Strix: continuous agent pentesting
An open‑source framework called Strix now runs AI agents for continuous penetration testing, chaining discovered vulnerabilities into fixes and integrating with CI/CD to automate security checks. The project claims it can replicate services that would normally cost tens of thousands of dollars, making automated security testing more accessible for engineering teams. (x.com)
Penetration testing usually means hiring humans to probe an app for weaknesses. Strix is an open-source project that says software agents can now do that work continuously inside a development pipeline. (github.com) The code repository shows Strix with 23,600 GitHub stars and 350 commits as of April 15, 2026, and its Python package, `strix-agent`, was updated to version 0.8.3 on March 22, 2026. (github.com) (pypi.org)

Strix says its agents run code dynamically, test live behavior, and validate findings with proof-of-concept exploits instead of only flagging suspicious patterns in source code. Its documentation lists browser automation, an HTTP proxy, terminal access, Python runtime tools, and code analysis among the built-in testing tools. (docs.strix.ai 1) (docs.strix.ai 2) That puts Strix in the gap between static analyzers, which often return false positives, and manual pentests, which are slower and usually bought as one-off engagements. Strix’s own docs pitch “quick” and “deep” scan modes and say rapid tests can run in hours rather than weeks. (docs.strix.ai) (freecodecamp.org)

The newer piece is automation around code changes. Strix added GitHub Actions and general CI/CD support, with documentation saying pull request scans can scope themselves to changed files and return exit code 2 when vulnerabilities are found. (docs.strix.ai 1) (docs.strix.ai 2) The company site says the hosted platform can generate fix pull requests after reproducing and retesting a bug, and the open-source package description also advertises “auto-fix” and reporting. That moves the product from finding bugs to proposing code changes a team can review and merge. (strix.ai) (pypi.org)

Strix requires Docker and an API key for a supported large language model provider such as OpenAI, Anthropic, Google, Amazon Web Services Bedrock, Azure OpenAI, or local models. The docs show installs through a shell script and headless runs for Jenkins, GitLab CI, CircleCI, and GitHub Actions. (pypi.org) (docs.strix.ai 1) (docs.strix.ai 2) The project also ships with a warning: only test applications you own or have explicit permission to test. That matters because the same features that help a security team simulate an attacker could be misused outside an authorized environment. (docs.strix.ai) (github.com)

Strix is no longer only an open-source command-line tool. The company sells a hosted platform with code, API, cloud, and infrastructure testing, and its public pricing page lists a Pro plan at $29 per seat per month plus $49 per domain, with Enterprise pricing for private deployments. (strix.ai) (strix.ai)

So the story is less about one more scanner and more about where security testing is moving: from periodic audits to every pull request, from “possible issue” reports to reproduced exploits, and from separate security work to checks that sit next to build and deploy jobs. Strix’s pitch is that those steps can now be packaged as software teams run every day. (docs.strix.ai) (docs.strix.ai)
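The exit-code contract described above (0 for a clean run, 2 when vulnerabilities are found) is the seam a pipeline hooks into. As an added example that is not Strix’s own code, the POSIX shell gate below wraps a hypothetical scanner command, narrows the run to changed source files, and refuses to treat a tool crash as a clean result; `fake_scanner` is a constructed stand-in for the real command, and the scoped file extensions are an assumption.

```shell
#!/bin/sh
# Added example, not Strix's own code. Only the exit-code contract comes
# from the docs (2 = vulnerabilities found); the scanner command, its
# arguments and the file list are stand-ins for illustration.

# Translate a scanner's exit status into a CI verdict. Anything that is
# neither 0 nor 2 is a tool failure (crash, missing API key, Docker down)
# and must never be mistaken for a clean result.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        2) echo vulnerable ;;
        *) echo error ;;
    esac
}

# True when the merge should be blocked: findings and tool errors both
# block, but the verdict string keeps them distinguishable in the job log.
should_block() {
    [ "$(scan_verdict "$1")" != clean ]
}

# Narrow a changed-file list (the format `git diff --name-only` prints, read
# from stdin) to source files a PR-scoped scan should cover. The extension
# list is an assumption; `|| true` keeps an empty match from aborting.
scan_scope() {
    grep -E '\.(py|js|ts|go|java|rb|php)$' || true
}

# Constructed stand-in for the scanner: exit 2 if any in-scope path
# mentions "upload", else exit 0. A real run would invoke the tool here.
fake_scanner() {
    for f in "$@"; do
        case "$f" in *upload*) return 2 ;; esac
    done
    return 0
}

# The gate: $1 is the scanner command, stdin is the changed-file list.
# Prints the verdict; returns 1 when the pipeline should stop.
pr_gate() {
    scope=$(scan_scope)
    if [ -z "$scope" ]; then
        echo clean          # nothing in scope, nothing to scan
        return 0
    fi
    rc=0
    "$1" $scope || rc=$?    # capture exit 2 without tripping `set -e`
    scan_verdict "$rc"
    if should_block "$rc"; then return 1; fi
}
```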