
Instead of doing the hacking themselves, attackers are increasingly deploying a free AI weapon that hacks for them. Twelve autonomous AI agents juggle 150 highly specialized security tools, from reconnaissance to zero-day exploitation, and it seems to be working.
Imagine Kali Linux, the Swiss army knife of cybersecurity, acting autonomously based on its owner's commands, understanding all the tools, and using them at an inhuman speed.
Meet HexStrike AI – an AI brain that directs over 150 specialized cybersecurity utilities to autonomously scan, exploit, and persist inside targets.
Researchers from Check Point warn that this freely available platform, which is supposed to be a defender’s assistant, is quickly mutating into a hacker’s dream weapon.
Threat actors using HexStrike AI MCP (multi-agent control protocol server) were able to exploit newly discovered zero-day vulnerabilities within hours of their disclosure, leaving network defenders no time to mitigate them.
However, the creator of the tool believes that it gives defenders a unique opportunity to tip the scales to their side, and urges them to embrace automation and AI-driven orchestration.
“HexStrike AI was built with one clear intention: to empower defenders, red teams, and researchers with the same speed and orchestration capabilities that threat actors are beginning to adopt,” Muhammad Osama, Creator of HexStrike AI, told Cybernews.
Adopted by threat actors
Last week, Citrix disclosed three zero-day flaws affecting its NetScaler line of networking products, allowing unauthenticated attackers to execute code remotely.
Exploiting such vulnerabilities is normally a complex task, requiring an understanding of memory operations, authentication bypasses, and the peculiarities of NetScaler’s architecture.
Twelve hours later, attackers using HexStrike-AI were sharing their successes on an underground forum.
“We have observed threat actors discussing the use of HexStrike-AI to scan for and exploit vulnerable NetScaler instances,” Check Point researchers said in a report.
“Such work has historically required highly skilled operators and weeks of development.”
Instead of manual labor, AI agents automated reconnaissance, assisted with exploit crafting, and facilitated payload delivery for the critical vulnerabilities.
How does HexStrike work?
The HexStrike AI framework was publicly released on GitHub in July. The developer touts it as “a revolutionary AI-powered offensive security framework that combines professional security tools with autonomous AI agents to deliver comprehensive security testing capabilities.”
It acts like a “brain” that orchestrates large numbers of AI agents to launch complex operations at scale. An advanced server bridges LLMs (large language models), like Claude, GPT, Copilot, and others, with real-world offensive capabilities.
HexStrike can autonomously run over 150 cybersecurity tools, such as Nmap, Metasploit, Burp, John the Ripper, etc., for automated pentesting, vulnerability discovery, bug bounty automation, and security research.
It's a dream come true for hackers, as it marks a significant shift in how threat actors organize and execute cyberattacks. Hackers can abuse the same agents to exploit vulnerabilities, deploy backdoors, and exfiltrate data.
The GitHub page explains that users can choose various AI integrations to spin up AI agents of over 12 different specializations, such as tool selection and parameter organization, vulnerability intelligence, attack chain discovery, system optimization, and others.
The system offers vulnerability monitoring and exploit analysis, live command control and monitoring, and real-time dashboards with progress tracking.
Everything starts with prompts, like “Perform a comprehensive security assessment of example.com” or “Find XSS vulnerabilities in this web application.”
Operations such as subdomain enumeration, vulnerability scanning, web app security testing, CTF challenge solving, and report generation can be completed in minutes instead of hours, with higher success rates and lower false positive rates. HexStrike includes retry logic and recovery handling to keep working even after failures.
“Within hours of its release, dark web chatter shows threat actors attempting to use HexStrike-AI to go after recent zero-day CVEs, with attackers dropping webshells for unauthenticated remote code execution,” Check Point researchers said.
“With HexStrike-AI, threat actors claim to reduce the exploitation time from days to under 10 minutes.”
The developer plans to release a major upgrade soon, which will expand capabilities to over 250 AI agents and tools, bring one-command setup, Docker support, a native desktop client, optimizations, and other improvements.
“The window between disclosure and mass exploitation shrinks dramatically. CVE-2025-7775 is already being exploited in the wild, and with HexStrike-AI, the volume of attacks will only increase in the coming days,” Check Point warns.
The report urges defenders to prioritize immediate patching and hardening of any affected systems.
“HexStrike-AI is a watershed moment. What was once a conceptual architecture – a central orchestration brain directing AI agents – has now been embodied in a working tool. And it is already being applied against active zero-days.”
While the security community has warned previously about the potential convergence of AI orchestration and offensive tooling, HexStrike AI is one of the first practical examples.
The developer: defenders have a unique opportunity
“The reality is, automation and AI are transforming cyber operations on both sides. Attackers will leverage these tools to reduce the time between vulnerability disclosure and exploitation, but defenders can leverage the exact same technologies to detect faster, respond smarter, and patch quicker,” Osama, Creator of HexStrike AI, said.
With both sides racing, defenders have a unique opportunity to tip the balance to their side.
“Attackers often move opportunistically and chaotically, while defenders, if they embrace automation and AI-driven orchestration, can build systematic, adaptive, and resilient defenses that scale beyond what manual processes allow,” Osama believes.
The upcoming HexStrike AI v7.0 will be even more powerful, introducing a fully integrated RAG system that empowers real-time adaptation to zero-days, dynamic exploit research, and next-generation defensive automation.
The developer suggests defenders use HexStrike or other similar tools to do the following:
- Simulate realistic AI-driven attack chains, and identify weaknesses before adversaries do.
- Integrate with patching pipelines and detection systems, which helps shrink the exploit window from weeks to hours.
- Adopt orchestration at scale, which helps defenders to finally keep pace with the speed of modern threats.
“In short, I believe HexStrike AI shows that the same innovations that accelerate attacks can be used even more effectively to accelerate defense. The security community needs to seize this moment and lead with AI, rather than lag behind it,” Osama concludes.
Updated on September 4th [06:30 a.m. GMT] with comments from the HexStrike AI creator.