ShadowStrike is an advanced AI-powered security testing platform built on top of Strix. It combines autonomous AI hacking agents with static analysis, memory systems, exploit chaining, and professional reporting — all in one tool.
# Clone
git clone https://github.com/Hafiz380/shadowstrike.git
cd shadowstrike
# Install with advanced features
pip install -e ".[advanced]"
# Verify installation
strix-advanced infoShadowStrike includes everything from Strix plus these advanced capabilities:
- Auto-fix & reporting to accelerate remediation
- Application Security Testing - Detect and validate critical vulnerabilities in your applications
- Rapid Penetration Testing - Get penetration tests done in hours, not weeks, with compliance reports
- Bug Bounty Automation - Automate bug bounty research and generate PoCs for faster reporting
- CI/CD Integration - Run tests in CI/CD to block vulnerabilities before reaching production
Prerequisites:
- Docker (running)
- An LLM API key from any supported provider (OpenAI, Anthropic, Google, etc.)
# Install Strix
curl -sSL https://shadowstrike.dev/install | bash
# Configure your AI provider
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"
# Run your first security assessment
strix --target ./app-directoryNote
First run automatically pulls the sandbox Docker image. Results are saved to strix_runs/<run-name>
Try the Strix full-stack security platform at app.shadowstrike.dev - sign up for free, connect your repos and domains, and launch a pentest in minutes.
- Validated findings with PoCs and reproduction steps
- One-click autofix as ready-to-merge pull requests
- Continuous monitoring across code, cloud, and infrastructure
- Integrations with GitHub, Slack, Jira, Linear, and CI/CD pipelines
- Continuous learning that builds on past findings and remediations
Strix agents come equipped with a comprehensive security testing toolkit:
- Full HTTP Proxy - Full request/response manipulation and analysis
- Browser Automation - Multi-tab browser for testing of XSS, CSRF, auth flows
- Terminal Environments - Interactive shells for command execution and testing
- Python Runtime - Custom exploit development and validation
- Reconnaissance - Automated OSINT and attack surface mapping
- Code Analysis - Static and dynamic analysis capabilities
- Knowledge Management - Structured findings and attack documentation
Strix can identify and validate a wide range of security vulnerabilities:
- Access Control - IDOR, privilege escalation, auth bypass
- Injection Attacks - SQL, NoSQL, command injection
- Server-Side - SSRF, XXE, deserialization flaws
- Client-Side - XSS, prototype pollution, DOM vulnerabilities
- Business Logic - Race conditions, workflow manipulation
- Authentication - JWT vulnerabilities, session management
- Infrastructure - Misconfigurations, exposed services
Advanced multi-agent orchestration for comprehensive security testing:
- Distributed Workflows - Specialized agents for different attacks and assets
- Scalable Testing - Parallel execution for fast comprehensive coverage
- Dynamic Coordination - Agents collaborate and share discoveries
# Scan a local codebase
strix --target ./app-directory
# Security review of a GitHub repository
strix --target https://github.com/org/repo
# Black-box web application assessment
strix --target https://your-app.com# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"
# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com
# White-box source-aware scan (local repository)
strix --target ./app-directory --scan-mode standard
# Focused testing with custom instructions
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"
# Provide detailed instructions through file (e.g., rules of engagement, scope, exclusions)
strix --target api.your-app.com --instruction-file ./instruction.md
# Force PR diff-scope against a specific base branch
strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/mainRun Strix programmatically without interactive UI using the -n/--non-interactive flag-perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.
strix -n --target https://your-app.comStrix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:
name: strix-penetration-test
on:
pull_request:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Install Strix
run: curl -sSL https://shadowstrike.dev/install | bash
- name: Run Strix
env:
STRIX_LLM: ${{ secrets.STRIX_LLM }}
LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
run: strix -n -t ./ --scan-mode quickTip
In CI pull request runs, Strix automatically scopes quick reviews to changed files.
If diff-scope cannot resolve, ensure checkout uses full history (fetch-depth: 0) or pass
--diff-base explicitly.
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"
# Optional
export LLM_API_BASE="your-api-base-url" # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key" # for search capabilities
export STRIX_REASONING_EFFORT="high" # control thinking effort (default: high, quick scan: medium)Note
Strix automatically saves your configuration to ~/.strix/cli-config.json, so you don't have to re-enter it on every run.
Recommended models for best results:
- OpenAI GPT-5.4 -
openai/gpt-5.4 - Anthropic Claude Sonnet 4.6 -
anthropic/claude-sonnet-4-6 - Google Gemini 3 Pro Preview -
vertex_ai/gemini-3-pro-preview
See the LLM Providers documentation for all supported providers including Vertex AI, Bedrock, Azure, and local models.
Get the same Strix experience with enterprise-grade controls: SSO (SAML/OIDC), custom compliance reports, dedicated support & SLA, custom deployment options (VPC/self-hosted), BYOK model support, and tailored agents optimized for your environment. Learn more.
ShadowStrike combines capabilities from Strix, strix-advanced, and concepts from Shannon:
- CPG Builder — tree-sitter based Code Property Graph (6 languages: Python, JS, TS, Go, Java, PHP)
- Data Flow Analyzer — Source → Sink taint tracing
- Sanitizer Analyzer — LLM-guided sanitizer effectiveness validation
- 20+ vulnerability types with CWE/OWASP/CVSS mappings
- Scan Memory — Per-scan SQLite storage
- Global Memory — Cross-scan knowledge accumulation
- Dedup Engine — Finding deduplication across scans
- Skill Generator — Auto-generate skills from scan experience
- Exploit Chain Builder — Multi-vulnerability chaining (10 known patterns + novel discovery)
- Auth Automator — 2FA/TOTP/SSO/OAuth2/JWT handling
- Race Condition Detector — Concurrent request engine for TOCTOU bugs
- Logic Fuzzer — Business logic invariant testing
- WAF Bypass — 15+ evasion techniques for SQLi, XSS, SSRF, Path Traversal
- Recon Agent — Subdomain enum, DNS, tech fingerprinting, endpoint discovery
- Exploit Agent — SQLi, XSS, SSRF, RCE, SSTI, Path Traversal exploitation
- Analysis Agent — Static analysis integration
- Report Agent — Professional security reports with executive summary
- Coordinator Agent — Full scan orchestration pipeline
- 5 Vuln Classes in Parallel — Injection, XSS, Auth, Authorization, SSRF run concurrently
- Vuln→Exploit Pairs — Each class has sequential analysis→exploitation
- Static-Dynamic Correlation — Static findings fed to dynamic exploitation agents
- Workspace System — Checkpoint/resume interrupted scans (SQLite-backed)
- Deliverable System — Structured intermediate reports per pipeline phase
- Instinct-Based Learning — Auto-learn from scan sessions with confidence scoring (0.3–0.9)
- Memory Persistence — Cross-session context with bounded loading (prevents memory explosion)
- Skill Evolution — High-confidence instincts evolve into reusable skills
- Project-Scoped Learning — Separate project-specific and global instincts
- Bounty-Focused Scanning — Only reports findings that bounty platforms accept
- Skip Patterns — Filters out local-only, CLI-only, and header-only issues
- PoC Suggestions — Each finding includes suggested exploit approach
- Priority Ranking — Critical/High/Medium/Low based on bounty-worthiness
- 5 Quality Gates — Finding Validation, Exploit Verification, Dedup, Confidence, Report Quality
- Auto-Dedup — Fingerprint-based duplicate detection
- Confidence Scoring — Rates findings by evidence strength
- Python — Django, FastAPI, Flask patterns
- JavaScript/TypeScript — React, Next.js, Express patterns
- Java — Spring Boot, JPA patterns
- Go, PHP, Rust, Ruby — Language-specific security patterns
- Common Rules — Secrets management, input validation, auth, error handling
- API Discovery — Swagger/OpenAPI parsing, GraphQL introspection, brute-force, JS extraction
- Supply Chain — npm/pip/go/cargo dependency scanning, typosquat detection
- Infrastructure — DNS, SSL/TLS, security headers, CORS, cookies, cloud storage
- Custom Rules — 15+ built-in rules, YAML/JSON rule loading, directory scanning
# Install with advanced dependencies
pip install shadowstrike[advanced]
# Full security scan
strix-advanced scan https://target.com
# Code-only scan (white-box)
strix-advanced scan https://target.com --code ./src --type code
# Quick scan
strix-advanced scan https://target.com --type quick --depth quick
# Static analysis only
strix-advanced analyze ./src
# Reconnaissance only
strix-advanced recon https://target.com --depth deep
# Custom rules
strix-advanced rules list
strix-advanced rules scan ./code
strix-advanced rules export --output rules.yaml
# System info
strix-advanced info
# Parallel vulnerability pipeline (Shannon-inspired)
strix-advanced pipeline https://target.com
strix-advanced pipeline https://target.com --classes injection xss ssrf
strix-advanced pipeline https://target.com --code ./src --workspace my-audit
strix-advanced pipeline https://target.com --no-exploit
# Workspace management
strix-advanced workspace list
strix-advanced workspace resume my-audit
strix-advanced workspace delete my-audit
# Bounty-focused vulnerability scan
strix-advanced bounty ./src
strix-advanced bounty ./src --output bounty_report.md| Vuln Type | CWE | OWASP |
|---|---|---|
| SQL Injection | CWE-89 | A03 |
| XSS | CWE-79 | A03 |
| RCE | CWE-78 | A03 |
| SSTI | CWE-1336 | A03 |
| SSRF | CWE-918 | A10 |
| Path Traversal | CWE-22 | A01 |
| IDOR | CWE-639 | A01 |
| CSRF | CWE-352 | A01 |
| XXE | CWE-611 | A05 |
| Deserialization | CWE-502 | A08 |
| Open Redirect | CWE-601 | - |
| NoSQL Injection | CWE-943 | A03 |
| Auth Bypass | CWE-287 | A07 |
| Race Condition | CWE-362 | A04 |
Full documentation is available at docs.shadowstrike.dev - including detailed guides for usage, CI/CD integrations, skills, and advanced configuration.
We welcome contributions of code, docs, and new skills - check out our Contributing Guide to get started or open a pull request/issue.
Have questions? Found a bug? Want to contribute? Join our Discord!
Love Strix? Give us a ⭐ on GitHub!
Strix builds on the incredible work of open-source projects like LiteLLM, Caido, Nuclei, Playwright, and Textual. Huge thanks to their maintainers!
Warning
Only test apps you own or have permission to test. You are responsible for using Strix ethically and legally.