Vex Raptor
Self-hosted autonomous offensive security — deploy, pentest, verify, and report inside your perimeter.
- Quickstart: Deploy with Docker and run your first scan in ~15 minutes.
- Run a pentest: Web, API, or authenticated — pick a depth and go.
- Confidence pipeline: How Vex Raptor separates confirmed exploits from noise.
- Self-hosting: Runs on your infrastructure. Your attack surface never leaves.
What Vex Raptor is
A single engine that runs a multi-phase pentest against an authorized target: reconnaissance, TLS and header analysis, crawling, and active attacks (injection, XSS, SQLi, SSRF, auth bypass, business logic, and more). Confirmed findings ship with a reproducible proof of concept. The whole run streams live and ends in a report you can hand to an auditor.
It is designed to run on your own infrastructure (Docker, self-hosted), which makes it usable in air-gapped and regulated environments where sending your attack surface to a third-party cloud is not an option.
What Vex Raptor is not
Scope
Vex Raptor is a pentest tool, not a QA suite or an uptime monitor. It is not a replacement for a human red team on novel, business-logic-heavy engagements — independent 2025 benchmarks show autonomous agents still miss exploits that experienced humans find. Vex Raptor gives you speed, breadth, and reproducible verification; treat it as a force multiplier, not an oracle.
How it verifies findings
Vex Raptor does not report a vulnerability from a single hint. A finding is only promoted to CONFIRMED when a second, independent signal reproduces it (a re-probe, an out-of-band callback, or a second tool). Everything else is labelled by confidence level so you know exactly what was proven versus what needs a human look. See Confidence pipeline.
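The promotion rule above, worked through as an added example (not Vex Raptor's own code): a finding starts as a single hint and is promoted to CONFIRMED only when a separate observation of a confirming kind (re-probe, out-of-band callback, or second tool) actually reproduces it. The level names other than CONFIRMED, the signal kinds, and the sample findings are assumptions made for this illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Confidence(str, Enum):
    # Only CONFIRMED is named in the docs; the other two labels are assumed here.
    CONFIRMED = "CONFIRMED"    # reproduced by a second, independent signal
    UNVERIFIED = "UNVERIFIED"  # a verification attempt ran but did not reproduce
    HINT = "HINT"              # single hint only; needs a human look


@dataclass(frozen=True)
class Signal:
    kind: str            # "hint", "reprobe", "oob_callback" or "second_tool"
    observation_id: str  # distinct per observation, so one event cannot count twice
    reproduced: bool = True


# Signal kinds the docs list as independent confirmation of an initial hint.
CONFIRMING_KINDS = frozenset({"reprobe", "oob_callback", "second_tool"})


def classify(signals: list[Signal]) -> Confidence:
    """Promote to CONFIRMED only when an independent observation reproduces the hint."""
    hints = [s for s in signals if s.kind == "hint"]
    if not hints:
        raise ValueError("a finding needs at least one initial hint")
    hint_ids = {s.observation_id for s in hints}
    # A replay of the same observation is not independent evidence.
    attempts = [s for s in signals
                if s.kind in CONFIRMING_KINDS and s.observation_id not in hint_ids]
    if any(s.reproduced for s in attempts):
        return Confidence.CONFIRMED
    return Confidence.UNVERIFIED if attempts else Confidence.HINT


def triage(findings: dict[str, list[Signal]]) -> dict[str, list[str]]:
    """Bucket finding titles by confidence: what was proven vs. what needs a human look."""
    buckets: dict[str, list[str]] = {c.value: [] for c in Confidence}
    for title, signals in findings.items():
        buckets[classify(signals).value].append(title)
    return buckets


# Constructed sample findings (not real scan output).
SAMPLE = {
    "SQLi in search parameter": [Signal("hint", "obs-1"), Signal("reprobe", "obs-2")],
    "SSRF in fetch endpoint": [Signal("hint", "obs-3"), Signal("oob_callback", "obs-4", reproduced=False)],
    "Reflected XSS in echo endpoint": [Signal("hint", "obs-5")],
    "Replayed observation": [Signal("hint", "obs-6"), Signal("reprobe", "obs-6")],
}

if __name__ == "__main__":
    for level, titles in triage(SAMPLE).items():
        print(f"{level}: {titles}")
```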
Where to go next
- New here? Start with the Quickstart.
- Want to understand the engine? Read Scan depths and Findings & severity.
- Deploying for a team? See Docker Compose.
- Automating in CI? See the CI Gate.
Authorized testing only
Only scan systems you own or have explicit written permission to test. See Responsible use.