EVA is an AI penetration testing agent that guides users through complete pentest engagements with AI-powered attack strategy, autonomous command generation, and real-time vulnerability analysis based on outputs. The goal is not to replace the pentest professional but to guide and assist and provide faster results.
- 🜂 Intelligent Reasoning: Advanced AI-driven analysis and attack path identification depending on query.
- ⵢ Automated Enumeration: Systematic target reconnaissance and information gathering based on provided target.
- ꎈ Vulnerability Assessment: AI-powered vulnerability identification and exploitation strategies, suggesting next steps for vulnerability or OSINT.
- ⑇ Multiple AI Backends: Support for Ollama, OpenAI GPT, Anthropic, Gemini, G4F.dev and custom API endpoints
- ㄖ Session Management: Persistent sessions and chats
- ⑅ Interactive Interface: Real-time command execution and analysis of output in multi-stage.
graph TD
A[🜂 EVA Launch] --> B{🢧 Session Selection}
B -->|Existing Session| C[🢧 Load Session Data]
B -->|New Session| D[߭ Initialize Session]
C --> E[ㄖ Select AI Backend]
D --> E
E --> F[🦙 Ollama Local]
E --> G[⬡ OpenAI GPT]
E --> J1[✶ Anthropic Claude]
E --> J2[✦ Google Gemini]
E --> H[⟅ Custom API]
E --> I[🜅 G4F.dev Provider]
F --> J[Pentest Shell]
G --> J
J1 --> J
J2 --> J
H --> J
I --> J
J --> K[⌖ Target Definition]
K --> L[🧠 AI Pentest Strategy]
L --> M[🝯 Reconnaissance Phase]
M --> N[➤_ Execute Commands]
N --> O[ꎐ Analyze Results]
O --> P{ᐈ Vulnerabilities Found?}
P -->|Yes| Q[🖧 Exploitation Planning]
P -->|No| R[⭯ More Enumeration]
R --> L
Q --> S[⚡ Exploitation Phase]
Q --> T[Export graphs and mapped networks]
S --> U[➤_ Execute Exploit]
U --> V{🞜 Access Gained?}
V -->|Yes| W[𐱃 Privilege Escalation]
V -->|Failed| X[⭯ Alternative Methods]
X --> Q
W --> Y[𐦝 Post-Exploitation]
Y --> Z{🞜 Objectives Met?}
Z -->|Generate Report| AA[📋 Generate Report]
Z -->|Exit and Save| AB[💾 Save & Exit]
Z -->|No| AC[🔍 Continue Pentest]
AC --> L
AA --> AB
subgraph "🍎 EVA "
AD[⯐ Attack Strategy AI]
AE[𝚵 Session Memory]
AF[ᐮ Vulnerability Analysis]
AG[CVE DATABASE SEARCH]
AH[𐰬 Output Processing]
end
L --> AD
AD --> AE
O --> AF
AF --> AG
AG --> AH
AH --> L
curl -fsSL https://ollama.ai/install.sh | shrpip install eva-exploit
evagit clone https://github.com/ARCANGEL0/EVA.git
cd EVA
chmod +x eva.py
./eva.py
# Adding it to PATH to be acessible anywhere
sudo mv eva.py /usr/local/bin/evaWhen starting EVA, it will automatically handle:
- ✅ API key setup (According to Model)
- ✅ Ollama model download (Default set as whiterabitv2, feel free to change to any other desired model)
- ✅ Session directory creation
- ✅ Dependencies installation
If you wish to modify endpoints, ollama models, API Keys or configure EVA, please run:
eva --config~/EVA_data/
├── sessions/ # Session storage
│ ├── session1.json
│ ├── session2.json
│ └── ...
├── reports/ # Vulnerability reports
│ ├── report1.html
│ ├── report1.pdf
│ └── ...
└── attack_maps/ # Attack vector maps in HTML/JS
├── attack_surface1.html
├── attack_surface2.html
└── ...
eva --configWill display the following configuration:
API_ENDPOINT = "NOT_SET"
G4F_MODEL="gpt-oss-120b"
G4F_URL="https://api.gpt4free.workers.dev/api/novaai/chat/completions"
OLLAMA_MODEL = "ALIENTELLIGENCE/whiterabbitv2"
SEARCHVULN_MODEL = "gpt-oss:120b-cloud"
SEARCVULN_URL = "https://ollama.com/api/chat"
OLLAMA_API_KEY = "NOT_SET"
OPENAI_API_KEY = "NOT_SET"
ANTHROPIC_API_KEY = "NOT_SET"
GEMINI_API_KEY = "NOT_SET"
ANTHROPIC_MODEL = "claude-3-5-sonnet-latest"
GEMINI_MODEL = "gemini-2.0-flash"
OLLAMA_CLOUD_TIMEOUT = 45
CONFIG_DIR = Path.home() / "EVA_data" #
SESSIONS_DIR = CONFIG_DIR / "sessions"
REPORTS_DIR = CONFIG_DIR / "reports"
MAPS_DIR = CONFIG_DIR / "attack_maps"
TERMS_ACCEPTEDTHING = CONFIG_DIR / ".confirm"
CONFIG_DIR.mkdir(parents=True, exist_ok=True)
SESSIONS_DIR.mkdir(parents=True, exist_ok=True)
REPORTS_DIR.mkdir(parents=True, exist_ok=True)
MAPS_DIR.mkdir(parents=True, exist_ok=True)
username = os.getlogin()
MAX_RETRIES = 10 ### maximum retries for fetching requests
RETRY_DELAY = 10 ### delay between requests to avoid rate limit errorpython3 eva.py
# or if installed via pip:
eva
# open config.py in your default editor
eva --config
# deletes all sessions and files
eva --delete
# configure custom api and payload handler
eva --custom-api
# vulnerability / exploit intel search
eva --search i have a wingftp server running on version 4.7.3, find me exploits for it
# run eva default launcher
eva - Select Session: Choose existing session or create new one
- Choose AI Backend:
- Ollama (Recommended): Local AI with WhiteRabbit-Neo model
- GPT-5: OpenAI's latest model (requires API key)
- G4F: Uses g4f.dev endpoints with models running GPT5.2, feel free to change model used.
- Anthropic: Claude API backend (requires API key)
- Gemini: Google Gemini API backend (requires API key)
- Custom API: Your own API endpoint if desired
- In the input field of chat, type in your request or what you need assistance with for EVA to help you!
USER > i need help with a CTF machine, ip is 10.10.16.81
After making a request, commands will be provided and the pentest workflow will start, use commands below as reference.
| Command | Description |
|---|---|
/exit / /quit |
Exit EVA and save session |
/model |
Change AI backend |
/rename |
Rename the current session |
/search <query> or search <query> |
Run exploit/vulnerability intel search inside current chat session and feed results into next analysis |
/report |
Generates a PDF/HTML report with latest findings on session |
/map |
Generates a html file with attack surface map of session |
/menu |
Return to session menu |
R |
Run suggested command |
S |
Skip command |
A |
Ask for next step |
Q |
Quit session |
demonstration video.
USER > I'm on a Windows target at IP 10.10.11.95, what should I enumerate first?
[ANALYSIS]
Based on the Windows environment, I need to perform comprehensive
enumeration focusing on:
1. System Information (OS version, patches, architecture)
2. Network Services (ports, services, listening processes)
3. User Context (current user, groups, privileges)
4. Security Controls (AV, firewall, UAC settings)
5. Potential Attack Vectors (SMB, RDP, IIS, etc.)
Let me start with basic system reconnaissance to understand the target better...
> execute: nmap -sC -sV -O 10.10.10.10
| [R]un | [S]kip | [A]sk | [G]enerate HTML Report | [V]iew attack map | [Q]uit |
> R
- Model:
ALIENTELLIGENCE/whiterabbitv2"(best one for OffSec)- ✅ Complete offline operation
- ✅ No API costs
- ✅ Privacy-focused
- ❌ Higher CPU/GPU usage, recommended for machines above 8GB+ VRAM/RAM
- ❌ Heavier model, ~9.8gb model
- Models: GPT-5, GPT-4.1 (fallback)
- About:
- ✅ Faster reasoning
- ✅ Extensive knowledge base
- ✅ Continuous updates
- ❌ Paid, requires apikey
- Models: GPT-5-1
- About:
- ✅ Updated information in real-time (usually)
- ✅ Quick responses
- ❌ Might be unstable or down sometimes, low stability.
- Endpoint: Configurable API to use your own as you wish. Please run
eva --custom-apito set API handler and payload - About:
- ✅ Custom model integration
- ✅ Modifiable as you wish
- Model: Configurable via
ANTHROPIC_MODEL - About:
- ✅ Strong reasoning quality
- ✅ Stable API
- ❌ Requires
ANTHROPIC_API_KEY
- Model: Configurable via
GEMINI_MODEL - About:
- ✅ Fast response latency
- ✅ Native JSON output mode and better parsing, usually provides best results
- ❌ Requires
GEMINI_API_KEY
- ⬢ OpenAI integration: Integrated OpenAI into EVA
- ⬢ G4F.DEV: Added G4F endpoints to free GPT5 usage.
- ⬢ Custom API: Add custom endpoint besides ollama and OpenAI
- ⬢ Automated Reporting: Concise HTML report generation (+ optional PDF via wkhtmltopdf)
- ⬢ CVE Database Integration: Real-time vulnerability data
- ⬢ Visual Attack Maps: Interactive network diagrams such as connections or such, like Kerberos domains and AD devices.
- ⬡ Cloud Integration: AWS/GCP deployment ready
- ⬡ Web Interface: Browser-based EVA dashboard
CTF (Capture The Flag) competitions
Authorized penetration testing
Security research and laboratory environments
Systems you own or have explicit permission to test
Unauthorized access to any system
Illegal or malicious activities
Production systems without explicit authorization
Networks you do not own or control
I take no responsibility for misuse, illegal activity, or unauthorized use.
Any and all consequences are the sole responsibility of the user.
MIT License
Copyright (c) 2026 EVA - Exploit Vector Agent
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Hack the world. Byte by Byte. ⛛
𝝺𝗿𝗰𝗮𝗻𝗴𝗲𝗹𝗼 @ 2026
