# Strix

> Open-source autonomous AI penetration testing tool that continuously finds, validates, and auto-fixes vulnerabilities across APIs, web apps, code, and cloud infrastructure.

Strix is an open-source autonomous AI penetration testing tool built by OmniSecure, Inc. and published under the Apache 2.0 license. It deploys teams of AI agents that act like real hackers — running code dynamically, finding vulnerabilities, and validating them through working proof-of-concept exploits. The project has accumulated over 28,000 GitHub stars since its creation in August 2025, and a managed cloud platform at app.strix.ai extends the open-source CLI with continuous coverage, PR reviews, and auto-fix capabilities.

## What It Is

Strix is an agentic security testing platform that combines static analysis, dynamic application security testing (DAST), and multi-agent orchestration to automate the full penetration testing lifecycle. Where conventional scanners report pattern matches that still have to be triaged by hand, Strix's stated design goal is to confirm each finding with a working exploit before it is reported, so that what reaches the report has been demonstrated rather than inferred. Coverage spans the OWASP Top 10 and beyond, including IDOR, SSRF, SQL injection, XSS, JWT attacks, business logic flaws, and cloud misconfigurations, across REST APIs, GraphQL, web apps, source code, and cloud infrastructure.

## Core Architecture: Graph of Agents

Strix uses a multi-agent orchestration model where specialized AI agents collaborate like a red team:

- **Reconnaissance agents** handle attack surface mapping, subdomain enumeration, and fingerprinting
- **Exploitation agents** run targeted attacks using an HTTP interception proxy (Caido integration), browser automation (Playwright), a Python exploit sandbox, and an interactive shell
- **Validation agents** confirm exploitability with working PoCs and CVSS scoring
- **Coordination layer** lets agents share discoveries, chain vulnerabilities, and scale across multiple targets in parallel

The CLI talks to OpenAI, Anthropic, Google Vertex AI, AWS Bedrock, Azure, and local models through LiteLLM; the model is selected via environment variables using LiteLLM's `provider/model` naming, alongside the chosen provider's API key.

## Developer Workflow and CI/CD Integration

Strix is designed to plug directly into DevSecOps pipelines:

- Install via a single `curl` command; requires Docker and an LLM API key
- Scan local codebases, GitHub repos, or live URLs with `strix --target`
- A `--non-interactive` flag enables headless mode for automated jobs; exits with a non-zero code when vulnerabilities are found
- A GitHub Actions workflow snippet is provided in the README for PR-scoped security scans
- The cloud platform integrates with GitHub, GitLab, Bitbucket, Slack, Jira, and Linear
- In CI pull request runs, Strix automatically scopes quick reviews to changed files
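The PR-scoped pipeline described above, written out as a GitHub Actions workflow. This is an added example, not the snippet from the Strix README: the `STRIX_LLM` and `LLM_API_KEY` variable names, the `STRIX_LLM_API_KEY` secret name, and the model string are assumptions you should check against the current docs before use; only the `pip` package name, the `strix --target` invocation and the `--non-interactive` flag come from this page.

```yaml
# Added example (not the workflow from the Strix README).
# Assumed, not stated on this page: the model and key are read from
# STRIX_LLM and LLM_API_KEY, and STRIX_LLM_API_KEY is a repository secret you create.
name: strix-pr-review

on:
  pull_request:
    branches: [main]

permissions:
  contents: read            # least privilege: the job only needs to read the checkout

jobs:
  pentest:
    runs-on: ubuntu-latest  # hosted runners ship with Docker, which Strix requires
    timeout-minutes: 30     # agentic scans are open-ended; cap wall time and LLM spend
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so the PR diff (changed-file scoping) is available

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Strix
        run: pip install strix-agent

      - name: Scan changed files
        env:
          STRIX_LLM: openai/gpt-4.1                      # assumed variable; LiteLLM provider/model string
          LLM_API_KEY: ${{ secrets.STRIX_LLM_API_KEY }}  # assumed variable; never hard-code the key
        # --non-interactive runs headless and exits non-zero when findings are confirmed,
        # which fails this job and, if the check is marked required, blocks the merge.
        run: strix --non-interactive --target .
```

Two caveats a practitioner will hit in practice: GitHub does not expose repository secrets to `pull_request` runs from forks, so fork PRs will fail at the key step unless you route them through a separately gated workflow; and the scan ships source and responses to whichever LLM provider the key belongs to, so treat the key as sensitive and use the self-hosted or BYOK options if code must not leave your environment.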

## Cloud Platform vs. Open-Source CLI

The open-source CLI (`strix-agent` on PyPI) provides the full agentic pentesting engine. The managed cloud platform at app.strix.ai adds:

- Continuous always-on pentesting that keeps pace with deployments
- One-click auto-fix: AI-generated patches delivered as merge-ready pull requests, retested to confirm the vulnerability is gone
- A real-time security posture dashboard with validated findings and PoCs
- Attack surface monitoring and scheduled pentesting
- An enterprise tier with VPC/on-premise/air-gapped deployment, SSO (SAML/OIDC), SCIM, custom model support (BYOK), internal infrastructure pentesting, and dedicated SLA

## Update: v1.0.4 and New Platform Launch

The latest release is **v1.0.4**, published June 9, 2026. The repository was last pushed June 30, 2026, indicating active development. Alongside the CLI releases, the team published a blog post titled "Introducing the New Strix Platform" (April 13, 2026), signaling a significant expansion from a CLI tool to a full-stack security platform. A partnership with Caido (March 2026) brought precision HTTP interception proxy capabilities into the agentic pentesting workflow. The project is SOC 2 Type II and ISO 27001 compliant on the enterprise side.

## Features
- Autonomous AI penetration testing agents
- Multi-agent orchestration (Graph of Agents)
- Real exploit validation with proof-of-concept
- One-click auto-fix with merge-ready PRs
- PR security reviews in CI/CD pipelines
- Continuous attack surface monitoring
- REST, GraphQL, and web app pentesting
- Infrastructure and cloud misconfiguration scanning
- OWASP Top 10 vulnerability coverage
- IDOR, SSRF, SQLi, XSS, JWT attack detection
- HTTP interception proxy (Caido integration)
- Browser automation for XSS/CSRF/auth bypass testing
- Python exploit sandbox
- SAST + DAST capabilities
- CVSS scoring and OWASP classification
- Headless/non-interactive mode for automation
- GitHub Actions CI/CD integration
- Multi-LLM provider support (OpenAI, Anthropic, Google, etc.)
- Local model support via Ollama/LMStudio
- Compliance-ready pentest reports (SOC 2, ISO 27001, PCI DSS)
- Self-hosted/VPC/air-gapped enterprise deployment
- SSO (SAML/OIDC) and SCIM
- Zero data retention policy

## Integrations
GitHub, GitLab, Bitbucket, Slack, Jira, Linear, GitHub Actions, Caido, OpenAI, Anthropic Claude, Google Vertex AI, AWS Bedrock, Azure OpenAI, Ollama, LMStudio, Nuclei, Playwright, LiteLLM, Docker, Kubernetes, AWS, Google Cloud, Azure

## Platforms
CLI, WEB, API, LINUX, MACOS, WINDOWS

## Pricing
Open Source, Free tier available

## Version
v1.0.4

## Links
- Website: https://strix.ai
- Documentation: https://docs.strix.ai
- Repository: https://github.com/usestrix/strix
- EveryDev.ai: https://www.everydev.ai/tools/strix
