Hackingpal HackingPal, an open-source AI-assisted security workbench, launches for macOS and Linux, offering an engagement-centric workflow with human-approved actions, full audit trails, and client-ready reports. The tool integrates a Claude-powered copilot that suggests next steps without running tools autonomously, ensuring accountable penetration testing. It is designed for authorized engagements only, bundling port scanners, vulnerability probes, and other modules. The AI-assisted security workbench for authorized, accountable engagements. Human-approved actions. Full audit trail. Client-ready reports. Local. Offline-first. Open source. It runs a whole engagement, not just isolated tools. Most security tooling hands you a port scanner, a fuzzer, a hash cracker — and a stack of disconnected output to glue together yourself. HackingPal is built around the engagement: a named, scoped container for a single piece of work. Targets are first-class. Playbooks chain tools. Every scan result auto-attaches to the active engagement as evidence. The end of the workflow is a report, not a folder of CSVs. Every action is human-approved and logged — copilot, not autopilot, deliberately. A Claude-powered assistant watches the session, helps interpret output, drafts text for findings, and suggests next steps. It does not run tools on its own. Every active check waits for explicit human go-ahead, every scan start/finish/error writes to an append-only audit log, and every sudoers grant the app holds can be revoked in one click. The AI is there to make you faster, not to take you out of the loop. That's a design choice, not a limitation — accountable testing is the point. It produces a real report at the end. Promote any result to a tracked finding. Score it with the built-in CVSS v3.1 calculator the band drives the badge across the whole app . Attach evidence items with capture timestamps — scan output, request/response pairs, analyst notes, screenshots, commands — each marking when the proof was observed. When you're done, export a client-ready report in Markdown or PDF: executive summary, severity counts, every finding with its CVSS vector and full evidence timeline, methodology, and the authorized-testing disclaimer. The executive summary is template-rendered, so reports generate with no API key configured. Engagement → Targets → Playbook → Tools → Evidence → Report Download HackingPal-macos-arm64.dmg → Mount the DMG, drag the app to /Applications , then first-launch via right-click → Open the build is unsigned — no paid Apple Developer cert yet . Subsequent launches work normally. Download HackingPal-linux-x86 64.AppImage → chmod +x and run. git clone https://github.com/hackingpal/hackingpal.git cd hackingpal && docker compose up -d curl http://127.0.0.1:8765/health Per-platform install guides: macOS /hackingpal/hackingpal/blob/main/docs/README-macos.md · Linux /hackingpal/hackingpal/blob/main/docs/README-linux.md · Windows experimental /hackingpal/hackingpal/blob/main/docs/README-windows.md . See docs/SIGNING.md /hackingpal/hackingpal/blob/main/docs/SIGNING.md for the current code-signing status. macOS and Linux are the actively maintained targets. Windows builds appear in CI but parity is not a v1.0 commitment. Use Docker or the macOS/Linux builds for serious work. HackingPal works without an Anthropic key. Open Settings → API keys to add one and unlock the copilot — it'll watch the session, interpret tool output, draft finding summaries, and help with the report. Without a key: - Every tool still runs. - Findings still track, CVSS still scores, evidence still timelines. - The report exporter still works — the executive summary is template-based, not LLM-generated. The roadmap keeps the provider layer flexible. Local-model and cheaper-provider support are on the list. This is testing software. It bundles port scanners, vulnerability probes, web-application attack modules, credential testers, network capture, cloud and Active Directory enumeration — useful in legitimate engagements, illegal to point at infrastructure you don't own or have written permission to test. By installing or running HackingPal you agree to use it only for authorized work: your own systems, CTFs, training labs, or engagements with explicit written authorization. The full disclaimer is at DISCLAIMER.md /hackingpal/hackingpal/blob/main/DISCLAIMER.md . Active checks XSS, SQLi, command injection, SSRF, IDOR, LFI, password spraying, Kerberos roasting, exploit launches are gated behind a per-tool authorization checkbox and scope-policy guard. The engagement's scope is the fence; targets outside it are rejected with a clear refusal, not a runtime error. The audit log is the trust anchor — every action is recorded, durably, with the engagement it belonged to. The tool library lives inside engagements; it is the resource the workflow calls into, not the product itself. ~75 tools across: Discovery — LAN Scan, IP Checker, DNS Recon, WHOIS/ASN, Local Discovery mDNS/SSDP/LLMNR , Ping. Recon — Port Scanner, Nmap full 612-NSE-script surface, multi-target, SYN/UDP/OS , Network Audit, TLS Auditor, Fingerprint, HTTP Probe, TCPDump. OSINT — CT Logs, Email Sec SPF/DMARC/DKIM , Subdomain Takeover, Reverse IP, Breach Lookup, Dorking, GitHub Leak Scanner, Shodan/Censys, People/Email Enum, Profile Finder, Wayback URLs, URLScan. Web exploit — XSS, SQLi, Command Injection, LFI, SSRF, IDOR — each gated by authorization checkbox + scope guard. Cloud — AWS / Azure / GCP read-only recon boto3 / azure-identity / google-auth , IMDS tester, S3 bucket scanner. Active Directory — LDAP enumerator, SMB enumerator, password sprayer, Kerberos roasting, BloodHound ingestor, lateral movement planner. Wireless — WiFi Scan, Evil Twin detector, Bluetooth recon, WPA / PMKID handshake capture. Red Team — Reverse Shell builder/listener, payload obfuscator, pivoting helper, credential harvester, C2 beacon simulator, SearchSploit. Forensics & posture — Persistence audit, process inspector, steganography LSB embed/extract, chi-square detector, AES-GCM , macOS / Linux / Windows posture, firewall rules, systemd units, users audit. Engagement layer — Findings Tracker, CVSS v3.1 Calculator, multi-item evidence timeline with capture timestamps, audit log, report exporter. Playbooks — composable presets that chain tools across phases. Built-ins include external red team, internal network, web app assessment, AD kill chain, AWS assessment, WiFi/physical, container/k8s escape, bug-bounty stealth, and a compromise assessment. A more detailed catalogue with endpoints + acceptance criteria lives in ROADMAP.md /hackingpal/hackingpal/blob/main/ROADMAP.md and the per-page docs. Hybrid Electron + React + TypeScript frontend with a bundled FastAPI + Python sidecar that owns all the network / forensics / exploitation logic. hackingpal/ ├── backend/ FastAPI server — ~75 routers │ ├── lib/ engagement, audit log, cvss, report, target policy, ... │ ├── routers/ one router per tool surface │ └── main.py loopback-only startup guard + per-launch auth token └── frontend/ ├── electron/ main + preload Electron host └── src/ ├── pages/ one .tsx per sidebar entry ├── components/ Sidebar, ChatBubble, EngagementPill, ... └── lib/ engagement state, sessionLog, theme, nav Backend listens on 127.0.0.1:8765 only. The startup guard refuses to bind a wildcard host. Every privileged endpoint is gated by Depends require local auth plus a per-launch token. Streaming routers follow a uniform WS protocol with a {"action":"stop"} abort message. Credentials live in the OS keystore Keychain / Secret Service / Credential Manager — nothing else writes credentials to disk. The audit log is append-only and is the trust anchor for every report. Full developer guide: CLAUDE.md /hackingpal/hackingpal/blob/main/CLAUDE.md . Security model: SECURITY.md /hackingpal/hackingpal/blob/main/SECURITY.md . Two terminals: Terminal 1 — backend FastAPI on 8765, auto-reload cd backend && python3 -m uvicorn main:app --reload --port 8765 Terminal 2 — frontend Vite + Electron cd frontend && npm install && npm run dev:all Run only the browser frontend with npm run dev and open http://localhost:5173 . Build a release with npm run dist:mac or dist:linux ; CI matrix builds + tagged releases live in .github/workflows/build.yml /hackingpal/hackingpal/blob/main/.github/workflows/build.yml . Contribution guide: CONTRIBUTING.md /hackingpal/hackingpal/blob/main/CONTRIBUTING.md . MIT /hackingpal/hackingpal/blob/main/LICENSE . HackingPal is open source, free to use for authorized work, and offered without warranty. Please read DISCLAIMER.md /hackingpal/hackingpal/blob/main/DISCLAIMER.md and SECURITY.md /hackingpal/hackingpal/blob/main/SECURITY.md before pointing it at anything. ; HackingPal