VYPR
researchPublished Jul 10, 2026· 1 source

Xalgorix AI Platform Automates Penetration Testing with Exploit Verification

The new open-source Xalgorix platform uses an AI agent and an independent verifier to confirm vulnerabilities, offering a distinct approach to automated penetration testing.

Xalgorix has emerged as a novel open-source, self-hosted AI penetration testing platform designed to provide verified vulnerability findings rather than mere indicators. Unlike traditional scanners that often generate numerous false positives, Xalgorix employs an autonomous Large Language Model (LLM) agent coupled with an independent exploit verifier. This "detect, then prove" methodology ensures that every flagged vulnerability is independently re-exploited before being included in a report, thereby delivering actionable proof-of-concept evidence and reducing the triage burden on security teams.

The platform is engineered to tackle complex vulnerabilities that often elude signature-based scanners. It can reason through intricate authentication flows, business logic flaws, Insecure Direct Object References (IDOR), Broken Object Level Authorization (BOLA) issues, and chained exploits. This advanced capability stems from its comprehensive 22-phase testing methodology, which is structured to emulate the systematic approach of a skilled human penetration tester, progressing from initial reconnaissance through to detailed reporting.

The 22-phase methodology covers a broad spectrum of security testing. Phases 1-5 focus on reconnaissance, manual vulnerability discovery, directory and file enumeration, CORS and cookie analysis, and authentication/session testing. Phases 6-12 delve into injection testing, Server-Side Request Forgery (SSRF), IDOR and broken access control, API and GraphQL testing, file upload vulnerabilities, deserialization and Remote Code Execution (RCE), and race conditions/business logic flaws.

Further phases, 13-19, address subdomain takeover, open redirect testing, email security, cloud and infrastructure testing, WebSocket security, Content Management System (CMS)-specific testing, and broken link hijacking. Crucially, phases 20-22 are dedicated to exploit verification, novel vulnerability discovery, and final report generation. The dedicated exploit verification phase is pivotal, ensuring that only findings the verifier can independently reproduce are presented as confirmed, while others are flagged for manual review.

Xalgorix is built using Go and TypeScript and is distributed as a self-contained binary or Docker image. It bundles a comprehensive suite of offensive security tools, including nmap, nuclei, httpx, subfinder, katana, ffuf, gobuster, sqlmap, and masscan. A key feature is its support for bring-your-own-LLM models, allowing users to connect with providers such as OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, or MiniMax. This self-hosted approach ensures that sensitive scan data, API keys, and target information remain within the organization's own infrastructure.

Beyond standard web application penetration testing, Xalgorix offers advanced capabilities like wildcard and multi-target scans for red team attack-surface mapping. It also includes a source-code scanning mode that audits repositories directly, without requiring a deployed target. Its "provision" mode further enhances its utility by building and running an application locally before pentesting the live instance, enabling exploit-verified results even for code not yet deployed.

Findings are compiled into branded PDF reports that include CVSS scoring, proof-of-concept evidence, and remediation guidance. Optional integrations with Discord, Telegram, and AgentMail facilitate continuous monitoring workflows. The project's open-source availability on GitHub has garnered significant attention from the security community, particularly following demo showcases and a feature on Hacker News that highlighted its unique verification-first approach.

Xalgorix enters a growing landscape of AI-driven penetration testing tools. However, its strong emphasis on independent exploit verification, combined with a commitment to completely self-hosted and private operation, distinguishes it from both traditional open-source scanners and commercial Dynamic Application Security Testing (DAST) platforms, positioning it as a potentially significant advancement in automated security assessment.

Synthesized by Vypr AI