Local-first proxy security. Your data stays with you.
Crusader is a desktop app that captures to a database on your own machine, with no product telemetry. Here's exactly what happens to your data, how we keep builds trustworthy, and how to report a security issue — no vague reassurances.
Where your data lives
The most honest security statement a proxy can make is "your traffic stays with you." Crusader is built that way from the ground up.
Captures stay on your machine
Every intercepted request and response lives in a per-project SQLite database under your home directory. There is no cloud sync and nothing is uploaded by default.
We don't watch you work
No product analytics, no usage tracking, no session recording. The Free tier requires no account at all — nothing to sign up for, nothing to leak.
What ever leaves — and why
Optional software-update checks (a version number) and license validation (your key). Team Mode and Review share only the redacted data you configure; hosted Beacon receives only the OAST callbacks you generate. That's the complete list.
Everything over TLS
The few service calls Crusader makes — updates, licensing, opt-in team features — go over TLS. Your captured target traffic never touches our servers in the first place.
Build integrity
We publish a SHA-256 checksum for every installer at /download/SHA256SUMS.txt — verify your download before you run it. Because Crusader intercepts your traffic, you should be able to prove the binary you're trusting is the one we shipped. If a checksum ever doesn't match, don't run it, and tell us.
Responsible use is built in
Crusader is a tool for authorized security testing. Its safety model keeps active scans and identity replay pointed only at hosts you've marked in scope and that aren't internal/reserved ranges — so the powerful parts can't accidentally fire at something you don't own. Use it only against systems you're authorized to test. Read the scope & safety guide and the terms.
Found a vulnerability in Crusader?
Email [email protected] with the details and clear steps to reproduce. We investigate every report, keep you updated on the fix, and credit researchers who report in good faith. Please give us a reasonable window to remediate before public disclosure — and never test against other people's Crusader deployments or our infrastructure without permission.
Buying for a regulated team?
We'll complete a security review or vendor questionnaire, and Crusader can run self-hosted or fully air-gapped — the team server and the Beacon OAST server both run on your own infrastructure. See Crusader for Enterprise or email [email protected].
Security FAQ
Does Crusader send my captured traffic anywhere?
No. Captured requests and responses live in a SQLite database on your own machine. Nothing is uploaded unless you explicitly turn on a feature that needs it — Team Mode (shares only the redacted data you configure) or the hosted Beacon OAST server (receives only the out-of-band callbacks you generate).
Is there any telemetry or analytics?
No product analytics or usage telemetry. The app's only outbound calls are optional software-update checks and license validation; the Free tier needs no account at all.
How do I report a security vulnerability?
Email [email protected] with details and steps to reproduce. We investigate every report, keep you updated, and credit good-faith researchers. Please allow a reasonable window to fix before public disclosure.
Can I run Crusader air-gapped or self-hosted?
Yes. The app is local-first, and you can self-host both the Beacon OAST server and the team workspace server on your own infrastructure — suitable for regulated or air-gapped environments. Enterprise deployments include a security review.
Do you hold SOC 2 or ISO 27001 certification?
Not yet — we're an early-stage company and won't claim certifications we don't hold. What we offer today is an honest architecture (local-first, your data stays on your machine, no telemetry) and a willingness to complete an enterprise security review or vendor questionnaire on request. Contact us and we'll work through it.
Trust, by architecture.
Your traffic stays on your machine. Report an issue, or ask us anything about how Crusader handles data.