Autonomous pentest agents are proliferating fast. We ship two today — pentagi and strix — and we're tracking another seven on the open-source page. Tachi is one of those seven, and it's worth a closer look.
davidmatousek/tachi is an MIT-licensed autonomous penetration testing agent. What makes it interesting isn't any single capability — it's the closed loop. Most OSS pentest tools stop after recon, or specialize in exploitation, or focus on post-exploitation reporting. Tachi runs the full lifecycle in one autonomous agent: vulnerability detection, exploitation attempt, and post-exploitation reconnaissance — feeding each phase into the next.
Where Tachi Sits in Our Roster
On the /open-source dashboard, tachi appears in OSS · 04 (Autonomous pentest, gated) under a Deferred pill. That's a deliberate label, not a placeholder. Here's what it means in practice:
The pentest_agent meta-connector ships with two providers in its dispatch table — pentagi and strix. Both have published Docker images pinned by digest, sandbox profiles tested in production, and customer engagements behind them. Tachi has all the right shape, but until a customer asks us to enable it, we don't speculatively wire its image into PROVIDER_IMAGES. Adding placeholder entries without a verified Docker build silently fails — image-pull errors surface as confusing "container exited" messages instead of a clean "provider not enabled."
So tachi today: connector entry exists, dashboard surfaces it, the policy bundle covers it. The dispatch wiring activates the moment a real engagement requires it.
How ARX Supports Tachi
The interesting part of this post: when tachi is enabled, the governance layer around it is not bespoke. Tachi inherits the same controls every autonomous pentest agent inherits. Here's the wrap:
The pentest_agent meta-connector pattern. Tachi plugs in as one provider next to pentagi and strix — same operations (recon:run, scan:run, exploit:run), same policy ruleset, same audit shape. Your security team writes the rules once; the rules apply to every provider. No per-tool retraining of risk classification.
Hard governance gates baked into the connector. Before any tachi operation can run, the connector itself enforces four refusals — these aren't suggestions, they're early returns:
authorization_artifact— a signed scope document URI is required. Refuses to run without it._session_context.initiated_by_user_id— every op must have an attributable human initiator. Autonomous unattended runs are denied at the connector layer.max_llm_spend_usd— numeric ceiling enforced before invocation. Stops a runaway exploitation loop from racking up a $10k OpenAI bill.exploit:runauto-ESCALATEs — the policy engine routes exploitation operations to a human reviewer by default; the connector still enforces its own gates after PERMIT.
Sandboxed runtime. Tachi runs under the community-oss sandbox profile: no host volume mounts, scoped LLM API keys (not your shared org key), container image pinned by digest in production, and network egress controlled per workflow. The agent can do its job; it can't reach what it shouldn't.
Immutable audit trail. Every recon, scan, and exploit op gets logged with the runtime call graph, the LLM spend total, the signed authorization artifact reference, and the human reviewer ID if escalation occurred. When your CISO or auditor asks "what did this agent actually do," there's one source of truth.
Free ARX for Anyone Running Tachi
The same offer from our previous open source post applies here: any organization running tachi (or any of the OSS pentest agents we list) gets a free ARX seat with the full governance wrapper around it. Free seat. No credit card. No trial clock.
The only thing standing between an MIT-licensed autonomous pentest agent and enterprise deployment is an audit trail, a policy layer, and a sandbox. ARX provides all three. Tachi provides the actual offensive testing.
How to Get Started
If you want tachi enabled in your ARX workspace, email mershard@arxsec.io with the scope you'd like to test. We'll spin up a 14-day workspace, wire tachi into PROVIDER_IMAGES with a verified digest-pinned image, sign the authorization artifact, and put it under your team's policy controls. Day 14 you have a working autonomous pentest with a compliance package generated from its actual runtime.
— Mershard J.B. Frierson, Founder · ARX · mershard@arxsec.io · 945-372-8711