usestrix/strix
Strix is an Apache-2.0 open-source AI pentesting agent trending on GitHub: multi-agent recon and exploitation against your own apps, validating findings with working PoCs and generating fix PRs.
**The gist** Strix, an open-source autonomous pentesting platform at **30.9k GitHub stars**, runs code dynamically and validates every finding with a working proof-of-concept. **Multi-agent** orchestration chains recon, exploitation, and post-exploitation; coverage spans the **OWASP Top 10** — SQL injection, XSS, SSRF, IDOR, JWT attacks — with CVSS scoring and **auto-fix pull requests**. Apache 2.0, written in Python.
**Why it matters** It fits a coding-agent workflow: point it at a local codebase, a GitHub repo, or a live app, or run it headless in **CI via GitHub Actions** to catch vulnerabilities your code-writing agent introduced. You **bring your own LLM key** (OpenAI, Anthropic, or Gemini models are recommended).
**The gist** Strix, an open-source autonomous pentesting platform at **30.9k GitHub stars**, runs code dynamically and validates every finding with a working proof-of-concept. **Multi-agent** orchestration chains recon, exploitation, and post-exploitation; coverage spans the **OWASP Top 10** — SQL injection, XSS, SSRF, IDOR, JWT attacks — with CVSS scoring and **auto-fix pull requests**. Apache 2.0, written in Python. **Why it matters** It fits a coding-agent workflow: point it at a local codebase, a GitHub repo, or a live app, or run it headless in **CI via GitHub Actions** to catch vulnerabilities your code-writing agent introduced. You **bring your own LLM key** (OpenAI, Anthropic, or Gemini models are recommended). **Watch out** It generates **working exploits**, so only test apps you own or have permission to test. First runs pull a sandbox image and need **Docker** running, and the project is in active development with open issues.