🚀 Just launched on Product Hunt

Security scanning
without the BS.

The open-source alternative to Burp Suite + OWASP ZAP. Scan any website for OWASP Top 10 vulnerabilities and get a beautiful report — in seconds.

$ pip install crabguard
Get Pro API Key View on GitHub
$ crabguard scan https://example.com
example.com
Passive scan · 2.3s
74
/100
🔒 Security Headers
70
🍪 Cookie Security
85
🌐 TLS / HTTPS
100
📋 Content Analysis
60
🔍 Info Disclosure
90
● 2 critical ● 3 high ● 4 medium ● 6 low Report saved → report.html
10+
Scanner categories
48
Sensitive paths probed
OWASP
Top 10 coverage
$0
To get started
What it does

Everything Burp Suite does.
None of the friction.

CrabGuard covers the OWASP Top 10 out of the box — passive scanning is free forever, active scanning is Pro.

🔒

Security Headers

Checks CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP and more. Flags missing or misconfigured headers with exact fix snippets.

🍪

Cookie Security

Detects session cookies missing HttpOnly, Secure, or SameSite flags. Flags sensitive cookie names exposed to JavaScript.

🌐

TLS / HTTPS

Validates SSL certificate expiry, hostname match, HSTS preload, and cipher quality. Alerts you before certs expire.

📋

Content Analysis

Catches mixed content, missing SRI on CDN scripts, vulnerable JS libraries (jQuery, Bootstrap, Lodash), and CSRF gaps in forms.

💉

SQL Injection Pro

Error-based and time-based blind SQLi detection across all URL parameters. Covers 8 payload variants per parameter.

Reflected XSS Pro

Injects XSS canary payloads and checks if they reflect in the response — catches the most common XSS attack vector.

🗂️

File Discovery Pro

Probes 48 sensitive paths: .env, .git/config, wp-config.php, swagger docs, Spring Actuator, phpinfo and more.

🔄

SSRF Pro

Tests URL parameters for Server-Side Request Forgery — probes AWS and GCP metadata endpoints, localhost, and internal IPs.

📄

Beautiful Reports Pro for PDF

Score ring, OWASP Top 10 grid, per-category findings with remediation snippets. HTML free, PDF + white-label on Pro.

CLI & Python API

Works how you already work.

Drop-in CLI, Python API, JSON output for CI/CD, and proxy support for Burp Suite integration.

bash
$ pip install crabguard
Successfully installed crabguard-1.0.0
$ crabguard scan https://myapp.com
→ Fetching target...
→ Security headers...
→ Cookie security...
→ TLS / HTTPS...
→ Content analysis...
Score: 74/100 — Moderate Risk
Critical: 2 High: 3
Report saved → crabguard-myapp-20260621.html
# Active scan (Pro)
$ crabguard scan https://myapp.com \
--mode full --consent \
--api-key cg_live_...
# Python API
from crabguard import (
CrabGuardScanner,
CrabGuardConfig,
ScanMode
)
 
# Free passive scan
scanner = CrabGuardScanner(
"https://myapp.com"
)
report = scanner.scan()
scanner.save_report(report, "report.html")
 
# Pro active scan
config = CrabGuardConfig(
api_key="cg_live_...",
active_consent=True
)
scanner = CrabGuardScanner(
"https://myapp.com",
mode=ScanMode.FULL,
config=config
)
report = scanner.scan()
scanner.save_report(report, "report.pdf", fmt="pdf")
Pricing

Start free. Pay when you need more.

The passive scanner is open-source and free forever. Pro unlocks active scanning and PDF reports.

Free

$0 / forever

Open-source. No account needed.

  • Passive scanning (all 5 categories)
  • OWASP Top 10 coverage (passive)
  • HTML reports with CrabGuard branding
  • JSON output for CI/CD
  • Burp Suite / ZAP proxy support
  • Active scanning (SQLi, XSS, SSRF...)
  • PDF reports
  • White-label branding
Install Free

Enterprise

Custom

For security teams and consultancies.

  • Everything in Pro
  • Scan history & dashboard
  • Team seats & role management
  • API access & webhooks
  • Custom report branding
  • SLA + dedicated support
  • Accelerator / startup discounts
Contact Us

Scan your first site
in 30 seconds.

Free. No account. No credit card.

$ pip install crabguard
Get Pro for active scanning →