An autonomous Cisco security auditor. Tell it an IP. It SSHes in, runs hardening checks, cross-references NIST 800-53 and CIS, looks up live CVEs, and produces the report. No checklists, no scripts.
Network security audits are slow, inconsistent, and gated on the senior engineer who knows where the gotchas live. The good ones take days. The bad ones miss CVEs that have been public for months. Either way, nobody runs them often enough.
Built an MCP server that gives Claude direct, controlled access to a Cisco device: SSH, show commands, even config push. The audit runs a strict three-phase, max-three-loop structure so every run is cheap and predictable.
Loaded NIST 800-53 controls and the CIS IOS XE Benchmark (about 2,400 vectors) into ChromaDB, so every finding cites the exact control it violates. Added live NVD CVE lookup, Cisco PSIRT advisories, and EOX end-of-support dates per hardware PID.
Added a separate PenTest agent with its own 20-tool MCP server (nmap, masscan, sslyze, nikto, hydra and more) gated by a GO ACTIVE operator approval. Active tools are blocked server-side until a human says yes, even if the model asks nicely.
Wrapped it all in a FastAPI dashboard with templated HTML reports, SSE streaming, a Slack audit bot, a Slack 'overseer' agent that can read code and restart containers, and Cisco's Foundation-Sec-8B running locally on Ollama for scope-aware security chat.
Built so it could be handed to a junior on day one: every finding comes with the control it breaks and the command to fix it.