every protocol
HTTP/1.1, HTTP/2, HTTP/3 (QUIC) and WebSocket through one MITM engine, with an auto-generated CA certificate.
Every request your browser makes, on your terms — pause it, rewrite it, release it. HTTP/1.1, HTTP/2, HTTP/3 and WebSocket, with on-the-fly TLS.
HTTP/1.1, HTTP/2, HTTP/3 (QUIC) and WebSocket through one MITM engine, with an auto-generated CA certificate.
Hold a request or response, edit it by hand, then forward or drop it — interception you can actually read.
Rewrite headers and bodies on the wire with rules, so you don't re-edit the same thing on every request.
One scope is shared by the scanner, intruder and crawler — and the sitemap builds itself from what flows through.
One native binary — no JVM, no Electron, sub-second startup, low memory. The same engine feeds the scanner, repeater and intruder, so anything in history is one keystroke from any other tool.
An active and passive scanner that ships free — OWASP and API Top 10, with blind out-of-band detection.
Send it once. Change one field. Send it again. The careful, hand-driven probe — request and response side by side, over and over.
Automated payload attacks at full speed — four modes, 21 generators, 32 processors, and a Turbo mode with raw-TCP batching.
Set a budget, hit explore, and an autonomous agent drives every tool over 162 MCP tools — or wire Claude Code, Cursor or your own agent straight in.
Beat check-then-act windows the proxy can't reach — single-packet attacks, last-byte sync and barrier coordination.
Extend the scanner without trusting the code — community modules compiled to WebAssembly and run in a hard sandbox.