AIRecon is an open-source autonomous pentest agent published by pikpikcu in March 2026. It drives a local large language model — an Ollama instance running an 8-billion-parameter model or larger — through a four-phase loop: reconnaissance, analysis, exploitation, report. Fifty-seven built-in skills, 289 keyword-to-skill auto-mappings, all wrapped in a Kali Docker sandbox with a Caido proxy in front. The premise is that the LLM is the brain, and the framework converts its decisions into HTTP requests, scans, and tool invocations against the target.
The pitch is the version of agentic-pentest discourse that has been circulating for two years. Autonomous agents hacking faster than humans, defensive automation failing against AI-speed offense, and so on. On April 19, 2026, an operator in Maharashtra pointed AIRecon at an Indian life insurer’s wildcard domain and ran it against one of our Ollama honeypots. The honeypot does not run real inference. Forty minutes later, after twelve identical retries against the same /api/chat request, the operator walked away. No inference returned, no reasoning step ever executed, no recon phase ever began.
This is what the framework does when its model is unavailable. It is also a first observation of AIRecon being used in the wild by someone who is not its author, against a target that did not invite the attention. The post describes the run, the failure mode, and the fingerprint that survives across IP rotation.
The tool
AIRecon is an autonomous pentest agent by pikpikcu. MIT, first release 2026-03-05. A local Ollama LLM inside a Kali Docker sandbox and a Caido proxy, driving a four-phase recon→analysis→exploit→report loop. 57 built-in skills, 289 keyword-to-skill auto-mappings, 8B minimum model size.
The system prompt is a static file: airecon/proxy/prompts/system.txt. The copy we logged runs 2.2 KB longer, the delta being runtime-injected target context and SQLite-backed memory. The prompt is not the novel part. A named tool running against a non-consenting target by someone who isn’t its author is.
The operator’s network
| Field | Value |
|---|---|
| ASN | AS154193 LINKWAY BROADBAND |
| Network size | 4 × IPv4 /24, 2 × IPv6 /48 |
| Upstream | AS133001 Airnet Cable and Datacom |
| Registrant | individual, residential address |
| Geolocation | Virar, Maharashtra |
| GreyNoise | no scanning history |
| AbuseIPDB | 1 prior report on .48, none on .41, score 0 |
A small consumer ISP, not a VPS provider, not a VPN exit, not bulletproof infrastructure. We are not identifying the operator further.
What the operator typed
Three user messages, across two sessions.
test the modell
Typo preserved. Carried forward in conversation history through every subsequent request in the session.
find the bug in this wildcard target [redacted].com
AIRecon’s <engagement_detection> block routes any public domain to Type 3, “Bug Bounty / External Assessment.” “Wildcard target” is HackerOne/Bugcrowd scope vernacular: on a real program it means *.example.com is in scope. This target has no program of any kind. Bounty language applied to a domain that never opened the door.
full recon to [redacted].com
Different IP, same /24 neighbor, no chat history, five minutes of retries.
Why the loop stalled
Ollama’s /api/chat returns newline-delimited JSON. Each line is a JSON object with partial message.content; the terminal line carries "done": true and any tool_calls. Agents parse incrementally, act on the terminal chunk.
{"model":"deepseek-r1:70b","message":{"role":"assistant","content":"I'll"},"done":false}
{"model":"deepseek-r1:70b","message":{"role":"assistant","content":" start"},"done":false}
...
{"model":"deepseek-r1:70b","message":{"role":"assistant","content":"","tool_calls":[...]},"done":true,"total_duration":...}
The framework passes enumeration easily. /api/tags returns a JSON catalogue of models with plausible SHA256 digests and gguf metadata. /api/ps advertises which models are currently VRAM-resident, with expires_at timestamps that advance between polls. An agent does not verify any of this. The digests are just hex strings, the metadata is YAML-shaped, and no client computes local hashes against a remote model registry. AIRecon treats the endpoint as live and proceeds to inference.
/api/chat and /api/generate are where a fake breaks. Both need real model computation: the agent ships a full system + user prompt, waits for a token stream, and parses the terminal chunk’s tool_calls to decide what to execute next. Our sensor fault-injects these responses. Slow time-to-first-byte, truncation before "done": true, or bodies that json.loads refuses.
AIRecon’s HTTP client streams the response line-by-line, accumulating content and tool_calls across chunks, acting once the terminal object arrives. A parse exception or a read timeout surfaces at the transport layer, which sits below the agent’s reasoning. The <failure_loop_recovery> rule in the system prompt (“rotate techniques after two failed steps”) is an instruction to the model, and the model never runs because nothing parseable ever reached it. httpx’s retry policy fires instead, re-sending the same request body. Twelve retries, same result, operator exit.
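The stall described above, as an added sketch (not AIRecon's code and not part of the original capture): a line-by-line consumer for the NDJSON stream plus a hypothetical transport-level retry wrapper. The function names, the sample streams and the `example_tool` call are constructed for illustration.

```python
import json

def consume_chat_stream(lines):
    """Accumulate an Ollama-style NDJSON chat stream.
    Returns (status, content, tool_calls); status is ok, malformed or truncated."""
    content, tool_calls = [], []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            chunk = json.loads(raw)
        except json.JSONDecodeError:
            return "malformed", "".join(content), []
        msg = chunk.get("message", {})
        content.append(msg.get("content", ""))
        tool_calls.extend(msg.get("tool_calls", []))
        if chunk.get("done"):          # terminal object: safe to act
            return "ok", "".join(content), tool_calls
    return "truncated", "".join(content), []   # stream ended before "done": true

def run_step(send, body, max_attempts=12):
    """Hypothetical transport retry: re-send the same body until a stream parses.
    Only an 'ok' result would ever be handed to the model-driven agent layer."""
    statuses = []
    for _ in range(max_attempts):
        status, _content, calls = consume_chat_stream(send(body))
        statuses.append(status)
        if status == "ok":
            return {"statuses": statuses, "tool_calls": calls}
    return {"statuses": statuses, "tool_calls": None}   # agent logic never ran

# Constructed sample streams (not captured traffic)
GOOD = [
    '{"model":"m","message":{"role":"assistant","content":"I\'ll"},"done":false}',
    '{"model":"m","message":{"role":"assistant","content":" start"},"done":false}',
    '{"model":"m","message":{"role":"assistant","content":"",'
    '"tool_calls":[{"function":{"name":"example_tool","arguments":{}}}]},"done":true}',
]
TRUNCATED = GOOD[:2]                                   # cut before the terminal chunk
MALFORMED = [GOOD[0], '{"model":"m","message":{"role":"assi']   # json.loads refuses this

if __name__ == "__main__":
    print(consume_chat_stream(GOOD))
    print(run_step(lambda body: TRUNCATED, {"messages": []})["statuses"])
```

Because every failed attempt ends inside `run_step`, nothing written in the system prompt can influence what happens next; the same body goes out again until the attempt budget is spent.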
Timeline
06:03:37 browser GET / /favicon.ico /.git/HEAD /.well-known/security.txt
06:03:47 urllib/3.13 GET /api/ps
06:06:25 curl/8.19.0 POST /api/generate {model: deepseek-r1:70b, keep_alive: 0}
06:06:29 urllib→httpx same POST x2 in 4 seconds (client cycling)
06:06:29 httpx/0.28.1 GET /api/tags polling starts
06:08:17 AIRecon POST /api/chat user: "test the modell"
06:15:57 AIRecon POST /api/chat user += "find the bug in wildcard target [redacted].com"
06:16–18 AIRecon POST /api/chat 9× retries, same message pair
06:18:52 --- session ends, no inference
06:27:46 AIRecon POST /api/chat user: "full recon to [redacted].com"
06:27–42 AIRecon POST /api/chat 12× retries, GET /api/tags 221× interleaved
06:42:50 --- session ends, operator does not return
Fingerprinting the framework
Session 1 cycled through five UAs in fifteen minutes: Chrome, curl/8.19.0, Python-urllib/3.13, python-httpx/0.28.1, Python/3.13 aiohttp/3.13.5. First three: a human hand-testing. Last two: AIRecon. python-httpx drives the agent’s tool calls; aiohttp runs a parallel /api/tags poller, separate from the reasoning loop. Both clients on one session is a reliable framework fingerprint without needing the system prompt body.
Second signature. The prompt carries [RESUMED SESSION: <epoch>_<hex> for <target>] in its dynamic context block. AIRecon persists per-target state in ~/.airecon/memory/airecon.db; RESUMED fires when prior state exists. Our epoch decodes to 2026-04-19 06:27:07 UTC, 39 seconds before session 2 began. It proves prior engagement with this target but does not date it.
Seventeen days earlier
2026-04-02: 103.165.69.8 (same /24, different IP) sent one GET /api/tags to the same sensor with python-requests/2.32.3. No follow-up. Likely reachability scanning, feeding the list AIRecon later consumed. Same operator or same-/24 neighbor is indistinguishable from outside; the network is four /24s under one upstream, and the sensor targeted is identical.
We are on someone’s list
Host: 139.162.131.147:11434 on every request. That Linode Singapore IP looks like a widely-indexed public Ollama. In sixty days, 231 distinct IPs across 93 ASNs hit our sensor carrying that exact Host header: AT&T, Bharti Airtel, China Mobile, Cloudflare, DigitalOcean, Google LLC, Hetzner, Indosat, Teletalk Bangladesh, Akamai, plus smaller residential and hosting networks. Independent scanners sharing one artifact: a target list that pairs our sensor with the Linode.
Pillar Security’s Operation Bizarre Bazaar documented a marketplace reselling stolen Ollama inference, fed by scanner infrastructure. 231 IPs / 93 ASNs converging on one Host header is consistent with that picture.
Summary
| Field | Value |
|---|---|
| Operator | AS154193 LINKWAY BROADBAND (consumer ISP); Virar, Maharashtra; 103.165.69.48, 103.165.69.41 |
| Tool | pikpikcu/airecon (MIT, 394 stars); first observed in-the-wild deployment |
| Model | deepseek-r1:70b (catalogue-expected) |
| Target | Indian life insurer's wildcard domain (redacted); no public bug bounty program |
| Window | 2026-04-19, 06:03–06:43 UTC (40 minutes) |
| Prior scoping | 2026-04-02 from 103.165.69.8 (same /24) |
| Requests | 439 HTTP |
| Chat invocations | 12 × POST /api/chat |
| Successful | 0 |
| Outcome | Operator abandoned after 12 retries |
What this changes, what it does not
What the capture supports:
- A public agentic pentest framework is being operated in the wild by users other than its author, against targets that did not invite the attention. Presumable before, observed now.
- The entry bar is low. No hosting layer, no VPN, no OPSEC.
- Provider-side deception is working defense today. Trend Micro’s DeepSeek-R1 benchmark and HiddenLayer’s universal-bypass work measure what happens when the model responds. This capture is what happens when it cannot.
What it does not support:
- Agents “hacking autonomously.” When the loop stalled, nothing adapted.
- Compromise. Nothing reached the insurer.
- Any claim about more capable operators. One operator, one tool, one failed run. A data point, not a trend.
For organizations operating GPU compute or model-serving infrastructure as a service, the agent class above is your tenants’ adversary, not directly yours, but tenant-credential compromise shows up in your telemetry as repeated inference loops against unfamiliar models. The retry shape is the framework’s signature, and it survives the IP rotation that ASN-based blocking does not.
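One way to look for the two signals the post names in request logs, the httpx plus aiohttp client pair on one source and the repeated identical /api/chat body (an added example, not the sensor's code). The record fields, the `min_repeats` threshold and the sample records are assumptions, and the sample uses documentation-range IPs.

```python
import hashlib
from collections import defaultdict

AGENT_UA = "python-httpx/"   # agent tool-call channel, per the post
POLLER_UA = "aiohttp/"       # parallel /api/tags poller, per the post

def detect(records, min_repeats=5):
    """Flag sources showing both clients, and chat bodies re-sent unchanged."""
    uas_by_src = defaultdict(set)
    repeats = defaultdict(lambda: {"count": 0, "sources": set()})
    for r in records:
        uas_by_src[r["src"]].add(r["ua"])
        if r["method"] == "POST" and r["path"] == "/api/chat":
            # Key on the body, not the address, so a change of IP does not reset the count
            digest = hashlib.sha256(r["body"].encode()).hexdigest()
            repeats[digest]["count"] += 1
            repeats[digest]["sources"].add(r["src"])
    pair = sorted(src for src, uas in uas_by_src.items()
                  if any(AGENT_UA in u for u in uas)
                  and any(POLLER_UA in u for u in uas))
    loops = {d: v for d, v in repeats.items() if v["count"] >= min_repeats}
    return {"client_pair_sources": pair, "retry_loops": loops}

def sample_records():
    """Constructed records, not captured traffic."""
    body = '{"model":"example","messages":[{"role":"user","content":"constructed"}]}'
    recs = [{"src": "192.0.2.10", "ua": "Python/3.13 aiohttp/3.13.5",
             "method": "GET", "path": "/api/tags", "body": ""}]
    for i in range(6):   # six identical chat bodies, source changing halfway
        src = "192.0.2.10" if i < 3 else "198.51.100.7"
        recs.append({"src": src, "ua": "python-httpx/0.28.1",
                     "method": "POST", "path": "/api/chat", "body": body})
    for i in range(3):   # unrelated client: distinct bodies, single User-Agent
        recs.append({"src": "203.0.113.5", "ua": "curl/8.19.0",
                     "method": "POST", "path": "/api/chat", "body": '{"n":%d}' % i})
    return recs

if __name__ == "__main__":
    print(detect(sample_records()))
```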
Indicators
103.165.69.48 session 1, 2026-04-19 06:03–06:19 UTC AS154193 LINKWAY BROADBAND
103.165.69.41 session 2, 2026-04-19 06:27–06:43 UTC AS154193 LINKWAY BROADBAND
103.165.69.8 recon only, 2026-04-02 AS154193 LINKWAY BROADBAND
System prompt opens: "You are AIRecon, an advanced AI cybersecurity agent developed by Pikpikcu Labs" (static portion matches airecon/proxy/prompts/system.txt)
HTTP client pair: python-httpx/0.28.1 (agent tool-call channel), Python/3.13 aiohttp/3.13.5 (parallel availability monitor). Both on the same session = reliable AIRecon fingerprint
Integration seam: POST /api/generate {"model":"<name>","keep_alive":0} issued with three different User-Agents inside 4 seconds
Session-state string: [RESUMED SESSION: <unix_ts>_<hex> for <target>]. Present in system prompt body, indicates prior SQLite state in ~/.airecon/memory/airecon.db
Host: 139.162.131.147:11434. Linode Singapore, widely-indexed public Ollama. Co-scanned with our sensor by 231 IPs / 93 ASNs over 60 days
Full POST bodies, session transcripts, and fault-injection traces are available on request via the contact form at honeypot.observer, including to the named target’s security team.
Acknowledgments
The activity above is recorded against a deception target. No real system was compromised. AIRecon is published at github.com/pikpikcu/airecon under MIT. Trend Micro and HiddenLayer framed the model-side picture; Pillar Security framed the marketplace context for the 231-IP target-list pattern observed here. The honeypot runs a fork of Beelzebub by Beelzebub.AI, extended for AI-targeted telemetry.