Brutus Is the Pentesting Tool THC Hydra Should Have Been Twenty Years Ago
Let me paint you a familiar picture. You’re on a pentest engagement. You’ve got a target list of 400 services. You want to spray some credentials. You reach for THC Hydra because it’s 2026 and apparently that’s still what we do. Then you spend 45 minutes on a jump box arguing with libssl versions, compiling from source, discovering that libidn2 is missing, swearing softly at /usr/local/lib, and eventually giving up and doing it manually.
This is the state of offensive security tooling: conceptually simple tasks wrapped in decades of dependency debt and held together with ancient C code and despair.
Brutus is the answer nobody asked for but everyone needed.
What It Actually Is
Brutus is a multi-protocol credential testing tool written in pure Go. It ships as a single binary. No external dependencies. No compilation. No pkg-config shenanigans. You drop it on a box and it runs. On Linux. On macOS. On Windows. Identically.
It supports 22 protocols out of the box. SSH, RDP, SMB, FTP, HTTP Basic, HTTP forms, LDAP, the usual suspects — all the things you need to test when someone hands you an internal assessment and says “find the low-hanging fruit.”
But what makes Brutus genuinely interesting isn’t the protocol list. It’s the design philosophy.
The Bad SSH Keys Thing
Here’s the feature that got my attention: Brutus ships with the entire Rapid7 ssh-badkeys collection and the HashiCorp Vagrant default key collection compiled directly into the binary. No external key files. No setup. Every SSH service you scan automatically gets tested against known-compromised keys from F5 BIG-IP appliances, ExaGrid systems, Barracuda units, Ceragon gear, Array Networks devices — all tracked by CVE where applicable.
This matters because on internal assessments there are always Vagrant boxes or network appliances running factory SSH keys somewhere. Everyone knows they’re there. Nobody tests for them comprehensively because the manual workflow — find the device, identify the vendor, look up the default key, test it — is tedious enough to get deprioritized. It becomes “we’ll check that later” and later never comes.
With Brutus it just happens. Automatically. As part of the normal scan. What was previously a half-day side project is now free. That’s the right way to embed tribal knowledge into tooling.
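The known-compromised-key check described above has a defensive counterpart: auditing your own hosts' authorized_keys files against the same published collections. The Go program below is an added example, not Brutus code; the key blobs and the bad-key list are constructed placeholders, and a real audit would load the published ssh-badkeys and Vagrant public keys.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Constructed placeholder for a known-compromised key blob; a real audit loads the published ssh-badkeys and Vagrant keys.
var BadKeys = map[string]string{
	"AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7CONSTRUCTEDKEYBLOB01": "Vagrant insecure default key (placeholder)",
}
// Constructed sample authorized_keys: a commented-out copy of the bad key, a benign key, and the bad key behind options.
const SampleAuthorizedKeys = `# ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7CONSTRUCTEDKEYBLOB01 retired
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7BENIGNOPERATORKEY002 ops@bastion
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7CONSTRUCTEDKEYBLOB01 vagrant
`

// Fingerprint computes the OpenSSH "SHA256:..." fingerprint: unpadded base64 of sha256 over the decoded key blob.
func Fingerprint(blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// AuditAuthorizedKeys returns line number -> label for every live entry whose key is in bad. Fingerprinting
// every field finds the key behind leading options; options and comments fail to decode or hash outside the set.
func AuditAuthorizedKeys(content string, bad map[string]string) map[int]string {
	badFP := map[string]string{}
	for blob, label := range bad {
		if fp, err := Fingerprint(blob); err == nil {
			badFP[fp] = label
		}
	}
	hits := map[int]string{}
	for i, line := range strings.Split(content, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // commented-out entries are not live
		}
		for _, field := range strings.Fields(line) {
			if fp, err := Fingerprint(field); err == nil && badFP[fp] != "" {
				hits[i+1] = badFP[fp]
			}
		}
	}
	return hits
}
```

Run it over each host's authorized_keys (and known_hosts, for vendor host keys) as a scheduled check; a hit means the key is in a public collection and must be rotated.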
Piping JSON Like It’s the 2020s
The other thing Brutus gets right is integration. Modern offensive security workflows are structured: naabu for port scanning, fingerprintx for service fingerprinting, tools producing and consuming JSON streams. Hydra and Medusa were built before this was a thing. Getting them to play nicely with structured pipelines means writing glue scripts that parse inconsistent output, handle encoding edge cases, and break on every new target.
Brutus natively consumes JSON from upstream tools and produces JSON output. You pipe discovered services directly into credential testing and get structured results back. No format conversion. No awk. No sed. No crying.
This is how toolchains should work. The fact that it took until 2026 to get this in a credential tester is embarrassing for the industry, but at least we’re here now.
The AI Admin Panel Feature (Actually Impressive)
Brutus also has an experimental feature that I’d normally roll my eyes at but genuinely respect: AI-powered identification and testing of unknown web admin panels.
Here’s the problem it solves. On any internal assessment you encounter dozens of login pages on non-standard ports — IPMI consoles, storage appliance UIs, switch management interfaces, monitoring tools. Traditional automated testing chokes on these because you don’t know what they are, and the credential lists are different for a Dell iDRAC versus a NetScaler versus a random SOHO switch.
Brutus renders the page in a headless browser, uses computer vision to identify what the appliance is, then looks up likely default credentials and tests them — handling JavaScript-rendered forms, CSRF tokens, and multi-step logins along the way. For HTTP Basic Auth targets it analyzes headers and authentication realm data to make the same identification.
Is this slower and more expensive than a pure brute-force approach? Yes. Is it smarter than any automated tool has ever been at this specific problem? Also yes.
The Part I’d Actually Critique
The AI features introduce latency and cost that don’t scale. Running LLM calls for every HTTP service across hundreds of targets gets expensive and slow. The Brutus team acknowledges this and is working on smarter batching and device fingerprint caching. Good — because right now it’s a proof of concept that needs production hardening before you’d want to point it at a flat /16.
Also: 22 protocols is a good number. But the real test is how well they’re implemented, not the count. THC Hydra also claims a large protocol list. The difference between “supports” and “actually works reliably” in credential testers is a wide gulf filled with edge cases and timing bugs. Community testing at scale will tell the real story here.
Go Remains the Right Choice for Security Tooling
This is worth saying plainly: Go is the right language for writing security tools in 2026. Single binary distribution. Cross-compilation is trivial. No runtime dependency hell. Reasonable performance. Static typing that prevents an entire class of bugs that plague C-based tools. The security community has been slowly figuring this out — impacket is Python and it’s painful to deploy, Hydra is C and it’s painful to compile, but tools like nuclei, naabu, httpx, and now Brutus are Go and they just work.
If you’re writing a new security tool in 2026 and you’re not using Go or Rust, you owe the people who will eventually use your tool a very good explanation.
The Bottom Line
Brutus is covered in depth by Help Net Security and worth adding to your toolkit.
The pentesting world has been running on decades-old C tools long enough. A single binary that does structured JSON I/O, embeds institutional knowledge about compromised keys, and brings AI vision to a problem that genuinely needed it — this is what progress looks like in offensive security tooling.
THC Hydra served us well. It can retire now.