Continuous Security On Every Deploy.

    Secure your entire stack with autonomous pentesting.
    Find and fix vulnerabilities 24/7.

    Used by security teams at

    AWS, PayPal, Uber, Cisco, Chegg, Fortinet

    Your full-stack security platform

    One platform to secure your code, APIs, web apps, infrastructure, and cloud.

    Pentest             Status      Issues      Date
    api.example.com     Completed   3 / 7 / 4   2h ago
    staging.app.io      Running     1 / 3 / 2   Now
    auth-service        Completed   2 / 5 / 8   1d ago
    payments-api        Completed   1 / 3       3d ago
    dashboard.app.io    Completed   1 / 2 / 5   5d ago

    APIs & Web Apps

    Full-coverage pentesting across REST, GraphQL, and web apps - with proof-of-exploit for every finding.

    strix-securitybot

    🔴 IDOR in invoice download endpoint

    Severity: HIGH · CWE-639

    The GET /api/invoices/:id/pdf handler fetches the invoice by id from the global scope without scoping it to req.org. Any authenticated user can download invoices belonging to other organizations.

    Suggested change

    Before:
        const inv = await Invoice.findById(id);

    After:
        const inv = await Invoice.findOne({ _id: id, org: req.org._id });

    Code & Pull Requests

    Analyze code and pull requests for security issues in your CI pipeline. Catch vulnerabilities at the source.

    Issue                         Severity   CVSS   Tested
    S3 bucket public access       Critical   9.8    1h ago
    IAM wildcard policy           Critical   9.1    3h ago
    SSH open to 0.0.0.0/0         High       8.1    1d ago
    RDS unencrypted at rest       Medium     5.3    2d ago
    CloudTrail logging disabled   Medium     4.7    3d ago

    Infrastructure & Cloud

    Find misconfigurations and exposures across cloud environments and infrastructure before attackers do.

    "Strix is a game-changer for our security toolbox. It's fast, easy to configure, and finds great stuff. Continuous external testing, year-round."
    Jim Hebert, Head of Application Security, Chegg, Inc.

    From issue to fix in seconds

    Find critical issues, auto-validate, and auto-fix with merge-ready PRs.

    Issues / STR-00847

    SSRF via URL Parameter in /api/proxy

    Open · High · 8.6 · CWE-918

    TL;DR

    The /api/proxy endpoint accepts a user-supplied URL without validation. An attacker can access internal services, read cloud metadata, and exfiltrate credentials.

    Impact

    Access to cloud metadata at 169.254.169.254, potential credential theft, and internal network scanning.

    Location

    acme/api · proxy-handler.ts:23
    GET /api/proxy?url=

    Severity

    High

    CVSS

    8.6

    Fix Effort

    Low

    Discovered

    2h ago

    Discover & Validate

    Pentests your entire attack surface continuously. Reproduces each finding, confirms exploitability with proof, and prioritizes by real impact.

    Fix | Reproduction

    How do I fix it?

    Validate and restrict the target URL using an allowlist of permitted hostnames. Reject private/internal IP ranges and enforce HTTPS-only.

    proxy-handler.ts:23-29

    Before:
        const targetUrl = req.query.url;
        const resp = await fetch(targetUrl);
        return res.json(await resp.json());

    After:
        const targetUrl = req.query.url;
        const parsed = new URL(targetUrl);
        if (!ALLOWED_HOSTS.has(parsed.hostname))
          throw new ForbiddenError("blocked");
        const resp = await fetch(parsed.href);
        return res.json(await resp.json());

    Fix verified — vulnerability no longer exploitable
    PR #247 fix/ssrf-proxy-handler ready to merge
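    The fix guidance above names three controls (hostname allowlist, rejection of private/internal IP ranges, HTTPS-only). The following is an added example, not Strix's or the acme/api project's code, of a target validator that applies all three before the proxy fetches anything; ALLOWED_HOSTS contents and the ForbiddenError class are assumptions for illustration.

```javascript
// Added example (not the page's or project's code): hardened validation
// for a user-supplied /api/proxy?url= target. ALLOWED_HOSTS values and
// ForbiddenError are assumptions chosen for illustration.
const ALLOWED_HOSTS = new Set(["api.partner.example", "cdn.example.com"]);

class ForbiddenError extends Error {}

// True for IP literals in loopback, link-local (including the
// 169.254.169.254 metadata endpoint), RFC 1918 and IPv6 unique-local /
// link-local / IPv4-mapped ranges. The WHATWG URL parser has already
// canonicalised shorthand forms such as "127.1" or "0x7f000001".
function isInternalAddress(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const [a, b] = v4.slice(1).map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (h.includes(":")) {
    return h === "::1" || h === "::" || /^f[cd]/.test(h) ||
      h.startsWith("fe80:") || h.startsWith("::ffff:");
  }
  return false;
}

// Validates the proxy target. Throws ForbiddenError on any policy
// violation and returns the parsed URL whose .href is safe to fetch.
// Note: this is a string-level check; a hostname that later resolves to
// an internal address must still be caught at connect time (e.g. by
// checking the resolved address in a custom DNS lookup hook).
function validateProxyTarget(rawUrl) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl));
  } catch {
    throw new ForbiddenError("malformed url");
  }
  if (parsed.protocol !== "https:") throw new ForbiddenError("https only");
  if (parsed.username || parsed.password) throw new ForbiddenError("credentials in url");
  if (isInternalAddress(parsed.hostname)) throw new ForbiddenError("internal address");
  if (!ALLOWED_HOSTS.has(parsed.hostname)) throw new ForbiddenError("host not allowed");
  return parsed;
}
```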

    Auto-Fix

    Generates a fix, retests to confirm the vulnerability is gone, and delivers a merge-ready PR. Review, merge, done.

    Deploy with confidence

    Ensure nothing vulnerable reaches production. Every vulnerability is discovered, validated, and resolved before it ships.

    Every PR reviewed

    Catches vulnerabilities at the source. Every pull request is reviewed before it can be merged.

    Blocks vulnerable deploys

    Plugs into your CI/CD pipeline. Vulnerable code never reaches production.

    Monitors your attack surface

    New CVEs tested against your systems. Latest threats flagged instantly.

    Runtime validation

    Each finding ships with a PoC and reproduction steps. Proven against your live environment.

    Context-aware pentesting

    Knows your stack, architecture, and business logic. Tests tailored to your environment.

    Continuous learning

    Learns from past findings and how you fixed them. Every pentest builds on the last.

    Ship fast without compromising security

    Everything you need to track your security posture, validate findings, and ship fixes — without slowing your team down.

    Real-time security posture

    Enterprise-grade security

    Built for teams that need full control over deployment, data privacy, and compliance.

    Self-Hosted Deployment

    Deploy in your own VPC, on-premise, or air-gapped environment with complete control over your infrastructure.

    Internal Infrastructure Pentesting

    Go beyond external attack surfaces. Test internal networks, services, and infrastructure from inside your environment.

    Zero Data Retention

    Your source code is never stored or used for model training. All model providers operate under zero data retention agreements.

    Dedicated Support & SLA

    Dedicated support, custom SLAs, priority Slack channel, and hands-on onboarding. SOC 2 Type II and ISO 27001 compliant.

    Start testing in minutes

    Connect your GitHub repos and domains, and get fully set up in a few clicks.