Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual exploitation. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
- Full hacker toolkit out of the box
- Teams of agents that collaborate and scale
- Real validation via exploitation and PoC, not false positives
- Developerβfirst CLI with actionable reports
- Autoβfix & reporting to accelerate remediation
- Detect and validate critical vulnerabilities in your applications.
- Get penetration tests done in hours, not weeks, with compliance reports.
- Automate bug bounty research and generate PoCs for faster reporting.
- Run tests in CI/CD to block vulnerabilities before reaching production.
Prerequisites:
- Docker (running)
- Python 3.12+
- An LLM provider key (or a local LLM)
# Install
pipx install strix-agent
# Configure AI provider
export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"
# Run security assessment
strix --target ./app-directoryFirst run pulls the sandbox Docker image. Results are saved under agent_runs/<run-name>.
Want to skip the setup? Try our cloud-hosted version: usestrix.com
- π Full HTTP Proxy - Full request/response manipulation and analysis
- π Browser Automation - Multi-tab browser for testing of XSS, CSRF, auth flows
- π» Terminal Environments - Interactive shells for command execution and testing
- π Python Runtime - Custom exploit development and validation
- π Reconnaissance - Automated OSINT and attack surface mapping
- π Code Analysis - Static and dynamic analysis capabilities
- π Knowledge Management - Structured findings and attack documentation
- Access Control - IDOR, privilege escalation, auth bypass
- Injection Attacks - SQL, NoSQL, command injection
- Server-Side - SSRF, XXE, deserialization flaws
- Client-Side - XSS, prototype pollution, DOM vulnerabilities
- Business Logic - Race conditions, workflow manipulation
- Authentication - JWT vulnerabilities, session management
- Infrastructure - Misconfigurations, exposed services
- Distributed Workflows - Specialized agents for different attacks and assets
- Scalable Testing - Parallel execution for fast comprehensive coverage
- Dynamic Coordination - Agents collaborate and share discoveries
# Local codebase analysis
strix --target ./app-directory
# Repository security review
strix --target https://github.com/org/repo
# Web application assessment
strix --target https://your-app.com
# Focused testing
strix --target api.your-app.com --instruction "Prioritize authentication and authorization testing"
# Testing with credentials
strix --target https://your-app.com --instruction "Test with credentials: testuser/testpass. Focus on privilege escalation and access control bypasses."export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"
# Optional
export LLM_API_BASE="your-api-base-url" # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key" # for search capabilitiesOur managed platform provides:
- π Executive Dashboards
- π§ Custom Fine-Tuned Models
- βοΈ CI/CD Integration
- π Large-Scale Scanning
- π Third-Party Integrations
- π― Enterprise Support
- Container Isolation - All testing in sandboxed Docker environments
- Local Processing - Testing runs locally, no data sent to external services
Warning
Only test systems you own or have permission to test. You are responsible for using Strix ethically and legally.
Love Strix? Give us a β on GitHub!
Have questions? Found a bug? Want to contribute? Join our Discord!