Open Source · v3 · MIT License

Xalgorix

The most powerful open-source AI autonomous pentesting agent.

85+ Security Tools
Multi-LLM Support
100% Free
xalgorix — terminal

$ xalgorix --web
[✓] LLM connected: openai/gpt-5.4
[✓] 85 tools loaded
[✓] Web UI running on :1337
[→] Dashboard: http://localhost:1337

$ Scanning target.com...
[VULN] Critical SQL Injection found
[VULN] High IDOR on /api/users/{id}
[✓] PDF report generated ✓

85+ Security Tools
20-Phase Methodology
7+ LLM Providers
Free Forever

Everything You Need for Autonomous Pentesting

Give it a target URL, and Xalgorix will find vulnerabilities, generate a professional PDF report, and send Discord alerts — all automatically.

🤖

Autonomous Agent

LLM-driven pentesting with a comprehensive 20-phase methodology. No human intervention needed — set a target and watch it work.

🌐

Web UI Dashboard

Dark mode dashboard with live real-time feed, chat with the agent during scans, and complete token tracking. Works on mobile.

🧠

Multi-LLM Support

Works with OpenAI, Anthropic, DeepSeek, Google, Groq, Ollama, MiniMax — or any custom provider. Your choice, your keys.

📊

PDF Reports

Professional pentest reports auto-generated with cover page, executive summary, CVSS scoring, PoC, and remediation steps.

🔔

Discord Alerts

Get notified instantly on scan start, vulnerability discovery, and completion. Never miss a critical finding.

🔧

Auto-Install Tools

85+ tool-to-package mappings across Go, APT, PIP, Cargo, Gem, and NPM. Missing a tool? Xalgorix installs it automatically.

🛡️

Safety First

Blocks destructive commands, detects encoding bypass attempts (Base64, hex, URL), and rate limits to protect your IP.
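
The Safety First card names three encodings a command guard has to see through. The Go example below is added here and is not Xalgorix's code; the denylist patterns, the `Inspect` function and the sample command are constructed for illustration. It decodes Base64, hex and URL-encoded tokens, to a bounded depth, before matching destructive patterns.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
)

// Constructed denylist for illustration; a production guard needs many more patterns.
var destructive = []*regexp.Regexp{
	regexp.MustCompile(`\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+/`), // recursive delete of an absolute path
	regexp.MustCompile(`\bdd\s.*\bof=/dev/`),               // raw write to a device node
}

var text = regexp.MustCompile(`^[\x20-\x7e]+$`) // printable ASCII only; drops accidental decodes
func unescape(s string) ([]byte, error) { u, err := url.QueryUnescape(s); return []byte(u), err }

// layers pairs a finder for candidate tokens with the decoder for that encoding.
var layers = []struct {
	find   *regexp.Regexp
	decode func(string) ([]byte, error)
}{
	{regexp.MustCompile(`[A-Za-z0-9+/]{8,}={0,2}`), base64.StdEncoding.DecodeString},
	{regexp.MustCompile(`\b(?:[0-9a-fA-F]{2}){4,}\b`), hex.DecodeString},
	{regexp.MustCompile(`(?s)^.*%[0-9a-fA-F]{2}.*$`), unescape},
}

// Inspect returns why cmd is blocked, or "" if it is allowed; depth bounds nested decoding.
func Inspect(cmd string, depth int) string {
	for _, re := range destructive {
		if re.MatchString(cmd) {
			return "destructive pattern " + re.String()
		}
	}
	for _, l := range layers {
		for _, tok := range l.find.FindAllString(cmd, -1) {
			if b, err := l.decode(tok); depth > 0 && err == nil && text.Match(b) {
				if why := Inspect(string(b), depth-1); why != "" {
					return "encoded payload -> " + why
				}
			}
		}
	}
	return ""
}

func main() { fmt.Println(Inspect("echo cm0gLXJmIC8= | base64 -d | sh", 3)) } // constructed sample
```

A depth of 1 misses a payload that is Base64-encoded twice, so the bound trades coverage against decoding cost.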

🔌

Circuit Breaker

Auto-blocks failing tools after 5 consecutive failures for 60 seconds. Prevents wasting time on broken integrations.
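
The behaviour described in the Circuit Breaker card, as an added Go example that is not taken from Xalgorix's source. The `Breaker` type, its `Run` method and the injectable clock are assumptions; only the thresholds (5 consecutive failures, 60 seconds) come from the page.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Thresholds as stated on the page: 5 consecutive failures, 60-second block.
const maxFailures, coolDown = 5, 60 * time.Second
var ErrOpen = errors.New("circuit open: tool temporarily blocked")

// Breaker tracks each tool by name; now is injectable so the cool-down can be tested.
type Breaker struct {
	mu    sync.Mutex
	fails map[string]int       // current consecutive-failure streak
	until map[string]time.Time // end of the block; zero value means not blocked
	now   func() time.Time
}

func NewBreaker(now func() time.Time) *Breaker {
	return &Breaker{fails: map[string]int{}, until: map[string]time.Time{}, now: now}
}

// Run executes fn unless tool is blocked; a success resets the streak.
func (b *Breaker) Run(tool string, fn func() error) error {
	b.mu.Lock()
	blocked := b.now().Before(b.until[tool])
	b.mu.Unlock()
	if blocked {
		return ErrOpen
	}
	err := fn() // the tool itself runs outside the lock
	b.mu.Lock()
	defer b.mu.Unlock()
	if err == nil {
		b.fails[tool] = 0
	} else if b.fails[tool]++; b.fails[tool] >= maxFailures {
		b.fails[tool], b.until[tool] = 0, b.now().Add(coolDown) // trip, restart the streak
	}
	return err
}

func main() {
	b := NewBreaker(time.Now)
	for i := 1; i <= 6; i++ { // constructed run: a tool that always fails
		fmt.Println(i, b.Run("nuclei", func() error { return errors.New("exit status 1") }))
	}
}
```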

💬

Chat During Scan

Send messages to the agent while a scan is running. Guide it, ask questions, or redirect focus in real-time.

💾

Scan Persistence

Resume interrupted scans after restart. Multi-target queue system processes targets sequentially with full state recovery.

🔍

Built-in Research

CVE search via NIST NVD, exploit search via Exploit-DB, web search via Gemini/Brave/Google. All integrated natively.

📧

AgentMail

Built-in email system for sign-up verification and OTP retrieval. Test authenticated flows without manual intervention.


Three Ways to Attack

From single targets to full wildcard subdomain enumeration — choose the depth that fits your mission.

single_scan.sh

⚡ Single Scan

Target a single URL or IP
Full vulnerability testing
20-phase methodology
Auto PDF report generation
Best for: Quick assessments

dast_scan.sh

🔍 DAST Scan

Deep URL vulnerability testing
Crawl → Param Discovery
Nuclei on all discovered URLs
Manual exploitation phase
Best for: Web app pentesting

wildcard_scan.sh

🌐 Wildcard Scan

Passive + active subdomain enum
DNS resolution on all subdomains
Each subdomain gets full scan
DAST-level testing per target
Best for: Bug bounty programs

20-Phase Attack Methodology

A comprehensive, systematic approach to penetration testing — from reconnaissance to reporting.

01 🔍 Recon
02 🦠 Vuln Scan
03 📂 Content
04 🔐 SSL/TLS
05 🔑 Auth
06 💉 Injection
07 🔄 SSRF
08 🚪 IDOR
09 🌐 API
10 📤 Upload
11 ⚙️ RCE
12 ⏱️ Race
13 🌟 Takeover
14 📧 Email
15 ☁️ Cloud
16 🔌 WebSocket
17 🏗️ CMS
18 🔗 Links
19 📦 Supply Chain
20 📝 Report

Works With Any LLM

Bring your own API key. Xalgorix supports 7+ providers out of the box — or connect any custom endpoint.

OpenAI
Anthropic
DeepSeek
Google Gemini
Groq
Ollama (Local)
MiniMax
Custom Endpoint

How Xalgorix Stacks Up

A comprehensive feature-by-feature comparison with every major open-source alternative.

Feature Xalgorix Shannon Strix PentestGPT HexStrike PentAGI Nebula
Self-Hosted ⚠ SaaS
Web UI Dashboard
Live Real-Time Feed ⚠ Term
Chat During Scan
PDF Reports (Auto) ⚠ Manual
Discord Alerts
Auto-Install Tools ✓ 85+ ⚠ Docker ⚠ Docker ⚠ MCP ⚠ Docker ⚠ CLI
Rate Limiting
Multi-Target Queue
Circuit Breaker
DAST Mode
Wildcard Scan ⚠ Manual ⚠ Manual
CVE Search Built-in
Browser Automation

Up and Running in 3 Steps

From zero to scanning in under 2 minutes. Xalgorix handles the rest.

01 Install

One command to install via Go — or build from source.

# Install via Go (recommended)
GOPROXY=direct go install -v \
  github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest

02 Configure

Set your LLM provider and API key.

# ~/.xalgorix.env
XALGORIX_LLM=openai/gpt-5.4
XALGORIX_API_KEY=sk-your-key

03 Run

Launch the Web UI or scan directly from CLI.

# Launch Web UI
xalgorix --web

# Or scan directly
xalgorix --target https://example.com

See It In Action

A real-time dashboard that puts you in control — dark mode, live feed, and full scan visibility.

[Screenshot: Web UI Dashboard]
[Screenshot: Live Feed & Vulnerabilities]
[Screenshot: Vulnerability Details]

Ready to Hack?

Deploy Xalgorix on your machine and let AI do the pentesting. Open source. Free forever. No limits.