Wink Pings

An Open-Source Tool That Lets AI Penetrate Your Apps Like a Hacker — And It’s Free

Strix, an open-source AI-powered penetration testing agent, has earned 35.5k stars on GitHub. It uses multiple specialized agents to mimic real hacking teams, capable not only of finding vulnerabilities but also providing working exploit code. It’s free, but don’t expect it to replace a professional formal audit.

A development team has open-sourced Strix, an AI agent that can run full penetration testing against your applications — and this is the AI actually "hacking" your system. It doesn’t just spit out a report full of vague potential issues; it delivers actual working exploit code for discovered vulnerabilities. It already has 35.5k stars on GitHub, a wildly impressive number in the security tool space, where most projects only get a few hundred stars.

Why does it work so well? It doesn’t task a single AI with handling every step of the process. Instead, Strix splits the work across multiple specialized agents, each tracking a different attack path at the same time — just as a real penetration testing team divides responsibilities.

What you get for free:

- The full toolkit used by professional penetration testers: HTTP proxy, browser exploitation, shell access, custom exploits, and information gathering

- Actually verified vulnerabilities, not a scary-looking list of unconfirmed guesses

- 35.5k+ stars, while most security tools struggle to even break 1,000

What it replaces (as a first-round check):

- No need to book a penetration testing firm and wait weeks for an open slot

- No need to pay a five-figure invoice just to get started

- No more guessing whether the "findings" from generic scanners are actual vulnerabilities

Setup instructions (requires Docker):

1. Install: `curl -sSL https://strix.ai/install | bash`

2. Configure your model: `export STRIX_LLM="openai/gpt-5.4"` and `export LLM_API_KEY="your-key"` (supports OpenAI, Anthropic, Google, and more)

3. Point it to your project: `strix --target ./your-app`

4. Results are saved automatically, and it remembers your configuration, so you won’t need to re-enter your API key next time
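The four steps above leave two things to a typo: the model variables and the target path. The following preflight script is an added example, not part of the Strix project or the original post; it assumes only the environment variable names and the `strix --target` flag exactly as listed above, and invents nothing else about the CLI. It refuses to build the scan command until the model variables are set and the target directory really exists, so a mistyped path does not silently scan the wrong tree.

```shell
#!/bin/sh
# Added example (not Strix's own code). Assumes the env var names STRIX_LLM and
# LLM_API_KEY and the `strix --target <dir>` form from the setup steps; the
# checks themselves are generic POSIX sh.

# Return 0 when both model variables from step 2 are set, otherwise report
# which one is missing on stderr and return 1. The key value is never printed.
check_model_env() {
    missing=0
    if [ -z "${STRIX_LLM:-}" ]; then
        echo 'STRIX_LLM is not set (step 2, e.g. export STRIX_LLM="openai/gpt-5.4")' >&2
        missing=1
    fi
    if [ -z "${LLM_API_KEY:-}" ]; then
        echo 'LLM_API_KEY is not set (step 2)' >&2
        missing=1
    fi
    return "$missing"
}

# Return 0 when the docker CLI is on PATH (the post says Docker is required).
check_docker() {
    command -v docker >/dev/null 2>&1
}

# Print the step-3 command for a target directory; refuse paths that do not
# exist so the scan cannot be pointed at nothing.
strix_cmd_for() {
    target=$1
    if [ ! -d "$target" ]; then
        echo "target directory '$target' does not exist" >&2
        return 1
    fi
    printf 'strix --target %s\n' "$target"
}

# Run all checks and print the command to execute; exit non-zero on any failure.
# Usage: sh preflight.sh ./your-app
main() {
    check_docker || { echo 'docker not found on PATH' >&2; return 1; }
    check_model_env || return 1
    strix_cmd_for "${1:-./your-app}"
}

# Only run main when executed directly, not when sourced for the checks.
case "$0" in
    *preflight.sh) main "$@" ;;
esac
```

Run it as `sh preflight.sh ./your-app`; it prints the exact command to execute once every prerequisite is satisfied, and nothing otherwise. Because the key is read from the environment and never echoed, the script is safe to leave in a repository alongside the app it checks.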

To be clear: this cannot replace a full professional audit before a formal production release. But as a free first check, it catches far more vulnerabilities than you would expect from a free tool.

The screenshot shows it running against a target called /acme-shop. It planned four attack surface agents, each of which verifies discoveries in real time. Confirmed vulnerabilities so far include: SQL injection in POST /api/login that allows authentication bypass (critical severity), IDOR in GET /api/user/:id that lets attackers read any user account by modifying the ID (high severity), and reflected XSS in GET /search?q= (currently being tested).

35.5k stars, licensed under Apache-2.0, 100% free and open-source.

![Strix running screenshot](https://wink.run/image?url=https%3A%2F%2Fpbs.twimg.com%2Fmedia%2FHMall7WWAAE0w6s%3Fformat%3Djpg%26name%3Dlarge)

Published: 2026-07-05 12:27