xalgorix by xalgord

AI-driven platform for automated penetration testing

Created 2 months ago
449 stars

Top 66.3% on SourcePulse

Project Summary

Xalgorix is an open-source, self-hosted AI-powered platform designed for autonomous web application security testing. It targets penetration testers and bug bounty hunters, offering a streamlined workflow from scan initiation to branded report generation. The primary benefit is automating complex security assessments with live feedback and detailed, actionable findings.

How It Works

Xalgorix uses an LLM-driven agent that orchestrates a 22-phase security testing methodology. It combines browser automation, terminal tooling, and live WebSocket telemetry to perform dynamic application security testing (DAST). Findings management and branded PDF report generation are built in, so the whole assessment runs as one automated pipeline that is intended to deliver detailed, actionable results with less manual effort.

Quick Start & Requirements

  • Installation: Build from source using make build and sudo install, or install via Go: go install github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest.
  • Prerequisites: Linux, Go 1.24.2+, Node.js, and npm. Common security tools are installed on demand if auto-install is enabled.
  • Configuration: Environment variables are loaded from /etc/xalgorix.env or ~/.xalgorix.env. Minimum required variables are XALGORIX_LLM and XALGORIX_API_KEY.
  • Running: Start the Web UI with xalgorix --web (defaults to http://127.0.0.1:9137).
  • Documentation: docs.xalgorix.com

Highlighted Details

  • Features a comprehensive 22-phase testing methodology, allowing for focused or exhaustive security assessments.
  • Generates branded PDF reports, incorporating target-specific details and uploaded company logos for professional deliverables.
  • Provides live telemetry via WebSocket, offering real-time visibility into agent actions, tool calls, and LLM interactions during scans.
  • Integrates with AgentMail for email verification flows and Discord webhooks for configurable notifications, enhancing workflow automation.
  • Offers a local Web UI for scan management, configuration, and findings review, accessible at 127.0.0.1:9137 by default.

Maintenance & Community

The project is hosted on GitHub with an issues tracker available for bug reports and feature requests. Support and contributions are encouraged via a "Buy Me a Coffee" link.

Licensing & Compatibility

Xalgorix is released under the MIT License. This license permits commercial use and integration into closed-source projects without copyleft restrictions.

Limitations & Caveats

Usage is restricted to authorized targets; explicit permission is required before testing third-party systems. The Web UI binds to 127.0.0.1 by default, and exposing the dashboard beyond localhost requires authentication in front of it. Auto-installation of dependencies is disabled by default for non-root users, and enabling it means tools are fetched and installed on demand, so the trust level of the execution environment should be considered first.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 39
  • Issues (30d): 9
  • Star History: 392 stars in the last 30 days

Starred by Dan Guido (Cofounder of Trail of Bits), Chip Huyen (Author of "AI Engineering" and "Designing Machine Learning Systems"), and 1 more.
