Status: Stable | Version: 1.0.0 | Author: Rifteo | Tags: pentest, security, integrations | Requires: hexstrike-ai MCP server v6.0.0+
★ Top 5 benchmark result: 0 → 2 confirmed findings with CVSS scores and remediation per session — vs. 0 structured findings without the skill. See the full results in the Benchmark Results section below.
Installation
rifteo-skills add hexstrike-forge

Summary

Turn a four-word prompt into a complete, triage-clean, report-ready penetration test. HexStrike Forge is the methodology layer on top of the hexstrike-ai MCP server: it tells the agent which tools to run, in what order, in parallel, what to do when tools fail, and how to triage raw flags into confirmed findings.
  • Runs 5 structured phases from passive recon to finding delivery, with a hard triage gate between each phase
  • Executes tools in parallel batches to maximize coverage without sequential bottlenecks
  • Recovers from tool failures automatically by logging the gap and substituting an equivalent tool
  • Filters raw scanner output through triage rules to discard noise before writing any finding
  • Produces findings with CVSS score, evidence block, and remediation, ready for pentest-report or remediation-planner

How It Works

Phase 1: Passive Recon

Runs in parallel: subfinder, dnsenum, waybackurls, wafw00f. Captures: subdomain inventory, DNS records, historical endpoints, WAF presence. WAF detection is a critical signal that shapes Phase 2 tool selection. If a tool binary is missing, it is logged as a tool gap and skipped without stalling the phase.

Phase 2: Active Recon

Runs in parallel: nmap -sV -sC, gobuster dir, dirsearch, nikto. Captures: open ports and service versions, directory and file enumeration, server misconfigurations, missing security headers. Triage gate: every flag from Phase 2 is classified as INVESTIGATE or DISCARD before Phase 3 begins. Only INVESTIGATE flags carry forward.
Decision    | Criteria
INVESTIGATE | Unknown directory, EOL software, potential source exposure
DISCARD     | Missing header with no exploitable context, informational only

Phase 3: Vulnerability Scan

Runs targeted nuclei scans using tags derived from Phase 2 findings (apache, cve, exposure, ssh, etc.), plus manual verification of each INVESTIGATE flag via curl or nmap scripts. Triage gate: each flag is either CONFIRM (becomes a finding) or DISCARD (documented as cleared). False-positive discard target: a confirm rate below 20% is acceptable.

Phase 4: Forge

Writes a structured finding for each confirmed flag:
[F-XX] Title
Severity: Critical / High / Medium / Low
CVSS: score (vector)
Host: target:port

Description: what the vulnerability is and why it matters.

Evidence:
[tool output verbatim]

Remediation: specific fix action.
No finding is written without evidence. No finding is written without a remediation.
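As an added illustration (not the skill's own code), a small Python check that parses a finding written in the template above and enforces both rules before it can reach Phase 5; the severity bands are the standard CVSS v3.x qualitative ratings, and the sample finding is constructed.

```python
import re

# Standard CVSS v3.x qualitative severity bands (general knowledge, not from the skill page).
SEVERITY_BANDS = {"Critical": (9.0, 10.0), "High": (7.0, 8.9), "Medium": (4.0, 6.9), "Low": (0.1, 3.9)}

def parse_finding(text):
    """Parse one finding in the Phase 4 template into a dict of its fields."""
    m = re.search(r"^\[F-(\d{2})\] (.+)$", text, re.M)
    if not m:
        raise ValueError("missing [F-XX] header")
    f = {"id": int(m.group(1)), "title": m.group(2).strip()}
    for key in ("Severity", "CVSS", "Host", "Description", "Remediation"):
        km = re.search(rf"^{key}: (.*)$", text, re.M)
        f[key.lower()] = km.group(1).strip() if km else ""
    # Evidence is a multi-line block that ends where the Remediation line starts.
    em = re.search(r"^Evidence:\n(.*?)(?=\nRemediation:|\Z)", text, re.M | re.S)
    f["evidence"] = em.group(1).strip() if em else ""
    return f

def validate_finding(f):
    """Return the gate violations for a parsed finding; an empty list means it may be delivered."""
    problems = []
    if not f["evidence"]:
        problems.append("no evidence block")
    if not f["remediation"]:
        problems.append("no remediation")
    if f["severity"] not in SEVERITY_BANDS:
        problems.append(f"unknown severity {f['severity']!r}")
    cm = re.match(r"^(\d+(?:\.\d)?) \(CVSS:3\.[01]/[A-Z:/]+\)$", f["cvss"])
    if not cm:
        problems.append("CVSS must be written as 'score (vector)'")
    elif f["severity"] in SEVERITY_BANDS:
        lo, hi = SEVERITY_BANDS[f["severity"]]
        if not lo <= float(cm.group(1)) <= hi:
            problems.append(f"CVSS {cm.group(1)} is outside the {f['severity']} band")
    return problems

# Constructed sample finding in the page's template (not real scanner output).
SAMPLE = """[F-01] End-of-life SSH server exposed
Severity: Medium
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Host: target.example:22

Description: The SSH service reports an end-of-life version that no longer receives fixes.

Evidence:
22/tcp open ssh (constructed banner: end-of-life version string)

Remediation: Upgrade the SSH server to a supported release.
"""
```

Running `validate_finding(parse_finding(SAMPLE))` returns an empty list; deleting the evidence line or mislabelling the severity produces a named violation instead.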

Phase 5: Delivery

After findings are forged, the skill presents a delivery menu:
→ pentest-report    full formatted client report
→ remediation-planner  prioritized fix guidance per finding
→ engagement-handoff  save state for follow-up session

Benchmark Results

Tested on scanme.nmap.org (authorized). Same prompt. Same model. Same MCP server. Skill on vs skill off.
Metric                   | Without Skill  | With Skill
Phases executed          | 1 (ad hoc)     | 5 (structured)
Tool calls made          | 7              | 18
Parallel execution       | No             | Yes (3 batches)
Tool failures recovered  | 0 / 2          | 3 / 3
Raw flags produced       | 2              | 8
Confirmed findings       | 0 structured   | 2 with CVSS + remediation
False positives reported | unmeasured     | 0 (6 discarded)
Output                   | Raw JSON blobs | Report-ready findings
Time increases with the skill (+144%) because it runs more tools across more phases with triage between each. This is intentional: it trades speed for completeness and accuracy.

Known Tool Bugs

Surfaced during benchmarking. The skill works around these automatically.
Tool                              | Bug                                                                | Workaround
httpx_probe                       | Passes -l flag for URL input instead of direct argument            | Logged and skipped
dirsearch_scan                    | pkg_resources module missing                                       | Substituted with gobuster
nmap_advanced_scan                | Runs broadcast pre-scan scripts, scans local subnet instead of target | Avoided in favor of targeted nmap -sV -sC
waybackurls_discovery             | Binary not installed on MCP server                                 | Logged as tool gap, skipped
bugbounty_reconnaissance_workflow | Returns a plan JSON, does not execute tools                        | Skill handles execution manually

Known Limitations

  • Requires the hexstrike-ai MCP server to be running and reachable
  • Phase timings depend on target responsiveness and tool availability
  • Static analysis only for some checks; dynamic exploitation is out of scope
  • Tool bugs listed above may be fixed in future MCP server releases

scope-grill

Interview the user about scope, authorization, and rules of engagement before testing begins

finding-writer

Convert raw pentest notes into structured audit findings ready for reporting

pentest-report

Generate a complete, client-ready penetration test report from all confirmed findings