usestrix / strix
Open-source AI penetration testing tool to find and fix your app’s vulnerabilities.
description README.md
Strix
The open-source AI pentesting tool. Autonomous AI hackers that find and fix your app’s vulnerabilities.
[!TIP] New! Strix integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production - Get started with no setup required.
Strix Overview
Strix are autonomous AI penetration testing agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proofs-of-concept. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
Key Capabilities:
- Full pentesting toolkit - reconnaissance, exploitation, and validation out of the box
- Multi-agent orchestration - teams of AI pentesters that collaborate and scale
- Real exploit validation - working PoCs, not false positives like legacy vulnerability scanners
- Developer‑first CLI - actionable findings with remediation guidance
- Auto‑fix & reporting - generate patches and compliance-ready pentest reports
Use Cases
- Application Security Testing - Detect and validate critical vulnerabilities in your applications
- Rapid Penetration Testing - Get penetration tests done in hours, not weeks, with compliance reports
- Bug Bounty Automation - Automate bug bounty research and generate PoCs for faster reporting
- CI/CD Integration - Run tests in CI/CD to block vulnerabilities before reaching production
🚀 Quick Start
Prerequisites:
- Docker (running)
- An LLM API key from any supported provider (OpenAI, Anthropic, Google, etc.)
Installation & First Scan
# Install Strix
curl -sSL https://strix.ai/install | bash
# Configure your AI provider
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"
# Run your first security assessment
strix --target ./app-directory
[!NOTE] First run automatically pulls the sandbox Docker image. Results are saved to
strix_runs/<run-name>
☁️ Strix Platform
Try the Strix full-stack penetration testing platform at app.strix.ai - sign up for free, connect your repos and domains, and launch a pentest in minutes.
- Validated findings with PoCs - every vulnerability includes a working proof-of-concept exploit and reproduction steps
- One-click autofix - AI-generated security patches as ready-to-merge pull requests
- Continuous pentesting - always-on vulnerability scanning that keeps pace with your deployments
- DevSecOps integrations - GitHub, GitLab, Bitbucket, Slack, Jira, Linear, and CI/CD pipelines
- Continuous learning - AI that builds on past findings, adapts to your codebase, and reduces false positives over time
✨ Features
Agentic Pentesting Tools
Strix agents come equipped with a comprehensive offensive security toolkit - the same tools used by professional penetration testers and ethical hackers:
- HTTP Interception Proxy - Full request/response manipulation and analysis with Caido
- Browser Exploitation - Automated browser for testing XSS, CSRF, clickjacking, and auth bypass flows
- Shell & Command Execution - Interactive terminal for exploit development and post-exploitation
- Custom Exploit Runtime - Python sandbox for writing and validating proof-of-concept exploits
- Reconnaissance & OSINT - Automated attack surface mapping, subdomain enumeration, and fingerprinting
- Static & Dynamic Code Analysis - SAST + DAST capabilities for comprehensive application security testing
- Vulnerability Knowledge Base - Structured findings with CVSS scoring and OWASP classification
Comprehensive Vulnerability Scanner
Strix identifies, validates, and exploits a wide range of security vulnerabilities across the OWASP Top 10 and beyond:
- Broken Access Control - IDOR, privilege escalation, auth bypass
- Injection Attacks - SQL injection, NoSQL injection, OS command injection, SSTI
- Server-Side Vulnerabilities - SSRF, XXE, insecure deserialization, RCE
- Client-Side Attacks - XSS (stored/reflected/DOM), prototype pollution, CSRF
- Business Logic Flaws - Race conditions, payment manipulation, workflow bypass
- Authentication & Session - JWT attacks, session fixation, credential stuffing vectors
- Infrastructure & Cloud - Misconfigurations, exposed services, cloud security issues
- API Security - Broken authentication, mass assignment, rate limiting bypass
Graph of Agents (Multi-Agent Pentesting)
Advanced multi-agent orchestration for comprehensive automated penetration testing:
- Distributed Pentesting - Specialized AI agents for recon, exploitation, and post-exploitation
- Scalable Security Testing - Parallel execution across multiple targets for fast, comprehensive coverage
- Dynamic Coordination - Agents share discoveries, chain vulnerabilities, and collaborate like a red team
Usage Examples
Basic Usage
# Scan a local codebase
strix --target ./app-directory
# Security review of a GitHub repository
strix --target https://github.com/org/repo
# Black-box web application assessment
strix --target https://your-app.com
Advanced Testing Scenarios
# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"
# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com
# Targets from a file, one target per non-empty, non-comment line
strix --target-list ./targets.txt
#