200+ wrapped security tools (wpscan, dalfox, hydra, hashcat, paramspider, ffuf, gobuster, sqlmap, prowler, scout-suite, ...) are now reachable from Claude Code, Cursor, Codex, and any MCP client. No Anthropic API key required for MCP users.

What's new

MCP tools (added in this release)

• mcp__pentest-ai__plan_tools(scope, intensity, target) — returns the canonical tool list for an engagement profile (web, ad, cloud, full)
• mcp__pentest-ai__ensure_tools_installed(tools, auto_install) — audits which tools are on PATH; with auto_install=True, batches the installs

These complement list_tools / run_tool (which have shipped since 0.10).

Agent-loop tool surface

Every SecurityTool wrapper in tools/registry.py is now reachable via the agent loop as tool.<name>. Previously the loop only saw probes (60 SPA-aware checks); now it also has the 200+ tool wrappers plus generic tool.run / tool.list / tool.plan / tool.ensure_installed actions.

Smart upfront install

ptai start --agent-mode now predicts which tools the LLM will need from the (scope, intensity, target) profile, audits PATH, and asks ONCE to install the missing ones in batch. Decline persists to ~/.pentest-ai/install-preferences.json::denied_tools so future engagements don't re-prompt. CI / non-TTY contexts skip silently.

Install UX

• ptai setup --per-tool wpscan,dalfox,paramspider for ad-hoc single-tool installs
• SecurityTool gains optional install_method / install_cmd / manual_url fields for wrappers not in TOOL_CATALOG

Hexstrike compatibility

v0.14.0 is the first release where ptai's tool surface matches or exceeds HexStrike's breadth on web targets (Juice Shop benchmark: ptai 46 critical+high across 5 OWASP buckets vs HexStrike's 0 critical+high in 1 bucket).

Install

```bash
pip install ptai==0.14.0

or

pipx upgrade ptai
```

For Claude Code / Cursor / Codex users:
```bash
claude mcp add pentest-ai -- ptai mcp
```

Full release notes in CHANGELOG.md.