Overview
- OS: Windows
- Tool: Strix (open‑source AI hacker)
- LLM Provider: Google Vertex AI
- Model: vertex_ai/gemini-2.5-pro
- Authentication: Google Cloud Application Default Credentials
- Target Application: Dummy web application
Prerequisites
Ensure the following are installed and running:
- Python
- Docker
- Google Cloud SDK
- LLM Provider Access
Authentication Notes
- No API key required
- Authentication handled via Google Cloud Application Default Credentials
Step 1: Install Strix
Since this setup uses Gemini models via Vertex AI, install Strix with Vertex support:
pipx install "strix-agent[vertex]"
If you plan to use OpenAI or Claude instead, install Strix without extras:
pipx install strix-agent
Step 2: Create or Select a Google Cloud Project
Vertex AI requires a Google Cloud project.
Option A: Use an Existing Project
If you already have projects in GCP:
gcloud projects list
Select one from the list.
Option B: Create a New Project (Recommended)
gcloud projects create my-strix-project
gcloud config set project my-strix-project
Step 3: Enable Vertex AI
Enable the Vertex AI API for the selected project:
gcloud services enable aiplatform.googleapis.com
Alternatively, enable it through the Google Cloud Console:
https://console.developers.google.com/apis/api/aiplatform.googleapis.com/overview?project=<your_project>
Enable Billing
Vertex AI requires billing to be enabled for the project:
https://console.developers.google.com/billing/enable?project=<yourproject>
Step 4: Configure Environment Variables
Set the required environment variables in Command Prompt (cmd.exe):
set STRIX_LLM=vertex_ai/gemini-2.5-pro
set VERTEXAI_PROJECT=my-strix-project
set VERTEXAI_LOCATION=us-central1
Step 5: Authenticate with Google Cloud
Authenticate using Application Default Credentials:
gcloud auth application-default login
This allows Strix to securely access Vertex AI without storing API keys.
Running Strix Against the Target Application
Run with Inline Instructions
strix --target https://dummy-app.example.com --instruction "perform authenticated testing using credentials: username:password"
Run with an Instruction File
strix --target https://dummy-app.example.com --instruction-file ./instructions_pentest.md
Sample Penetration Testing Instructions File
Below is a sample instructions_pentest.md file:
# Penetration Test Instructions
## Credentials
- Admin: admin_user / StrongPassword@123
## Focus Areas
1. Injection Attacks – SQL, NoSQL, command injection
2. Server-Side Issues – SSRF, XXE, deserialization flaws
3. Infrastructure – Misconfigurations, exposed services
4. Client-Side – XSS, prototype pollution, DOM vulnerabilities
## In Scope
/app-audit
/admin-console
/vendor-dashboard
## Out of Scope
- Third-party integrations
Why Gemini 2.5 Pro for Security Scanning?
- ✅ Latest stable Pro‑grade Gemini model
- ✅ Deep reasoning and long‑context understanding
- ✅ Strong performance in code analysis and vulnerability discovery
- ✅ Ideal for security scanning where quality matters more than speed
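The In Scope list in the sample instructions file can also be checked independently of the agent. The sketch below is an added example, not part of Strix or the original post: it assumes you have the URLs a scan requested (for instance from a proxy or access log; the sample list here is constructed) and flags any that fall outside the target host or the listed path prefixes. The function names are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample: the scope sections of the instructions file shown above.
INSTRUCTIONS = """\
## In Scope
/app-audit
/admin-console
/vendor-dashboard
## Out of Scope
- Third-party integrations
"""

def in_scope_paths(markdown):
    """Return the path prefixes listed under the '## In Scope' heading."""
    paths, active = [], False
    for line in markdown.splitlines():
        line = line.strip()
        if line.startswith("## "):
            active = line[3:].strip().lower() == "in scope"
        elif active and line.lstrip("-* ").startswith("/"):
            paths.append(line.lstrip("-* ").rstrip("/"))
    return paths

def is_in_scope(url, target_host, prefixes):
    """True only if the URL is on the target host and under an in-scope prefix."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != target_host.lower():
        return False
    # Collapse "." and ".." so /app-audit/../x is judged by where it resolves.
    path = posixpath.normpath(parts.path or "/")
    # Match whole path segments so /app-auditor does not pass as /app-audit.
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def out_of_scope(urls, target_host, markdown):
    """Return the requested URLs that fall outside the declared scope."""
    prefixes = in_scope_paths(markdown)
    return [u for u in urls if not is_in_scope(u, target_host, prefixes)]

# Constructed sample of URLs taken from a proxy or access log of a scan.
SAMPLE_URLS = [
    "https://dummy-app.example.com/app-audit/reports?id=1",
    "https://dummy-app.example.com/admin-console",
    "https://dummy-app.example.com/app-auditor/export",
    "https://dummy-app.example.com/app-audit/../billing",
    "https://cdn.thirdparty.example/lib.js",
]
```

Calling `out_of_scope(SAMPLE_URLS, "dummy-app.example.com", INSTRUCTIONS)` returns the three requests that need review before the findings are accepted.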
Final Thoughts
Using Strix with Vertex AI Gemini 2.5 Pro provides a powerful, automated approach to penetration testing. By relying on Google Cloud’s authentication and managed AI infrastructure, you avoid API key management while benefiting from high‑quality security analysis.
Always ensure you have explicit authorization before running security scans against any application.
✅ Disclaimer
This content is for educational and authorized security testing purposes only.