Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.

Key Capabilities:

• 🔧 Full hacker toolkit out of the box
• 🤝 Teams of agents that collaborate and scale
• ✅ Real validation with PoCs, not false positives
• 💻 Developer‑first CLI with actionable reports
• 🔄 Auto‑fix & reporting to accelerate remediation

• Application Security Testing - Detect and validate critical vulnerabilities in your applications
• Rapid Penetration Testing - Get penetration tests done in hours, not weeks, with compliance reports
• Bug Bounty Automation - Automate bug bounty research and generate PoCs for faster reporting
• CI/CD Integration - Run tests in CI/CD to block vulnerabilities before reaching production

Prerequisites:

• Docker (running)
• Python 3.12+
• An LLM provider key (e.g. get OpenAI API key or use a local LLM)

# Install Strix
pipx install strix-agent

# Configure your AI provider
export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"

# Run your first security assessment
strix --target ./app-directory

Want to skip the local setup, API keys, and unpredictable LLM costs? Run the hosted cloud version of Strix at app.usestrix.com.

Launch a scan in just a few minutes—no setup or configuration required—and you’ll get:

• A full pentest report with validated findings and clear remediation steps
• Shareable dashboards your team can use to track fixes over time
• CI/CD and GitHub integrations to block risky changes before production
• Continuous monitoring so new vulnerabilities are caught quickly

Run your first pentest now →

Strix agents come equipped with a comprehensive security testing toolkit:

• Full HTTP Proxy - Full request/response manipulation and analysis
• Browser Automation - Multi-tab browser for testing of XSS, CSRF, auth flows
• Terminal Environments - Interactive shells for command execution and testing
• Python Runtime - Custom exploit development and validation
• Reconnaissance - Automated OSINT and attack surface mapping
• Code Analysis - Static and dynamic analysis capabilities
• Knowledge Management - Structured findings and attack documentation

Strix can identify and validate a wide range of security vulnerabilities:

• Access Control - IDOR, privilege escalation, auth bypass
• Injection Attacks - SQL, NoSQL, command injection
• Server-Side - SSRF, XXE, deserialization flaws
• Client-Side - XSS, prototype pollution, DOM vulnerabilities
• Business Logic - Race conditions, workflow manipulation
• Authentication - JWT vulnerabilities, session management
• Infrastructure - Misconfigurations, exposed services

Advanced multi-agent orchestration for comprehensive security testing:

• Distributed Workflows - Specialized agents for different attacks and assets
• Scalable Testing - Parallel execution for fast comprehensive coverage
• Dynamic Coordination - Agents collaborate and share discoveries

# Scan a local codebase
strix --target ./app-directory

# Security review of a GitHub repository
strix --target https://github.com/org/repo

# Black-box web application assessment
strix --target https://your-app.com

# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"

# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com

# Focused testing with custom instructions
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"

Run Strix programmatically without interactive UI using the -n/--non-interactive flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.

strix -n --target https://your-app.com

Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:

name: strix-penetration-test

on:
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Strix
        run: pipx install strix-agent

      - name: Run Strix
        env:
          STRIX_LLM: ${{ secrets.STRIX_LLM }}
          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}

        run: strix -n -t ./

export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"

# Optional
export LLM_API_BASE="your-api-base-url"  # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key"  # for search capabilities

OpenAI's GPT-5 (openai/gpt-5) and Anthropic's Claude Sonnet 4.5 (anthropic/claude-sonnet-4-5) are the recommended models for best results with Strix. We also support many other options, including cloud and local models, though their performance and reliability may vary.

We welcome contributions from the community! There are several ways to contribute:

See our Contributing Guide for details on:

• Setting up your development environment
• Running tests and quality checks
• Submitting pull requests
• Code style guidelines

Help expand our collection of specialized prompt modules for AI agents:

• Advanced testing techniques for vulnerabilities, frameworks, and technologies
• See Prompt Modules Documentation for guidelines
• Submit via pull requests or issues

Have questions? Found a bug? Want to contribute? Join our Discord!

Love Strix? Give us a ⭐ on GitHub!

Strix builds on the incredible work of open-source projects like LiteLLM, Caido, ProjectDiscovery, Playwright, and Textual. Huge thanks to their maintainers!