Strix Tutorial: Open-Source AI Penetration Testing to Find and Fix Vulnerabilities

TL;DR: Strix turns AI into a real hacker—runs your code dynamically, finds vulnerabilities, generates working proof-of-concept exploits. 38,100+ Stars (now over 38,128 as of 2026-07-07), Apache 2.0, full CI/CD integration from CLI.

What is Strix?

Strix is an open-source AI penetration testing tool by usestrix. It is not a traditional static code scanner—instead, AI agents act like real hackers by running your code dynamically, discovering vulnerabilities, validating them through actual exploitation (PoC), then delivering fix suggestions.

Key capabilities:

  • Full pentesting toolkit: reconnaissance, exploitation, and validation out of the box
  • Multi-agent orchestration: multiple AI agents collaborate like a red team
  • Real exploit validation: false positives replaced by working PoCs
  • Developer-first CLI: actionable findings with remediation guidance
  • Auto-fix and reporting: generate patches and compliance-ready pentest reports

Strix is built on LiteLLM, Caido, Nuclei, Playwright and supports 18+ LLM providers including OpenAI, Anthropic, Google, and local models (Ollama, LMStudio).


Why Strix?

Feature Strix Traditional SAST Manual Pentesting
Pricing Free + Open Source (Apache 2.0) $10K+/year $5K+/engagement
Speed Minutes Hours Weeks
False positives Low (real PoC validation) High Very low
Coverage OWASP Top 10 + business logic Known CVEs Comprehensive
CI/CD Integration Native Partial None
Remediation Auto-patch generation None Manual
Scalability Multi-agent parallel Single-threaded Human-limited

Vs. competitors

  • vs XBOW: Strix is open-source; XBOW is closed-source commercial
  • vs Greptile for Security: Strix launched earlier with more complete features
  • vs Nuclei: Nuclei is a template scanner; Strix is AI-driven intelligent pentesting
  • vs Burp Suite manual: Burp Suite requires manual operation; Strix is fully automatic

Prerequisites

  • Docker: must be running (sandbox environment)
  • LLM API Key: OpenAI, Anthropic, Google, local models supported
  • OS: Linux, macOS or Windows
  • Python: 3.12+ (for pip installation)

Installing Strix

1
curl -sSL https://strix.ai/install | bash

Via pip

1
pip install strix-agent

⚠️ Note: When running pip install strix-agent, the tiktoken dependency may need to be compiled from source, which requires a Rust compiler. If you encounter error: can't find Rust compiler, please install Rust first:

1
2
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"

Then re-run pip install strix-agent.

pipx is a dedicated installer for Python CLI tools that creates an isolated virtual environment for each tool, preventing dependency conflicts with your system Python.

1
2
3
4
5
6
# 1. Install pipx
pip install --user pipx
pipx ensurepath

# 2. Install strix-agent with pipx
pipx install strix-agent

Advantages: With pipx, strix-agent runs in its own virtual environment, avoiding conflicts with your Python project dependencies and bypassing build issues like tiktoken requiring a Rust compiler. Upgrades and uninstalls are also cleaner: pipx upgrade strix-agent / pipx uninstall strix-agent.

Binary download (no Python required)

Download the pre-compiled binary from Releases:

Platform File Downloads (as of 2026-07-07)
Linux x86_64 strix-1.0.4-linux-x86_64.tar.gz 4,860
macOS ARM64 strix-1.0.4-macos-arm64.tar.gz 1,130
macOS x86_64 strix-1.0.4-macos-x86_64.tar.gz 145
Windows x86_64 strix-1.0.4-windows-x86_64.zip 1,335

Step 1: Configure LLM Provider

1
2
3
4
5
6
7
8
9
10
11
12
# Recommended provider (GPT-5.4 performs best)
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"

# Optional: local models
export LLM_API_BASE="http://localhost:11434" # Ollama

# Optional: search capabilities for OSINT
export PERPLEXITY_API_KEY="your-api-key"

# Optional: reasoning effort
export STRIX_REASONING_EFFORT="high" # default high, use medium for quick scans

Config auto-saves to ~/.strix/cli-config.json.

Recommended models (by performance):

  1. OpenAI GPT-5.4openai/gpt-5.4 (best overall)
  2. Anthropic Claude Sonnet 4.6anthropic/claude-sonnet-4-6
  3. Google Gemini 3 Pro Previewvertex_ai/gemini-3-pro-preview

Third-party testing across 18 LLM models confirmed GPT-5.4 delivers top results. See TheArtificialQ review.


Step 2: Run Your First Scan

Scan local codebase

1
2
3
4
5
# White-box (source-aware)
strix --target ./app-directory --scan-mode standard

# Quick scan
strix --target ./app-directory --scan-mode quick

Scan remote application

1
2
3
4
5
# Black-box web assessment
strix --target https://your-app.com

# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"

Scan GitHub repository

1
strix --target https://github.com/org/repo

Findings are saved to strix_runs/<run-name>.


Step 3: Advanced Testing Scenarios

Multi-target testing

1
2
3
4
5
# Scan source code + deployed app simultaneously
strix -t https://github.com/org/app -t https://your-app.com

# Targets from file
strix --target-list ./targets.txt

Custom instructions

1
2
3
4
5
# Focus on business logic and IDOR
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"

# Detailed instructions via file (rules of engagement, scope, exclusions)
strix --target api.your-app.com --instruction-file ./instruction.md

PR diff-scope scanning

1
2
# Diff scan against specific base branch
strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/main

Step 4: Headless Mode (Automation)

1
2
# Non-interactive mode for servers/automation
strix -n --target https://your-app.com

Real-time findings printed to stdout; non-zero exit code when vulnerabilities detected.


Step 5: CI/CD Integration (GitHub Actions)

Add .github/workflows/strix.yml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
name: strix-penetration-test

on:
pull_request:

jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Install Strix
run: curl -sSL https://strix.ai/install | bash

- name: Run Strix
env:
STRIX_LLM: ${{ secrets.STRIX_LLM }}
LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
run: strix -n -t ./ --scan-mode quick

Strix auto-scopes quick reviews to changed files in CI. If diff-scope resolution fails, ensure full git history (fetch-depth: 0) or pass --diff-base explicitly.


Vulnerability Coverage

Strix covers OWASP Top 10 and beyond:

Category Specific Vulnerabilities
Broken Access Control IDOR, privilege escalation, auth bypass
Injection Attacks SQLi, NoSQLi, OS command injection, SSTI
Server-Side SSRF, XXE, insecure deserialization, RCE
Client-Side XSS (stored/reflected/DOM), prototype pollution, CSRF
Business Logic Race conditions, payment manipulation, workflow bypass
Auth & Session JWT attacks, session fixation, credential stuffing
Infrastructure Misconfigurations, exposed services, cloud issues
API Security Broken auth, mass assignment, rate limit bypass

FAQ

What applications can it scan?

Web apps, APIs, backend services, frontend apps. Local codebases, remote URLs or GitHub repositories.

How about false positives?

Strix uses real PoC validation, dramatically reducing false positives vs traditional SAST tools. Third-party testing confirmed GPT-5.4 delivers the best results across 18 LLM models.

Local model support?

Yes. Configure LLM_API_BASE for Ollama, LMStudio or any compatible endpoint.

How long does a scan take?

Quick scan: minutes. Standard scan: 10-30 minutes depending on application size.

pip install fails with tiktoken requiring a Rust compiler?

This is a build dependency issue when tiktoken compiles from source. Install Rust first:

1
2
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"

Then re-run pip install strix-agent. Alternatively, use pipx install strix-agent (recommended, creates an isolated virtual environment to avoid this issue).

⚠️ Warning: Only test applications you own or have explicit authorization to test. Use Strix ethically and legally.


Summary

Strix transforms AI penetration testing from theory to practice. 38,100+ Stars, Apache 2.0, 1,700+ Discord members, 18+ LLM models—whether you are a developer, security engineer or bug bounty hunter, Strix helps you find and fix vulnerabilities fast.

🔗 Useful Links