Most scanners detect. Xalgorix proves. An autonomous LLM agent works a full pentest methodology, then an independent verifier re-exploits every finding before it's reported — so you get proof, not a pile of maybes to triage. Self-hosted, private, and bring-your-own-LLM. Built in Go + TypeScript.
Quick Start · Why Xalgorix · Features · Use Cases · Hosted Cloud · Docs
Install (one line):
curl -sSL https://www.xalgorix.com/install | bashThis downloads the prebuilt binary for your platform (Linux amd64/arm64) from the latest release. Then point it at your LLM provider in ~/.xalgorix.env:
XALGORIX_LLM=minimax/MiniMax-M3
XALGORIX_API_KEY=your_provider_api_keyLaunch the dashboard and open http://127.0.0.1:9137:
xalgorix --webOr run with Docker — batteries included, no toolchain needed:
docker run --rm -p 9137:9137 \
-v xalgorix-data:/data \
xalgord/xalgorix:latestOpen http://localhost:9137. You don't need an LLM key to start — the dashboard launches without one; set the model + API key under Settings → LLM (it persists to the /data volume). If you don't pass XALGORIX_USERNAME/XALGORIX_PASSWORD, a random admin password is generated and printed to the container logs on first run.
Easiest — Docker Compose (maps the port + a persistent volume for you):
curl -sSLO https://raw.githubusercontent.com/xalgord/xalgorix/main/docker-compose.yml
docker compose up -d
docker compose logs -f # shows the generated admin password on first startThe image ships an extensive offensive-security toolset preinstalled (nmap, nuclei, httpx, subfinder, katana, ffuf, gobuster, sqlmap, masscan, dalfox, feroxbuster, and more) and keeps every package manager (apt, go, cargo, pipx, npm) available so the agent can still auto-install anything missing at runtime. It runs as root inside the container by design — treat the container as a disposable, network-isolated scanning sandbox and never expose the dashboard without auth. (amd64 image; the installer above covers arm64.)
Or build from source (needs Go 1.25+ and Node.js):
git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorixTip
Prefer zero setup? A fully managed version runs at www.xalgorix.com — click-to-scan, no install or API keys required.
Want a security review on every pull request with zero setup? Install the Xalgorix GitHub App. It reads each PR's diff and comments a security review — injection, broken auth/IDOR, SSRF, secrets, unsafe patterns — right on the pull request. Updates in place on new commits, and you can comment @xalgorix review to re-run on demand. No workflow file, no API key, no account — and it's free.
For merge gating and full exploit-verified pentests in CI, use the hosted scanner or the GitHub Action.
Important
Use Xalgorix only on systems you own or have explicit permission to test.
Tip
Prefer not to self-host? A fully managed version is available at www.xalgorix.com — click-to-scan, no install or API keys required.
- Quick Start
- Overview
- Why Xalgorix
- Use Cases
- Screenshots
- Features
- Installation
- Configuration
- Upgrading from previous versions
- Running
- Service Mode
- Web UI Workflow
- Scan Modes
- Methodology
- Reports
- Settings
- Environment Variables
- Provider Prefixes
- CLI Reference
- API Summary
- Data Storage
- Development
- Safety Notes
- License
- Links
Xalgorix is a self-hosted AI penetration testing platform for authorized security testing, vulnerability assessment, and bug bounty workflows. It combines an LLM-driven autonomous agent, browser automation, terminal tooling, a comprehensive 22-phase testing methodology, live WebSocket telemetry, finding management with CVSS scoring, branded PDF report generation, and integrations for AgentMail, Discord, and Telegram.
Unlike cloud-only DAST scanners, Xalgorix runs entirely on your machine. You bring your own LLM provider (OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, MiniMax) and control the model, reasoning effort, rate limits, and proxy configuration. No scan data, API keys, or target information leaves your infrastructure.
The default experience is the Web UI. From one local dashboard you can start scans, monitor active runs, inspect findings, configure model/provider settings, manage environment variables, generate branded PDF reports, and delete or resume historical scans.
Most scanners detect. Xalgorix proves. An autonomous agent works through a 22-phase methodology, then an independent verifier re-tests every candidate finding before it is reported — so you get exploit-verified results with evidence, not a wall of "maybes" to triage.
- 🧠 An AI agent, not a template engine — reasons about auth flows, business logic, IDOR/BOLA, and chained exploits that signature scanners miss.
- ✅ Exploit-verified findings — a separate verifier independently reproduces each finding; inconclusive ones are flagged for review, never dressed up as confirmed.
- 🔒 Self-hosted and private — runs on your machine with your own LLM key; no target data, keys, or findings leave your infrastructure.
- 🧩 Bring your own LLM — OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, or MiniMax — or any OpenAI-compatible gateway like LiteLLM (GitHub Copilot, Codex, OpenRouter, Azure). You control model, reasoning effort, and cost.
- 📄 Audit-ready reports — branded PDFs with CVSS scores, proof-of-concept, and remediation.
| Xalgorix | Template scanners (e.g. Nuclei) | Crawling scanners (e.g. OWASP ZAP) | Commercial DAST | |
|---|---|---|---|---|
| Approach | Autonomous AI agent | Signatures / templates | Spider + active rules | Signatures + heuristics |
| Business logic / IDOR / auth-bypass coverage | ✅ | Limited | Limited | Partial |
| Exploit-verified (proves impact) | ✅ independent verifier | ❌ | ❌ | Partial |
| False-positive load | Low (proven) | Template-dependent | High | Medium |
| Self-hosted / data stays local | ✅ | ✅ | ✅ | Usually cloud |
| Bring-your-own LLM | ✅ | — | — | ❌ |
| Branded PDF reports | ✅ | ❌ | Basic | ✅ |
| Cost | Open source + your LLM | Free | Free | $$$ |
Directional comparison — Nuclei and ZAP are excellent at what they do. Xalgorix adds the reasoning-heavy discovery and exploit-verification layer on top.
If Xalgorix saves you a triage cycle, please ⭐ star the repo — it genuinely helps others find it.
| Use Case | How Xalgorix helps |
|---|---|
| Penetration testing | Run a full 22-phase methodology against authorized targets. The AI agent handles reconnaissance, vulnerability discovery, injection testing, SSRF, IDOR, auth bypass, race conditions, and more — then verifies findings before reporting. |
| Bug bounty hunting | Point Xalgorix at an in-scope target and let the agent enumerate the attack surface, test for common vulnerability classes, and surface verified findings with CVSS scores and proof-of-concept evidence. |
| Red team operations | Use wildcard and multi-target scan modes to map an organization's external attack surface. Browser-assisted DAST handles auth flows, forms, and runtime behavior that static scanners miss. |
| Security research | The novel-vulnerability-discovery phase pushes the agent beyond known template matching. Bring your own LLM (OpenAI, Anthropic, DeepSeek, Gemini, Ollama, MiniMax) to control reasoning depth and cost. |
| Continuous security testing | Run as a system service with xalgorix --start. Scan on a schedule, stream findings to Discord or Telegram, and generate branded PDF reports for stakeholders. |
| DAST automation | Browser-driven testing for web applications — auth flows, forms, JavaScript-rendered content, and runtime behavior. Integrates with Caido for proxy traffic inspection. |
| Overview dashboard | Scan detail | Findings |
|---|---|---|
![]() |
![]() |
![]() |
| Area | Capabilities |
|---|---|
| Dashboard | Local Web UI on 127.0.0.1:9137 by default, scan management, live status, bulk scan actions, and historical scan recovery. |
| Scanning | Single target, DAST, wildcard, and multi-target flows with selectable methodology phases. |
| Live telemetry | Tool calls, agent messages, findings, errors, HTTP activity, and LLM activity over WebSockets. |
| Findings | Scan detail pages, severity filters, CVSS details, finding index, and verified finding workflows. |
| Reporting | Branded PDF reports with target/company name, uploaded logo, report list, open/download/delete actions. |
| Integrations | AgentMail test inboxes, verification emails, OTP flows, email triage events, Discord and Telegram notifications. |
| Configuration | Dashboard settings for LLM, AgentMail, Discord, Telegram, proxy, runtime, browser, auth, rate limits, and resources. |
| Runtime safety | Resource-aware instance limits and loopback-only binding unless external access is explicitly configured with auth. |
The fastest paths need no toolchain at all.
curl -sSL https://www.xalgorix.com/install | bashDownloads the latest release binary for your platform (Linux amd64/arm64) and installs it to /usr/local/bin (or ~/.local/bin without sudo). Override with XALGORIX_INSTALL_DIR or pin a version with XALGORIX_VERSION=vX.Y.Z.
docker run --rm -p 9137:9137 \
-e XALGORIX_LLM=minimax/MiniMax-M3 \
-e XALGORIX_API_KEY=your_provider_api_key \
-v xalgorix-data:/data \
ghcr.io/xalgord/xalgorix:latestThe image is batteries-included: an extensive offensive-security toolset is preinstalled (nmap, nuclei, httpx, subfinder, dnsx, naabu, katana, ffuf, gobuster, dalfox, feroxbuster, sqlmap, masscan, nikto, whatweb, hydra, and more), plus Chromium for browser-assisted DAST. It also keeps the full package-manager set (apt, go, cargo, pipx, npm) available, so the agent auto-installs anything missing at runtime. Scan data persists to the /data volume, and the server binds 0.0.0.0 inside the container — set XALGORIX_USERNAME/XALGORIX_PASSWORD before exposing it beyond localhost.
The container runs as root by design (the engine only enables runtime auto-install for uid 0, and apt/go/cargo installs need system write access). Treat it as a disposable, network-isolated scanning sandbox. It's published for amd64; use the one-line installer for arm64 hosts.
On first run, if you don't set dashboard auth the container generates a random admin password and prints it to the logs (the image binds 0.0.0.0, which the engine won't do without auth). Set XALGORIX_USERNAME + XALGORIX_PASSWORD (or XALGORIX_PASSWORD_HASH) to use your own. The binary never self-updates inside the container (XALGORIX_NO_AUTO_UPDATE=1) — pull a new image tag to upgrade.
| Requirement | Notes |
|---|---|
| Linux | Primary supported platform. |
| Go | 1.25 or newer. |
| Node.js + npm | Required when building the bundled React Web UI from source. |
| Security tools | Installed on demand only when auto-install is enabled. |
Check your Go version:
go versiongit clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorixmake build builds the React Web UI into internal/web/static, then builds the Go binary.
GOPROXY=direct GOSUMDB=off go install github.com/xalgord/xalgorix/v4/cmd/xalgorix@latestXalgorix loads configuration in this order. Later sources override earlier ones.
| Order | Source |
|---|---|
| 1 | /etc/xalgorix.env |
| 2 | /home/<sudo-user>/.xalgorix.env when launched through sudo |
| 3 | ~/.xalgorix.env |
| 4 | Environment variables already present in the process |
Create the local environment file:
nano ~/.xalgorix.envXALGORIX_LLM=minimax/MiniMax-M3
XALGORIX_API_KEY=your_provider_api_keyOpenAI:
XALGORIX_LLM=openai/gpt-5.4
XALGORIX_API_KEY=sk-...Custom OpenAI-compatible provider:
XALGORIX_LLM=custom/security-model
XALGORIX_API_BASE=https://your-provider.example/v1
XALGORIX_API_KEY=your_provider_api_keyLiteLLM / OpenAI-compatible gateways (GitHub Copilot, Claude Opus, Codex, OpenRouter, Azure, local models)
Because XALGORIX_API_BASE accepts any OpenAI-compatible /v1/chat/completions endpoint,
Xalgorix works with a LiteLLM proxy out of the box — no
Xalgorix-side changes needed. LiteLLM handles the upstream provider auth (Copilot device
login, Azure keys, OpenRouter, Ollama, etc.); Xalgorix just talks OpenAI to the gateway.
Run LiteLLM (example config.yaml):
model_list:
- model_name: claude-opus-4-8
litellm_params:
model: github_copilot/claude-opus-4.8 # or openrouter/…, azure/…, ollama/…
general_settings:
master_key: sk-local-litellm-keyPoint Xalgorix at it — use the custom/ prefix so the model name is sent verbatim and the
OpenAI chat-completions protocol is used:
XALGORIX_LLM=custom/claude-opus-4-8 # the LiteLLM model_name
XALGORIX_API_BASE=http://localhost:4000/v1 # your LiteLLM proxy
XALGORIX_API_KEY=sk-local-litellm-key # LiteLLM master_key / virtual keyThe same pattern covers GitHub Copilot Business/CLI, Claude Opus, Codex-style models,
OpenRouter, Azure OpenAI, and local Ollama models — anything LiteLLM can route. Keep the
custom/ (or openai/) prefix and a non-Anthropic/Gemini XALGORIX_API_BASE so Xalgorix
uses the standard OpenAI request shape that LiteLLM expects.
GEMINI_API_KEY=AIza...
AGENTMAIL_POD=am_us_pod_47
AGENTMAIL_API_KEY=ak_...
XALGORIX_DISCORD_WEBHOOK=https://discord.com/api/webhooks/...
XALGORIX_DISCORD_MIN_SEVERITY=highXALGORIX_USERNAME=admin
XALGORIX_PASSWORD=change-this-passwordTip
Prefer XALGORIX_PASSWORD_HASH for production deployments.
This release ships a stability and workspace-isolation pass with one breaking change and a few new knobs worth knowing about.
Scan output, notes, schedules, and other generated artefacts now live under ~/.xalgorix/data/ instead of $CWD (the directory the binary was launched from).
To retain the previous behavior, point XALGORIX_DATA_DIR at your current working directory:
export XALGORIX_DATA_DIR=$(pwd)A [MIGRATION] warning is emitted at startup when legacy markers (notes.json, _schedules/, vulnerabilities.json, or YYYY-MM-DD/scan-* directories) are detected in $CWD and XALGORIX_DATA_DIR is unset. Xalgorix never reads, copies, or deletes those legacy files automatically; the warning is informational and only fires once per process.
| Variable | Default | Description |
|---|---|---|
XALGORIX_LLM_MAX_INFLIGHT |
4 × EffectiveMaxInstances |
Caps simultaneous outbound LLM calls across all running scans. Minimum 1. Cancelled waiters do not consume a slot. |
GET /api/status now exposes:
| Field | Meaning |
|---|---|
panics_recovered |
Goroutine, HTTP handler, and tool panics that were recovered without crashing. |
path_rejections |
Filesystem writes refused by Path_Policy (outside data_dir / ~/.xalgorix/ / /tmp). |
watchdog_kills |
Subprocesses terminated by the per-tool hard-timeout watchdog. |
admission_refusals |
Scan admission requests denied due to the concurrency ceiling. |
llm_inflight_cap |
Effective XALGORIX_LLM_MAX_INFLIGHT value for this process. |
data_dir |
Resolved Data_Dir in use. |
allow_list |
Filesystem roots accepted by Path_Policy. |
xalgorix --webOpen:
http://127.0.0.1:9137
Use a different port:
xalgorix --web --port 8080Bind to another interface only after enabling dashboard authentication:
XALGORIX_USERNAME=admin XALGORIX_PASSWORD=change-this xalgorix --web --bind 0.0.0.0Warning
The server refuses external binding without dashboard authentication.
xalgorix --target https://example.comWith custom instructions:
xalgorix --target https://app.example.com --instruction "Focus on SQL injection, IDOR, and auth bypass. Avoid destructive tests."Install and start as a system service:
sudo xalgorix --startManage the service:
sudo xalgorix --restart
sudo xalgorix --stop
sudo xalgorix --uninstallView logs:
journalctl -u xalgorix -fExpose the service to remote browsers only after enabling dashboard auth:
sudo tee -a /root/.xalgorix.env >/dev/null <<'EOF'
XALGORIX_BIND=0.0.0.0
XALGORIX_USERNAME=admin
XALGORIX_PASSWORD=change-this
EOF
sudo xalgorix --restartThen open http://<server-ip>:9137.
If the process is listening but the page still does not load remotely, allow TCP port 9137 in the server firewall or cloud security group.
- Open the dashboard at
http://127.0.0.1:9137. - Go to Settings and confirm the LLM provider, API key, rate limits, and optional integrations.
- Create a scan from New Scan.
- Choose a scan mode.
- Select methodology phases when you want a focused run.
- Set severity filters when only certain severities should be reported live. The filter affects the real-time dashboard feed and notifications only; the PDF report and
/api/findingsalways include every vulnerability the agent discovered. - Add company name and upload a logo for branded reports.
- Monitor progress from Overview, Scan Detail, or Live Feed.
- Open finding details, download reports, or manage historical scans from Scans and Reports.
| Mode | Best for |
|---|---|
| Single target | Testing one known URL or host. |
| Wildcard / multi | Enumerating related targets and scanning the discovered attack surface. |
| DAST | Browser-assisted testing for web apps, auth flows, forms, and runtime behavior. |
Point Xalgorix at a codebase — a Git URL, a local path, or an uploaded zip — and it scans the source directly. No deployed URL, no infrastructure to stand up.
# Source review (SAST): audit the code, no running target required
xalgorix --source ./my-app --code-scan review
# Provision + DAST: build & run the app locally, then pentest the running instance
xalgorix --source https://github.com/org/app.git --code-scan provision| Code-scan mode | What it does | Verification level |
|---|---|---|
review |
Reads the source, traces user input from entry point → dangerous sink, and reports reachable vulnerabilities. No live target. | Source-verified — proven reachable in code (clearly labeled as not runtime-exploited). |
provision |
Inspects the repo, builds and runs the app on a loopback port, then runs whitebox-guided DAST against the running instance. Falls back to review if the app can't be built. |
Exploit-verified — reproduced against the running app. |
--sourceaccepts a Git URL (shallow-cloned), a local directory, or a path to an uploaded/extracted archive. In the Web UI / hosted app you can also upload a.zipof your codebase (POST /api/upload-source).- You can still combine a repo and a live target for classic whitebox augmentation — that path is unchanged. Code-scan modes are for when the codebase is the whole subject.
Provision mode runs your app's build/start commands in the agent's sandbox and only pentests the single loopback port it stood the app up on — the dashboard and everything else on the machine stay out of scope.
Xalgorix organizes autonomous testing into 22 phases.
| Phase | Focus |
|---|---|
| 1 | Reconnaissance |
| 2 | Manual vulnerability discovery |
| 3 | Directory and file discovery |
| 4 | CORS and cookie analysis |
| 5 | Authentication and session testing |
| 6 | Injection testing |
| 7 | SSRF testing |
| 8 | IDOR and broken access control |
| 9 | API and GraphQL testing |
| 10 | File upload testing |
| 11 | Deserialization and RCE |
| 12 | Race conditions and business logic |
| 13 | Subdomain takeover |
| 14 | Open redirect testing |
| 15 | Email security testing |
| 16 | Cloud and infrastructure |
| 17 | WebSocket testing |
| 18 | CMS-specific testing |
| 19 | Broken link hijacking and content spoofing |
| 20 | Exploit verification |
| 21 | Novel vulnerability discovery |
| 22 | Final report |
Phase selection in the Web UI lets you run every phase or only the subset needed for a specific engagement.
Reports are generated as PDF files and can include:
| Section | Included content |
|---|---|
| Summary | Executive summary, target metadata, scan metadata, and severity overview. |
| Findings | Verified findings, CVSS details, technical analysis, and exploitation proof. |
| Evidence | Proof of concept commands, scripts, payload notes, and supporting observations. |
| Remediation | Fix guidance and prioritized next steps. |
| Branding | Company/target name and uploaded logo. |
Reports are available from the scan detail page and the Reports page. Report rows support opening, downloading, and deletion.
Most operational settings can be changed from the Web UI under Settings.
| Area | Examples |
|---|---|
| Engagement | Dashboard request rate limits |
| LLM | Model, API key, API base, reasoning effort, retries, max iterations |
| AgentMail | Pod and API key |
| Notifications | Discord webhook and minimum severity, Telegram bot token, chat ID, and minimum severity |
| Proxy | Proxy URL, proxy file, rotation, TLS verification |
| Runtime | Workspace, browser path, auto-install controls |
| Security | Dashboard username, password, password hash, bind address |
| Resources | CPU/RAM/disk thresholds and scan concurrency budget |
Some settings require a restart because they affect process startup or server binding. The UI marks those fields.
| Variable | Default | Description |
|---|---|---|
XALGORIX_LLM |
none | Provider-native model ID used for LLM requests. |
XALGORIX_LLM_PROVIDER |
none | Provider selected by the dashboard, stored separately from the model ID. |
XALGORIX_API_KEY |
none | Required LLM provider API key. |
XALGORIX_API_BASE |
provider default | Custom OpenAI-compatible API base URL. |
XALGORIX_REASONING_EFFORT |
high |
Reasoning effort: low, medium, high, or xhigh. |
XALGORIX_LLM_MAX_RETRIES |
5 |
Retry count for transient LLM failures. |
XALGORIX_MEMORY_COMPRESSOR_TIMEOUT |
30 |
Timeout in seconds for context compression. |
XALGORIX_MAX_ITERATIONS |
0 |
Agent iteration cap. 0 means unlimited. |
GEMINI_API_KEY |
none | Optional Gemini key for web-search enrichment. |
| Variable | Default | Description |
|---|---|---|
XALGORIX_BIND |
127.0.0.1 |
Web server listen address. |
XALGORIX_USERNAME |
none | Dashboard username. |
XALGORIX_PASSWORD |
none | Dashboard password. |
XALGORIX_PASSWORD_HASH |
none | Preferred bcrypt password hash. |
XALGORIX_WORKSPACE |
current directory | Workspace root for scan execution. |
| Variable | Default | Description |
|---|---|---|
AGENTMAIL_POD |
none | AgentMail pod identifier. |
AGENTMAIL_API_KEY |
none | AgentMail API key. |
XALGORIX_DISCORD_WEBHOOK |
none | Global Discord webhook. |
XALGORIX_DISCORD_MIN_SEVERITY |
none | Minimum severity sent to Discord. |
XALGORIX_TELEGRAM_BOT_TOKEN |
none | Telegram bot token from @BotFather. |
XALGORIX_TELEGRAM_CHAT_ID |
none | Telegram chat/channel ID (numeric or @username). |
XALGORIX_TELEGRAM_MIN_SEVERITY |
none | Minimum severity sent to Telegram. |
CAIDO_PORT |
0 |
Caido proxy port. 0 means auto-detect. |
CAIDO_API_TOKEN |
none | Caido API token. |
| Variable | Default | Description |
|---|---|---|
XALGORIX_RATE_LIMIT_REQUESTS |
60 |
Dashboard requests per window. |
XALGORIX_RATE_LIMIT_WINDOW |
60 |
Dashboard rate-limit window in seconds. |
XALGORIX_RATE_RPS |
10 |
Sustained outbound request rate. |
XALGORIX_RATE_BURST |
20 |
Outbound burst size. |
XALGORIX_USE_PROXY |
false |
Enable proxy routing. |
XALGORIX_PROXY_URL |
none | Single proxy URL. Overrides proxy file. |
XALGORIX_PROXY_FILE |
none | File containing one proxy per line. |
XALGORIX_PROXY_ROTATION |
roundrobin |
Proxy rotation strategy: roundrobin or random. |
XALGORIX_TLS_SKIP_VERIFY |
false |
Skip TLS verification for testing traffic. |
XALGORIX_DISABLE_BROWSER |
false |
Disable browser automation. |
XALGORIX_BROWSER_PATH |
auto | Custom Chrome/Chromium executable path. |
XALGORIX_ALLOW_AUTO_INSTALL |
root only | Permit automatic package installation. |
XALGORIX_AUTO_INSTALL_SUDO |
false |
Permit sudo-prefixed auto-installs. |
When XALGORIX_API_BASE is empty, Xalgorix infers provider defaults from the model prefix.
| Prefix | Default API base |
|---|---|
openai/ |
https://api.openai.com/v1 |
anthropic/ |
https://api.anthropic.com |
deepseek/ |
https://api.deepseek.com/v1 |
groq/ |
https://api.groq.com/openai/v1 |
google/ |
https://generativelanguage.googleapis.com/v1 |
gemini/ |
https://generativelanguage.googleapis.com/v1 |
ollama/ |
http://localhost:11434/v1 |
minimax/ |
https://api.minimax.io/v1 |
Model names are not hard-coded to this list. The Settings page accepts typed model IDs so newer provider models can be used without waiting for a UI dropdown update.
| Flag | Alias | Description |
|---|---|---|
--web |
-w |
Start the Web UI. |
--port <port> |
-p |
Web UI port. Default: 9137. |
--bind <addr> |
none | Bind address. Default: 127.0.0.1. |
--target <target> |
-t |
Target URL, host, IP, or path. Repeatable. |
--instruction <text> |
-i |
Custom scan instructions. |
--model <model> |
-m |
Override XALGORIX_LLM for this run. |
--update |
-up |
Update to the latest release. |
--version |
-v |
Print version. |
--start |
none | Install and start the system service. |
--stop |
none | Stop the system service. |
--restart |
none | Restart the system service. |
--uninstall |
none | Remove the system service. |
--help |
-h |
Show help. |
| Method | Endpoint | Purpose |
|---|---|---|
POST |
/api/scan |
Start or save a scan. |
POST |
/api/stop |
Stop all running scans. |
GET |
/api/status |
Current global status. |
GET |
/api/scans |
List scans. |
GET |
/api/scans/:id |
Get scan detail. |
DELETE |
/api/scans/:id |
Delete a scan and its report data. |
GET |
/api/findings |
List all findings (deduplicated across scans). |
GET |
/api/findings/summary |
Severity tally across all scans. |
GET |
/api/report/:id |
Download a PDF report. |
GET |
/api/instances |
List live and historical instances. |
GET |
/api/instances/:id/events |
Get buffered event history. |
POST |
/api/instances/:id/stop |
Stop a specific instance. |
POST |
/api/instances/:id/start |
Start a saved or completed scan as a new run. |
POST |
/api/instances/:id/restart |
Restart with the same configuration. |
POST |
/api/instances/:id/pause |
Pause a running scan. |
POST |
/api/instances/:id/resume |
Resume a paused scan. |
POST |
/api/upload-logo |
Upload a report logo. |
POST |
/api/upload-targets |
Upload a target list. |
GET |
/api/settings/environment |
List editable environment settings. |
POST |
/api/settings/environment |
Save environment settings. |
GET |
/api/settings/llm |
Get LLM settings. |
POST |
/api/settings/llm |
Save LLM settings. |
GET |
/api/settings/agentmail |
Get AgentMail settings. |
POST |
/api/settings/agentmail |
Save AgentMail settings. |
GET |
/ws |
WebSocket live event stream. |
Web-mode scan data is stored under:
~/xalgorix-data/
|-- _saved/
|-- logos/
|-- queue_state.json
`-- <target>/
`-- <date>/
`-- <scan-id>/
|-- scan.json
`-- report.pdf
The server keeps historical scan records on disk so the UI can recover after refresh or restart.
| Task | Command |
|---|---|
| Install Web UI dependencies | make webui-install |
| Build everything | make build |
| Run tests | go test ./... |
| Run Web UI from source | go run ./cmd/xalgorix --web |
| Run frontend dev server | make webui-dev |
- Use Xalgorix only against authorized targets.
- Do not run active testing against third-party systems without permission.
- Review scan instructions before launching.
- Configure rate limits and proxy settings to match engagement rules.
- Exposing the dashboard externally requires authentication.
- Auto-install is disabled by default for non-root users and should be enabled only when you trust the environment.
Xalgorix is released under the MIT License. See LICENSE.
| Resource | Link |
|---|---|
| Hosted (Cloud) | www.xalgorix.com |
| Documentation | docs.xalgorix.com |
| Issues | github.com/xalgord/xalgorix/issues |
| Support | buymeacoffee.com/xalgord |



