Every tool you'd reach for on a Kali box, sitting in a real window with every flag exposed as a field. nmap, ffuf, hydra, evil-winrm, impacket, volatility3, 45 more. Run them by hand the way you always have, or hand an objective to the built-in AI agent and let it drive. Same binaries either way. Same flags. Same output. Just no terminal.
Pentest tools are powerful and they're all command-line. You either keep a cheat sheet in another tab or you re-Google the same nmap incantation for the fifth time this week. Either way you're losing minutes you don't have.
Legion puts a form in front of every tool. The fields are the flags. Pick a wordlist from a dropdown, point at a target, click Run. If you'd rather not do that 200 times in an engagement, hand it to the agent. It uses the same forms. You see the same output. You just didn't have to type any of it.
45 tools and counting. Each one a form that mirrors the real CLI flags. Bundled wordlists, interface pickers, file dialogs where they belong. You stop typing --top-ports 1000 the same way you've typed it for ten years.
Drive every step by hand if you want the control. Or hand the whole engagement to the agent and watch it work. Or start with the agent, take over the interesting part, hand back the cleanup. The tools don't care.
Hosts, services, credentials, vulnerabilities, screenshots. Whoever finds them, however they're found, they go into one typed engagement. Quit at midnight, reopen at 9am, it's all still there.
Click a tool in the sidebar. Fill the form. Hit Run. Watch the raw output stream right next to it. That's it. Or open the AI tab, tell it what you want, and it does the clicking for you, chaining one form into the next until the objective is met.
Not a rewrite, not a wrapper. The nmap in the form is the nmap on your PATH. Same version. Same flags. Same output, scrolling in a pane while it runs. Anything you'd see on the CLI, you see here.
When the AI runs nmap, it builds the same arguments your form would. Take over mid-engagement and nothing changes underneath you. It's not a second product wearing the same logo.
Hosts, services, credentials, paths, screenshots, artifacts. Tree view, severity colors, click-to-reveal vault. Whether you found it or the agent did, it's all in the same place.
All of it runs locally. No accounts, no telemetry, no SaaS dashboard you have to log into. The engagement data lives on your laptop and nowhere else.
nmap, ffuf, nuclei, hydra, impacket, evil-winrm, smbmap, gobuster, suricata, volatility3, yara, sigma. 45 tools so far. Each one a real form with the real flags. Bundled wordlists, interface dropdowns, file pickers. The CLI is still there if you need it. You won't.
No terminal required
Don't feel like clicking Run on 200 forms? Type what you want done in plain English. The agent reads the output, decides what to do next, and keeps going. Recently it solved a full TryHackMe-style box, recon through Docker breakout to root, in 15 minutes unattended.
Skip it if you want
Hosts, services, credentials, vulnerabilities, web paths, screenshots. All typed, all in one tree, all severity-colored. Quit the app at midnight, reopen at 9am, everything's exactly where you left it. Click a host to see what's on it. Click a cred to use it.
Goodbye notes.txt
Every credential the agent finds (or you log) goes straight into your OS keychain. Macs use Keychain, Linux uses Secret Service. SQLite never sees a plaintext secret. smbmap, crackmapexec, evil-winrm, impacket all get a one-click vault picker. Done with the creds.txt on the desktop.
Click Build Report. The AI drafts the exec summary, per-vuln remediation, and conclusion in parallel. Legion folds them into a polished HTML page (or PDF via WeasyPrint), embeds your screenshots, redacts credentials, and saves it where you want it. Tweak anything before you send.
~30 seconds to PDF
One toggle in the header. Sidebar swaps to DFIR, hunting, and detection-engineering tools (Volatility3, YARA, Sigma, Chainsaw, Suricata, capa, floss, plaso). The agent's instructions flip to "preserve evidence, never destroy." Same app, opposite job.
Two workstations, one binary
Claude (your subscription via the Code CLI, or an API key), OpenAI, Gemini, or any local OpenAI-compatible endpoint: Ollama, LM Studio, vLLM, llama.cpp. Pick one in Settings. Keys go in the keychain. If you've got a 70B running on your rig, point Legion at it.
Local LLMs welcome
Open Tool Status. See what's installed, what's missing. Click "Install missing" and brew or apt handles it. Grab the full Kali wordlist set (SecLists + rockyou) in another click. A fresh laptop is engagement-ready in about ten minutes.
Fresh box to ready in 10
Got an MCP server for Burp, BloodHound, or your own homebrew? Paste the command into Settings, hit Probe Tools to auto-fill the allow-list, and the agent can call it next session. No PR, no rebuild.
Plug in custom MCPs