Xalgorix is an open-source, self-hosted AI penetration testing platform that employs an autonomous large language model (LLM) agent alongside an independent exploit verifier to deliver confirmed vulnerability findings. Unlike traditional scanners that often produce potential issues requiring manual verification, Xalgorix’s approach ensures that each identified vulnerability is re-exploited and validated before inclusion in reports, providing security teams with concrete proof-of-concept evidence.
Comprehensive 22-Phase Testing Methodology
Central to Xalgorix is its extensive 22-phase testing methodology, designed to emulate the workflow of experienced penetration testers. This structured approach allows security teams to conduct thorough assessments or focus on specific phases relevant to their objectives. The methodology encompasses:
- Phases 1–5: Reconnaissance, manual vulnerability discovery, directory and file enumeration, analysis of CORS and cookies, and evaluation of authentication and session mechanisms.
- Phases 6–12: Testing for various injection vulnerabilities, server-side request forgery (SSRF), insecure direct object references (IDOR) and broken access controls, API and GraphQL assessments, file upload vulnerabilities, deserialization and remote code execution (RCE), race conditions, and business logic flaws.
- Phases 13–19: Subdomain takeover, open redirect testing, email security evaluations, cloud and infrastructure assessments, WebSocket testing, content management system (CMS) specific tests, and broken link hijacking.
- Phases 20–22: Exploit verification, discovery of zero-day vulnerabilities, and comprehensive report generation.
Notably, Phase 20 focuses on exploit verification, ensuring that only vulnerabilities that can be independently reproduced are included in the final report, thereby reducing false positives and enhancing the reliability of findings.
Technical Architecture and Features
Developed using Go and TypeScript, Xalgorix is available as a self-contained binary or Docker image, incorporating a suite of offensive-security tools such as nmap, nuclei, httpx, subfinder, katana, ffuf, gobuster, sqlmap, and masscan. The platform supports integration with various LLM providers, including OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, and MiniMax, allowing organizations to utilize their preferred models while maintaining control over scan data and API keys within their infrastructure.
The local web-based dashboard, accessible on port 9137, offers real-time WebSocket telemetry, displaying tool executions, agent reasoning, and findings as scans progress. Beyond standard web application penetration testing, Xalgorix supports wildcard and multi-target scans for comprehensive attack surface mapping. Additionally, its source-code scanning mode enables direct auditing of code repositories without the need for deployment.
For pre-deployment assessments, the “provision” mode builds and runs applications locally before conducting penetration tests on the live instance, ensuring exploit-verified results even for code not yet deployed. Findings are compiled into branded PDF reports featuring CVSS scoring, proof-of-concept evidence, and remediation guidance. The platform also offers integrations with communication tools like Discord, Telegram, and AgentMail to facilitate continuous monitoring workflows.
As an open-source project available on GitHub, Xalgorix provides a robust and flexible solution for organizations seeking to enhance their security testing capabilities. Its comprehensive methodology and autonomous verification processes address common challenges in vulnerability assessment, offering a reliable tool for security professionals.
In the evolving landscape of cybersecurity, tools like Xalgorix represent a significant advancement by automating complex penetration testing tasks and reducing the burden of manual verification. By delivering validated findings, Xalgorix enables security teams to focus on remediation efforts, thereby improving overall security posture and response times.