The intercepting proxy
Every request your browser makes, on your terms — pause it, rewrite it, release it. HTTP/1.1, HTTP/2, HTTP/3 and WebSocket, with on-the-fly TLS.
What it does
every protocol
HTTP/1.1, HTTP/2, HTTP/3 (QUIC) and WebSocket through one MITM engine, with an auto-generated CA certificate.
intercept & edit
Hold a request or response, edit it by hand, then forward or drop it — interception you can actually read.
match & replace
Rewrite headers and bodies on the wire with rules, so you don't re-edit the same thing on every request.
scope & sitemap
One scope is shared by the scanner, intruder and crawler — and the sitemap builds itself from what flows through.
Native, not a JVM
One native binary — no JVM, no Electron, sub-second startup, low memory. The same engine feeds the scanner, repeater and intruder, so anything in history is one keystroke from any other tool.
The rest of the toolkit
Vulnerability scanner
An active and passive scanner that ships free — OWASP and API Top 10, with blind out-of-band detection.
Repeater
Send it once. Change one field. Send it again. The careful, hand-driven probe — request and response side by side, over and over.
Intruder
Automated payload attacks at full speed — four modes, 21 generators, 32 processors, and a Turbo mode with raw-TCP batching.
AI agent & MCP PRO
Set a budget, hit explore, and an autonomous agent drives every tool over 169 MCP tools — or wire opencode, Cursor or your own agent straight in.
Race conditions PRO
Beat check-then-act windows the proxy can't reach — single-packet attacks, last-byte sync and barrier coordination.
Synaps WASM modules PRO
Extend the scanner without trusting the code — community modules compiled to WebAssembly and run in a hard sandbox.
WAF bypass & antibot PRO
Look like real Chrome to every WAF and anti-bot system — TLS JA3/JA4, HTTP/2 SETTINGS, navigator, WebGL, canvas and fonts all match a coherent browser profile. Challenge scripts execute natively and set the bypass cookie.