VXControl
Dubai · Est. 2025·17.2k+ on GitHub

Security engineering for the agentic-AI era.

VXControl builds open-source autonomous-agent tooling for offensive security teams. Self-hosted, transparent, MIT-licensed.

  • Multi-agent orchestration across 10+ LLM providers
  • 20+ sandboxed pentest tools, isolated in Docker
  • Self-hosted infrastructure — your keys, your runs
Explore PentAGIGitHub

For authorized security testing only. See our Terms of Service.

About

A studio for offensive-security R&D.

VXControl exists because offensive security tooling has not kept pace with how attackers operate today. Defenders working on real targets cannot wait for proprietary vendors to ship AI-augmented capabilities. We build the open-source autonomous-agent infrastructure they need — self-hosted, sandboxed, MIT-licensed — so any team can run agentic security operations on their own infrastructure, with their own keys, against their own targets.

VXControl L.L.C-FZ is a security engineering studio incorporated in the Meydan Free Zone, Dubai. We design and ship open-source software that helps security professionals automate offensive workflows with large language models — from reconnaissance to exploitation, in full agentic loops.

Our work spans agent orchestration, knowledge graphs, sandboxed tool execution, and the infrastructure required to run these systems safely on real targets. We publish under permissive licenses, develop in the open, and operate from the United Arab Emirates.

Founded
2025
Headquarters
Dubai, UAE
OSS License
MIT

Licensed activities

  • 6201.94Computer Systems & Communication Equipment Software Design
  • 6202.98Managed Cyber Security Services Provider
  • 6311.97Cloud Service & Datacenters Providers

Operating principles

How we work, every day.

  • Open-source by default

    Every line of code we ship is published under MIT. We do not hold capabilities back behind a commercial fork.

  • Self-hosted, always

    Our software runs on your infrastructure. We do not operate hosted services and never see your prompts, targets, or findings.

  • Sandbox everything

    Each tool invocation runs inside an isolated container. Agents never touch the host; egress is filterable per run.

  • No telemetry, no calling home

    We do not collect usage data, do not phone home, and do not maintain bulk-extraction tooling. The only thing we count is GitHub stars.

  • Built for defenders

    We ship for the security teams that protect real systems — not for vendors selling marketing scans or pay-to-unlock features.

Timeline

Since 2025.

  1. Oct 2025
    Incorporated in Meydan Free Zone

    VXControl L.L.C-FZ formed under Trade Licence No. 2538161.01, Government of Dubai.

  2. 2025 Q4
    PentAGI v1.0 + 4 supporting OSS libraries shipped

    Multi-agent pentest platform published on GitHub alongside Kali image, Graphiti Go client, langchaingo fork, and PentAGI taxonomy — all under MIT.

  3. 2026 Q1
    10,000 GitHub stars on vxcontrol/pentagi

    Crossed five-figure community adoption; 10+ LLM providers integrated; 20+ pentest tools sandboxed.

  4. May 2026
    Distributed team formed across three timezones

    Design and growth leadership joined; the team now operates from Dubai, Phuket, and Bucharest at 17.2k+ stars.

Leadership

The people behind VXControl.

VXControl is a privately held studio. Our founder is the sole shareholder and manager of the licensed entity; the team brings together design, engineering, and growth.

  • Dmitrii Nagibin
    Founder & Director
    Dubai, UAE
  • Sergey Kozyrenko
    Head of Design
    Phuket, Thailand
  • Yoraan Reuben
    Sales Growth Lead
    Bucharest, Romania

How it works

An autonomous pentest, end to end.

Every PentAGI run flows through a deterministic multi-agent pipeline — from intent to a structured finding — with sandboxed execution at every step. No human in the loop, no shell on the host.

Orchestrator

Plans the run

Researcher

Recon & search

Developer

Writes exploits

Executor

Runs in sandbox

Report

Structured output

LLM providers
10+
Knowledge graph
Graphiti
Pentest tools
20+
Runtime
Docker
Interfaces
REST + GraphQL
Products·Flagship · Open Source

PentAGI

An autonomous AI-powered penetration testing platform. An orchestrator delegates to research, developer, and execution agents that wield 20+ classic pentest tools inside sandboxed Docker containers, under any major LLM provider.

  • Multi-agent orchestration (orchestrator + researcher + developer + executor)
  • Long-term memory backed by Graphiti / Neo4j
  • 10+ LLM providers (OpenAI, Anthropic, Google, Bedrock, Ollama, DeepSeek, Qwen, GLM, Kimi)
  • REST + GraphQL APIs, Bearer auth, CI/CD-ready
  • Full observability: Grafana, Prometheus, Jaeger, Loki, Langfuse
pentagi.comView on GitHub

Tech stack

  • BackendGo · PostgreSQL · pgvector
  • FrontendReact · TypeScript · Vite
  • RuntimeDocker Compose · Podman
  • LicenseMIT
17.2k+stars on GitHub

as of May 2026

Supporting open source

kali-linux-image
Curated headless Kali Linux Docker images used as the execution layer for PentAGI agents.
Shell
pentagi-taxonomy
Structured taxonomy of vulnerabilities, techniques, and tooling categories used across PentAGI runs.
Python
graphiti-go-client
Go client for the Graphiti knowledge graph that backs PentAGI's long-term memory.
Go
langchaingo
Fork of LangChain for Go with patches required by PentAGI's multi-provider LLM stack.
Go

By the numbers

Last 12 months of growth

As of May 2026

GitHub stars
17.2k+
across vxcontrol/pentagi
LLM providers
10+
OpenAI, Anthropic, Google …
Pentest tools
20+
pre-integrated, sandboxed
Open-source repos
5
PentAGI + supporting libraries

For whom

Built with security practitioners in mind.

Offensive security teams
Automate reconnaissance, vulnerability discovery, and exploit development across full agentic loops, while keeping the workflow on your own infrastructure.
SOC & AppSec engineers
Stand up reproducible internal red-team capabilities, integrate findings with your observability stack, and trigger runs from CI/CD pipelines via REST or GraphQL.
Security researchers
Experiment with agentic AI on real targets in sandboxed environments. Bring your own LLM provider, customize prompts and tool definitions, publish reproducible runs.

Trust & compliance

Built on transparent foundations.

Licensed in Dubai's Meydan Free Zone, operating under permissive open-source licenses, with security controls inherited from the offensive-security community we serve. Documentation available on request.

Meydan Free Zone licence

Verified

Free Zone Limited Liability Company licensed by Meydan Free Zone, Government of Dubai. Trade licence and constitutional documents available on request.

No. 2538161.01

UAE tax registration

Verified

Registered with the UAE Federal Tax Authority. Tax invoices and VAT documentation issued in compliance with UAE federal law.

TRN 105221694000001

MIT open source

Verified

All flagship code — PentAGI, the Kali image, the Graphiti client, the LangChain-Go fork — is published under the MIT License. No tracking, no telemetry, no lock-in.

100% permissive

Sandboxed execution

Verified

Every pentest tool runs inside an isolated container (Docker or Podman). Agents never touch the host. The runtime is fully self-hosted in your infrastructure.

Docker · Podman

Responsible disclosure

Verified

Dedicated security mailbox for vulnerability reports against VXControl-maintained software. Coordinated disclosure with credit, no legal threats.

[email protected]

Authorized testing only

Verified

Use of PentAGI requires explicit, documented permission to test the target. Our Terms of Service make that a contractual obligation — not a recommendation.

TOS-enforced

Trade licence, registration documents, and tax certificates issued on request to [email protected].

Contact our legal desk

Frequently asked

Questions security teams ask first.

Legal, licensing, sandboxing, provider support, and where the company is incorporated — covered here so your procurement and security teams don't have to ask twice.

PentAGI is an autonomous, multi-agent penetration testing platform. An orchestrator agent decomposes a target into sub-tasks and delegates them to specialized research, developer, and execution agents, which together wield 20+ classic pentest tools inside sandboxed Docker containers. Everything runs under your choice of LLM provider, in your own infrastructure, under the MIT License.

Read on GitHubTalk to us

Contact

Get in touch with VXControl.

We respond within one business day. For security disclosures, please use the security alias.

Registered office
VXControl L.L.C-FZ
Meydan Grandstand, 6th floor
Meydan Road, Nad Al Sheba
Dubai, United Arab Emirates
Phone
+1 (650) 648-4895

International calls welcome. Voicemail outside business hours.

Email
[email protected]
  • press@ — media & partnerships
  • legal@ — legal & licensing
  • security@ — responsible disclosure
  • law@ — law-enforcement requests
Business hours
Mon–Fri, 09:00–18:00 GST (UTC+4)

Public holidays in the UAE excluded. Open-source community channels are monitored continuously via GitHub.

Company information

VXControl L.L.C-FZ is a Free Zone Limited Liability Company registered in the Meydan Free Zone, Government of Dubai, United Arab Emirates. Established 2025. Trade license and registration documents available on request to [email protected].

License No.
2538161.01
Tax Registration No.
105221694000001
Licensing Authority
Meydan Free Zone
Formation Date
2 October 2025