Intruder
Automated payload attacks at full speed — four modes, 21 generators, 32 processors, and a Turbo mode with raw-TCP batching.
What it does
four attack modes
Sniper, battering ram, pitchfork and cluster bomb — one position or many at once.
21 generators
Lists, numbers, dates, brute-force and case permutation, composable per position.
32 processors
Encode, hash, prefix/suffix and transform payloads in a chain before they're sent.
Turbo mode
Raw-TCP request batching for race-grade throughput — Community runs it un-throttled.
Prove it's not luck
Mark a position, feed Intruder a payload list, fire a sniper attack and sort by length — the bypasses and the database errors separate themselves from the noise. The auth-bypass lab walks the whole thing.
The rest of the toolkit
Intercepting proxy
Every request your browser makes, on your terms — pause it, rewrite it, release it. HTTP/1.1, HTTP/2, HTTP/3 and WebSocket, with on-the-fly TLS.
Vulnerability scanner
An active and passive scanner that ships free — OWASP and API Top 10, with blind out-of-band detection.
Repeater
Send it once. Change one field. Send it again. The careful, hand-driven probe — request and response side by side, over and over.
AI agent & MCP PRO
Set a budget, hit explore, and an autonomous agent drives every tool over 169 MCP tools — or wire opencode, Cursor or your own agent straight in.
Race conditions PRO
Beat check-then-act windows the proxy can't reach — single-packet attacks, last-byte sync and barrier coordination.
Synaps WASM modules PRO
Extend the scanner without trusting the code — community modules compiled to WebAssembly and run in a hard sandbox.
WAF bypass & antibot PRO
Look like real Chrome to every WAF and anti-bot system — TLS JA3/JA4, HTTP/2 SETTINGS, navigator, WebGL, canvas and fonts all match a coherent browser profile. Challenge scripts execute natively and set the bypass cookie.