8.8 KiB
Strix
Open-source AI Hackers to secure your Apps
Tip
New! Strix now integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production!
🦉 What are Strix?
Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
Key Capabilities:
- 🔧 Full hacker toolkit out of the box
- 🤝 Teams of agents that collaborate and scale
- ✅ Real validation with PoCs, not false positives
- 💻 Developer‑first CLI with actionable reports
- 🔄 Auto‑fix & reporting to accelerate remediation
🎯 Use Cases
- Application Security Testing - Detect and validate critical vulnerabilities in your applications
- Rapid Penetration Testing - Get penetration tests done in hours, not weeks, with compliance reports
- Bug Bounty Automation - Automate bug bounty research and generate PoCs for faster reporting
- CI/CD Security Gates - Run tests in CI/CD to block vulnerabilities before reaching production
🚀 Quick Start
Prerequisites:
- Docker (running)
- Python 3.12+
- An LLM provider key (or a local LLM)
Installation & First Scan
# Install Strix
pipx install strix-agent
# Configure your AI provider
export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"
# Run your first security assessment
strix --target ./app-directory
Note: First run automatically pulls the sandbox Docker image. Results are saved to
agent_runs/<run-name>/
🏆 Enterprise Platform
Want to skip the setup? Try our cloud-hosted version at usestrix.com
Our managed platform provides:
| Feature | Description |
|---|---|
| 📈 Executive Dashboards | Track security metrics and trends across your organization |
| 🧠 Custom Fine-Tuned Models | AI agents trained on your specific codebase and vulnerabilities |
| ⚙️ CI/CD Integration | Seamless integration with your existing workflows |
| 🔍 Large-Scale Scanning | Test multiple applications and repositories in parallel |
| 🔌 Third-Party Integrations | Connect with Jira, Slack, PagerDuty, and more |
| 🎯 Enterprise Support | Dedicated support team and SLA guarantees |
✨ Features
🛠️ Agentic Security Tools
Strix agents come equipped with a comprehensive security testing toolkit:
| Tool | Capability |
|---|---|
| 🌐 HTTP Proxy | Full request/response manipulation and analysis |
| 🖥️ Browser Automation | Multi-tab browser for XSS, CSRF, and auth flow testing |
| ⌨️ Terminal Environment | Interactive shells for command execution and testing |
| 🐍 Python Runtime | Custom exploit development and validation |
| 🔍 Reconnaissance | Automated OSINT and attack surface mapping |
| 📊 Code Analysis | Static and dynamic analysis capabilities |
| 📝 Knowledge Management | Structured findings and attack documentation |
🎯 Comprehensive Vulnerability Detection
Strix can identify and validate a wide range of security vulnerabilities:
| Category | Coverage |
|---|---|
| 🔐 Access Control | IDOR, privilege escalation, authorization bypass |
| 💉 Injection Attacks | SQL, NoSQL, command injection, template injection |
| 🖥️ Server-Side | SSRF, XXE, deserialization flaws |
| 🌐 Client-Side | XSS, prototype pollution, DOM vulnerabilities |
| ⚙️ Business Logic | Race conditions, workflow manipulation |
| 🔑 Authentication | JWT vulnerabilities, session management flaws |
| 🏗️ Infrastructure | Misconfigurations, exposed services, secrets |
🕸️ Graph of Agents
Advanced multi-agent orchestration for comprehensive security testing:
- 🔄 Distributed Workflows - Specialized agents tackle different attacks and assets simultaneously
- ⚡ Scalable Testing - Parallel execution for fast, comprehensive coverage
- 🤝 Dynamic Coordination - Agents collaborate and share discoveries in real-time
💻 Usage Examples
Basic Usage
# Scan a local codebase
strix --target ./app-directory
# Security review of a GitHub repository
strix --target https://github.com/org/repo
# Black-box web application assessment
strix --target https://your-app.com
Advanced Testing Scenarios
# Grey-box authenticated testing
strix --target https://your-app.com \
--instruction "Perform authenticated testing using credentials: user:pass"
# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app \
-t https://your-app.com
# Focused testing with custom instructions
strix --target api.your-app.com \
--instruction "Focus on business logic flaws and IDOR vulnerabilities"
🤖 Headless Mode
Run Strix programmatically without interactive UI using the -n/--non-interactive flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.
strix -n --target https://your-app.com
🔄 CI/CD (GitHub Actions)
Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:
name: strix-penetration-test
on:
pull_request:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Strix
run: pipx install strix-agent
- name: Run Strix
env:
STRIX_LLM: ${{ secrets.STRIX_LLM }}
LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
run: strix -n -t ./
⚙️ Configuration
export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"
# Optional
export LLM_API_BASE="your-api-base-url" # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key" # for search capabilities
OpenAI's GPT-5 (openai/gpt-5) and Anthropic's Claude Sonnet 4.5 (anthropic/claude-sonnet-4-5) work best with Strix, but we support many other options.
🤝 Contributing
We welcome contributions from the community! There are several ways to contribute:
Code Contributions
See our Contributing Guide for details on:
- Setting up your development environment
- Running tests and quality checks
- Submitting pull requests
- Code style guidelines
Prompt Modules Collection
Help expand our collection of specialized prompt modules for AI agents:
- Advanced testing techniques for vulnerabilities, frameworks, and technologies
- See Prompt Modules Documentation for guidelines
- Submit via pull requests or issues
👥 Join Our Community
Have questions? Found a bug? Want to contribute? Join our Discord!
🌟 Support the Project
Love Strix? Give us a ⭐ on GitHub!