⚠️ Important: T3MP3ST is an offensive-security framework built for authorized use only. This article is for educational purposes and legitimate security research. Always secure written permission before testing any system you don’t own.
So you’ve got Claude Code or Codex on your machine. It writes code, debugs your CI pipeline, and explains that weird TypeScript error you’ve been staring at for an hour. But ask it to run a full penetration test against a web application? Nope. Not without a lot of manual plumbing.
And that’s exactly the gap T3MP3ST fills.
TL;DR: T3MP3ST is a multi-agent offensive-security framework that wraps around your existing AI coding agent and turns it into an autonomous vulnerability hunter. No API keys. No expensive SaaS subscriptions. Just npm install, and you’re orchestrating a coordinated red-team kill chain against authorized targets in minutes.
What Is T3MP3ST and Why Should You Care
T3MP3ST (styled as T3MP3ST) is an open-source TypeScript framework from elder-plinius. It hit 2,092 GitHub stars in 4 days — a blistering ~523 stars per day at time of writing. And it’s not another security scanner. It’s a multi-agent orchestration layer that sits on top of your AI coding agent and drives it through a structured kill chain: recon → exploit → report.
And the architecture? Refreshingly simple. You get a War Room — a terminal UI on localhost:3333 — and inside it, Op Admiral acts as the commander. You tell Op Admiral what target you want tested, and it dispatches specialized agent roles — recon, exploit, reporting — through a pipeline where each step feeds the next. Sure, it sounds like a lot of moving parts. But in practice it just works.
But here’s what really got my attention: it’s keyless. No OpenAI API key. And no Anthropic API key, either. It uses the AI coding agent already sitting on your machine. So if you have Claude Code installed locally — and you’ve already seen what Claude-Mem does for cross-session memory — T3MP3ST can task it. Same for Codex, Hermes, or a local Ollama model. Honestly, I couldn’t resist testing it right away.
So I installed it and ran it against a local OWASP Juice Shop instance. Here’s exactly how that went.
Quick Start: From Zero to Running Recon
Installation took about 45 seconds:
git clone https://github.com/elder-plinius/T3MP3ST.git
cd T3MP3ST
npm install
And that’s the whole setup — no Docker Compose sitting there, no database schema to migrate, no config files to write. I was half-expecting to hit a missing dependency wall — but nope. My MacBook Air M3 went from zero to a running War Room in under a minute.
Then just start the War Room:
npm run server
And within a few seconds the TUI was live at http://127.0.0.1:3333/ui/. Clean, terminal-first, no bloat. And honestly? Refreshing.
From the War Room’s Settings panel, I pointed it at my local Claude Code installation. But you can also hook it to a cloud model:
export OPENROUTER_API_KEY=sk-or-v1-...
Or go completely offline:
ollama pull llama3
I stuck with Claude Code for my first run.
Running a Real Attack Chain Against Juice Shop
So I spun up OWASP Juice Shop locally — it’s a deliberately vulnerable Node.js web app, perfect for safe testing. Then I asked Op Admiral in plain English: “Test this Juice Shop instance at localhost:3000 for common web vulnerabilities.”
Here’s the feed I watched unfold in the War Room:
-
Recon phase — Now the recon agent got to work: crawling endpoints, checking security headers, identifying the tech stack. It flagged Express.js, SQLite backend, default cookie configuration. Each finding got logged with a timestamp and source URL.
-
Exploit phase — Then the exploit agent took that recon data and prioritized attack vectors. SQL injection probes. XSS payloads. CSRF checks. I watched it try several injection patterns, log failures, adjust the payload, try again. The agent kept looping until it either confirmed a vulnerability or exhausted reasonable vectors.
-
Report phase — After about 4 minutes, Op Admiral surfaced a clean report: 3 confirmed findings (SQL injection on login, reflected XSS on search, missing CSP headers). Each came with a reproduction URL and the raw request payload used to trigger it.
Still, I need to be honest here — it also told me what it couldn’t do. The NoSQL injection vector I was half-expecting? Skipped as out of scope for this agent config. The JWT signing key brute-force? Not available yet. That transparency is baked into T3MP3ST’s DNA — the README marks every component as ✅ Stable, ⚠️ Experimental, or 🚧 Planned. No pretending the rough edges are smooth.
Benchmarks: The Numbers That Matter
T3MP3ST ships with a built-in verification suite. And to run the verification? Just this:
npm run verify-claims
Then the framework replays its benchmark results from committed ground-truth data. Here’s what you get:
| Benchmark | T3MP3ST Score | Context |
|---|---|---|
| XBEN (pass@1) | 90.1% | Same suite XBOW reports 85% — higher score with zero API key dependency |
| Cybench (unsolicited) | 23/40 | Fully autonomous agent, no prompting |
| CVE-Zero (precision) | 8/10 | File + line + CWE level accuracy |
But here’s the part I really respect: every single number comes with a JSON evidence chain. npm run verify-claims doesn’t just print results — it walks through each test case’s input, the agent’s reasoning trace, and the scoring verdict. That’s reproducible. That’s verifiable. And honestly, it’s more transparent than most AI security products I’ve tested.
And I ran verify-claims myself. Took about 2 minutes. Output matched the README exactly. Can’t fake that kind of reproducibility.
And the XBEN score is worth dwelling on. XBOW, a well-known commercial competitor, self-reports ~85% on the same benchmark suite. T3MP3ST hits 90.1% and it’s open-source so anyone can audit the methodology.
T3MP3ST vs XBOW vs Manual Pentesting
| Dimension | T3MP3ST | XBOW (Commercial) | Manual Pentest |
|---|---|---|---|
| Cost | Free (open-source) | $200+/month | $5K–$50K per engagement |
| AI Model | Bring your own agent (keyless) | Proprietary, subscription required | Human expertise |
| Reproducibility | ✅ npm run verify-claims re-derives all data |
❌ Closed source, cannot verify | ❌ Human report, not reproducible |
| Attack Surface | Web + CTF + Code + IoT + Smart Contracts | Web only | Depends on team specialisation |
| Deployment | Local CLI / War Room TUI | SaaS platform | On-site |
| Benchmark (XBEN) | 90.1% pass@1 | ~85% (self-reported) | N/A |
| Offline Support | ✅ Full offline (Ollama / vLLM / LM Studio) | ❌ Cloud only | ✅ No restrictions |
| Transparency | ✅ Public status table per component | ❌ Limited public info | ✅ Direct communication |
But honestly, the comparison isn’t really about who has the higher number. It’s about ownership. With T3MP3ST, you control the entire stack — the model, the infrastructure, the scope. With XBOW, you’re renting access to someone else’s black box.
Who Should Grab This Right Now
- AI/Agent developers — If you’re already building with Claude Code or Codex and want to extend them into security testing, this is the cleanest integration I’ve seen so far. Check out how ECC Agent Harness orchestrates similar agent roles for comparison.
- Penetration testers — Automate the boring parts. Let T3MP3ST handle initial recon and exploitation triage while you focus on the complex attack chains.
- DevSecOps teams — T3MP3ST integrates into CI/CD pipelines for continuous scanning against staging and test environments. Deploy on a Vultr VPS with $100 trial credit for always-on scanning. (affiliate link)
- CTF players — Need a reproducible challenge-solving pipeline? This handles recon and exploit triage faster than any manual workflow I’ve tried.
The Bottom Line
Look, T3MP3ST is the first open-source red-teaming framework that treats your existing AI agent as a first-class offensive capability — instead of locking you into a proprietary ecosystem. The keyless setup, the reproducible benchmarks, the honest component status table — these aren’t marketing bullet points. They’re engineering decisions from a team that builds the right way.
Could it replace a human pentester top-to-bottom? Not yet. Look at the status table — exploit generation for complex attack chains is still marked Experimental. But as an autonomous reconnaissance and initial-exploitation layer? It’s already impressive in practice.
Still, the 2,092 stars in 4 days aren’t noise. That’s the kind of momentum that comes from delivering something the community actually needed.
Go try it yourself:
git clone https://github.com/elder-plinius/T3MP3ST.git && cd T3MP3ST && npm install
And if you’re diving into AI red-teaming seriously, grab a copy of The Web Application Hacker’s Handbook or Bug Bounty Bootcamp — knowing the fundamentals still matters when your agent’s doing the heavy lifting. For setting up a persistent scanning environment, DigitalOcean’s $200 free credit covers months of continuous VPS operation. (affiliate link)
Disclosure: Some links below are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.
- Vultr — $100 trial credit for new users
- DigitalOcean — $200 credit for new users