Key Takeaways
- Nebula is an open‑source CLI tool that embeds large language models (LLMs) directly into a penetration tester’s terminal, enabling AI‑assisted vulnerability assessments, exploit generation, and documentation without leaving the workflow.
- It supports multiple AI backends—including OpenAI APIs, local models via Ollama (Llama‑3.1, Mistral‑7B, DeepSeek‑R1‑Distill‑Llama‑8B), and offers both CPU and GPU inference options.
- Nebula works alongside existing security utilities (Nmap, Metasploit, custom scripts) rather than replacing them, letting testers toggle between manual commands and AI queries with a “!” prefix or a dedicated AI/Terminal mode button.
- Core features include real‑time cybersecurity search agents, automated note‑taking, exploitation suggestions, external data import, screenshot capture with annotation, and a live status feed.
- Installation requires Python 3.10‑3.13.9, at least 16 GB RAM, and either Ollama for local models or an OpenAI API key; a Docker deployment with X11 forwarding is also available.
- BerylliumSec’s complementary Deep Application Profiler (DAP) uses neural‑network‑based malware analysis to detect zero‑day threats that signature‑based tools miss, offered as a web service and API.
- Future plans involve developing domain‑specific LLMs tuned for penetration‑testing tasks, which should improve the relevance and accuracy of Nebula’s outputs.
- Nebula exemplifies the growing trend of integrating LLMs into offensive security tooling, balancing air‑gapped local inference for high‑security environments with convenient cloud‑API access for rapid experimentation.
- The tool is hosted on GitHub, with troubleshooting logs stored at ~/.local/share/nebula/logs to aid independent debugging.
Introduction and Core Concept
Nebula, created by BerylliumSec, is an open‑source penetration‑testing platform that brings large language models straight into the command‑line interface. By doing so, it lets ethical hackers query AI models for reconnaissance, exploit ideation, and documentation without switching windows or breaking their terminal flow. The tool is designed to augment, not replace, existing security utilities, making it a seamless add‑on to familiar workflows.
Supported AI Backends and Inference Options
Nebula is backend‑agnostic, offering users a choice between cloud‑hosted and locally run models. Cloud options include OpenAI’s API‑accessible models (e.g., GPT‑4, GPT‑3.5). For local execution, Nebula relies on Ollama, which supports CPU and GPU inference and can serve models such as Meta’s Llama‑3.1‑8B‑Instruct, Mistral AI’s Mistral‑7B‑Instruct‑v0.2, and DeepSeek‑R1‑Distill‑Llama‑8B. Users simply pull the desired model with Ollama and reference its name in Nebula’s engagement settings, or set an OPENAI_API_KEY environment variable for cloud models.
Workflow Integration and CLI Interaction
The tool is built to coexist with any CLI‑invokable security utility. Testers can continue to run Nmap scans, launch Metasploit modules, or execute custom scripts while Nebula runs in parallel. Interaction with the AI is straightforward: prefix a command with “!” or toggle a dedicated AI/Terminal mode button to send a query to the model and receive a response inline. This design preserves muscle memory and reduces context‑switching overhead.
Feature Set of Nebula
Nebula packs a suite of AI‑enhanced capabilities aimed at streamlining a penetration test. Real‑time internet search agents pull the latest cybersecurity threat intel into responses, ensuring up‑to‑date context. Automated note‑taking captures findings as they arise and categorizes them for later reporting. The tool also offers exploitation suggestions derived from the output of terminal tools, helping testers pivot quickly. External data—such as scan results or payloads—can be imported for AI‑assisted analysis. Documentation is further aided by built‑in screenshot capture with annotation, and a status feed panel refreshes every five minutes to show recent activity.
Installation, Requirements, and Deployment Options
To run Nebula locally, a machine needs Python 3.10‑3.13.9 and at least 16 GB of RAM. Installation is performed via pip: python -m pip install nebula-ai --upgrade. For local models, users must first install Ollama, pull a model (e.g., ollama pull mistral), and configure Nebula to reference it. Cloud‑based models require setting the appropriate API key (e.g., OPENAI_API_KEY) before launching the tool. Nebula also provides a Docker image that uses X11 forwarding for GUI support and mounts volumes for logs and engagement folders, facilitating portable deployment across environments.
Deep Application Profiler (DAP) – Complementary Service
Alongside Nebula, BerylliumSec released the Deep Application Profiler (DAP), a malware‑analysis service that moves beyond signature‑based detection. DAP employs neural networks to scrutinize an executable’s internal structure and infer its behavioral intent, enabling the identification of zero‑day malware that traditional scanners often miss. DAP is offered both as a web interface and as a RESTful API, delivering detailed breakdowns that analysts can review alongside Nebula’s findings.
Future Development and Specialized Models
BerylliumSec has signaled intentions to train custom LLMs specifically tuned for penetration‑testing tasks, rather than relying solely on general‑purpose models adapted for security. Such domain‑specific models could better understand exploit payloads, common vulnerability patterns, and the nuances of various attack surfaces, leading to more accurate vulnerability discovery and exploitation guidance in future Nebula releases.
Broader Implications for Offensive Security
Nebula illustrates a broader shift toward embedding LLMs directly into offensive security toolchains. By providing AI‑assisted reconnaissance, note‑taking, and exploit ideation inside the terminal, it reduces cognitive load and accelerates testing cycles. The dual support for air‑gapped local inference (via Ollama) and convenient cloud API access lets organizations balance operational security requirements with ease of use, accommodating everything from highly regulated, disconnected labs to fast‑moving red‑team exercises.
Conclusion and Access Information
In summary, Nebula offers a practical, extensible way for security professionals to harness the power of LLMs without abandoning their trusted command‑line tools. Its flexible architecture, rich feature set, and complementary DAP service make it a valuable addition to modern penetration‑testing arsenals. The project is hosted on GitHub, and runtime diagnostics can be found in the log directory ~/.local/share/nebula/logs, helping users troubleshoot issues independently.

