Open-source Burp-Suite-class desktop pentest suite.

Everything in one suite

Pentest-grade tooling, modern UX

Each module is built from scratch in Rust + React. No Burp plugins, no Java runtime — just a single native binary that boots in under a second.

01 / Capture · Edit · Forward

Intercepting Proxy

HTTPS · WebSocket · JA3 / JA4 impersonation
Full HTTPS interception with on-the-fly request and response editing, match & replace rules, a body-bridge for binary payloads, WebSocket capture, and Chrome JA3 / JA4 TLS impersonation so origin servers see the fingerprint of a real browser rather than a vanilla reqwest stack.
02 / Craft · Send · Compare

Repeater

Multi-tab editor · per-tab history
Multi-tab request crafting with per-tab history. Native JSON, form, hex and params editors. Copy as cURL, Python, Node fetch — each with the real headers and body, ready to drop into your scripts.
03 / Fuzz · Cluster · Score

Intruder & Scanner

grep-rules · response clustering · scope
Payload fuzzing with grep-rules, response clustering, and a scope-aware active scanner. Turbo-mode for high-volume runs, with built-in throttling so you don’t trip the WAF on hostile targets.
04 / Connect · SYN · UDP

Port Scanner

adaptive timing · idle scan · CDN exclude
Service banner-grab, adaptive timing, idle scan, CDN exclude. A 3-layer smart FIFO cap so scanning 65k ports across N hosts never OOMs the renderer: the engine drops closed/filtered entries first, and open ports survive longest.
05 / Map · Enumerate · Recon

Site Map & Discovery

subdomains · content · params · JS audit
Live tree from proxy traffic, subdomain enumeration, content discovery with wordlists, hidden-parameter discovery, JS library audit and link finder — everything you need to map a target before you point Intruder at it.
06 / Entropy · Randomness

Sequencer

hex / base64 / base64url auto-detect
Token entropy analysis with encoding auto-detect (hex, base64, base64url). FIPS 140-2 + NIST SP 800-22 randomness tests, plus lag-1 autocorrelation to flag a broken RNG the moment it leaks sequential predictability.
07 / Decode · Inspect · Test

Tools & Codec

JWT · regex · hash · IP utils · headers
Smart decoder, JWT inspector, hash bench, regex tester, IP utils, password generator, header analyzer. Ten tabs of standard pentest utility in one place — no more flipping between five browser windows of CyberChef and online JWT debuggers.
08 / OOB · Blind · Async

OAST & Sessions

blind SSRF / XSS · cookie jar · auth macros
Out-of-band testing for blind SSRF / XSS, header-everywhere payloads that fan into 14+ HTTP headers (Referer, X-Forwarded-For, …). Session cookie jar plus macros for auth refresh, with per-project match & replace rules attached.
09 / Persist · Restore · Snapshot

Project Workspace

30 s autosave · crash recovery · scoped state
Per-project state on disk: traffic, findings, scope, repeater tabs, port-scan config. 30-second autosave, restore-on-open, never lose a draft. Open a different project and the workspace swaps cleanly — no cross-project leakage.
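
The Sequencer check described under module 06, as an added example that is not WonderSuite's own code: it auto-detects hex / base64 / base64url, maps each token to an integer, and computes the lag-1 autocorrelation of the series. The function names, the 0.3 cutoff and both sample token sets are assumptions constructed for this illustration.

```python
import base64
import binascii
import re
import secrets


def decode_token(tok):
    """Guess the encoding and return (name, raw bytes).

    Hex is tried first because every hex string is also valid base64.
    """
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", tok):
        return "hex", bytes.fromhex(tok)
    body = tok.rstrip("=")
    padded = body + "=" * (-len(body) % 4)
    try:
        if re.fullmatch(r"[A-Za-z0-9+/]+", body):
            return "base64", base64.b64decode(padded, validate=True)
        if re.fullmatch(r"[A-Za-z0-9_-]+", body):
            return "base64url", base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"undecodable token: {tok!r}") from exc
    raise ValueError(f"unknown encoding: {tok!r}")


def lag1_autocorrelation(tokens):
    """Correlation between each token's integer value and the next one's."""
    xs = [float(int.from_bytes(decode_token(t)[1], "big")) for t in tokens]
    mean = sum(xs) / len(xs)
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0:
        return 1.0  # identical tokens are fully predictable
    return sum((a - mean) * (b - mean) for a, b in zip(xs, xs[1:])) / var


def looks_sequential(tokens, cutoff=0.3):
    """cutoff is an assumed threshold for this example, not a standard value."""
    return abs(lag1_autocorrelation(tokens)) > cutoff


def sample_tokens(n=400):
    """Constructed samples: CSPRNG tokens vs. a counter rendered as hex."""
    healthy = [secrets.token_hex(16) for _ in range(n)]
    weak = [f"{1_000_000 + i:032x}" for i in range(n)]
    return healthy, weak


if __name__ == "__main__":
    for name, toks in zip(("healthy", "weak"), sample_tokens()):
        r = lag1_autocorrelation(toks)
        print(f"{name}: r1={r:+.3f} sequential={looks_sequential(toks)}")
```

A counter-derived token series scores close to +1, while CSPRNG output stays near 0; a low score alone does not prove a generator is sound, which is why the suite pairs it with the FIPS 140-2 and NIST SP 800-22 tests.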
For AI Agents

Drop one URL.
Your agent gets every tool.

WonderSuite ships an embedded Model Context Protocol server. Every module — proxy, repeater, scanner, port-scanner, recon — becomes a tool your AI agent can call directly. No glue scripts, no API keys, no plugins.

claude mcp add wondersuite http://127.0.0.1:3100/mcp

Works with Claude Code · Cursor · Windsurf · Gemini-CLI · any MCP client.

Once connected, the agent can
  • read the accessibility tree of any page the bundled browser visits
  • send the currently-selected request straight to Repeater or Intruder
  • run an active scan against the discovered scope, return findings as structured JSON
  • decode every JWT in traffic, verify signatures, flag alg:none
  • pull subdomains via crt.sh / wayback / hackertarget — deduped, scope-filtered
  • race the same request 100× to surface TOCTOU bugs
  • fuzz an endpoint with a custom wordlist + grep-rule
  • generate a Markdown findings report ready to drop into the engagement deliverable

91 tools total — the full list lives in mcp/mod.rs.

Get the latest build

One installer per platform

Builds are produced by GitHub Actions and signed where the platform supports it. The desktop app auto-updates from the GitHub Releases feed — no telemetry, no account.

Or grab any asset from GitHub Releases. Latest tag: v0.3.20

Live from GitHub

Changelog

Fetched live from github.com/sfr-development/WonderSuite-Ai-Bug-Bounty.

Full markdown source in CHANGELOG.md.

Powered by SFR Development

WonderSuite is designed, built and maintained by SFR Development. Visit sfr-development.de for more projects.