METATRON: offline AI pentest helper

METATRON is a new open‑source AI pentesting assistant for Linux that runs fully offline and uses local language models to automate reconnaissance and vulnerability analysis. Because it operates without cloud connectivity, METATRON is pitched at teams that need automated testing while keeping sensitive data on‑premises. That design reflects a broader push to apply generative tools inside constrained, security‑sensitive workflows. (x.com/The_Cyber_News/status/2041617760782852149)

A penetration test usually starts with a pile of raw clues: open ports from Nmap, domain records from Whois, web fingerprints from WhatWeb, and server headers from curl. METATRON tries to turn that pile into a first draft of findings on the same Linux machine that collected the data. (github.com)

Nmap is the part that knocks on thousands of digital doors to see which ones answer, and the official Nmap guide describes it as a tool for network discovery and security auditing used by millions. METATRON plugs Nmap into a command-line workflow so the scan output goes straight into an artificial intelligence model instead of waiting for a human to read it line by line. (nmap.org) (github.com)

A local language model is an artificial intelligence system that runs on your own hardware, like using a calculator on your desk instead of sending every equation to a website. METATRON uses Ollama as that local model runner, and its repository says the setup is built around a custom “metatron-qwen” model based on Qwen 3.5. (github.com) That local setup changes what leaves the building. The project says there is no cloud service, no application programming interface key, and no subscription, so target internet protocol addresses, banners, and scan logs stay on the tester’s machine unless the tester exports them. (github.com)

The toolchain is very concrete. The README lists Nmap for port scanning, Whois and dig for registration and Domain Name System data, WhatWeb for website fingerprinting, curl for header checks, and Nikto for web server checks, then says the model analyzes the combined output for vulnerabilities, exploit ideas, and fixes. (github.com)

METATRON also stores results instead of treating each scan like a one-off command. Its GitHub page says findings are written into a MariaDB database with full scan history, which means a team can compare what changed between one run and the next instead of pasting notes into separate text files. (github.com)

One detail that makes it more than a chatbot wrapper is the “agentic loop” in the README. The project says the model can ask for another tool run in the middle of analysis, which is closer to a junior analyst saying “I need one more scan on that service” than a static summary of the first output. (github.com)

The project is new enough that its traction is part of the story. On April 9, 2026, the public GitHub repository showed about 1,700 stars, 321 forks, and 12 commits, with the latest visible commit landing 3 days earlier. (github.com)

The catch is that automation is not the same thing as authorization. The Open Worldwide Application Security Project testing guide frames penetration testing as a professional security practice, and tools like METATRON still need a legal scope, because scanning a system you do not own is not made safer by adding artificial intelligence to it. (owasp.org)

So the real shift here is not that a machine can “hack” by itself. It is that a Debian-based Linux box, using local models and standard recon tools, can now do the boring first pass of security analysis without sending sensitive target data to a cloud provider at all. (github.com)
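The scan-history comparison described above, as an added illustration rather than METATRON's own code: it parses Nmap grepable (`-oG`) host lines from two runs of a host you administer, stores them in a scan-history table, and reports which open ports appeared, disappeared, or changed service between runs. It assumes an in-memory sqlite3 table as a stand-in for the MariaDB history the README describes, and the two scan lines are constructed sample data.

```python
"""Exposure drift between two stored scan runs (added example, not
METATRON code). sqlite3 stands in for the MariaDB scan history."""
import re
import sqlite3

# Constructed sample: Nmap -oG "Host:" lines for one host across two runs.
RUN1 = "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/"
RUN2 = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, "
        "443/open/tcp//https//nginx 1.18/, 3306/open/tcp//mysql//MariaDB 10.6/")

# -oG port field layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

def parse_grepable(line):
    """Return (host, {(port, proto): (state, service, version)}) for one Host: line."""
    m = re.match(r"Host:\s+(\S+)", line)
    if not m:
        raise ValueError("not a grepable Host: line")
    ports = {}
    for port, state, proto, service, version in PORT_RE.findall(line):
        ports[(int(port), proto)] = (state, service, version.strip())
    return m.group(1), ports

def store_run(conn, run_id, host, ports):
    """Persist one run so later runs can be compared against it."""
    conn.executemany("INSERT INTO findings VALUES (?,?,?,?,?,?,?)",
        [(run_id, host, p, pr, s, sv, v) for (p, pr), (s, sv, v) in ports.items()])

def load_run(conn, run_id, host):
    rows = conn.execute("SELECT port, proto, state, service, version FROM findings "
                        "WHERE run_id=? AND host=?", (run_id, host))
    return {(p, pr): (s, sv, v) for p, pr, s, sv, v in rows}

def diff_runs(old, new):
    """Classify drift: newly open ports, ports that went away, changed service/version."""
    opened = sorted(k for k in new if k not in old and new[k][0] == "open")
    closed = sorted(k for k in old if k not in new and old[k][0] == "open")
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return {"opened": opened, "closed": closed, "changed": changed}

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE findings (run_id, host, port, proto, state, service, version)")
    for run_id, line in ((1, RUN1), (2, RUN2)):
        host, ports = parse_grepable(line)
        store_run(conn, run_id, host, ports)
    return diff_runs(load_run(conn, 1, "192.0.2.10"), load_run(conn, 2, "192.0.2.10"))

if __name__ == "__main__":
    print(demo())
```

A newly opened database port such as 3306 in the second run is exactly the kind of change a stored history surfaces and a one-off scan would not.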
