Indusagi
Referenceuse-cases/security-testing

Security Testing with Indus-strix

The indusagi package powers the web interface for Indus-strix, an AI-powered security testing platform. While Indus-strix's core engine is Python-based, it uses indusagi for the web dashboard and real-time monitoring.

Overview

Indus-strix uses a multi-agent architecture to automate security testing:

  • Security Agent — Main penetration testing agent
  • Reconnaissance Agent — Attack surface mapping
  • Vulnerability Specialist — Deep-dive on specific vulnerabilities
  • Exploitation Agent — PoC development and validation
  • Reporting Agent — Result aggregation and documentation

How indusagi is Used

Web Dashboard

The indusagi/webui module provides real-time scan monitoring:

import { ChatPanel } from "indusagi/webui";

// Create a chat panel for agent communication
const panel = new ChatPanel();
await panel.setAgent(securityAgent, {
  onApiKeyRequired: (provider) => promptForApiKey(provider),
  sandboxUrlProvider: () => "/sandbox.html",
});

Chat Interface

Agent communication flows through the ChatPanel component:

  • Real-time streaming of agent thoughts and actions
  • Tool execution visualization (bash commands, HTTP requests)
  • Attachment support for scan reports and screenshots
  • Message history with session persistence

Multi-Provider LLM

The indusagi/ai module enables frontend LLM interactions:

import { getModel, streamSimple } from "indusagi/ai";

// Use any supported provider for security analysis
const model = getModel("openai", "gpt-4.1-mini");
const stream = streamSimple(model, context, { apiKey });

Supported Vulnerabilities

Indus-strix can detect and validate:

Core Vulnerabilities

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object Reference (IDOR)
  • Authentication Bypass
  • Authorization Flaws
  • XML External Entity (XXE)
  • Remote Code Execution (RCE)

Advanced Vulnerabilities

  • Business Logic Flaws
  • Race Conditions
  • Mass Assignment
  • Subdomain Takeover
  • Path Traversal (LFI/RFI)
  • Open Redirect
  • Insecure File Uploads
  • CSRF

Integration Patterns

Custom Tool Renderers

Register custom renderers for security tools:

import { registerToolRenderer } from "indusagi/webui";

registerToolRenderer("nuclei_scan", {
  render: (params, result) => {
    // Custom rendering for Nuclei scan results
  },
});

Message Types

Define custom message types for security findings:

import { registerMessageRenderer } from "indusagi/webui";

registerMessageRenderer("vulnerability_finding", {
  render: (message) => {
    // Render vulnerability details with severity, CVSS, etc.
  },
});

Runtime Providers

Inject security context into sandboxes:

import { SandboxRuntimeProvider } from "indusagi/webui";

class SecurityContextProvider extends SandboxRuntimeProvider {
  getData() {
    return {
      targetUrl: this.targetUrl,
      sessionCookies: this.cookies,
    };
  }
}

Architecture

┌─────────────────────────────────────────────────────────────┐
│                      Web Dashboard                           │
│  ┌─────────────────┐  ┌─────────────────┐  ┌──────────────┐ │
│  │   ChatPanel     │  │  ArtifactsPanel │  │  Tool Render │ │
│  │   (indusagi)    │  │   (indusagi)    │  │  (indusagi)  │ │
│  └────────┬────────┘  └────────┬────────┘  └──────┬───────┘ │
│           │                    │                   │         │
│           └────────────────────┼───────────────────┘         │
│                                │                             │
│                     WebSocket / HTTP API                     │
└────────────────────────────────┼─────────────────────────────┘
                                 │
┌────────────────────────────────┼─────────────────────────────┐
│                      Backend (Python)                         │
│  ┌─────────────────┐  ┌───────┴───────┐  ┌─────────────────┐ │
│  │  Agent System   │  │  Tool Layer   │  │   Scheduler     │ │
│  │  (indusagi-strix│  │ (Playwright,  │  │  (Celery/Redis) │ │
│  │     -core)      │  │  Docker, etc) │  │                 │ │
│  └─────────────────┘  └───────────────┘  └─────────────────┘ │
└───────────────────────────────────────────────────────────────┘

Getting Started

  1. Install Indus-strix (Python package):

    pip install indusagi-strix

  2. Configure your LLM provider:

    export STRIX_LLM="openai/gpt-4"
export LLM_API_KEY="your-api-key"

  3. Run a security assessment:

    strix --target https://your-app.com

Responsible Use

⚠️ Only test applications you own or have permission to test

  • Follow responsible disclosure practices
  • Respect rate limits and terms of service
  • Use in isolated, authorized environments
On This Page
OverviewHow indusagi is UsedWeb DashboardChat InterfaceMulti-Provider LLMSupported VulnerabilitiesCore VulnerabilitiesAdvanced VulnerabilitiesIntegration PatternsCustom Tool RenderersMessage TypesRuntime ProvidersArchitectureGetting StartedRelated DocumentationResponsible Use