Pentesting is becoming a pipeline stage

Strix, an open source AI pentest agent, is trending. The interesting question for enterprises is not the tooling, it is who approves what the agent attacks.

Strix, an open source AI penetration testing agent, added 2,800 GitHub stars in a single day this week and sits around 40,000 overall. The pitch is simple: point an agent at your application and it probes for vulnerabilities the way a human pentester would, then hands you findings with reproduction steps.

The reason this matters to a large company has nothing to do with the specific repo. It is what the category does to a familiar operating rhythm.

The annual PDF model

Most enterprises still buy penetration testing as an event. Scope a statement of work, wait for a testing window, receive a PDF three weeks later, file the findings into a backlog where they compete with feature work. By the time the report lands, the application has shipped several releases the report never saw.

That model made sense when adversarial testing required scarce human specialists. It stops making sense when a capable agent can run continuously for the cost of compute.

Testing becomes a stage, not an event

The obvious end state is that adversarial testing joins linting, type checks, and end-to-end tests as a stage in the delivery pipeline. Every release candidate gets probed. Findings arrive as annotations on the change that introduced them, not as a quarterly archaeology project.

This mirrors what is happening across the whole engineering factory: work that used to be an expensive scheduled event (code review, QA passes, security audits) becomes a continuous, agent-executed pipeline stage with humans reviewing evidence instead of performing the labor.

The real blocker is authority, not capability

Here is the part most coverage skips. An agent that attacks your own systems is still an agent taking actions with real consequences. Before any enterprise turns this on, someone has to answer:

Who approves the scope of what the agent is allowed to attack? Which environments are in bounds, production or isolated previews? What happens when a probe succeeds and the agent is now holding a working exploit? Who reviews findings before they hit a ticket queue that contractors can read?

These are the same governance questions as agentic coding: authority boundaries, isolated environments, human approval gates, and evidence trails. The companies that already built those muscles for their development pipelines will adopt agentic security testing quickly. The ones that treat it as another tool purchase will run an uncontrolled red team against themselves.

Capability is arriving faster than the operating model. As usual, the operating model is the actual work.

Written by Adib Kadir. Product and engineering executive focused on rolling out AI at enterprise scale.

Start a conversation