Frequently Asked Questions

Everything you need to know about Strix, the open-source AI penetration testing tool

What is Strix?

Strix is a set of autonomous AI penetration testing agents that behave like a human attacker: they run your code dynamically, look for vulnerabilities, and validate each finding with a working proof-of-concept rather than a pattern match. It is built for developers and security teams who need fast, accurate testing without the overhead of a manual pentest or the false-positive rate of static analysis tools.

How does Strix work?

Strix uses AI agents equipped with a comprehensive offensive security toolkit. These agents perform reconnaissance, exploitation, and validation across your applications. The system:

  • Dynamically analyzes your code and running applications
  • Identifies potential vulnerabilities using AI-driven scanning
  • Validates findings through real exploitation attempts
  • Generates proof-of-concept exploits and remediation suggestions
  • Provides detailed reports with CVSS scores and OWASP classifications

What kind of vulnerabilities can Strix detect?

Strix identifies a wide range of security vulnerabilities across the OWASP Top 10 and beyond:

  • Broken Access Control: IDOR, privilege escalation, auth bypass
  • Injection Attacks: SQL injection, NoSQL injection, OS command injection, SSTI
  • Server-Side Vulnerabilities: SSRF, XXE, insecure deserialization, RCE
  • Client-Side Attacks: XSS (stored/reflected/DOM), prototype pollution, CSRF
  • Business Logic Flaws: Race conditions, payment manipulation, workflow bypass
  • Authentication & Session: JWT attacks, session fixation, credential stuffing
  • Infrastructure & Cloud: Misconfigurations, exposed services, cloud security issues
  • API Security: Broken authentication, mass assignment, rate limiting bypass

Is Strix open source?

Yes! Strix is completely open source under the Apache License 2.0. You can view the source code, contribute to the project, and use it freely in your projects. The project is actively maintained by the Strix team and community contributors.

What are the system requirements?

Strix requires:

  • Running Docker installation
  • An LLM API key from a supported provider (OpenAI, Anthropic, Google, etc.)
  • Python 3.8+ (if running locally)
  • 4GB+ RAM recommended for complex scans
  • 10GB+ free disk space for scan results

How do I install Strix?

Installation is straightforward. Note that the installer is piped directly into a shell; if your environment requires it, download the script to a file and read it before running it. The STRIX_LLM value is the model identifier in provider/model form, and LLM_API_KEY is the credential for that provider, so treat it like any other secret:

# Install Strix
curl -sSL https://strix.ai/install | bash

# Configure your AI provider
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"

# Run your first security assessment
strix --target ./app-directory

For detailed installation instructions, visit our documentation.

Can I use Strix in CI/CD pipelines?

Absolutely! Strix integrates with CI/CD pipelines including GitHub Actions, GitLab CI, and Jenkins. You can scan for vulnerabilities on every pull request and block insecure code before it reaches production. Two practical points: GitHub does not expose repository secrets to workflows triggered by pull requests from forks, so the job below only has credentials on same-repository PRs; and because Strix actually executes and attacks the application under test, keep the target limited to code and environments you are authorized to test.

Here's a GitHub Actions example:

name: strix-penetration-test

on:
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0   # full history, useful when scanning only the files changed in the PR

      - name: Install Strix
        run: curl -sSL https://strix.ai/install | bash

      - name: Run Strix
        env:
          # Keep the model name and provider key out of the workflow file; store both as repository secrets.
          STRIX_LLM: ${{ secrets.STRIX_LLM }}
          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
        run: strix -n -t ./ --scan-mode quick

What AI models are supported?

Strix supports multiple LLM providers including:

  • OpenAI: GPT-4, GPT-3.5-turbo
  • Anthropic: Claude 3 Sonnet, Claude 2.1
  • Google: Gemini Pro, PaLM 2
  • Local Models: Ollama, LM Studio, vLLM
  • Cloud Providers: Azure OpenAI, AWS Bedrock, Google Vertex AI

For the full list of supported providers and models, see our LLM Providers documentation.

How do I get support?

We offer multiple channels for support:

  • Documentation: Comprehensive guides and tutorials at docs.strix.ai
  • Community Discord: Join our community for discussions and help at discord.gg/strix-ai
  • GitHub Issues: Report bugs and request features on our GitHub issues page
  • Enterprise Support: For enterprise customers, we offer dedicated support with SLAs

Is there a paid version?

Strix offers both open-source and enterprise versions:

  • Open Source: Free to use for personal and commercial projects with Apache 2.0 license
  • Strix Platform: Cloud-based platform at app.strix.ai with additional features:
    • One-click autofix with AI-generated patches
    • Continuous pentesting with always-on scanning
    • Advanced DevSecOps integrations
    • Compliance-ready reports (SOC 2, ISO 27001, PCI DSS)
    • SSO (SAML/OIDC) and BYOK model support

For enterprise features and pricing, visit our enterprise page.

How does Strix handle false positives?

Strix significantly reduces false positives through:

  • Real exploit validation - findings are confirmed with working proof-of-concepts
  • Context-aware scanning - understands your application's specific business logic
  • Continuous learning - AI adapts to your codebase and improves over time
  • Manual review options - allows security teams to validate findings
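As an added example that is not Strix's own code, the following Python script shows in miniature what the first two bullets above (and the "validates findings through real exploitation attempts" step in How does Strix work?) mean in practice: a source-pattern rule flags every query built with an f-string, while a dynamic check that actually sends a boolean-based injection payload and compares row counts against a baseline confirms only the handler that is really exploitable. The handler names, the regex rule and the SQLite sample data are constructed for this illustration and are not taken from Strix.

```python
"""Added example (not Strix's own code): exploit validation versus pattern matching.

Three hypothetical request handlers query an in-memory SQLite database. A
source-pattern rule (the kind of check a static analyser runs) flags two of
them because both build SQL with an f-string. A dynamic check that sends an
injection payload and compares behaviour against a baseline confirms only the
handler that is genuinely exploitable.
"""
import inspect
import re
import sqlite3

# Constructed sample data for the demo.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, email TEXT)")
DB.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")],
)


def lookup_unsafe(user_id: str) -> list:
    """Vulnerable: untrusted input is interpolated straight into the query."""
    sql = f"SELECT email FROM users WHERE id = {user_id}"
    return [row[0] for row in DB.execute(sql)]


def lookup_cast(user_id: str) -> list:
    """Looks identical to a grep, but int() rejects anything that is not a number,
    so the injection payload never reaches the SQL engine."""
    sql = f"SELECT email FROM users WHERE id = {int(user_id)}"
    return [row[0] for row in DB.execute(sql)]


def lookup_param(user_id: str) -> list:
    """Hardened form: parameterised query, no string building at all."""
    rows = DB.execute("SELECT email FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


# Pattern rule: an f-string that contains SELECT and an interpolation.
FSTRING_SQL = re.compile(r'f"\s*SELECT\b.*\{', re.IGNORECASE)


def static_flag(source: str) -> bool:
    """Static-analysis style check over source text; cannot tell whether
    the interpolated value is attacker-controlled or already sanitised."""
    return bool(FSTRING_SQL.search(source))


def validate_sqli(handler) -> bool:
    """Dynamic check: a boolean-based payload returns more rows than the
    baseline only if it actually reaches the SQL engine. An exception means
    the payload was rejected before execution, so the finding is not confirmed."""
    baseline = handler("1")
    try:
        tampered = handler("1 OR 1=1")
    except (ValueError, sqlite3.Error):
        return False
    return len(tampered) > len(baseline)


def triage() -> dict:
    """Run both checks on each handler.

    Returns {handler_name: (flagged_by_pattern, confirmed_by_exploit)}.
    """
    return {
        h.__name__: (static_flag(inspect.getsource(h)), validate_sqli(h))
        for h in (lookup_unsafe, lookup_cast, lookup_param)
    }


if __name__ == "__main__":
    for name, (flagged, confirmed) in triage().items():
        print(f"{name:15s} pattern-flagged={flagged!s:5s} exploit-confirmed={confirmed}")
```

Running the script shows lookup_unsafe flagged and confirmed, lookup_cast flagged but not confirmed (a pure pattern rule would have reported it as a false positive), and lookup_param neither flagged nor confirmed. The same idea scales to the other classes on this page: a finding is only reported once a concrete request changes the application's behaviour in the way the vulnerability predicts.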

Can Strix test APIs and microservices?

Yes! Strix has specialized tools for API testing including:

  • API endpoint discovery and mapping
  • Authentication bypass testing (JWT, API keys, OAuth)
  • Parameter tampering and mass assignment attacks
  • Rate limiting and DoS vulnerability detection
  • GraphQL schema introspection and query manipulation

What scanning modes are available?

Strix offers multiple scanning modes:

  • Quick: Fast focused scan ideal for CI/CD pipelines
  • Standard: Comprehensive scan with balanced depth and speed
  • Deep: In-depth analysis with maximum coverage
  • Diff: PR-specific scanning focused on changed files
  • Custom: User-defined scope and instructions