Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Armur-Ai/Pentest-Swarm-AI/llms.txt

Use this file to discover all available pages before exploring further.

pentestswarm playbook lets you run structured, repeatable attack sequences defined in YAML instead of relying on the freestyle AI swarm. Playbooks encode expert knowledge about a specific testing objective — OWASP Top 10, bug-bounty recon, CI/CD pipeline auditing, CTF solving — into an ordered series of phases, each specifying which tools to run and how the AI should interpret the results. This makes campaigns auditable, shareable, and reproducible across teams.

Synopsis

pentestswarm playbook <subcommand> [args] [flags]

Subcommands

playbook run <path-or-name>

Execute a playbook against a target. The argument is either a direct file path to a YAML file or the name of a playbook in the ./playbooks/ directory (without the .yaml extension).
--target
string
required
The domain name or IP address to test. Required.
pentestswarm playbook run playbooks/owasp-top10.yaml --target example.com
pentestswarm playbook run bug-bounty --target app.example.com
When a playbook runs, the CLI prints each phase in order, dispatches the configured tools, and passes results to the AI post-analysis prompt defined in the YAML. Live events are streamed exactly as with pentestswarm scan --follow. Example output: 
  * Running playbook: Bug Bounty Swarm
  * Author: Armur AI
  * Target: example.com
  * Phases: 4

  15:04:05 [>>]  Running subfinder on example.com
  15:04:08 [<<]  subfinder: 22 subdomains discovered
  15:04:09 [think]  Cataloguing subdomains, checking for wildcard and takeover candidates...
  ...

  Playbook complete.

playbook list

List all playbooks discovered in the ./playbooks/ directory, showing phase count and tags. 
pentestswarm playbook list
Example output: 
  NAME                          PHASES  TAGS
  ──────────────────────────────────────────────────
  Bug Bounty Swarm              4       [bug-bounty, external, web, recon, active]
  OWASP Top 10 Assessment       4       [web, owasp, comprehensive]
  External Attack Surface Mon.  5       [asm, external, monitoring, passive-first]
  CI/CD Security Swarm          4       [ci, cd, sast, secrets, sbom, sarif]
  Internal Network Swarm        3       [internal, network, authorized-only, high-risk]
  CTF Solver Swarm              4       [ctf, htb, thm, benchmark, autonomous]
  API Security Assessment       2       [api, rest, graphql]

playbook validate <path>

Parse and validate a playbook YAML file without running it. Checks that required fields are present, tool names are recognized, and variable references are consistent. 
pentestswarm playbook validate my-playbook.yaml
Output on success: 
  [VALID] My Custom Playbook (3 phases, 2 variables)
Output on failure: 
  [INVALID] My Custom Playbook
  ERROR: phase "exploitation" references unknown tool "mybiztool"
  WARN:  variable "api_key" declared but never referenced
The command exits with a non-zero code when there are errors, making it suitable for pre-commit hooks and CI pipelines.

playbook create

Scaffold a new playbook YAML file at ./playbooks/my-playbook.yaml with sensible defaults and inline comments. Edit the generated file, then run playbook validate before using it. 
pentestswarm playbook create
Generated template: 
name: my-playbook
description: Description of what this playbook tests
author:
  name: Your Name
  github: yourgithub
version: 1.0.0
tags: [web, custom]

variables:
  target_domain:
    type: string
    required: true

phases:
  - name: reconnaissance
    tools:
      - name: subfinder
        options: { recursive: false }
      - name: httpx
        options: { follow_redirects: true }
    post_analysis: |
      Analyze discovered assets and identify interesting targets.

  - name: vulnerability_scan
    tools:
      - name: nuclei
        options:
          severity: [critical, high, medium]
    post_analysis: |
      Classify findings and prioritize for exploitation.

Built-in playbooks

The following playbooks ship in the ./playbooks/ directory:
NameFilePhasesTags
Bug Bounty Swarmbug-bounty.yaml4bug-bounty, external, web, recon, active
OWASP Top 10 Assessmentowasp-top10.yaml4web, owasp, comprehensive
External Attack Surface Monitoringexternal-asm.yaml5asm, external, monitoring, passive-first
CI/CD Security Swarmci-cd-security.yaml4ci, cd, sast, secrets, sbom, sarif
Internal Network Swarminternal-network.yaml3internal, network, authorized-only, high-risk
CTF Solver Swarmctf-solver.yaml4ctf, htb, thm, benchmark, autonomous
API Security Assessmentapi-security.yaml2api, rest, graphql

Bug Bounty Swarm playbook — phase breakdown

The bug-bounty.yaml playbook is the most comprehensive example. Its four phases are:
  1. subdomain_enumeration — runs subfinder (recursive) and dnsx, then asks the AI to flag wildcards and dangling CNAME takeover candidates.
  2. web_surface — runs httpx, katana (depth-3 with JS crawling), and gau, then maps alive hosts, tech stacks, and deep-link endpoints.
  3. vulnerability_scan — runs nuclei against critical/high/medium severity templates, filtering duplicates against known program issues when program_slug is set.
  4. active_escalation — opt-in phase triggered when the classifier finds a POTENTIAL_SQLI, SSRF, or IDOR finding with pheromone score ≥ 0.5. Runs sqlmap with --batch for automated confirmation.

Playbook YAML reference

name: string              # Required. Human-readable name.
description: string       # Required. What this playbook tests.
author:
  name: string
  github: string
version: "1.0.0"          # Semver string.
tags: [string]            # Free-form tags for filtering.

variables:
  VARIABLE_NAME:
    type: string | int | bool
    required: true | false
    description: string   # Optional inline docs.

phases:
  - name: string          # Phase identifier.
    tools:
      - name: string      # Tool name from the tool registry.
        options:          # Tool-specific key/value options.
          key: value
    post_analysis: |      # Prompt injected into the AI after this phase.
      Natural language instructions for the orchestrator.

Examples

# Run the built-in bug-bounty playbook by name
pentestswarm playbook run bug-bounty --target example.com

# Run a custom playbook by path
pentestswarm playbook run playbooks/owasp-top10.yaml --target app.example.com

# List all installed playbooks
pentestswarm playbook list

# Validate a playbook before committing it
pentestswarm playbook validate my-playbook.yaml

# Scaffold a new playbook skeleton
pentestswarm playbook create

scan

Run a freestyle AI pentest without a playbook

scope

Import and diff program scope files to feed into playbook runs

report

Polish the findings report generated after a playbook run

doctor

Verify the tools referenced in your playbooks are installed

Build docs developers (and LLMs) love

Get started for freeTalk to us