cyberivy
Tags: Vigolium, AI Security, DevSecOps, Vulnerability Scanner, Open Source, AppSec, AGPL, Agentic AI

Vigolium combines web scanning with agentic security review

June 15, 2026

[Image: dark Vigolium graphic with a security-dashboard look and product branding]

Vigolium is an AGPL web scanner that combines classic modules with agentic code and endpoint analysis. For AppSec teams, the clear risk boundary matters most.

What this is about

Vigolium is an open-source vulnerability scanner for web applications. Help Net Security presented it in May 2026 as a new open-source security tool, and the project is available on GitHub and through its own documentation.

The reason it stands out: Vigolium combines deterministic scan modules with agentic review workflows. It is not only a chatbot reading code, and not only a classic scanner running a list of known checks.

What Vigolium actually does

According to the README, Vigolium offers a Native Scan and several agent modes. The Native Scan ships with more than 235 modules (more than 250 in newer README wording) for active and passive checks. The agent modes can discover endpoints, choose modules, plan scans, triage results and include code audits.

In practice, a team can test a URL, an API or a repository and limit the scan depending on the goal. The documentation shows native scans, Autopilot, Swarm and Audit modes. The license is GNU AGPL v3.0, which matters for companies that modify the tool, distribute it or operate it as a service.

Why it matters

Security teams in 2026 sit between two unsatisfying extremes. Classic scanners are fast and reproducible, but often miss context. LLM-assisted reviews can capture context, but are harder to bound and prove. Vigolium tries to combine both sides: fixed modules for speed and traceability, agents for planning, exploration and triage.

This is not a replacement for penetration tests. It is more useful as a pre-check tool, repeatable AppSec routine and change-focused scanner. The project's own warning is especially important: agent mode runs without a sandbox and can have shell, file and network access on the host. That honesty makes the tool more useful, because teams can contain it properly.

In plain language

Imagine a security walk-through in a building. A normal scanner walks through the rooms with a fixed checklist. An agent also looks at how doors connect, which path an intruder might take and which findings belong together. Vigolium tries to combine both in one inspection.

A practical example

A SaaS team wants to test its authentication area before a release. It runs a Native Scan against https://staging.example.com and limits the agentic scan to auth bypass. The scanner finds 18 signals, the agent triages 5 as relevant and links one API endpoint to a role check in the repository. The team does not get a guarantee, but it gets a better starting list for manual AppSec work.

Scope and limits

  • Agent mode is risky. The project itself warns that there is no sandbox; tests belong in containers or VMs with clear scope limits.
  • LLM-assisted triage can be wrong. Critical findings must be reproduced and manually assessed.
  • The AGPL license is strong. Companies should check the obligations before internal modification, SaaS operation or redistribution.
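A wrapper script, added here as an example and not part of Vigolium or its documentation, that enforces the two mitigations above: an explicit host allowlist for the target and a locked-down container for the agent mode. The image name and the scanner's command-line arguments are placeholders, since this page does not document Vigolium's CLI.

```shell
#!/usr/bin/env bash
# Added example: only run an agent-mode scan inside a hardened container and
# only against hosts on an explicit allowlist. Image name and scanner flags are
# hypothetical placeholders, not Vigolium's real CLI.
set -eu

# Constructed allowlist: the only hosts the agent is permitted to touch.
SCOPE_HOSTS="staging.example.com api-staging.example.com"
IMAGE="vigolium-image-placeholder"   # hypothetical container image

# Extract the lowercase host from a URL of the form scheme://host[:port]/path.
url_host() {
  u="$1"
  u="${u#*://}"        # drop scheme
  u="${u%%/*}"         # drop path
  u="${u%%:*}"         # drop port
  printf '%s' "$u" | tr '[:upper:]' '[:lower:]'
}

# Return 0 if the URL's host is on the allowlist, 1 otherwise.
in_scope() {
  h="$(url_host "$1")"
  case " $SCOPE_HOSTS " in
    *" $h "*) return 0 ;;
  esac
  return 1
}

# Print the docker command that would run the scan: all capabilities dropped,
# no privilege escalation, read-only root filesystem, non-root user, pid/memory/
# CPU caps, and only a reports directory writable. Egress filtering to the
# target alone must be added at the network level and is not shown here.
build_run_cmd() {
  target="$1"
  in_scope "$target" || { echo "refusing out-of-scope target: $target" >&2; return 1; }
  printf 'docker run --rm --cap-drop=ALL --security-opt=no-new-privileges '
  printf -- '--read-only --tmpfs /tmp --user 65534:65534 --pids-limit 256 '
  printf -- '--memory 2g --cpus 2 -v %s:/reports ' "$PWD/reports"
  # "scan --agent --scope ... --output" is a hypothetical argument syntax.
  printf '%s scan --agent --scope %s --output /reports %s\n' \
    "$IMAGE" "$(url_host "$target")" "$target"
}

# Usage: build_run_cmd https://staging.example.com/login
```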


💡 In plain English

Vigolium is a web security scanner with an agent mode. It can run classic tests and also use AI logic to look for relationships, but it should be operated in isolation.

Key Takeaways

  • Vigolium is an open-source web scanner under GNU AGPL v3.0.
  • The tool combines classic scan modules with agentic analysis.
  • The README and documentation describe Native Scan, Autopilot, Swarm and Audit modes.
  • Agent mode can have dangerous host privileges and needs isolation.
  • Findings should be treated as an AppSec starting point, not automatic truth.

FAQ

Is Vigolium a classic scanner?

Partly. It has classic modules, but combines them with agentic scan and audit modes.

Which license does Vigolium use?

The GitHub repository names GNU AGPL v3.0.

Can agent mode run directly on a laptop?

Technically yes, but the project warns that it has no sandbox. A container or VM is sensible.

Does it replace penetration testing?

No. It can prepare work and improve repeatable checks, but it does not replace manual validation.

Sources & Context