DarkMoon Open‑Source AI Pentesting Platform Automates Evidence‑Backed Security Assessments
What Happened — DarkMoon, an open‑source platform, uses a large language model to plan and orchestrate penetration‑testing actions. The reasoning layer (OpenCode) talks to the LLM, while a Model Context Protocol (MCP) server enforces an allow‑list of >50 vetted security tools that run inside isolated Docker containers. Results are fed back into the orchestrator, producing a full, evidence‑backed report aligned with ISO 27001, NIST SP 800‑115 and MITRE ATT&CK.
Why It Matters for Compliance & Audit Readiness
- Provides deterministic, auditable test runs that generate continuous evidence of control effectiveness – a core SOC 2 requirement.
- Aligns automated findings with established frameworks, simplifying control mapping and reducing manual evidence‑gathering effort.
- The explicit allow‑list and scoped execution model help demonstrate robust change‑control and tool‑approval processes to auditors.
Who Is Affected – Organizations that must prove security controls for SOC 2, especially in technology/SaaS, financial services, healthcare, and retail sectors.
Recommended Actions
- Integrate DarkMoon scans into your continuous‑compliance pipeline; map each finding to the relevant SOC 2 control.
- Verify the MCP allow‑list matches your internal tool‑approval policy and retain the generated reports as audit artifacts.
- Periodically review scope definitions to ensure testing stays within authorized boundaries.
Technical Notes – DarkMoon separates reasoning (LLM) from execution (MCP‑controlled tools) and runs all actions inside isolated Docker containers. Supported tools include Nuclei, sqlmap, BloodHound, NetExec, and others. Cost is low (≈ $10 per web‑app scan using Claude Opus API).