Tools we build because the work needs them. Some bridge new substrate (Burp ↔ MCP, Kubernetes attack paths, agent recon). Some are sharper takes on commodity primitives (SnailPath replaces the gobuster step; ZenFlood is the modern Slowloris). All open source, all in active use on real engagements, all aligned to the same operating principle: structured, repeatable, reportable.
Model Context Protocol bridge for Burp Suite. Lets an LLM-powered analysis layer reason over live Burp traffic, with prompt-injection and tool-poisoning testing baked in. Designed for operators who already live in Burp and want to bring agentic analysis into the existing workflow rather than around it.
TypeScript / MCP
AI-augmented bug bounty automation. Runs traditional security scanning in parallel with LLM analysis — the LLM triages, ranks, and writes the candidate report; the scanner provides the ground truth. Built for the boring 90% of recon so you can spend your time on the interesting 10%.
Python · LLM
Red-team Kubernetes scanner. Walks the cluster from an unprivileged service account perspective, enumerates misconfigurations and attack paths (RBAC bindings, mountable secrets, hostPath escapes, kubelet exposures), and emits a graph of how to escalate. Pairs with the AATMF Toolkit's container chapter.
Go
Autonomous credential intelligence platform for attack-surface recon. Continuously crawls public sources, correlates leaked credentials with target organizations, and surfaces the small subset that actually validates. Designed to feed an offensive program — not a generic threat-feed firehose.
Python · async
Passive recon extension. Surfaces security headers, IP intel, fingerprinted technologies, and CPE→CVE enrichment as you browse. Zero active probes — everything is read from the response you already received. Ideal for sales-engineer-style recon during scoping calls.
Chrome MV3
Async directory and route discovery. HTTP/2 native. Soft-404 suppression learned per-target. Mines JS bundles and source maps for endpoints that wordlists will never find. Built to replace the gobuster step in our recon pipeline.
Python · HTTP/2
Modernized Slowloris. Low-bandwidth stress testing for HTTP/1.1 and HTTP/2. Useful for testing how a service degrades under realistic adversarial load — single laptop, no botnet, no plausible deniability problems.
Python
Structurally-aware code obfuscation engine. Operates on the AST, not strings — preserves semantics across renames, control-flow flattening, and constant unfolding. Built for offensive payload work and adversarial-evaluation research, not for shipping production code.
AST-based · multi
Curated OSINT resource collection for offensive recon. Opinionated, maintained, pruned. Not the maximalist 'awesome-everything' list — only the sources that consistently turn up actionable intelligence on real engagements.
list
Every tool here exists because an engagement hit a wall that an existing tool couldn't get through. None of them are speculative.
If a good tool already exists for the job, we use that one. We only ship a new tool when the existing options have a structural limitation — wrong protocol, wrong threat model, wrong abstraction.
Every tool produces output that maps cleanly back to AATMF / SEF / P.R.O.M.P.T tactics. Reports stay consistent across the whole stack.
We'd rather ship 9 sharp tools you can read end-to-end than 1 monolithic platform you have to take on faith.