Investigate and read-only SQL

~7 min - Free - SQLite - FTS5 - BYO model optional

The short version. Every Crusader project lives in one local SQLite file. The Investigate screen and crusader sql let you query captured exchanges, findings, endpoint_meta, Beacon tables, and Burp-import staging with read-only SQL. Type raw SQL, or ask in natural language and your configured bring-your-own model writes the SELECT for you. The generated SQL is shown before it runs, writes are blocked twice, and result rows can pivot straight into Repeater or an exchange viewer.

01 The project database

The whole project is stored in one SQLite database under your local Crusader workspace. The main table is exchanges, with an exchange_fts FTS5 index for fast body/header search. The same file also holds findings, endpoint metadata, Beacon evidence, WebSocket data, request activity, and import staging tables.

Table family | What it is for
exchanges | Captured HTTP traffic: method, URL, host/path/query, status, headers, decoded bodies, raw blobs, timing, tags, and hashes.
exchange_fts | FTS5 index across URL parts, request/response headers, and request/response bodies.
findings | Local finding records, evidence links, and review state.
endpoint_meta | Site Map intelligence such as endpoint templates, auth hints, and ID-shaped paths.
beacon_* | Out-of-band payloads, sessions, callbacks, and proof data.
burp_import_* | Temporary/imported rows from Burp projects and related import flows.

Confirm the live set with crusader sql tables. The database evolves with the app, so the running project is the source of truth.

02 The crusader sql CLI

The CLI exposes the same database as JSON on stdout:

crusader sql tables
crusader sql schema exchanges
crusader sql query "SELECT host, COUNT(*) n FROM exchanges GROUP BY host ORDER BY n DESC LIMIT 20"

Only SELECT, WITH, EXPLAIN, and PRAGMA statements are allowed. Writes are rejected by a SQL gate and by a read-only SQLite connection. That means a bad query can fail or return nothing, but it cannot mutate the project.

This is local database analysis, not SQL injection testing. crusader sql never touches a remote host; it only reads the project file on your machine.
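
Why two layers rather than one, shown as an added example (not Crusader's code): the keyword gate here is an assumed first-keyword check, and the three-row project file is constructed. A statement that begins with WITH can still end in a write, so the connection opened with mode=ro is what keeps the file unchanged.

```python
import os, re, sqlite3, tempfile
from pathlib import Path

ALLOWED = {"SELECT", "WITH", "EXPLAIN", "PRAGMA"}  # the four statement types the page lists

def gate(sql):
    """Layer 1 (assumed design): a single statement whose first keyword is allowed."""
    body = sql.strip().rstrip(";")
    if ";" in body:                      # crude: also rejects ';' inside string literals
        return False
    first = re.match(r"[A-Za-z]+", body)
    return bool(first) and first.group(0).upper() in ALLOWED

def make_sample_project():
    """Constructed three-row stand-in for a project file; not the real schema."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE exchanges (id INTEGER PRIMARY KEY, host TEXT, status INTEGER)")
    db.executemany("INSERT INTO exchanges (host, status) VALUES (?, ?)",
                   [("app.example", 200), ("app.example", 500), ("cdn.example", 200)])
    db.commit()
    db.close()
    return path

def run_readonly(path, sql):
    """Apply the gate, then execute on a connection opened with mode=ro (layer 2)."""
    if not gate(sql):
        return "rejected-by-gate", None
    db = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        return "ok", db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:  # SQLite refuses writes on a read-only handle
        return "rejected-by-connection", str(exc)
    finally:
        db.close()

if __name__ == "__main__":
    project = make_sample_project()
    for q in ["SELECT host, COUNT(*) n FROM exchanges GROUP BY host ORDER BY n DESC",
              "DELETE FROM exchanges",
              # Starts with WITH, so a first-keyword gate lets it through:
              "WITH d AS (SELECT id FROM exchanges) DELETE FROM exchanges WHERE id IN (SELECT id FROM d)",
              "SELECT COUNT(*) FROM exchanges"]:
        print(run_readonly(project, q))
    os.remove(project)
```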

03 Fast full-text search

Use exchange_fts MATCH '<terms>' when you are searching words in request or response bodies and headers. Join on exchange_fts.rowid = exchanges.id to pull full exchange metadata:

crusader sql query "SELECT e.id, e.method, e.url, e.status FROM exchange_fts JOIN exchanges e ON e.id = exchange_fts.rowid WHERE exchange_fts MATCH 'password reset' ORDER BY e.id DESC LIMIT 50"

FTS is usually faster and more relevant than scanning decoded bodies with LIKE. Keep LIKE for punctuation-heavy patterns such as traversal strings, exact URL fragments, or non-word delimiters.
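
How FTS5 matching differs from LIKE on the patterns mentioned above, as an added example rather than Crusader's own code. The four rows and the two-column exchange_fts layout are constructed for illustration, and the default FTS5 tokenizer is assumed.

```python
import sqlite3

def build_db():
    """Constructed stand-in; response_body and the FTS column set are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE exchanges (id INTEGER PRIMARY KEY, method TEXT, url TEXT,
                                status INTEGER, response_body TEXT);
        CREATE VIRTUAL TABLE exchange_fts USING fts5(url, response_body);
    """)
    rows = [
        (1, "POST", "https://app.example/account/password/reset", 200,
         "Password reset email sent"),
        (2, "GET", "https://app.example/download?file=../../etc/passwd", 400,
         "invalid path"),
        (3, "GET", "https://app.example/help", 200,
         "Reset your router, then retype the password"),
        (4, "GET", "https://app.example/docs/etc/passwd-policy", 200, "ok"),
    ]
    db.executemany("INSERT INTO exchanges VALUES (?, ?, ?, ?, ?)", rows)
    db.execute("INSERT INTO exchange_fts (rowid, url, response_body) "
               "SELECT id, url, response_body FROM exchanges")
    return db

def fts_ids(db, match):
    """Exchange ids whose indexed text satisfies an FTS5 MATCH expression."""
    sql = ("SELECT e.id FROM exchange_fts JOIN exchanges e ON e.id = exchange_fts.rowid "
           "WHERE exchange_fts MATCH ? ORDER BY e.id")
    return [r[0] for r in db.execute(sql, (match,))]

def like_ids(db, pattern):
    """Exchange ids found by a literal substring scan of URL and body."""
    sql = "SELECT id FROM exchanges WHERE url LIKE ? OR response_body LIKE ? ORDER BY id"
    return [r[0] for r in db.execute(sql, (pattern, pattern))]

if __name__ == "__main__":
    db = build_db()
    # Bare terms are ANDed and may sit anywhere in the row, in any order.
    print(fts_ids(db, "password reset"))
    # Double quotes inside the expression require the tokens to be adjacent.
    print(fts_ids(db, '"password reset"'))
    # The tokenizer drops '.', '/' and '-', so this phrase is just: etc passwd.
    print(fts_ids(db, '"../../etc/passwd"'))
    # LIKE compares raw characters, so only the traversal request matches.
    print(like_ids(db, "%../%"))
```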

04 The Investigate screen

In the GUI, open Investigate. It has two paths:

  • Ask - write a plain-English question. Crusader asks your configured model to produce one read-only SQL statement, shows the SQL, and then runs it only through the same read-only gate.
  • SQL - type the raw query yourself. No model is needed.

Results are not dead tables. Rows with exchange IDs can jump into Repeater for manual replay, or pop out into the cycling exchange viewer so you can inspect surrounding captures without losing the query context.

05 Natural-language queries

Natural-language Investigate is bring-your-own model. Use a local OpenAI-compatible server such as Ollama, llama.cpp, LM Studio, vLLM, or your own hosted provider key. The raw SQL surface does not require a model.

  • Generated SQL is visible. The model writes the SELECT; you see what will run.
  • The database stays read-only. The same SQL gate and read-only connection are used for generated and hand-written SQL.
  • No hosted AI credits are bundled. Crusader does not silently include or spend model credits. Enterprise can arrange hosted AI separately.

06 Example queries

Top captured hosts

crusader sql query "SELECT host, COUNT(*) n FROM exchanges GROUP BY host ORDER BY n DESC LIMIT 20"

Status distribution by host

crusader sql query "SELECT host, status, COUNT(*) n FROM exchanges GROUP BY host, status ORDER BY n DESC LIMIT 50"

Recent server errors

crusader sql query "SELECT id, method, url, status FROM exchanges WHERE status >= 500 ORDER BY id DESC LIMIT 50"

Full-text search for secrets

crusader sql query "SELECT e.id, e.url, e.status FROM exchange_fts JOIN exchanges e ON e.id = exchange_fts.rowid WHERE exchange_fts MATCH 'api_key OR token OR secret' LIMIT 50"

Duplicate response bodies

crusader sql query "SELECT body_hash, COUNT(*) n, MIN(url) sample FROM exchanges WHERE body_hash != '' GROUP BY body_hash HAVING n > 1 ORDER BY n DESC LIMIT 25"

07 Tiers and boundaries

Investigate is part of the Free daily-driver surface: local proxy, history, Repeater, Decoder, Comparer, full local Site Map, read-only SQL, natural-language query generation with your own model, community plugins, basic CLI, read-only MCP, passive scanner checks, commercial use, and up to 10 active Match & Replace rules.

Hunter Pro adds the active and automation layer: hosted Beacon, active scanning/proof replay, Site Map smart auth/IDOR flags, mobile/Frida, JA3 transport, identity replay, full MCP and automation CLI, reporting, and advanced plugin APIs. Squad and Team Pro add team workspace controls on top.
