v2.4 — 22-phase methodology, now hosted

A verified pentest report
in minutes — from $1.

Xalgorix runs reconnaissance, injection, IDOR, SSRF, RCE, and 18 other offensive phases against your target — then ships a verified, evidence-backed report.

Run your first scan — $1 →See a sample report

credit packs from $1 · never expire

~ xalgorix scan #4f2a · target: app.acme.com

running phase 8/22

[01]reconnaissance✓ 47 subdomains, 12 origins

[04]cors & cookies! permissive CORS w/ credentials

[06]injection! blind SQLi confirmed (5012ms delta)

[08]idor! /api/invoices/:id leaks all tenants

[20]exploit verification… chaining sqli → admin token_

criticalIDOR allows reading any user's invoicesCVSS 9.1

proof · not a demo

What it found on a real target

We pointed Xalgorix at pentest-ground.com:9000 — a public, deliberately-vulnerable target. In 43 minutes it returned 6 findings and reproduced every exploit before reporting it.

6 verified findings3 criticalrisk rating CRITICAL 100/10043 min end-to-end

criticalCVSS 9.8

Remote Code Execution

Arbitrary commands as root via the /eval endpoint (uid=0 confirmed).

highCVSS 8.6

SQL Injection auth bypass

Logged in as any user on /tokens and dumped the database schema.

highCVSS 7.5

IDOR — password exposure

/user/{id} returned every account's password by incrementing the id.

Open the full report →

features

Everything you need for autonomous security testing.

From live scan telemetry to branded PDF reports — Xalgorix handles the full engagement lifecycle, hosted on our infrastructure.

Hosted Web Dashboard

No installs, no Go toolchain, no LLM keys. Sign in and launch your first scan in 60 seconds.

Live Scan Telemetry

WebSocket event stream: tool calls, agent messages, HTTP activity, phase progress — all in real time.

22-Phase Methodology

Run the full sweep or focus on recon, injection, auth, API, upload, cloud, or WebSocket phases.

Verified Findings

Every finding is exploit-verified before it lands in your report. Less noise, more signal.

Branded PDF Reports

Executive summary, severity breakdown, PoC, remediation steps — with your company logo.

Scan Modes

Single target or wildcard / multi-target. Credit-based, no surprise bills.

Schedules & Automation

Recurring scans on cron-style schedules. Continuous coverage of your attack surface.

Team & Sharing

Share findings and reports with stakeholders via signed links. No login needed for read-only views.

REST API

Programmatic scan creation, status, and report retrieval. Wire Xalgorix into your CI/CD.

Rate Limits & Safety

Configurable request rates, circuit breakers, and blocked destructive commands protect your infra.

Scan Persistence

Resume interrupted scans. Multi-target queues process sequentially with full state recovery.

Multi-LLM Backend

We run on top frontier models — GPT-5, Claude, Gemini. You don't manage providers or keys.

privacy & data protection

Your data stays yours.

Security testing means trusting us with sensitive targets and findings. We treat that data as private by design — isolated per customer, encrypted in transit, and never sold or used to train models.

Isolated by default

Every scan, finding, and report is scoped to your account with database row-level security. No other customer — or team — can read your data.

Encrypted in transit

All traffic runs over TLS. Reports are shared only through signed, expiring links that you create and can revoke at any time.

You stay in control

Export or delete your scans and reports whenever you want. We never sell your data, and we never train models on your targets or findings.

Authorized & logged

Scans run only against targets you confirm you're allowed to test, and every scan is tied to your account for a clear audit trail.

Read the details:Privacy Policy Data Processing Agreement Security

methodology

22 phases. Every engagement.

Pick the full sweep or focus on a single phase. Every finding is exploit-verified before it lands in your report.

phase 01

Reconnaissance

phase 02

Manual vulnerability discovery

phase 03

Directory and file discovery

phase 04

CORS and cookie analysis

phase 05

Authentication and session testing

phase 06

Injection testing

phase 07

SSRF testing

phase 08

IDOR and broken access control

phase 09

API and GraphQL testing

phase 10

File upload testing

phase 11

Deserialization and RCE

phase 12

Race conditions and business logic

phase 13

Subdomain takeover

phase 14

Open redirect testing

phase 15

Email security testing

phase 16

Cloud and infrastructure

phase 17

WebSocket testing

phase 18

CMS-specific testing

phase 19

Broken link hijacking and content spoofing

phase 20

Exploit verification

phase 21

Novel vulnerability discovery

phase 22

Final report

workflow

From signup to report in 7 steps.

Zero to scanning in under 60 seconds. We handle the infrastructure, methodology execution, and report generation.

Sign up

Create an account in seconds, then add credits from $1.

Add target

Paste a URL, hostname, or wildcard. We validate scope on submit.

Pick mode

Single or wildcard. Choose all 22 phases or a focused subset.

Launch

Scan kicks off instantly on our infrastructure. No queue, no waiting.

Monitor live

Watch tool calls, agent messages, and phase progress stream in real time.

Review findings

Verified findings with severity, evidence, CVSS, and remediation guidance.

Share report

Download a branded PDF or share a signed link with your team.

scan modes

Two ways to engage.

Single target

One URL or host. Fastest path to actionable findings.

Best for: known URLs, quick assessments

1 credit

Wildcard / multi

Enumerate attack surface, then scan everything discovered.

Best for: bug bounty, surface discovery

1 credit / scan

the xalgorix suite

More tools from Xalgorix.

A growing family of offensive-security products. Built by the same team, sharing the same methodology.

BountyLabs

live

Hands-on labs and CTF-style environments to sharpen your bug-bounty edge.

Visit site →

HuntFlow

coming soon

Workflow automation for bug-bounty hunters — recon, triage, and reporting in one pipeline.

not ready yet

BugReportly

coming soon

Beautiful, structured bug reports that program managers actually want to read.

not ready yet

live observability

Watch every scan in real time.

WebSocket-powered event stream surfaces tool invocations, agent reasoning, findings, HTTP activity, LLM token usage, and phase transitions — the second they happen.

147: Tool Calls
12: Findings
48.2k: LLM Tokens
2,341: HTTP Requests

live feed — scan:a3f8c2connected

00:12:34[TOOL]nuclei -t cves/ -u https://target.com

00:14:02[FIND]Critical: SQL Injection on /api/search

00:14:15[AGENT]Analyzing response patterns for auth bypass...

00:14:22[HTTP]POST /api/login → 200 (342ms)

00:14:30[LLM]openai/gpt-5.4 → 2,847 tokens

00:15:01[PHASE]Phase 6/22: Injection Testing — started

00:16:45[FIND]High: IDOR on /api/users/{id}

00:17:12[ERR]Tool timeout: sqlmap (30s, retrying)

findings & reports

From scan output to report-ready findings.

Centralized findings with severity filters, CVSS details, evidence, and branded PDF report generation.

Critical

High

Medium

Low

Critical · CVSS 9.8XAL-2026-001

SQL Injection in Search Parameter

https://target.com/api/search

Unauthenticated SQL injection via the 'q' parameter allows arbitrary database queries.

High · CVSS 7.5XAL-2026-002

IDOR on User Profile Endpoint

https://target.com/api/users/{id}

Authenticated users can access any user profile by modifying the ID parameter.

Medium · CVSS 5.3XAL-2026-003

Missing Rate Limiting on Login

https://target.com/login

No rate limiting on authentication endpoint allows brute-force attempts.

pricing

Simple. Credit-based.

Full pricing →

starter

$20/mo

50 scan credits · 2 concurrent

popular

pro

$49/mo

200 scan credits · 5 concurrent

team

$199/mo

1000 scan credits · 8 concurrent

one-time credit packs

1 credit · $110 credits · $950 credits · $29200 credits · $991000 credits · $399

No subscription — from $1. Credits never expire and stack on any plan.

Buy credits →

why xalgorix

How we compare.

The depth of a real pentest, the speed and price of a scanner — without the false positives of legacy DAST or the wait of an agency.

Capability

Xalgorix

Pentest agency

DAST scanner

Manual testing

Time to first results

Minutes to hours

Weeks

Hours

Days+

Entry cost

From $1

$1,000s / engagement

$$$ seats

Headcount

Exploit-verified findings

✓

—

✓

Adapts to business logic (AI)

✓

Human

—

Human

On-demand & self-serve

✓

—

✓

—

Scheduled re-scans

✓

—

✓

—

Client-ready branded report

✓

Limited

Manual

Open-source engine / self-host

✓

—

Comparison reflects typical offerings in each category; exact capabilities vary by vendor and tool.

hosted vs self-hosted

Two ways to run Xalgorix.

The engine is open source. This site is the hosted version — same methodology, zero setup. Or grab the CLI and run it on your own infrastructure.

Capability

Hosted (this app)

Self-hosted CLI

Hosted infrastructure

✓

—

Zero install / setup

✓

—

Managed LLM (no API keys)

✓

—

Live WebSocket telemetry

✓

22-phase methodology

✓

Verified findings + PDF reports

✓

REST API & scheduled scans

✓

—

Team sharing & signed links

✓

—

Runs on your own machine

—

✓

Open source (MIT)

—

✓

Prefer self-hosted? Get the open-source CLI on GitHub →

faq

Common questions.

Do I need to install anything?+

No. Xalgorix is fully hosted. Sign in, paste a target, click scan. The open-source CLI is available separately at github.com/xalgord/xalgorix if you'd rather run it locally.

How long does a scan take?+

Single-target scans typically finish in 10–30 minutes. Wildcard scans depend on attack surface and can run for several hours. You'll see live progress the whole time.

Are findings actually exploit-verified?+

Yes. Phase 20 is dedicated to exploit verification — findings that can't be reproduced don't reach your report. You get evidence, not noise.

Can I use this for bug bounty?+

Yes, on programs where you have authorization and the scope permits automated testing. Respect every program's rules of engagement.

What about authorization?+

Only scan systems you own or have explicit written permission to test. We log every scan and require you to confirm authorization on each target.

Where is my data stored, and who processes it?+

Your account, scans, findings, and reports live in our managed Postgres database with per-customer row-level isolation, and the app is hosted on Cloudflare. To run a scan, target details and findings are processed by the frontier LLM providers behind our agents (OpenAI, Anthropic, Google); transactional email is sent via Resend and billing is handled by Dodo Payments. We never sell your data or use your targets and findings to train models. Our Privacy Policy and DPA list every subprocessor and explain how to export or delete your data.

Which LLMs power the agents?+

We route across frontier models — GPT-5, Claude, Gemini — picking the best fit per phase. You don't manage providers, keys, or rate limits.

How does pricing work?+

Credit-based. Single = 1 credit, Wildcard = 1 credit per live subdomain (recon and dead hosts are free). Subscriptions include monthly credits; top-up packs are available. See the pricing page for details.

Is there an API?+

Yes. Create scans, poll status, fetch findings, and pull reports programmatically. Generate API keys from your dashboard settings.

Ship safer. Faster.

Spin up your first autonomous engagement in under 60 seconds.

Start for $1 →

A verified pentest reportin minutes — from $1.