My Security Agent Stack: How Zerocool Guards the Perimeter
The tools behind my security agent. Shannon for white-box pentesting, PentAGI for autonomous scanning, Ghost Security for code analysis, Argus and WebCopilot for recon. All wired into one agent in my wololo setup.
The Setup
My wololo setup has a security agent called Zerocool. It runs recon, scans for vulns, and reviews code for security issues before anything ships. Not a single tool. A stack of tools coordinated by one agent.
Here's what's in the stack and why.
Recon Layer
Argus (jasonxtn) for quick information gathering. Python-based, clean TUI, covers networks, web apps, and security environments. Good for the "what am I looking at" phase when Zerocool first touches a target. Not the heaviest toolkit but it's fast and the interface is proper nice for an agent to parse.
WebCopilot for attack surface mapping. Enumerates subdomains (assetfinder, sublister, subfinder, amass, findomain, gobuster), filters live hosts via dnsx, crawls endpoints, then uses gf patterns to extract params vulnerable to XSS, LFI, SSRF, SQLi, open redirect, and RCE. Scans them with dalfox, kxss, sqlmap. It's the automated "find every door and window" tool. Point it at a domain and it maps the whole surface.
Pentesting Layer
Shannon is the star of the stack. 37,000 stars. Autonomous white-box AI pentester by Keygraph. It reads your source code, identifies attack vectors, and then actually executes real exploits. Injection, auth bypass, SSRF, XSS. Reports only proven vulnerabilities with copy-paste PoCs. Not theoretical risk assessments. Proof.
96% on the XBOW benchmark. Handles 2FA, TOTP, SSO, browser automation, parallel exploitation. The Lite version is AGPL-3.0. Pro adds SAST, SCA, secrets scanning, and CI/CD integration.
PentAGI for fully autonomous scanning. 14,600 stars. Sandboxed Docker execution with 20+ security tools baked in (nmap, metasploit, sqlmap). Knowledge graph via Neo4j. Team of specialist AI agents for research, dev, and infra. Multi-LLM support. docker compose up and it's running.
I use Shannon for targeted white-box testing on code I control. PentAGI for broader autonomous scanning where I want the agent to find things I haven't thought of.
Code Security Layer
Ghost Security Skills for AI-native code analysis inside Claude Code. Four skills: ghost:repo-context (understand the codebase), ghost:scan-deps (dependency vulnerabilities), ghost:scan-secrets (leaked credentials), ghost:scan-code (code-level security issues). Install and your agent can security-review a PR before it merges.
This is the layer that runs on every commit. Shannon and PentAGI run on schedules or before releases. Ghost Security runs continuously.
How Zerocool Uses Them
The agent picks tools based on what phase of the security review it's in:
- Recon: Argus + WebCopilot map the target
- Static analysis: Ghost Security scans the code and dependencies
- Dynamic testing: Shannon runs white-box exploits against the running app
- Autonomous sweep: PentAGI does a broad scan for anything the targeted tools missed
- Report: Zerocool compiles findings, deduplicates, and files issues
All of this is ethical/authorised testing on my own infrastructure. If you're pointing any of these at targets you don't own, that's on you.