Web security proxy

A local-first proxy for modern web security testing.

Crusader captures web app traffic into one local project, then lets you replay, compare, search, scan, import, extend, and automate it without handing your client traffic to a hosted workspace.

HTTP/2 and WebSocket capture Repeater, Comparer, Decoder Read-only SQLite investigation No account for Free

What the proxy is built to do

Crusader is meant for the middle of an authorized web assessment: capturing browser or API traffic, organizing it into a project, and turning interesting requests into proof. The Free tier is the daily driver; Hunter Pro adds active proof workflows, mobile, identity replay, JA3 transport, hosted Beacon, and full automation.

Capture

HTTP traffic with project memory

Requests, responses, headers, bodies, findings, endpoint metadata, and full-text indexes live in one local SQLite project.

Replay

Precise manual testing

Send any exchange to Repeater, edit raw requests or structured views, replay as saved identities, and compare response deltas.

Investigate

Ask questions over history

Use read-only SQL or natural-language query generation to inspect every captured exchange and pivot rows straight into testing tools.

Extend

Plugins and agent tools

Hot-reload JavaScript plugins, expose tools over MCP, and let agents inspect history without automatically firing network actions.

Recommended workflow

Start with a clean project, capture only the authorized target, define scope, then triage the highest-signal requests before you run active proof. This is the safe path for bug bounty, consulting, internal appsec, and product security work.

1. Capture traffic with Crusader as the local proxy
2. Define target scope and trust boundaries
3. Use Site Map, History, SQL, and passive scanner triage
4. Send promising requests to Repeater or identity replay
5. Promote evidenced bugs into findings and reports

How Crusader differs from a basic proxy

The proxy is the base layer, but the advantage is the surrounding workflow: identity-aware replay for authorization bugs, mobile interception, browser-like JA3 transport, plugins, and agent-safe automation over the same project database.

Import

Bring existing traffic

Import Burp, Caido, HAR, and Fiddler SAZ projects so old captures become searchable Crusader workspaces.

Passive first

Scanner triage before proof

Find common web issues from already-captured traffic before sending any active verification request.

Local-first

Traffic stays on your machine

Free uses no account, email signup, or app telemetry. Update checks and license checks are separate from project capture.

Automation

CLI and MCP

Script captures, query history, expose read-only project context to agents, and gate active/write operations by license and scope.

Related topic hubs

Use these pages to navigate the bigger Crusader feature set by the problem you are trying to solve.

Start with the free proxy.

Download Crusader, capture an authorized target, and keep working locally. Start the 14-day Hunter Pro trial inside the app when you want mobile, identity replay, JA3 transport, hosted Beacon, and active proof workflows.

Download Crusader