempts, and system prompt leakage.
All scanning activity is intended to run inside an isolated container. The project also warns users to scan only targets they own or have written permission to test, which is an important limitation for any platform that can run real penetration testing tools.
CyberSentinel AI is not a replacement for professional judgment. Because it can execute tools, users need to apply the same legal and operational controls they would use with any security scanner.
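The scope and SSRF controls described above can be enforced as a pre-flight check before any tool is launched. The sketch below is an added example, not code from the CyberSentinel AI project; the scope lists, the `FAKE_DNS` table and the function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed engagement scope (assumption): what the written authorization covers.
AUTHORIZED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
AUTHORIZED_DOMAINS = {"lab.example"}
# Ranges a scan request must never reach: loopback, link-local (cloud metadata), RFC 1918, IPv6 local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "app.lab.example": ["203.0.113.10"],
    "rebind.lab.example": ["203.0.113.11", "169.254.169.254"],
    "other.example": ["198.51.100.7"],
}

def resolve(host):
    return FAKE_DNS.get(host, [])

def extract_host(target):
    """Accept 'host', 'host:port' or a URL; return the lower-cased host, or ''."""
    try:
        return (urlsplit(target if "://" in target else "//" + target).hostname or "").lower()
    except ValueError:
        return ""

def check_target(target, resolver=resolve):
    """Return (allowed, reason). Every resolved address must be in scope."""
    host = extract_host(target)
    if not host:
        return False, "unparseable target"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal: the name itself must be in scope before it is resolved.
        if not any(host == d or host.endswith("." + d) for d in AUTHORIZED_DOMAINS):
            return False, "domain not in scope"
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        if not addrs:
            return False, "no address resolved"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETS):
            return False, f"internal address {addr}"
        if not any(addr in net for net in AUTHORIZED_NETS):
            return False, f"{addr} outside authorized networks"
    return True, "in scope"
```

The check only holds if the scanner is then given the vetted IP address rather than the hostname, so a later DNS answer cannot differ from the one that was approved. Logging each decision with its reason gives the audit trail the article calls for.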
System Requirements and Setup
CyberSentinel AI requires Docker Desktop and recommends at least 8 GB of RAM. The first build pulls the required images and local model data, while later startups should be faster once the stack has already been built.
The CyberSentinel AI repository lists the project as version 3.0 and describes it as a local-first platform with no required subscriptions. The repository also shows an MIT license, which allows users to fork and modify the project.
For security researchers, the biggest appeal is the combination of real tools, local inference, and a chat-based interface. For organizations, the main question will be whether the platform can be safely controlled, audited, and limited to approved targets.
Why CyberSentinel AI Matters
CyberSentinel AI reflects a broader shift in cybersecurity tooling. AI assistants are moving from passive advice into tool orchestration, where they can run scanners, interpret results, and help analysts prioritize findings.
That approach can save time in controlled environments, but it also increases responsibility. A platform that can run scanners must include permission checks, logging, safe defaults, and strong access controls.
CyberSentinel AI is likely to attract attention from security researchers, red teams, students, and defenders who want a local AI security lab. Its value will depend on how carefully users deploy it and whether they keep its automated capabilities inside authorized environments.
FAQ
CyberSentinel AI is an open-source cybersecurity platform that combines agentic AI with 33 real security tools. It can run supported tools inside a local Docker-based sandbox and use AI to analyze the results.
CyberSentinel AI includes tools such as Nmap, SQLMap, Nikto, Nuclei, OWASP ZAP, Subfinder, WHOIS, DNS Recon, SSL/TLS checks, threat intelligence APIs, SIEM connectors, and compliance-focused frameworks.
No. CyberSentinel AI can run locally with Ollama as the default local inference option. Users can also add optional API keys for Claude, GPT-4o, OpenRouter, and other services.
CyberSentinel AI includes sandboxing and guardrails, but it runs real security tools. Users should only scan systems they own or have explicit permission to test, and organizations should control access carefully.
CyberSentinel AI is mainly aimed at security researchers, red teams, students, and defenders who want a local AI-assisted security lab for authorized testing, training, and analysis.