Skip to content
Strix

Strix

NEW
Category: DAST
License: Apache 2.0
Suphi Cankurt
Suphi Cankurt
+8 Years in AppSec
Updated July 13, 2026
2 min read
Key Takeaways
  • Autonomous AI agents run the app and validate each finding with a real proof-of-concept, not a static false positive
  • Covers OWASP Top 10 and beyond: SQL/NoSQL/OS command injection, SSTI, IDOR, XSS, CSRF, prototype pollution, business logic, and API flaws
  • Installs with one curl command; requires Docker and an LLM API key (OpenAI, Anthropic, or Google)
  • Apache 2.0, 41,000+ GitHub stars; runs headless in CI with pull-request diff scoping

Strix is an open-source AI penetration testing tool. Instead of matching patterns like a traditional DAST scanner, it runs autonomous AI agents that exploit your app the way a real tester would.

The difference that matters is validation. Each finding ships with a working proof-of-concept, not just a static alert, so you triage fewer false positives.

The project is Apache 2.0 licensed and has passed 41,000 GitHub stars.

Strix terminal UI showing a confirmed business logic vulnerability with a CVSS 7.1 report and proof-of-concept Strix confirms a finding by exploiting it, then writes a full report with severity, CVSS score, and the affected endpoint.

What is Strix?

Strix orchestrates multiple AI agents that collaborate on a single target. They handle reconnaissance, exploitation, and validation out of the box.

You point it at a local directory, a git repository, or a live URL. The agents run the app dynamically, so results reflect what actually happens at runtime, not what static analysis infers.

Key Features

FeatureDetails
Testing approachAutonomous multi-agent, dynamic code execution against the running app
ValidationReal proof-of-concept per finding, not static pattern matches
CoverageOWASP Top 10 and beyond, including business logic and API flaws
TargetsLocal directory, git repository, or live URL
AutomationHeadless mode (-n), GitHub Actions, pull-request diff scoping
RequirementsDocker running + an LLM API key (OpenAI, Anthropic, or Google)
LicenseApache 2.0, 41,000+ GitHub stars

Vulnerability coverage

Strix targets the OWASP Top 10 and a range of classes beyond it. The list below comes from the project’s documentation.

  • Injection: SQL, NoSQL, OS command, and server-side template injection (SSTI)
  • Access control: IDOR and privilege escalation
  • Authentication and session weaknesses
  • XSS, CSRF, and prototype pollution
  • Business logic vulnerabilities
  • API security issues
  • Infrastructure misconfigurations
Note
Proof over pattern
Strix agents validate findings by exploiting them and attaching a working proof-of-concept. This is the main distinction from signature-based scanning, where a match still needs a human to confirm it is real.

Getting Started

Strix installs with a single command. Docker must be running and you need an LLM API key from a supported provider.

curl -sSL https://strix.ai/install | bash
  1. Install โ€” Run the curl installer above with Docker running and an LLM API key set for a supported provider (OpenAI, Anthropic, or Google).
  2. Point at a target โ€” Test a local directory, a repository, or a live app: strix --target ./app-directory, strix --target https://github.com/org/repo, or strix -n --target https://your-app.com.
  3. Review findings โ€” The CLI reports validated vulnerabilities with proofs-of-concept and remediation guidance. Use -n for headless CI runs.

When to Use Strix

Strix suits developers and security teams who want exploit-validated testing wired into the workflow, not a separate scanning step. Diff scoping makes it practical to run on every pull request.

Because it needs an LLM API key, the running cost scales with model usage. For signature-based scanning without that dependency, Nuclei and OWASP ZAP remain the open-source references.

Tip
Best For
Teams that want autonomous, proof-validated penetration testing in CI/CD, scoped to code changes, and are comfortable supplying their own LLM API key.
Note: Open-source (Apache 2.0). Requires Docker and an LLM API key. Distributed as the strix-agent PyPI package.

Frequently Asked Questions

Is Strix free?
Yes. Strix is open source under the Apache 2.0 license with over 41,000 GitHub stars. You supply your own LLM API key (OpenAI, Anthropic, or Google), so the running cost is the model usage, not the tool.
How is Strix different from a traditional DAST scanner?
A traditional scanner matches patterns and often reports findings a human has to triage. Strix runs AI agents that dynamically execute the application, attempt real exploits, and attach a working proof-of-concept to each finding, which cuts down false positives.
What does Strix need to run?
Docker must be running and you need an LLM API key from a supported provider (OpenAI, Anthropic, or Google). Installation is a single curl command, and you point it at a local directory, a git repository, or a live URL.
Can Strix run in CI/CD?
Yes. The open-source CLI has a headless mode (the -n flag) and a GitHub Actions workflow, and it can scope testing to a pull-request diff so it only tests changed code. Broader integrations with GitLab, Bitbucket, Slack, Jira, and Linear are part of the hosted Strix Platform.