Local-first application security tools for finding, triaging, and proving real vulnerabilities.
Nyx Sec builds developer-first security tools that run close to the code. The goal is simple: help teams find risky flows, verify what is exploitable, and keep the evidence local enough to be useful during development.
| Project | What it is | Status |
|---|---|---|
| Nyx | Open-source static security scanner with cross-file taint tracking, SARIF output, and a browser triage UI. | Public / GPL-3.0-or-later |
| Nyctos | Source-available local pentest product that uses Nyx, drives a dev app you control, verifies findings, and stores proof. | Public / pre-MVP |
| nyxscan.dev | Website and docs for the Nyx scanner. | Public |
Nyx finds suspicious source-to-sink flows in code and gives developers a local UI for triage.
Nyctos builds on that scanner output. It reads the repo, launches or attaches to a local target, explores routes and APIs, sends scoped probes, and only promotes findings when it can attach evidence.
In short:

- Nyx -> find possible vulnerability sources in code
- Nyctos -> verify them against a developer-controlled target and collect proof