Repository iconcurepo.dev
strix preview

usestrix / strix

agentsai-hackingai-penetration-testingai-pentesting

Open-source AI penetration testing tool to find and fix your app’s vulnerabilities.

41k Stars
visibility248 Watchers
fork_right4.3k Forks
Python
historyUpdated recently

description README.md

Strix Banner

Strix

The open-source AI pentesting tool. Autonomous AI hackers that find and fix your app’s vulnerabilities.


Docs Website

Ask DeepWiki GitHub Stars License PyPI Version

Join Discord Follow on X

usestrix/strix | Trendshift usestrix%2Fstrix | Trendshift

[!TIP] New! Strix integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production - Get started with no setup required.


Strix Overview

Strix are autonomous AI penetration testing agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proofs-of-concept. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.

Key Capabilities:

  • Full pentesting toolkit - reconnaissance, exploitation, and validation out of the box
  • Multi-agent orchestration - teams of AI pentesters that collaborate and scale
  • Real exploit validation - working PoCs, not false positives like legacy vulnerability scanners
  • Developer‑first CLI - actionable findings with remediation guidance
  • Auto‑fix & reporting - generate patches and compliance-ready pentest reports

Use Cases

  • Application Security Testing - Detect and validate critical vulnerabilities in your applications
  • Rapid Penetration Testing - Get penetration tests done in hours, not weeks, with compliance reports
  • Bug Bounty Automation - Automate bug bounty research and generate PoCs for faster reporting
  • CI/CD Integration - Run tests in CI/CD to block vulnerabilities before reaching production

🚀 Quick Start

Prerequisites:

  • Docker (running)
  • An LLM API key from any supported provider (OpenAI, Anthropic, Google, etc.)

Installation & First Scan

# Install Strix
curl -sSL https://strix.ai/install | bash

# Configure your AI provider
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"

# Run your first security assessment
strix --target ./app-directory

[!NOTE] First run automatically pulls the sandbox Docker image. Results are saved to strix_runs/<run-name>


☁️ Strix Platform

Try the Strix full-stack penetration testing platform at app.strix.ai - sign up for free, connect your repos and domains, and launch a pentest in minutes.

  • Validated findings with PoCs - every vulnerability includes a working proof-of-concept exploit and reproduction steps
  • One-click autofix - AI-generated security patches as ready-to-merge pull requests
  • Continuous pentesting - always-on vulnerability scanning that keeps pace with your deployments
  • DevSecOps integrations - GitHub, GitLab, Bitbucket, Slack, Jira, Linear, and CI/CD pipelines
  • Continuous learning - AI that builds on past findings, adapts to your codebase, and reduces false positives over time

Start your first pentest →


✨ Features

Agentic Pentesting Tools

Strix agents come equipped with a comprehensive offensive security toolkit - the same tools used by professional penetration testers and ethical hackers:

  • HTTP Interception Proxy - Full request/response manipulation and analysis with Caido
  • Browser Exploitation - Automated browser for testing XSS, CSRF, clickjacking, and auth bypass flows
  • Shell & Command Execution - Interactive terminal for exploit development and post-exploitation
  • Custom Exploit Runtime - Python sandbox for writing and validating proof-of-concept exploits
  • Reconnaissance & OSINT - Automated attack surface mapping, subdomain enumeration, and fingerprinting
  • Static & Dynamic Code Analysis - SAST + DAST capabilities for comprehensive application security testing
  • Vulnerability Knowledge Base - Structured findings with CVSS scoring and OWASP classification

Comprehensive Vulnerability Scanner

Strix identifies, validates, and exploits a wide range of security vulnerabilities across the OWASP Top 10 and beyond:

  • Broken Access Control - IDOR, privilege escalation, auth bypass
  • Injection Attacks - SQL injection, NoSQL injection, OS command injection, SSTI
  • Server-Side Vulnerabilities - SSRF, XXE, insecure deserialization, RCE
  • Client-Side Attacks - XSS (stored/reflected/DOM), prototype pollution, CSRF
  • Business Logic Flaws - Race conditions, payment manipulation, workflow bypass
  • Authentication & Session - JWT attacks, session fixation, credential stuffing vectors
  • Infrastructure & Cloud - Misconfigurations, exposed services, cloud security issues
  • API Security - Broken authentication, mass assignment, rate limiting bypass

Graph of Agents (Multi-Agent Pentesting)

Advanced multi-agent orchestration for comprehensive automated penetration testing:

  • Distributed Pentesting - Specialized AI agents for recon, exploitation, and post-exploitation
  • Scalable Security Testing - Parallel execution across multiple targets for fast, comprehensive coverage
  • Dynamic Coordination - Agents share discoveries, chain vulnerabilities, and collaborate like a red team

Usage Examples

Basic Usage

# Scan a local codebase
strix --target ./app-directory

# Security review of a GitHub repository
strix --target https://github.com/org/repo

# Black-box web application assessment
strix --target https://your-app.com

Advanced Testing Scenarios

# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"

# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com

# Targets from a file, one target per non-empty, non-comment line
strix --target-list ./targets.txt

#