diff --git a/.env.example b/.env.example
index 5b5beff..eaae99b 100644
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,64 @@
-# PentestAgent Configuration
+# PentestAgent example configuration (copy to .env and edit as needed)
+# Copy this file to `.env` and set values appropriate for your environment.
+
+# ---------------------------------------------------------------------------
+# Core settings
+LLM_PROVIDER=ollama
+#OLLAMA_BASE_URL=http://127.0.0.1:11434
+PENTESTAGENT_MODEL="ollama/qwen2.5:7b-instruct"
+OLLAMA_API_BASE=http://127.0.0.1:11434
+
+# Debugging
+PENTESTAGENT_DEBUG=true
+
+# ---------------------------------------------------------------------------
+# MCP / Vendored tools (grouped)
+# - Use the LAUNCH_* flags to allow the setup script or manager to auto-start
+# vendored MCP servers and helper daemons. Set to `true` to enable auto-start.
+# - Defaults are `false` to avoid automatically running networked services.
+
+# Vendored HexStrike MCP adapter (legacy name support: LAUNCH_HEXSTRIKE)
+LAUNCH_HEXTRIKE=false
+#LAUNCH_HEXSTRIKE=false # alternate spelling (kept for compatibility)
+
+# Metasploit MCP (MetasploitMCP)
+# When `LAUNCH_METASPLOIT_MCP=true` the setup script may attempt to start
+# `msfrpcd` (Metasploit RPC daemon) and then start the vendored MetasploitMCP
+# HTTP/SSE server. Provide `MSF_PASSWORD` if you want the setup script to
+# auto-launch `msfrpcd` (it will never invoke sudo).
+LAUNCH_METASPLOIT_MCP=false
+
+# Metasploit RPC (msfrpcd) connection settings
+# - `MSF_USER`/`MSF_PASSWORD`: msfrpcd credentials (keep password secret)
+# - `MSF_SERVER`/`MSF_PORT`: host/port where msfrpcd listens (typically 127.0.0.1)
+# - `MSF_SSL`: set to `true` if msfrpcd is configured with TLS
+MSF_USER=msf
+# set a non-empty password if you want setup to auto-start msfrpcd
+MSF_PASSWORD=
+MSF_SERVER=127.0.0.1
+MSF_PORT=55553
+MSF_SSL=false
+
+# Where to save any payloads generated by vendored MCP servers (optional)
+#PAYLOAD_SAVE_DIR=$HOME/payloads
+
+# ---------------------------------------------------------------------------
+# Optional provider API keys and overrides
+#OPENAI_API_KEY=
+#ANTHROPIC_API_KEY=
+#GEMINI_API_KEY=
+
+# Embeddings (for RAG knowledge base): options include 'openai' or 'local'
+PENTESTAGENT_EMBEDDINGS=local
+
+# Optional daily token budgeting (examples)
+#DAILY_TOKEN_LIMIT=1000000
+#PENTESTAGENT_DAILY_TOKEN_BUDGET=500000
+
+# ---------------------------------------------------------------------------
+# Notes:
+# - Never commit your real API keys or passwords. Keep `.env` out of version control.
+# - Use `LAUNCH_METASPLOIT_MCP=true` only in trusted test environments.# PentestAgent Configuration
 # API Keys (set at least one for chat model)
 OPENAI_API_KEY=
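Review bot: The template ships `PENTESTAGENT_DEBUG=true` under "# Debugging", so anyone who copies it to `.env` as the header instructs runs with debug output on; what debug mode logs is not visible in this hunk, but if it includes prompts, tool output or credential values it should be opt-in, so I would ship `PENTESTAGENT_DEBUG=false`. The last added line is fused with the old header (`...trusted test environments.# PentestAgent Configuration`), which suggests the new block was prepended without a trailing newline and the old content kept, leaving an active `OPENAI_API_KEY=` below the commented `#OPENAI_API_KEY=`; end the notes with a newline and keep only one of the two (the rest of the old file is outside the hunk). `LAUNCH_HEXTRIKE` looks misspelled against the `LAUNCH_HEXSTRIKE` named in its own comment, so confirm which name the loader actually reads. Above `MSF_SSL=false` I would add `# set MSF_SSL=true whenever MSF_SERVER is not 127.0.0.1; otherwise the msfrpcd password crosses the network unencrypted`.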