June 28, 2026 | Agents | Open Source | Tool

Strix: the AI hacker that ships you a fix PR

Strix is an open-source swarm of autonomous AI agents that attack your app like a real hacker. It spins up an HTTP proxy to mangle requests, drives a browser to probe for XSS and CSRF, opens terminal sessions to run commands, and writes custom exploits in Python. The part that matters: it doesn't dump a pile of maybe-bugs on you. Every finding gets validated with a real proof-of-concept first, and only then does it hand you a ready-to-merge fix PR. 26.6k stars, and it tore up GitHub trending again this week even though it first dropped back in November 2025.

Why it's catching fire now is the whole point. Most security scanners are static analyzers: they flood you with alerts that you then have to verify one by one. Strix runs your code dynamically, proves the vuln actually works before it says a word, and lives inside CI/CD so every PR gets the treatment. The architecture is a graph: it assigns specialized agents to different targets and runs them in parallel, and as one agent turns up a new lead the others re-route to chase it.

Say it plainly. This is the offensive-security version of the same thesis we keep watching land everywhere else. The agent doesn't advise you; it runs the entire find-prove-fix loop itself. And it pairs almost too neatly with the defensive wave we've been covering: Agent Browser Shield, NeuralTrust, ArgusRed. The attack surface and the attackers are both going autonomous at the same time, which is either reassuring or terrifying depending on which side of the PR you're on.

Link: github.com/usestrix/strix