In modern offensive security and penetration testing workflows, credential validation across services remains a critical but surprisingly fractured task. Legacy tools like THC Hydra and Medusa have been staples for years, yet they introduce operational friction — complex dependencies, brittle compilation environments, and disparate output formats — that disrupt tightly integrated reconnaissance and exploitation pipelines. To address these shortcomings, security engineers at Praetorian open-sourced a new credential testing tool called Brutus, designed from the ground up for efficiency, integration, and usability in 2026 red team engagements.
The Problem With Traditional Credential Testing
Penetration testers and red teams often follow a sequence:
- Scan a target network to find active hosts and ports.
- Fingerprint services to identify protocols and versions.
- Test credentials — default accounts, password sprays, private keys — against discovered services.
Tools like naabu and fingerprintx excel at the first two steps by producing structured, JSON-formatted data, enabling automated workflows and downstream processing. But credential testing has traditionally been a pause point because:
- Legacy tools like Hydra require external C libraries (
libssh,libmysqlclient, etc.) that frequently fail to build on minimal or hardened assessment hosts. - Outputs are unstructured, necessitating custom parsing scripts between tools.
- Cross-platform execution is unreliable without containerization or pre-installed dependencies.
This disconnect creates a mismatch in modern automated toolchains — a bottleneck that Brutus explicitly targets.
Introducing Brutus: A Modern Credential Testing Tool
At its core, Brutus is a multi-protocol credential testing tool written in Go, published as a single static binary with zero external dependencies. This design choice addresses build and runtime friction by removing the need for separate system libraries — everything needed to test across protocols is compiled in.
Rather than forcing testers to install and compile Hydra or patch together glue scripts, Brutus can be dropped onto a jump host, internal VM, or assessment machine and run immediately, regardless of the platform (Linux, macOS, or Windows).
Key Features and Capabilities
Brutus differentiates itself in several important ways for modern offensive operations:
1. Zero Dependencies, One Binary
Thanks to Go’s static compilation model, Brutus ships as a single executable that doesn’t rely on external libraries. No libssh-dev, no missing database client headers, no packager headaches.
This dramatically reduces setup time and increases reliability on foreign assessment networks.
2. Broad Multi-Protocol Support
Brutus supports credential testing against 20+ network services out of the box, including:
- SSH
- MySQL / PostgreSQL / MSSQL
- Redis, MongoDB
- LDAP, SMB
- WinRM
- HTTP Basic Auth
- SNMP
This coverage matches common target profiles seen in internal assessments and enterprise networks.
3. Native Recon Pipeline Integration
One of Brutus’s central design goals was to fit seamlessly into structured reconnaissance workflows. Tools like naabu (for port scanning) and fingerprintx (for service fingerprinting) already output structured data — often as JSON — that can be directly piped into Brutus without conversion or intervening scripts.
Example automated pipeline:
naabu -host 10.0.0.0/24 -p 22,3306,5432,6379 -silent \
| fingerprintx --json \
| brutus --json
This native JSON pipeline integration helps teams scale credential testing across large address spaces cleanly.
4. Embedded Bad SSH Keys & Default Credential Detection
A notable advantage Brutus has over typical brute-forcers is its built-in knowledge of known-bad SSH keys and default credentials for common appliance vendors. Rather than requiring a separate keystore, this information is compiled into the binary.
Examples include:
- Rapid7’s
ssh-badkeyscollection - Vagrant default keys
- Factory keys for appliances (F5 BIG-IP, ExaGrid, Barracuda, etc.)
Each is paired with an expected username where applicable, and Brutus will automatically test these against detected SSH services without manual intervention.
5. Library-First for Automation
Beyond CLI use, Brutus can be imported as a Go library in custom security tooling, eliminating the need to spawn external processes and parse their output. This model supports deeper automation and integration inside bespoke penetration frameworks.
Advanced and Experimental Features
While Brutus’s core functionality focuses on robust, dependency-free credential testing, the project also explores experimental AI-assisted credential discovery workflows. These include:
- LLM-assisted identification of web admin panels and vendor login forms.
- Headless browser automation to detect and submit to complex or JavaScript-rendered login pages.
These features remain experimental and depend on external AI services, but they hint at the future direction of automated credential identification in heterogeneous environments.
Use Cases and Operational Value
Brutus fills a real gap in offensive security operations:
- Penetration Testing: Validate discovered credentials across many services without manual scripting, and identify default or weak credentials on sensitive infrastructure.
- Red Teaming: Rapidly test large credential lists after phishing campaigns or lateral movement, scaling across subnets or entire enterprise address spaces.
- Defensive Auditing: Blue teams can leverage Brutus to proactively identify weak authentication in their own environments, including default SSH keys or appliance accounts.
Conclusion
Brutus represents a meaningful step forward in credential testing tooling for both offensive and defensive security practitioners. By eliminating dependency issues, embracing structured data pipelines, and expanding multi-protocol support, it simplifies a once-fragmented process into a unified and scalable workflow. Its emergence highlights a broader trend in security tooling: batteries-included, automated, and API-friendly tools built for the modern assessment landscape.
