| Management number | Release Date | List Price | Model Number |
|---|---|---|---|
| 231601746 | 2026/06/18 | US$12.02 | 231601746 |
Manual security auditing no longer scales. The attack surface of an average organization exceeds what a pentest team can cover in a typical engagement. Thousands of findings from Nessus, ScoutSuite, Purple Knight, and OSINT sources that need to be correlated, prioritized, and turned into a report the CISO understands and the board approves.

This book documents the real-world construction of a security auditing platform powered by artificial intelligence. From automated multi-source scanning to autonomous offensive agents with mandatory guardrails.

What will you learn?

- Integrate Nessus, ScoutSuite, Purple Knight, and Hudson Rock into a unified scanning engine
- Build autonomous reconnaissance agents with Claude Agent SDK: subdomains, ports, services
- Design a multi-agent orchestrator: recon → vulnerabilities → exploitation → persistence → report
- Implement mandatory guardrails: scope lock, authorization gate, sandbox isolation
- Correlate findings with MITRE ATT&CK and CVEs using specialized RAG
- Generate PowerPoint, PDF, and Excel reports that adapt to the audience: CISO, technical team, or board
- Build a RAG Knowledge Center where each client queries only their own findings
- Deploy the platform with Docker Compose: Node.js, React, MySQL, Qdrant, Redis
- Scale from internal tool to Auditing as a Service (AaaS) with a subscription model

28 technical chapters across 9 parts

Each chapter starts with a real auditing problem and ends with the implemented solution. Working code, decisions with discarded alternatives, and documented limitations.

- Part I — The new paradigm: why manual auditing died
- Part II — Architecture: multi-tenant, data model, security
- Part III — Scanning engine: Nessus, ScoutSuite, Active Directory, infostealers
- Part IV — Offensive agents: reconnaissance, vulnerabilities, exploitation, full chain
- Part V — AI in auditing: multi-provider LLM, RAG, risk narratives, chatbot
- Part VI — Reports: PowerPoint, PDF, Excel, and audience-adapted output
- Part VII — Deployment: Docker, CI/CD, observability
- Part VIII — The business: client management and AaaS
- Part IX — Ethics, guardrails, and the auditor of the future

Offensive AI with responsibility

The agents in this book attack within a controlled sandbox with scope lock, human checkpoints, and a complete audit trail. Every agent action is logged. No unauthorized attacks, no real exfiltration, no collateral damage.

Code available in the public repository: github.com/machinebooks

Who is this for?

- Pentesters who want to automate the repetitive parts and focus on reasoning
- Offensive security teams that need to scale without multiplying headcount
- Cybersecurity consultancies looking to offer auditing as a service
- Security architects building internal assessment tools

Book #2 in "The Professional and the Machine" series, which also includes The Architect and the Machine, The CISO and the Machine, PQC-Day and the Machine, The Cyber Range and the Machine, and The User and the Machine. Each book is standalone.

Includes glossary, reference appendices, and architecture diagrams.

About the authors: Carlos Pérez González, AI solutions architect with over two decades in offensive cybersecurity (OSCE, OSCP, OSWE, OSEP). Founder of ihacklabs, acquired by Telefónica in 2020. Juan Carlos Montes Senra, cybersecurity architect with a forensic and offensive profile (GCFA, GREM), published in PHRACK #65.

| ASIN | B0H2SQM7FG |
|---|---|
| XRay | Not Enabled |
| Edition | 1st |
| Language | English |
| File size | 2.2 MB |
| Page Flip | Enabled |
| Word Wise | Not Enabled |
| Print length | 1137 pages |
| Screen Reader | Supported |
| Part of series | The Professional and the Machine |
| Publication date | May 24, 2026 |
| Enhanced typesetting | Enabled |