Xalgorix is an open-source, self-hosted AI penetration testing platform that uses an autonomous LLM agent paired with an independent exploit verifier to deliver proven, not just suspected, vulnerability findings.
Security teams can run the full sweep or select only the phases relevant to a specific engagement scope.
6–12 Injection testing, SSRF, IDOR and broken access control, API/GraphQL testing, file upload testing, deserialization and RCE, race conditions and business logic.
13–19 Subdomain takeover, open redirect testing, email security, cloud and infrastructure testing, WebSocket testing, CMS-specific testing, broken link hijacking.
Xalgorix AI Penetration Testing ToolBuilt in Go and TypeScript, Xalgorix ships as a self-contained binary or Docker image bundled with an extensive offensive-security toolset, including nmap, nuclei, httpx, subfinder, katana, ffuf, gobuster, sqlmap, and masscan.
Xalgorix is an open-source, self-hosted AI penetration testing platform that uses an autonomous LLM agent paired with an independent exploit verifier to deliver proven, not just suspected, vulnerability findings.
Most vulnerability scanners flag potential issues and leave security teams to sort real threats from false positives, but Xalgorix takes a different approach by having a separate verification layer re-exploit every candidate finding before it appears in a report.
This “detect, then prove” model means findings arrive with working proof-of-concept evidence rather than a triage backlog of maybes. The platform reasons through authentication flows, business logic flaws, IDOR/BOLA issues, and chained exploits that traditional signature-based scanners like Nuclei or OWASP ZAP typically miss.
The 22-Phase Testing Methodology
At the core of Xalgorix is a comprehensive 22-phase methodology that mirrors how a skilled human pentester would work through an engagement, moving from reconnaissance to final reporting. Security teams can run the full sweep or select only the phases relevant to a specific engagement scope.
Phase Range Focus Areas 1–5 Reconnaissance, manual vulnerability discovery, directory/file discovery, CORS and cookie analysis, authentication and session testing. 6–12 Injection testing, SSRF, IDOR and broken access control, API/GraphQL testing, file upload testing, deserialization and RCE, race conditions and business logic. 13–19 Subdomain takeover, open redirect testing, email security, cloud and infrastructure testing, WebSocket testing, CMS-specific testing, broken link hijacking. 20–22 Exploit verification, zero-day/novel vulnerability discovery, and final report generation.
Phase 20, dedicated exploit verification, is what separates confirmed findings from the report; anything the verifier cannot independently reproduce gets flagged for manual review rather than presented as confirmed.
Xalgorix AI Penetration Testing Tool
Built in Go and TypeScript, Xalgorix ships as a self-contained binary or Docker image bundled with an extensive offensive-security toolset, including nmap, nuclei, httpx, subfinder, katana, ffuf, gobuster, sqlmap, and masscan.
It supports a bring-your-own-LLM model, letting teams connect OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, or MiniMax so that no scan data, API keys, or target information ever leaves their own infrastructure.
A local Web UI dashboard on port 9137 provides live WebSocket telemetry of tool calls, agent reasoning, and findings as a scan progresses.
Beyond traditional web-application pentesting, Xalgorix supports wildcard and multi-target scans for red team attack-surface mapping, plus a source-code scanning mode that audits repositories directly without needing a deployed target.
Its “provision” mode goes further by building and running an application locally before pentesting the live instance, giving exploit-verified results even for code that hasn’t been deployed yet.
Findings are compiled into branded PDF reports with CVSS scoring, proof-of-concept evidence, and remediation guidance, with optional integrations for Discord, Telegram, and AgentMail for continuous monitoring workflows.
The project is fully open source and available on GitHub, drawing attention from the security community following demo showcases and a Hacker News feature highlighting its verification-first approach.
It joins a growing field of AI-driven pentesting agents, though its emphasis on independent exploit verification and completely self-hosted, private operation positions it distinctly against both open-source scanners and commercial DAST platforms.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide