Strix is an open-source AI penetration testing tool. Instead of matching patterns like a traditional DAST scanner, it runs autonomous AI agents that exploit your app the way a real tester would.
The difference that matters is validation. Each finding ships with a working proof-of-concept, not just a static alert, so you triage fewer false positives.
The project is Apache 2.0 licensed and has passed 41,000 GitHub stars.
Strix confirms a finding by exploiting it, then writes a full report with severity, CVSS score, and the affected endpoint.
What is Strix?
Strix orchestrates multiple AI agents that collaborate on a single target. They handle reconnaissance, exploitation, and validation out of the box.
You point it at a local directory, a git repository, or a live URL. The agents run the app dynamically, so results reflect what actually happens at runtime, not what static analysis infers.
Key Features
| Feature | Details |
|---|---|
| Testing approach | Autonomous multi-agent, dynamic code execution against the running app |
| Validation | Real proof-of-concept per finding, not static pattern matches |
| Coverage | OWASP Top 10 and beyond, including business logic and API flaws |
| Targets | Local directory, git repository, or live URL |
| Automation | Headless mode (-n), GitHub Actions, pull-request diff scoping |
| Requirements | Docker running + an LLM API key (OpenAI, Anthropic, or Google) |
| License | Apache 2.0, 41,000+ GitHub stars |
Vulnerability coverage
Strix targets the OWASP Top 10 and a range of classes beyond it. The list below comes from the project’s documentation.
- Injection: SQL, NoSQL, OS command, and server-side template injection (SSTI)
- Access control: IDOR and privilege escalation
- Authentication and session weaknesses
- XSS, CSRF, and prototype pollution
- Business logic vulnerabilities
- API security issues
- Infrastructure misconfigurations
Getting Started
Strix installs with a single command. Docker must be running and you need an LLM API key from a supported provider.
curl -sSL https://strix.ai/install | bash
- Install โ Run the curl installer above with Docker running and an LLM API key set for a supported provider (OpenAI, Anthropic, or Google).
- Point at a target โ Test a local directory, a repository, or a live app:
strix --target ./app-directory,strix --target https://github.com/org/repo, orstrix -n --target https://your-app.com. - Review findings โ The CLI reports validated vulnerabilities with proofs-of-concept and remediation guidance. Use
-nfor headless CI runs.
When to Use Strix
Strix suits developers and security teams who want exploit-validated testing wired into the workflow, not a separate scanning step. Diff scoping makes it practical to run on every pull request.
Because it needs an LLM API key, the running cost scales with model usage. For signature-based scanning without that dependency, Nuclei and OWASP ZAP remain the open-source references.
