In January 2018, a single GitHub repository sent shockwaves through the global cybersecurity community. A tool called AutoSploit — built by a developer known only as Vector (later NullArray) — had done something that made professionals deeply uncomfortable: it made large-scale exploitation almost effortless. No deep technical knowledge required. Just a Shodan API key and a few keystrokes.
AutoSploit is one of the most debated tools in the history of offensive security. Was it a wake-up call? A reckless experiment? A gift to script kiddies? Depending on who you ask, it was all three. In this article, we trace the full history of AutoSploit — from its controversial birth in 2018 all the way through its final version and eventual abandonment.
What Was AutoSploit?
At its core, AutoSploit was a Python-based automated mass exploitation tool that combined two existing technologies into a single, frightening pipeline:
- Shodan — the internet-connected device search engine often called "Google for hackers"
- Metasploit — the industry-standard penetration testing framework
The idea was simple. You enter a search query — say, "Apache" or "IIS" — and AutoSploit would automatically pull a list of vulnerable targets from Shodan's API, then fire pre-selected Metasploit modules against them, attempting to establish Remote Code Execution (RCE), Reverse TCP shells, or Meterpreter sessions.
What made it so alarming wasn't the capability itself — seasoned pentesters had been combining Shodan and Metasploit manually for years. What made it alarming was that AutoSploit required almost no skill to run.
The Origin: January 2018
AutoSploit was first published to GitHub on January 30, 2018, by a developer operating under the Twitter handle @Real__Vector (also known as VectorSEC), who described himself as a "cyber security enthusiast" focused on InfoSec, OSINT, and offensive security.
The initial release was around 400 lines of Python. It was described straightforwardly on GitHub:
"As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically by employing the Shodan.io API."
Within days, the repository had accumulated thousands of stars and forks. Within a week, it had been picked up by Motherboard (Vice), Ars Technica, Wired, Dark Reading, Help Net Security, and dozens of other outlets. The tool had gone viral — and not in a good way, at least according to much of the security establishment.
The Explosion of Controversy
The backlash was almost immediate and came from some of the most respected voices in the industry.
Richard Bejtlich, a prominent long-time security expert, was among the first to publicly condemn it:
"There is no need to release this. The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies. Just because you can do something doesn't make it wise to do so. This will end in tears."
The core concern wasn't that AutoSploit introduced new attack techniques — it didn't. What it did was lower the barrier to mass exploitation to near-zero, putting the ability to scan and attack thousands of public-facing systems into the hands of anyone with an internet connection and a Shodan account.
Security commentators noted the tool could be weaponised to:
- Build large-scale botnets for DDoS campaigns
- Deploy ransomware across vulnerable targets
- Mine cryptocurrency using compromised infrastructure
- Establish persistent access to government, corporate, or critical infrastructure systems
One analysis by Critical Path Security described AutoSploit as "just the beginning of a new reality around cybersecurity", noting that the tool had no built-in scoping mechanism and would indiscriminately target whatever Shodan returned — including systems belonging to governments, hospitals, and defence contractors.
A live demonstration by the Jupiter Broadcasting podcast TechSNAP, conducted shortly after release, reportedly uncovered vulnerable systems belonging to the US Department of Defense and Amazon — a detail that underscored just how real the threat was.
Vector's Defence
To his credit, Vector wasn't silent. He engaged publicly and defended his decision to release the tool openly.
His position was that AutoSploit was no different in principle from any other dual-use security tool — a category that includes Metasploit itself, Nmap, Burp Suite, and dozens of others that are standard parts of every professional pentester's toolkit. The argument was familiar in the security community: if knowledge and tooling are suppressed, defenders are blinded while attackers — who share information freely in underground forums — are not.
Vector also pointed out that everything AutoSploit did could already be done manually by someone with intermediate security knowledge. AutoSploit simply chained the steps together. The tool was released under a GNU open-source licence, and Vector maintained that it was intended for legitimate security research and testing.
He was, however, realistic about the ethical complexity. The open-source community's response was mixed — some praised the transparency and the implicit pressure it placed on organisations to patch exposed systems, while others called for GitHub to remove the repository entirely.
GitHub did not remove it.
Rapid Iteration: v2.0, v3.x, and the Growing Feature Set
Despite the controversy — or perhaps because of it — development on AutoSploit continued at pace through 2018. Version 2.0 was released in March 2018, adding:
- Proxy support and custom user-agent configuration for OPSEC
- Command-line argument/flag support
- Improved Metasploit module handling
- Docker support for easier, containerised deployment
The tool's README on GitHub at this point explicitly advised users that "receiving back connections on your local machine might not be the best idea from an OPSEC standpoint" — suggesting use from a VPS. This was a telling detail: the tool's authors were aware of exactly how it was being used, and who was using it.
Version 3.x brought a more mature terminal interface, a cleaner command structure (view, exploit, search, single, personal), integration with Censys and ZoomEye as additional reconnaissance sources alongside Shodan, and the ability to load custom target lists and exploit files. By version 3.1.3, AutoSploit had become a surprisingly polished piece of software.
The team also expanded. A contributor known as Ekultek (who later managed releases) joined the project, and a small but active development community formed around the tool on GitHub and Discord.
Version 4.0: The Final Release
The last official release of AutoSploit was version 4.0, released on GitHub by Ekultek. It added nmap integration directly into the AutoSploit terminal session — meaning users could now scan, enumerate, and exploit targets without ever leaving the tool. Key fixes addressed several longstanding issues logged by the community.
After version 4.0, development effectively stopped. The commit history went quiet. Issues on GitHub continued to pile up, many unanswered. A 2021 issue flagged that the tool's core Python 2.7 syntax was producing SyntaxError exceptions under Python 3, making it non-functional on most modern systems without modification — a sign the codebase was no longer being actively maintained.
The repo today sits archived — still public, still forkable, still showing over 5,200 GitHub stars and over 1,100 forks, but effectively dead. No new commits. No new releases. The Discord server link in the wiki is expired. The dev team email remains listed, but there are no signs of active development.
Why Did AutoSploit Die?
AutoSploit's decline was less dramatic than its birth. A few factors contributed:
1. Python 2 end-of-life. AutoSploit was built on Python 2.7, which reached official end-of-life in January 2020. As the security community migrated to Python 3, tools that weren't ported became increasingly difficult to run without workarounds. AutoSploit was never fully ported.
2. The tooling ecosystem evolved. By 2019–2020, more sophisticated frameworks had emerged that offered similar (and broader) automation with better maintenance. Tools like reconFTW, Nuclei, and integration-heavy pipelines made AutoSploit's Shodan-to-Metasploit approach feel narrow by comparison.
3. Shodan API costs and access changes. Accessing Shodan at the volume AutoSploit required wasn't free, which limited its utility for casual users.
4. Legal and ethical pressure. While the tool was never banned from GitHub, the sustained legal and reputational risk associated with a mass-exploitation tool was real. Countries like Australia have Computer Misuse legislation (the Criminal Code Act 1995) that makes unauthorised use of tools like AutoSploit a serious criminal offence, regardless of how they're marketed. This kind of legal environment may have dampened enthusiasm for continued development.
5. Creator moved on. NullArray (Vector) remained active in other areas of open-source security — including RootHelper and DorkNet — but AutoSploit appears to have run its course as a passion project.
The Legacy of AutoSploit
AutoSploit's place in security history is not as a tool people still use. It's as a cultural inflection point.
It forced a conversation the security industry needed to have: about dual-use tooling, about responsible disclosure, about the ethics of open-source exploitation frameworks, and about the uncomfortable reality that the gap between "script kiddie" and "capable attacker" was narrowing fast.
For defenders and blue teamers, AutoSploit was a wake-up call. If a 400-line Python script could scan Shodan and fire exploits against thousands of systems automatically, what were nation-state actors and organised crime groups capable of? The answer was sobering — and organisations that weren't already patching exposed services, monitoring for unusual inbound activity, and running regular penetration tests had no excuse not to be after 2018.
For the penetration testing community, AutoSploit sits in the same awkward category as Metasploit itself once did: a powerful tool built in the open, for dual-use purposes, that some will misuse and many will learn from.
What AutoSploit Teaches Us About Modern Pentesting
The AutoSploit controversy highlighted a principle that drives the work we do at Aussie Pentest: automated tooling has a legitimate place in a security program, but it's no substitute for scoped, professional assessment.
AutoSploit had no concept of scope. It didn't care whether the IIS server it was firing exploits at belonged to your client or a hospital in another country. That indiscriminate nature is exactly what makes unsanctioned use of mass exploitation tools criminal — and what makes professional, scoped penetration testing so essential.
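The scope check AutoSploit lacked, as an added illustration (not code from the AutoSploit project or from Aussie Pentest): a gate that only lets a target through when it sits inside address ranges the client has authorised in writing, and drops everything else a reconnaissance source happens to return. The scope entries and candidate addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed example scope, as a client would list it in a statement of
# work (hypothetical ranges from the RFC 5737 documentation blocks).
AUTHORISED_SCOPE = [
    "203.0.113.0/24",   # a whole /24 the client owns
    "198.51.100.10",    # a single host
]


class OutOfScopeError(ValueError):
    """Raised when an active step is attempted against an unauthorised target."""


def parse_scope(entries):
    """Turn scope entries (CIDR blocks or single IPs) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_scope(target, scope):
    """True only if target is an IP address inside one of the scope networks.

    Hostnames are rejected on purpose: resolve them first and check the
    resolved address, because a name can point anywhere at any time.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(addr in net for net in scope)


def filter_targets(candidates, scope_entries):
    """Split a candidate list (e.g. raw search-engine results) into the
    targets that may be tested and the targets that must be discarded."""
    scope = parse_scope(scope_entries)
    allowed, rejected = [], []
    for candidate in candidates:
        (allowed if in_scope(candidate, scope) else rejected).append(candidate)
    return allowed, rejected


def require_in_scope(target, scope_entries):
    """Gate to call before any active step: refuse rather than proceed."""
    if not in_scope(target, parse_scope(scope_entries)):
        raise OutOfScopeError(f"{target} is not in the authorised scope")
    return target
```

The point is the default: a target that is not provably inside the agreed scope is discarded, which is the opposite of firing at whatever a search engine returns.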
When Aussie Pentest runs automated assessments or manual penetration tests, every target is defined, every action is authorised, and every finding is documented and reported back with remediation guidance. That's the difference between security research and cybercrime.
If AutoSploit taught the industry anything, it's that the threat landscape isn't waiting for organisations to catch up. Automated exploitation is real, it's accessible, and the only way to get ahead of it is to test your own systems before someone else does.
Conclusion
AutoSploit arrived in January 2018 as a polarising, viral, and genuinely alarming piece of open-source software. It combined Shodan and Metasploit into a mass exploitation pipeline that required almost no skill to operate, sparked front-page coverage from every major security publication, and ignited a debate about responsible disclosure and dual-use tools that the industry is still having today.
It grew through several major versions, attracted a small developer community, and quietly died — a victim of Python 2 end-of-life, an evolving tooling ecosystem, and the weight of its own reputation.
It never became the "automated hacking apocalypse" some feared. But it changed the conversation. And in cybersecurity, changing the conversation is sometimes the most consequential thing a tool can do.
Aussie Pentest provides professional penetration testing, automated security assessments, and Essential Eight compliance services for Australian businesses. Contact us to find out what an attacker would find on your network before they do.
