
Table of Contents
- Intro
- [Local PWN Wiki
- Installation
- General Usage
- Call to Arms
- Module Documentation
- Keep Us Caffeinated
- 0x004D65726368
Intro
What is PWN
PWN (Pronounced /pōn/ or pone), is a powerful open-source offensive cybersecurity automation framework and continuous security integration platform. It enables security researchers, red teamers, penetration testers, and vulnerability researchers to rapidly discover zero-days, automate exploitation, perform advanced web application testing, conduct source code analysis (SAST), orchestrate infrastructure reconnaissance, and execute AI-augmented autonomous security operations.
PWN stands on the shoulders of security giants, providing over 66 production-grade plugins, full LLM integration with tool-calling agents, persistent memory, reusable skills, session/cron management, and a highly interactive REPL for prototyping and driving complex security workflows. All core automation primitives are open to promote trust, peer review, and collaborative innovation in adversarial security.
See the full PWN Wiki for detailed guides.
Why PWN
In cybersecurity, where proprietary black-box tools dominate and threats evolve daily, an open framework for core security primitives, vulnerability research, exploitation techniques, and intelligent automation is essential. PWN ensures foundational modules remain transparent and auditable while providing seamless bridges to commercial and open security tools (e.g. Burp Suite Professional, Metasploit, Nmap, Nessus, and multiple LLMs).
Broad collaboration accelerates zero-day discovery, reliable exploit development, continuous vulnerability management in CI/CD pipelines, and the creation of reusable AI-driven security skills. PWN makes advanced red team and vuln research capabilities accessible and extensible to all.
See Why PWN in the wiki.
How PWN Works
PWN AI Feedback Learning Loop (Self-Improving Agent)
The core of pwn-ai is a closed feedback loop for autonomous improvement:
See full details in Skills, Memory & Learning and the Diagrams wiki page.
PWN is structured as a Ruby gem with a rich namespace:
PWN::Plugins::*— 66+ specialized modules (BurpSuite [preferred for web proxying/scanning], Zaproxy [fallback], Metasploit, NmapIt, TransparentBrowser, Shodan, NessusCloud, NexposeVulnScan, Fuzz, SAST engines, Android analysis, SDR/GQRX, Blockchain, Bounty platforms like HackerOne, hardware interfaces, OCR, packet crafting, etc.).PWN::AI::*— Multi-provider LLM clients (OpenAI, Anthropic, Gemini, Grok OAuth device flow, Ollama) and autonomousPWN::AI::Agentwith tool-calling harness (pwn_evalfor full PWN namespace, shell execution, skills, memory recall/remember, learning loops).PWN::SAST— Static application security testing and test case generation. See SAST Wiki.PWN::Reports— Automated reporting from scans, agents, and findings. See Reporting.PWN::Memory / Sessions / Cron / Skills / Config— Persistent facts, conversation sessions, scheduled autonomous tasks, reusable markdown skills (distillable from successful workflows), and environment management. See Skills, Memory & Learning.PWN::Driver— Framework for building custom security automation packages ("drivers"). See Drivers.
The pwn REPL (launched via the pwn command) is the primary interface: a Pry-powered interactive shell with the entire PWN namespace pre-loaded. It supports rapid prototyping, direct execution of any plugin method, and custom commands.
Particularly powerful is the pwn-ai command inside the REPL:
- Activates an autonomous AI agent TUI with multi-line input support (use SHIFT+ENTER to insert newlines; ENTER submits the full prompt).
- Full awareness of PWN plugins, skills (
~/.pwn/skills), memory, sessions, and cron. - Leverages LLM tool-calling to execute PWN methods (e.g.,
PWN::Plugins::BurpSuite,PWN::Plugins::NmapIt,PWN::Plugins::TransparentBrowser,PWN::SAST,PWN::Reports), shell commands, and orchestrate end-to-end tasks. - Supports self-improvement via
PWN::AI::Agent::Learning/ Metrics (records per-tool success/duration, distills skills from outcomes). - Example instruction: "Use NmapIt to scan target.example.com for open ports, then TransparentBrowser to spider the web app, run SAST analysis if source is available, proxy via BurpSuite, and generate a vulnerability report with PWN::Reports."
- Additional REPL commands:
pwn-asm(assembly prototyping with multiline),pwn-ai-memory,pwn-ai-sessions,pwn-ai-cron,pwn-ai-delegate,welcome-banner, etc. - Easily prototype and roll out custom "drivers" (see
/opt/pwn/bin/examples).
Mix and match plugins, invoke via the REPL or pwn-ai agent, record/replay sessions, schedule autonomous jobs, and generate reports. PWN is designed for both interactive red teaming and headless/CI automation.
Here are some example drivers distributed with PWN.
Local PWN Wiki
A full local wiki has been generated in this checkout:
/opt/pwn/documentation/Home.md
- Home
- What is PWN
- Installation
- pwn-ai Agent
- Plugins
- AI Integration
- Troubleshooting
- ...and many more
Run cat /opt/pwn/documentation/Home.md or open in your editor for the complete local documentation.
Installation
Tested on Debian-Based Linux Distros & OSX leveraging Ruby via RVM.
$ cd /opt
$ sudo git clone https://github.com/0dayinc/pwn
$ cd /opt/pwn
$ ./install.sh
$ ./install.sh ruby-gem
$ pwn
pwn[v0.5.615]:001 >>> PWN.help
See the dedicated Installation Wiki for more options.
General Usage
Detailed local guide: General PWN Usage
It is strongly recommended to update PWN frequently as new capabilities (plugins, AI agents, skills, zero-day tooling) are released regularly:
$ rvm list gemsets
$ rvm use ruby-4.0.5@pwn
$ gem uninstall --all --executables pwn
$ gem install --verbose pwn
$ pwn
pwn[v0.5.615]:001 >>> PWN.help
If using a multi-user install of RVM:
$ rvm list gemsets
$ rvm use ruby-4.0.5@pwn
$ rvmsudo gem uninstall --all --executables pwn
$ rvmsudo gem install --verbose pwn
$ pwn
pwn[v0.5.615]:001 >>> PWN.help
Inside the pwn REPL (the heart of PWN):
- Full access to every PWN class and plugin.
PWN.help— list all top-level modules.pwn-ai— launch the autonomous AI agent (highly recommended for complex tasks). Once active you can issue natural language instructions that leverage PWN's full power.- Example flow:
pwn[v0.5.615]:001 >>> pwn-ai [*] pwn-ai agent TUI activated... > Perform active scan of https://target.example.com using preferred tooling, then analyze findings with PWN modules and produce a report. - Other REPL helpers:
pwn-asm, memory/session/cron management commands, etc. - Exit AI mode with
back; use full Ruby/PWN expressions at any time.
PWN periodically upgrades to the latest version of Ruby (reflected in /opt/pwn/.ruby-version). The easiest way to upgrade Ruby + pwn from a previous installation:
$ /opt/pwn/vagrant/provisioners/pwn.sh
This updates Ruby, recreates the pwn gemset, etc. Note that older Ruby versions can only use pwn gems compatible with that Ruby.
Call to Arms
Contributions that expand PWN's offensive capabilities are welcome. If you can provide access to additional commercial LLMs, security scanners, or bounty platforms (or wish to contribute plugins, AI skills, or exploit modules), please email us. This accelerates interoperability and zero-day research tooling. See our How to Contribute and the growing skills system for ways to extend the AI agent.
See also the wiki page on Contributing.
Module Documentation
Primary Documentation: Browse the embedded local wiki — start at /opt/pwn/documentation/Home.md.
Additional documentation on using PWN can be found on RubyGems.org. Explore the source under lib/pwn/plugins/, lib/pwn/ai/, and PWN:: constants directly in the REPL.
Key wiki pages:
I hope you enjoy PWN and remember... ensure you always have permission prior to carrying out any sort of security testing or hacktivities. Now — go pwn all the things (responsibly)!
Keep Us Caffeinated
If you've found this project useful and you're interested in supporting our efforts, we invite you to take a brief moment to keep us caffeinated:
0x004D65726368
... (stickers, mugs, and apparel links preserved)


