VYPR research · Published May 27, 2026 · 1 source

Vigolium: Open-source vulnerability scanner combines deterministic scanning with AI-driven auditing

Vigolium, a new open-source vulnerability scanner that merges deterministic scanning with AI-driven auditing, has been released with over 235 scanner modules and an autonomous agent runtime.

Vigolium, an open-source vulnerability scanner that combines deterministic scanning with AI-driven auditing, published its initial open-source release this month. The project ships 235+ scanner modules and an in-process agent runtime called olium that handles autonomous endpoint discovery, attack planning, and finding triage. The tool exposes two scanning paths: `vigolium scan` runs a multi-phase deterministic pipeline covering content discovery, browser-based spidering, and active and passive auditing, while `vigolium agent` hands control to an LLM-driven harness that selects and executes modules autonomously.

The deterministic pipeline in Vigolium is designed for thorough, repeatable assessments. It includes content discovery to map application endpoints, browser-based spidering to crawl JavaScript-heavy single-page applications, and both active and passive auditing to identify vulnerabilities such as SQL injection, cross-site scripting (XSS), and misconfigurations. This mode is ideal for penetration testers who need consistent results without the variability of AI-driven approaches.

The agent mode, powered by an LLM harness, automates more of the assessment workflow. The olium runtime autonomously discovers endpoints, plans attack sequences, and triages findings, adapting its approach based on the target's responses. This AI-driven capability can accelerate testing by handling routine tasks and identifying complex attack chains that might be missed in deterministic scans. However, the tool's documentation notes that AI-driven results may vary between runs and should be validated manually.

Vigolium is positioned as a defensive security tool for penetration testers and security teams, offering a flexible alternative to commercial scanners. Its open-source nature allows for community contributions and customization, and the project is hosted on GitHub under a permissive license. The initial release includes comprehensive documentation and examples to help users get started quickly.

The release of Vigolium reflects a broader trend in cybersecurity toward integrating AI into security tools. By combining deterministic and AI-driven approaches, the scanner aims to provide both reliability and adaptability, addressing the growing complexity of modern web applications and APIs. As AI-driven security tools become more prevalent, Vigolium's hybrid model could serve as a template for future vulnerability assessment platforms.

Security teams evaluating Vigolium should consider its dual-mode architecture for different use cases: deterministic scanning for compliance and repeatable audits, and agent mode for exploratory testing and red team exercises. The tool's open-source license also enables integration into custom pipelines and CI/CD workflows, making it a versatile addition to the security toolkit.

As with any security tool, users should verify findings manually and ensure that scanning activities are authorized. Vigolium's developers emphasize that the tool is intended for defensive purposes and should be used responsibly. The project's GitHub repository includes a responsible disclosure policy and guidelines for contributing.

Synthesized by Vypr AI