V-8 Scanner is an AI-augmented web vulnerability scanner. It discovers, tests, and reports security flaws in web applications using a mix of traditional scanning, WAF evasion, and optional LLM-based validation. Built as a research project to explore whether adaptive scanning plus AI validation can cut down noise while keeping critical findings.
BASEF 2026 β 1st Place. This project won first place at the British Academy of Science and Engineering Fair (BASEF) 2026 and will represent Egypt at the International Science and Engineering Fair (ISEF) 2026 in Phoenix, Arizona.
- 11 vulnerability modules β SQLi, XSS, RCE, LFI, SSRF, IDOR, JWT, CSRF, broken access control, HTTP smuggling, open redirect
- Dynamic discovery β HTML crawl, JavaScript endpoint extraction, API schema detection
- WAF evasion β 25+ WAF profiles, polyglot payloads, TLS fingerprinting, adaptive technique switching
- AI Brain (optional) β Scan planning, payload crafting, response analysis, chain detection. Works fine without it.
- Output β JSON and HTML reports with CVSS scores, remediation notes, and curl-ready evidence
On an authorized test run against a deliberately vulnerable target, V-8 reported 100 raw findings. After AI validation, that dropped to 41 validated findings with 53 duplicates and 6 false positives removed (59% noise reduction), while keeping high-impact issues like SQLi, RCE, SSRF, and XSS.
| Capability | ZAP | Nikto | Burp | V-8 |
|---|---|---|---|---|
| FP elimination via AI | No | No | No | Yes |
| Local LLM (privacy-first) | No | No | No | Yes |
| WAF / Cloudflare bypass | No | No | Ltd | 25+ profiles |
| TLS fingerprint mimicry | No | No | No | Yes |
| Executive report generation | No | No | Manual | Auto |
| Autonomous agent | No | No | No | ReAct |
Same demo app (17 intentional vulnerabilities, Flask). Same target, same conditions.
| Vulnerability class | Nikto | Wapiti | V-8 |
|---|---|---|---|
| SQL injection | 0 | 0 | 6 |
| XSS | 0 | 1 | 4 |
| RCE | 0 | 1 | 5 |
| LFI | 0 | 0 | 1 |
| SSRF | 0 | 1 | 1 |
| IDOR | 0 | 0 | 4 |
| CSRF | 0 | 0 | 6 |
| Open redirect | 0 | 0 | 1 |
| Info disclosure | 0 | 0 | 4 |
| Missing headers | 3 | 5 | 1 |
Vulnerability classes detected: Nikto 1, Wapiti 4, V-8 10. Validated findings: Nikto 3, Wapiti 7, V-8 41. Wapiti missed SQLi, CSRF, and IDOR entirely; Nikto only checks server config, not app logic or parameters.
# Install
pip install -r requirements.txt
# Scan a target (authorized testing only)
python main.py scan https://your-target.com
# Stealth mode with WAF evasion
python main.py scan https://your-target.com --profile stealth --adaptive
# API server
python api_server.py --port 8080Entry points: CLI (main.py), Flask API (api_server.py), and MCP server for AI agent integration. The pipeline runs fingerprinting, discovery, parallel scanning, and enrichment (CVSS, remediation, evidence) before outputting reports.
| Resource | Location |
|---|---|
| Project summary | docs/project/PROJECT_SUMMARY.md |
| Architecture details | docs/project/ARCHITECTURE.md |
| Research plan | docs/research/research_plan.md |
| Abstract | docs/research/abstract.md |
| User guide | docs/user-guide/ |
βββ main.py # CLI entry
βββ api_server.py # REST API
βββ mcp_server.py # MCP server for AI agents
βββ src/ # Core engine (scanners, evasion, AI, discovery)
βββ hexstrike/ # MCP tools and Flask routes
βββ demo-app/ # Intentionally vulnerable test app
βββ docs/ # Research, presentations, user guide
All testing is done only on systems with explicit authorization. No malware development or deployment. The project is intended for defensive evaluation and responsible disclosure.
V-8 Scanner β V-8 Security Research Team. BASEF 2026 1st Place. Representing Egypt at ISEF 2026, Phoenix, Arizona.

