Penetration Testing as a Service
Continuous, validated, and yours to run.
Traditional pentests describe a system that no longer exists by the time the report lands.
Strix runs penetration testing as a service — autonomous agents that test every deploy, prove what's exploitable, and ship the fix.
What is penetration testing?
A penetration test is an authorized, scoped simulated attack on your systems — run to find and prove exploitable vulnerabilities before real attackers do. Unlike a vulnerability scan, which catalogs known weaknesses against a signature database, a penetration test chains weaknesses together to demonstrate real-world impact: not "this admin panel exists," but "this admin panel plus a weak credential exposes the full database." Penetration testing as a service (PTaaS) delivers that testing continuously through a platform instead of as a once-a-year project, so coverage matches the pace you ship code.
The types of penetration testing
Pentests divide two ways — by how much the tester knows, and by which surface they target.
Black, white & gray box
Defined by tester knowledge: black box simulates an external attacker with zero information, white box has full source and architecture access, and gray box — the most commonly commissioned — sits in between.
Web application
Tests the app layer for the OWASP Top 10 — injection, broken authentication, and access-control flaws — using the OWASP Web Security Testing Guide.
API
Probes REST and GraphQL endpoints for the OWASP API Security Top 10: broken object-level authorization, excessive data exposure, and auth gaps.
Network & infrastructure
Internal and external network testing — PCI DSS Requirement 11.4 mandates both at least annually for in-scope environments.
Cloud
Tests cloud configuration, IAM, and workload exposure across AWS, GCP, and Azure environments.
Continuous (PTaaS)
Testing that runs on every deploy and pull request rather than once a year, closing the ~180-day gap between when a vulnerability ships and when it's found.
Penetration testing as a service, the Strix way
PTaaS reimagines the annual pentest for teams shipping weekly. Here is what continuous, autonomous testing delivers.
Continuous coverage
Autonomous agents test on every deploy and pull request, so new code is exploited and fixed before it ships — not once a year.
Validated with real PoCs
Every finding is exploited and proven, so your team triages confirmed risk instead of scanner noise.
Merge-ready fix PRs
Findings ship as a reproduction plus a ready-to-merge pull request — outcomes that land in the dev workflow, not a static PDF.
Full-stack coverage
Code, APIs, web apps, infrastructure, and cloud — all tested from one autonomous pentester.
Runs inside your perimeter
Open-source and self-hostable, fully air-gappable, and BYO-LLM — so source code, credentials, and findings never leave your network.
Free to start
Begin with the open-source core or a usage-based hosted plan, no credit card required — versus $25k–$96k/yr incumbents.
Traditional pentest vs penetration testing as a service
How a continuous, autonomous PTaaS model compares to the point-in-time consultant engagement.
| Capability | Strix PTaaS | Traditional pentest |
|---|---|---|
| Testing cadence | Continuous — every deploy and pull request | Point-in-time, usually once a year |
| Time to first result | Minutes | Weeks to schedule and deliver |
| Findings delivery | Live platform plus merge-ready fix PRs | Static PDF report at the end |
| Validated with proof-of-concepts | ✓ | ✓ |
| Auto-fix with merge-ready PRs | ✓ | — |
| Coverage between tests | Always-on | None until the next engagement |
| Surfaces covered | Code, APIs, web apps, infrastructure, and cloud | Scoped per engagement |
| Self-hostable or air-gapped | ✓ | — |
| Starting price | Free open-source core; usage-based hosted | ~$5,000–$30,000+ per engagement |
| Compliance evidence | Continuous across the audit period | Single point-in-time snapshot |
| Best for | Teams shipping continuously | One-off scoped or compliance-only needs |
From issue to fix in seconds
Find critical issues, auto-validate, and auto-fix with merge-ready PRs.
SSRF via URL Parameter in /api/proxy
TL;DR
The /api/proxy endpoint accepts a user-supplied URL without validation. An attacker can access internal services, read cloud metadata, and exfiltrate credentials.
Impact
Access to cloud metadata at 169.254.169.254 , potential credential theft, and internal network scanning.
Location: /api/proxy
Severity (CVSS): 8.6
Fix Effort: Low
Discovered: 2h ago
Discover & Validate
Pentests your entire attack surface continuously. Reproduces each finding, confirms exploitability with proof, and prioritizes by real impact.
How do I fix it?
Validate and restrict the target URL using an allowlist of permitted hostnames. Reject private/internal IP ranges and enforce HTTPS-only.
```diff
 const targetUrl = req.query.url;
-const resp = await fetch(targetUrl);
+const parsed = new URL(targetUrl);
+if (!ALLOWED_HOSTS.has(parsed.hostname))
+  throw new ForbiddenError("blocked");
+const resp = await fetch(parsed.href);
 return res.json(await resp.json());
```
Auto-Fix
Generates a fix, retests to confirm the vulnerability is gone, and delivers a merge-ready PR. Review, merge, done.
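The handler change shown under "How do I fix it?" carries only the hostname allowlist; the remediation text also calls for rejecting private/internal IP ranges and enforcing HTTPS. The block below is an added example written for this page, not Strix's code or output, that carries that description through as a complete validator for a Node.js proxy handler. The hostnames in ALLOWED_HOSTS and the names isBlockedAddress, validateTargetUrl and proxyFetch are assumptions for illustration; the ranges it rejects are the standard loopback, RFC 1918, link-local, carrier-grade NAT and IPv6 local ranges, which goes beyond the single metadata address the finding names.

```javascript
// Added example for this page, not Strix's code: the remediation described
// above (hostname allowlist, private/internal ranges rejected, HTTPS only)
// as a complete validator for a Node.js proxy handler. No external modules.

// Hypothetical allowlist of upstream hosts this proxy is permitted to reach.
const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]);

class ForbiddenError extends Error {
  constructor(message) {
    super(message);
    this.name = "ForbiddenError";
  }
}

// IPv4 ranges that must never be proxied to: "this network", loopback,
// RFC 1918 private space, link-local (which contains the 169.254.169.254
// cloud metadata endpoint), carrier-grade NAT, and limited broadcast.
function isBlockedIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127) ||
    ip === "255.255.255.255"
  );
}

// IPv6: unspecified, loopback, link-local (fe80::/10), unique local
// (fc00::/7), and IPv4-mapped addresses wrapping a blocked IPv4. The WHATWG
// URL parser serialises mapped addresses as hex groups (::ffff:7f00:1), so
// both that spelling and the dotted one are handled.
function isBlockedIPv6(ip) {
  const h = ip.toLowerCase();
  if (h === "::" || h === "::1") return true;
  if (/^fe[89ab][0-9a-f]:/.test(h) || /^f[cd][0-9a-f]{2}:/.test(h)) return true;
  const dotted = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedIPv4(dotted[1]);
  const hex = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// True when `address` (an IP literal, with or without IPv6 brackets) must not
// be connected to; false for anything that is not an IP literal. Apply it to
// the URL's hostname, and again to the address DNS resolves a name to.
function isBlockedAddress(address) {
  const ip = address.replace(/^\[|\]$/g, "");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return isBlockedIPv4(ip);
  if (ip.includes(":")) return isBlockedIPv6(ip);
  return false;
}

// Parses and checks a user-supplied URL; returns the URL or throws.
// Parsing first matters: the WHATWG parser canonicalises spellings such as
// a decimal IPv4 host (https://2130706433/ becomes 127.0.0.1).
function validateTargetUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    throw new ForbiddenError("malformed url");
  }
  if (parsed.protocol !== "https:") throw new ForbiddenError("https only");
  if (isBlockedAddress(parsed.hostname)) throw new ForbiddenError("internal address");
  if (!ALLOWED_HOSTS.has(parsed.hostname)) throw new ForbiddenError("blocked");
  return parsed;
}

// Handler-side wrapper: validate, then fetch without following redirects, so
// a 3xx from an allowed host cannot silently steer the request inward.
// `fetchImpl` is injectable so the logic can be exercised without a network.
async function proxyFetch(raw, fetchImpl = globalThis.fetch) {
  const target = validateTargetUrl(raw);
  return fetchImpl(target.href, { redirect: "manual" });
}
```

Two gaps the handler snippet alone leaves open are worth noting. An allowlisted hostname can still resolve to an internal address, so isBlockedAddress is also meant to be applied to the address dns.lookup returns, with the connection made to that pinned address rather than to the name. And a redirect from an allowed host can point inward, which is why proxyFetch passes redirect: "manual" and leaves the caller to decide what to do with a 3xx rather than letting fetch follow it.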
Frequently asked questions
Common questions about penetration testing and PTaaS.
What is penetration testing?
Penetration testing is an authorized, scoped simulated attack on your systems, run to find and prove exploitable vulnerabilities before real attackers do. Unlike a vulnerability scan that lists known weaknesses, a pentest chains them together to demonstrate real-world impact with reproduction steps.
What is penetration testing as a service (PTaaS)?
Penetration testing as a service (PTaaS) is a platform-delivered, continuous approach to pentesting. Instead of a once-a-year project, testing cadence matches how often you deploy, findings land in real time, and evidence is continuous across the full compliance period rather than a single snapshot.
How is penetration testing different from a vulnerability scan?
A vulnerability scan automatically catalogs known weaknesses against a signature database. A penetration test exploits and chains those weaknesses to prove real-world impact — for example, combining an exposed admin panel with a weak credential to demonstrate full database access.
How often should you run a penetration test?
Traditional programs test annually and after major changes. Continuous PTaaS tests on every deploy and pull request, closing the roughly 180-day gap between when a vulnerability ships and when an annual test would find it.
Does SOC 2 require penetration testing?
SOC 2 does not explicitly require a penetration test, but in practice most auditors expect one as evidence that security controls work (CC4.1, CC6.1, and CC7.1–7.4). Organizations are expected to cover external and internal networks, web apps, APIs, and cloud at least annually and after major changes.
How much does penetration testing cost?
Traditional consultant-led engagements commonly run from about $5,000 to $30,000 or more per test, with enterprise programs higher. Strix offers a free open-source core and usage-based hosted pricing, so most teams can start continuous testing at no upfront cost.
Keep exploring
AI penetration testing
How autonomous AI agents enumerate, chain, and exploit vulnerabilities continuously — and prove every finding with a working PoC.
Learn more →
Strix vs the field
Honest, sourced comparisons of Strix against XBOW, Cobalt, Aikido, NodeZero, and Pentera — and where each one wins.
Learn more →
Start testing in minutes
Connect your GitHub repos and domains, and get fully set up in a few clicks.