Cybersecurity AI (CAI)

<a align="center" href="" target="https://github.com/aliasrobotics/CAI">
<img
width="100%"
src="https://github.com/aliasrobotics/cai/raw/main/media/cai.png"
>
</a>
Cybersecurity AI (CAI) is a lightweight, open-source framework that empowers security professionals to build and deploy AI-powered offensive and defensive automation. CAI is the de facto framework for AI Security, already used by thousands of individual users and hundreds of organizations. Whether you're a security researcher, ethical hacker, IT professional, or organization looking to enhance your security posture, CAI provides the building blocks to create specialized AI agents that can assist with mitigation, vulnerability discovery, exploitation, and security assessment.
Key Features:
- 🤖 300+ AI Models: Support for OpenAI, Anthropic, DeepSeek, Ollama, and more
- 🔧 Built-in Security Tools: Ready-to-use tools for reconnaissance, exploitation, and privilege escalation
- 🏆 Battle-tested: Proven in HackTheBox CTFs, bug bounties, and real-world security case studies
- 🎯 Agent-based Architecture: Modular framework design to build specialized agents for different security tasks
- 🛡️ Guardrails Protection: Built-in defenses against prompt injection and dangerous command execution
- 📚 Research-oriented: Research foundation to democratize cybersecurity AI for the community
> [!NOTE]
> Read the technical report: CAI: An Open, Bug Bounty-Ready Cybersecurity AI
>
> For further reading, refer to our impact and CAI citation sections.

| Robotics - CAI and alias1 on: Unitree G1 Humanoid Robot | OT - CAI and alias1 on: Dragos OT CTF 2025 |
|---|---|
| CAI uncovers vulnerabilities and privacy violations in Unitree G1 humanoid robots, including unauthorized telemetry transmission to China-related servers, exposed RSA keys with world-writable permissions, and potential surveillance capabilities violating GDPR and international privacy laws. | CAI, powered by alias1, demonstrates exceptional performance in operational technology cybersecurity by achieving a Top-10 ranking in the Dragos OT CTF 2025. The AI agent reached Rank 1 during competition hours 7-8, completed 32 of 34 challenges, and maintained a 37% velocity advantage over top human teams. |


| IT (Bug Bounty) - CAI on: HackerOne Platform | OT - CAI and alias0 on: Ecoforest Heat Pumps |
|---|---|
| HackerOne's top engineers leverage CAI to explore next-gen agentic AI architectures and build their own security products. CAI's Retester agent directly inspired HackerOne's AI-powered Deduplication Agent, now deployed in production to handle millions of vulnerability reports at scale. | CAI discovers a critical vulnerability in Ecoforest heat pumps allowing unauthorized remote access and potential catastrophic failures. AI-powered security testing reveals exposed credentials and DES encryption weaknesses affecting all of their deployed units across Europe. |


| Robotics - CAI and alias0 on: Mobile Industrial Robots (MiR) | IT (Web) - CAI and alias0 on: Mercado Libre's e-commerce |
|---|---|
| CAI-powered security testing of the MiR (Mobile Industrial Robot) platform through automated ROS message injection attacks. This study demonstrates how AI-driven vulnerability discovery can expose unauthorized access to robot control systems and alarm triggers. | CAI-powered API vulnerability discovery at Mercado Libre through automated enumeration attacks. This study demonstrates how AI-driven security testing can reveal user data exposure risks in e-commerce platforms at scale. |


| OT - CAI and alias0 on: MQTT broker | IT (Web) - CAI and alias0 on: PortSwigger Web Security Academy |
|---|---|
| CAI-powered testing exposed critical flaws in an MQTT broker within a Dockerized OT network. Without authentication, CAI subscribed to temperature and humidity topics and injected false values, corrupting data shown in Grafana dashboards. | CAI-powered race condition exploitation in file upload vulnerability. This study demonstrates how AI-driven security testing can identify and exploit timing windows in web applications, successfully uploading and executing web shells through automated parallel requests. |

> [!WARNING]
> :warning: CAI is in active development, so don't expect it to work flawlessly. Instead, contribute by raising an issue or sending a PR.

Access to this library and the use of information, materials (or portions thereof), is not intended, and is prohibited, where such access or use violates applicable laws or regulations. By no means do the authors encourage or promote the unauthorized tampering with running systems. This can cause serious human harm and material damages.

By no means do the authors of CAI encourage or promote the unauthorized tampering with compute systems. Please don't use the source code in here for cybercrime. Pentest for good instead. By downloading, using, or modifying this source code, you agree to the terms of the LICENSE and the limitations outlined in the DISCLAIMER file.