Benchmarks

​

How benchmarks work

Each benchmark runs the identical prompt twice once with no skill loaded (the agent improvises), once with the skill loaded as system context. The comparison measures:

• Turns to completion how many back-and-forth exchanges before a usable result
• Tokens used total input + output tokens consumed
• Time wall-clock seconds from prompt to final output
• Output quality rated Incomplete → Partial → Good → Complete

The goal is not to make the agent look bad without skills it’s to show exactly what structured methodology adds, and where.

---

​

Results at a glance

---

---

​

Detailed results

​

idor-hunter

+120% findings on the same target with the same prompt. Without the skill, the agent applied a shallow approach and stopped after the most obvious vectors 5 IDORs found. With idor-hunter, it followed a complete enumeration across path params, query strings, JSON bodies, and headers finding 11 IDORs on the same target. 6 vulnerabilities that would have been missed in a real engagement.

---

​

find-skills

-97% time. 185 seconds → 5 seconds. Without the skill, the agent didn’t know what skills exist it improvised a Python script suggestion and confused the user. With find-skills, it immediately identified finding-writer as the right skill and provided the install command. One turn, 5 seconds.

---

​

hexstrike-forge

0 confirmed findings → 2 report-ready findings with CVSS + PoC + remediation. Prompt: “pentest scanme.nmap.org” four words, same target, same MCP server. Without the skill, the agent ran 7 tools ad hoc, hit the same tool bug twice without recovering, misunderstood the workflow tool, and produced zero deliverables just raw JSON output. With hexstrike-forge, it ran 5 structured phases, recovered from 3 tool failures, discarded 6 false positives, and produced 2 report-ready findings.

HexStrike without the skill is a toolbox. HexStrike with the skill is an engagement.

---

​

ssrf-hunter

False positives vs a confirmed exploit the most critical delta. Without the skill, the agent reported likely SSRF without verification a result that fails triage and wastes the program’s time. With ssrf-hunter, it followed a structured confirmation sequence (OOB callback → loopback → cloud metadata) and produced a verified working payload. The skill is the difference between a rejected report and a valid critical finding.

---

​

xss-hunter

9/10 XSS found in 2 minutes vs 7/10 in 8 minutes. Custom lab with 10 planted XSS vulnerabilities. Without the skill, the agent missed 3 including DOM-based and stored variants due to an incomplete coverage strategy and redundant recon steps. With xss-hunter, the pre-ordered test sequence (reflected → stored → DOM-based) eliminated redundancy and improved coverage.

---

​

jwt-cracker

3 turns → 1. -75% time. Without the skill, the agent needed 2 correction prompts before producing a usable JWT test. With jwt-cracker, complete structured output on the first turn phases, expected outputs, and interpretation annotated.

---

​

control-lookup

3 turns → 1. High user effort → Low. Without the skill, the agent’s first response claimed it had already answered (it hadn’t) 2 more correction prompts needed. With control-lookup, it immediately produced the correct control card with cross-framework mappings to NIST CSF and PCI-DSS in a single turn.

---

​

cvss-scorer

-63% tokens, -68% time. Same score, no noise. Both produce the correct CVSS vector. The skill version is 3 lines vector, score, one contextual note. Without it, the agent writes 500 tokens of explanation around the same answer. Fast scoring for a busy pentest workflow.

---

​

scope-grill

-93% tokens. -90% time. Structured scope collection vs a wall of legal text. Without the skill, the agent dumped a full legal disclaimer and engagement template overwhelming and not actionable. With scope-grill, it asked the first of 10 structured scoping questions and collected information one step at a time. Complete in 1 turn.

---

​

engagement-handoff

-58% tokens, -56% time. End-of-day status → structured handoff doc.

---

​

compliance-gap-analyzer

Partial → Complete in 1 turn. -38% tokens.

---

​

remediation-planner

2 turns → 1. -57% tokens.

---

​

risk-assessor

2 turns → 1 for CVE emergency patch decisions.

---

​

vuln-diagnose

-42% tokens, -53% time.

---

​

attack-surface

-37% tokens. Partial → Good attack surface map.

---

​

nuclei-template-writer

Good → Complete. Adds matcher strategy explanation the raw version skips.

---

​

ssti-hunter

Same result, faster. No wasted turns guessing the template engine. Both runs found and exploited the SSTI. The difference is speed: without the skill, the agent spent extra turns guessing the template engine before picking payloads. With ssti-hunter, a deterministic polyglot detection sequence reached confirmed exploitation faster no engine guessing, no wasted turns.

---

​

pentest-report

Same quality, less overhead.

---

​

Reading the color codes

Red is not always bad. Skills like bugbounty-reporter, js-analyzer, and check-exploit use more tokens because they produce more complete output. The benchmark shows the trade-off explicitly so you can decide whether it’s worth it for your workflow.