strix
usestrix
Framework of autonomous AI hacker agents for dynamic application security testing.
What is strix?
A framework of autonomous 'AI hacker' agents that test an application dynamically the way a pentester would. Each agent gets a full toolkit (HTTP proxy, Playwright browser, terminal, Python runtime, recon) and reports validated proof-of-concepts for issues like IDOR, SQL and command injection, SSRF, XSS, auth and JWT flaws, and business-logic bugs. It runs locally (Python 3.12+, a Docker sandbox, strix --target ...) and requires an external LLM key.
Pros & Cons
Pros
- Validates findings with real proof-of-concepts rather than signature matches, which the project claims cuts false positives (its own claim)
- Broad tool and vulnerability coverage out of the box, with multi-agent orchestration
- Apache-2.0, local execution, CI/CD integration and provider-agnostic LLM support
Cons
- PyPI marks it development status Alpha despite the 'v1.0' tag - treat production security gates with care
- 'AI hackers' and 'zero false positives' are project claims; autonomous offensive tools still need human validation, and you may only test systems you own or are authorized to test
- Agentic pentests burn a lot of tokens (running LLM cost, unquantified by the project) and require Docker
License
Apache-2.0 (OSI-open)
When it is interesting
Developers who want continuous, PoC-backed security testing they can self-host.
When it is too early
As an unattended production gate, given the alpha status.
Commercial alternative & related
- Commercial counterpart: Snyk
This repo featured in the 2026-06 edition of the Open-Source AI Radar.
UI-TARS-desktop
bytedance
Native desktop app for a GUI/computer-use agent powered by the open-weight UI-TARS model.
Page Agent
alibaba
In-page JavaScript GUI agent - control any webpage with natural language, no headless browser or extension.
Browser Harness
browser-use
Self-healing browser harness that lets LLMs drive a real browser via CDP.