Public beta now open: Gorgon Scout is free to download.

Smarter Application Security Testing

Gorgon Scout is a Windows-native DAST platform with broad OWASP coverage and none of the usual setup friction: no proxy configuration, no PAC files, no trust-store dialogs. Its built-in AI integration brings professional web-application security testing within reach of nearly everyone in the software lifecycle: developers, QA testers, DevOps, and security professionals.

Transparent interception, an intelligent crawler, a signed scriptlet library with 90+ OWASP-mapped probes, and an MCP server that lets your favourite agentic platform drive scans end to end.

Gorgon Scout intercepting and analysing application traffic
  • 90+ signed OWASP-mapped probes
  • 3 HTTP versions intercepted
  • 7,500+ technology signatures
  • 4 AI surfaces in the kill chain

Why Scout

Three things make Scout different. They compound.

Zero-Config Capture

Network-layer interception means no PAC files, no --proxy-server switches, and no per-browser trust-store rituals. Open the app, name the target, hit record. HTTP/1.1, HTTP/2, HTTP/3, and WebSocket are all on by default.

MCP Server Out of the Box

Scout ships with an MCP server that exposes the full workflow as tools. Drive every step from your agent: profile creation, AI auto-record, scan execution, post-scan analysis, and report delivery. No glue code.

Field-Aware Probes

Every payload is gated on parameter type, name pattern, and authorisation tier. SQLi-auth-bypass never lands on a name field. Numeric boundaries never touch a UUID. The result is high signal, low noise.

Agentic-Native

An MCP Server, Right Out of the Box

Scout ships with an MCP server built in, so your favourite AI assistant can run it for you. Ask in plain language, for example “scan my web app at staging.example.com”, and the assistant drives the whole workflow: it sets up the target profile, records the app, runs the scan, and hands back a Word report. You do not need to be a security specialist to get a professional result.

That puts serious web-application security testing within reach of the whole delivery team, not just pen-testers. Developers, QA, and DevOps can run a professional scan by simply asking the assistant, and security professionals can take the findings further with deeper AI analysis. Under the hood the server exposes Scout as typed tools over the Model Context Protocol, so the agent receives structured progress and findings, never screen-scraped text.

  • Operator-confirmed scope and authorisation, captured in chat
  • AI auto-record with adaptive credential prompts
  • Live progress and findings returned as structured tool results
  • Word-format report path returned at completion
  • Optional post-scan AI analysis and synthesised probes

Agentic AI platform driving Gorgon Scout via its bundled MCP server
Transparent Capture

Network-Layer Interception, Every Protocol

Scout sits below the browser's user-space proxy configuration. There is no PAC file to debug, no --proxy-server switch to remember, and no Firefox trusted-CA dance. VPN tunnels and corporate adapters are intercepted identically to direct traffic.

  • HTTP/1.1, HTTP/2, and HTTP/3 (QUIC) intercepted natively
  • WebSocket frame-level capture on plain and TLS connections
  • Domain mode follows a site across its CDN and login subdomains, no manual host list
  • IPv4 and IPv6 targets intercepted natively
  • Per-port and per-process scoping for shared hosts and native apps
  • Per-domain consent screen for explicit testing authorisation
  • Self-signed cert generation and one-click trust-store setup
Scout transparently intercepting application traffic at the network layer
Intelligent Crawler

An App-Aware Browser, Not a Link Spider

Scout drives a real Chromium via Playwright. The DOM renders, JavaScript executes, lazy-loaded routes fire. Every XHR, fetch, and form submit is captured before it leaves the browser, with the exact method, body, content-type, header set, and CSRF tokens.

  • Route-interception capture with full request fidelity
  • Hash-route enumeration for React, Angular, and Vue routers
  • Path-route enumeration plus semantics-tree walking on Flutter web
  • Semantic input filling with proper InputEvent dispatch
  • Cross-page form-identity dedup so portal navs are exercised once
  • Dangerous-path filter on logout, delete, purge, and reset URLs
Scout's headless Chromium crawler walking a single-page application

Built for Modern Stacks

Full support across single-page apps, classic multi-page apps, and pure-API targets.

SPAs

React, Preact, Angular, AngularJS, Vue, and Nuxt are first-class targets. Hash-route enumeration and XHR promotion turn client-side routers into scan surface.

Flutter Web

Detects Flutter via custom-element and library signatures. Walks the hidden semantics tree on CanvasKit and clicks every tappable widget, where traditional crawlers find nothing.

REST and GraphQL

API mode skips the crawler and works from recorded traffic plus an OpenAPI 3.x spec. GraphQL gets introspection, query-field mutation, depth bombs, and batch rate-limit bypass.

Real-Time Transports

Socket.IO and long-polling transports are captured via WebSocket MITM. Server-Sent Events are captured as streaming HTTP/1.1 responses.

Backend-as-a-Service

Browser-origin calls to managed backend platforms are surfaced for explicit per-host scan authorisation, then probed for rule misconfigurations: anonymous read, anonymous write, anonymous delete.

Static and Multi-Page

Classic link extractor and form enumerator. Select-option iteration turns a 20-option dropdown into 20 form submits to capture every dispatcher endpoint.

Four AI Surfaces

AI Across the Kill Chain

Scout integrates AI at four distinct points across the kill chain, shown here. Each surface answers a different question, runs at a different cost tier, and is independently optional. Free-plan operators run the full scan pipeline without invoking any of them.

Synthesised probes remain reviewable, signature-gated, and tier-labelled before they fire. The operator stays in control end to end.

Four AI surfaces across the Scout kill chain: auto-record, triage, attack planner, deep planner

AI That Keeps Your Scans Current

The four surfaces above run during a scan. Scout's AI also works between scans: every night the backend reviews newly published CVEs and the latest CWE catalogue, finds gaps in its own probe library, and drafts new tests to close them. Your next scan covers threats that did not exist when you installed.

Daily CVE and CWE Review

Every night the backend pulls the latest NVD CVE feed and the MITRE CWE catalogue, alongside vulnerable-library and technology fingerprints. Scout's intelligence refreshes on a schedule, so coverage never quietly goes stale.

Autonomous Probe Synthesis

When a testable weakness has no probe, Scout drafts a new one with AI and forces it through hard safety gates: non-destructive mutations only, safe-tier payloads, capped scope, and a medium-severity ceiling until it earns confirmed findings. Nothing destructive ever ships automatically.

Signed, Gated, Live Next Scan

Generated probes are Ed25519-signed with a dedicated AI-synth key, flagged as machine-generated, and deployed to the cloud library as passive canaries. They appear the next time you scan, with no app update and no redeploy.

OWASP Coverage

90+ signed scriptlets cover every OWASP Top 10 2021 category and the OWASP LLM Top 10 2025 to varying depth.

A01 Broken Access Control

Auth-scope probes, HTTP verb tampering, path traversal, IDOR with observed-id mining from the recording, and three rule probes for managed backend platforms.

A03 Injection

SQL injection across five variants, NoSQL, LDAP, XPath, OS command, reflected and stored XSS, server-side template injection with multi-engine detection, header injection, parameter pollution, and XXE.

A05 Misconfiguration

Security headers, cache-control audit, host header injection, CORS misconfig and null-origin, deep CSP audit, error disclosure, deprecated API versions, and subdomain takeover fingerprinting.

A07 Authentication Failures

JWT alg confusion and weak key, CSRF token absence and cross-origin, credential dictionaries, MFA bypass via cookie strip, OAuth state, PKCE downgrade, code reuse, and WebSocket cross-origin hijack.

A10 SSRF and Cloud

Generic SSRF, cloud-metadata SSRF across AWS, GCP, Azure, Kubernetes, Alibaba, and DigitalOcean, plus Log4Shell JNDI with five obfuscation variants and HTTP request smuggling.

OWASP LLM Top 10

Five tier-gated probes against LLM-input-shaped requests: canary echo, system-prompt leak, jailbreak, out-of-band fetch (Excessive Agency), and indirect injection via poisoned-document RAG.

API and GraphQL

Introspection probe, 15-deep recursive traversal with 100-alias bomb, and 20-element batched-query rate-limit and account-lockout bypass.

Vulnerable Components

69 libraries, 613 known-vulnerable version bands, CVE references on every match. Plus 7,500-plus technology signatures with explicit evidence strings and CPE identifiers.

Secrets and Data Exposure

Live secret scan across a broad vendor-pattern library: AWS keys, GCP keys, Stripe keys, SSH private keys, GitHub PATs, leaked JWTs, and high-entropy generic secrets.
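The following is an added example of how a live secret scan of this kind can be structured; it is not Gorgon Scout's code. It combines the publicly documented shapes of an AWS access-key id and a GitHub classic personal access token with a Shannon-entropy check for generic secrets. The entropy threshold, the masking rule, the token character class and the sample body are assumptions made for the illustration (Node.js):

```javascript
// Added example (not Gorgon Scout's code): a live secret scan over a response
// body, combining vendor key patterns with a Shannon-entropy check for generic
// secrets. The two vendor patterns are the publicly documented AWS access-key-id
// and GitHub classic-PAT shapes; everything else here is an assumption.

// Vendor patterns: fixed prefix plus fixed-length body, anchored on word boundaries.
const VENDOR_PATTERNS = [
  { type: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];

// Generic candidate: a run of token characters at least 20 long. "=" is left out
// of the class so that "key=value" splits at the equals sign.
const GENERIC_TOKEN = /[A-Za-z0-9_\-+\/]{20,}/g;
const ENTROPY_THRESHOLD = 3.5; // bits per character; assumed tuning value

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Mask a secret for the report: the first four characters survive, the rest do not.
function mask(value) {
  return value.slice(0, 4) + "*".repeat(value.length - 4);
}

// Scan a body. Vendor matches win; generic tokens overlapping a vendor match are
// skipped; results are ordered by offset so a report reads top to bottom.
function scanForSecrets(body) {
  const findings = [];
  for (const { type, re } of VENDOR_PATTERNS) {
    for (const m of body.matchAll(re)) {
      findings.push({ type, index: m.index, length: m[0].length, value: mask(m[0]) });
    }
  }
  const overlaps = (idx, len) =>
    findings.some(f => idx < f.index + f.length && f.index < idx + len);
  for (const m of body.matchAll(GENERIC_TOKEN)) {
    const tok = m[0];
    if (overlaps(m.index, tok.length)) continue;
    if (shannonEntropy(tok) < ENTROPY_THRESHOLD) continue;
    findings.push({ type: "high-entropy", index: m.index, length: tok.length, value: mask(tok) });
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Constructed sample body: a JavaScript bundle fragment as a target might serve it.
// The AWS value is the example key from AWS's own documentation; the rest is made up.
const SAMPLE_BODY = [
  "const awsKey = 'AKIAIOSFODNN7EXAMPLE';",
  "const ghToken = 'ghp_0123456789abcdef0123456789abcdef0123';",
  "const apiSecret = 'Zk3pQ9mW2xL7vB4nR8tY6hJ1cF5dG0sA';",
  "const padding = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';",
].join("\n");

for (const f of scanForSecrets(SAMPLE_BODY)) {
  console.log(f.type, "at offset", f.index, f.value);
}
```

The padding string is as long as a secret but has zero entropy, so it is never reported; the vendor matches are excluded from the generic pass so the same bytes cannot be reported twice under two types.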

Detection That Earns Its Keep

On independent benchmark applications, Scout has matched and exceeded Burp Scanner in single-pass detection coverage, across both classic injection categories and modern OAuth, GraphQL, and DOM attack classes.

Engine Discipline

Every probe is signed, sandboxed, and field-aware. The result is high-confidence findings, not a wall of false positives.

Signed Scriptlets

Every probe is an Ed25519-signed JSON blob. Signature verification happens before the validator touches the sandbox. Two active pinned keys (a human signing key and a separate AI-synth key) plus a reserved rotation slot.

Sandboxed Validators

Verdict logic runs as plain JavaScript with no access to the host system, so a validator cannot reach the filesystem, processes, or network. A 2-second CPU budget, an 8 MiB memory cap, and a 50,000-statement limit ensure a malformed or runaway validator is terminated rather than left to escape or stall a scan.

Field-Aware Mutation

Probes target only parameters that match required field patterns and parameter types. Numeric boundaries never touch UUIDs; SQLi never lands on a name field.

Recording-Informed Probes

Real ids extracted from the captured traffic feed scriptlet payloads. IDOR fires one probe per observed id, hitting known-existing resources rather than fuzzing 1..100 blindly.

Smart Baseline

Every endpoint is replayed live at scan time and per-endpoint cached. Comparisons run against current origin behaviour, not stale recording-time responses.

Tier-Gated Payloads

Every payload is labelled safe, disruptive, or destructive. Destructive requires typed-hostname confirmation plus an explicit impact acknowledgement.
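The field-aware rule and the tier gate above are two checks on the same dispatch decision. As an added example (not Gorgon Scout's code), the following Node.js snippet applies both before a probe is scheduled against a parameter: type and name-pattern matching first, then the destructive-tier confirmation. The probe ids, the probe schema, the parameter type names and the shape of the operator-confirmation object are assumptions; staging.example.com is reused from the page as the target.

```javascript
// Added example (not Gorgon Scout's code): one dispatch gate that applies the
// field-aware rule (parameter type and name pattern) and the payload-tier rule
// (destructive needs a typed hostname plus an impact acknowledgement) before a
// probe is scheduled. Probe ids, schema fields and the confirmation object are
// assumptions made for this illustration.

const TIERS = new Set(["safe", "disruptive", "destructive"]);

// Constructed probe definitions. sqli-auth-bypass is restricted to credential-style
// fields, so a person's "name" field never receives it; numeric-boundary is
// restricted to numeric types, so a UUID never receives it.
const PROBES = [
  { id: "sqli-auth-bypass", tier: "disruptive", paramTypes: ["string"],
    namePattern: /^(user(name)?|login|email|pass(word)?)$/i },
  { id: "numeric-boundary", tier: "safe", paramTypes: ["integer", "number"],
    namePattern: /.*/ },
  { id: "destructive-demo", tier: "destructive", paramTypes: ["string"],
    namePattern: /.*/ },
];

// Destructive payloads fire only when the operator typed the target hostname back
// and explicitly acknowledged the impact (assumed confirmation shape).
function destructiveAllowed(confirmation, targetHost) {
  return confirmation.typedHostname === targetHost && confirmation.impactAcknowledged === true;
}

// Returns null when the probe may fire on the parameter, otherwise the blocking reason.
function gateProbe(probe, param, confirmation, targetHost) {
  if (!TIERS.has(probe.tier)) return "unknown-tier";
  if (!probe.paramTypes.includes(param.type)) return "type-mismatch";
  if (!probe.namePattern.test(param.name)) return "name-mismatch";
  if (probe.tier === "destructive" && !destructiveAllowed(confirmation, targetHost)) {
    return "destructive-not-confirmed";
  }
  return null;
}

// Plan every (probe, parameter) pair for one recorded request that passes the gate.
function planMutations(params, confirmation, targetHost) {
  const plan = [];
  for (const probe of PROBES) {
    for (const param of params) {
      if (gateProbe(probe, param, confirmation, targetHost) === null) {
        plan.push(`${probe.id}->${param.name}`);
      }
    }
  }
  return plan;
}

// Constructed parameters from one recorded request.
const SAMPLE_PARAMS = [
  { name: "username", type: "string" },
  { name: "name", type: "string" }, // a person's name, not a credential
  { name: "id", type: "uuid" },
  { name: "page", type: "integer" },
];
const TARGET = "staging.example.com";
const unconfirmed = { typedHostname: "", impactAcknowledged: false };
const confirmed = { typedHostname: TARGET, impactAcknowledged: true };

console.log("unconfirmed:", planMutations(SAMPLE_PARAMS, unconfirmed, TARGET));
console.log("confirmed:  ", planMutations(SAMPLE_PARAMS, confirmed, TARGET));
```

Note that a hostname typed with a typo does not unlock the destructive tier; the comparison is exact, which is the point of asking the operator to type it rather than click a box.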

Out-of-Band Channel

Per-probe canary tokens issued from the cloud backend. Indirect-injection probes can poll past first hit and serve poisoned documents to confirm follow-on fetches.

CVE, CWE, Remediation

Every finding cites the relevant CWE and CVE references and ships a plain-language remediation section rendered into the report. Operators do not have to look these up.

Paired-Sentinel Oracle

Every reflection probe requires two distinct sentinels to land together. Organic reflections of a single value never trigger a finding.

Authentication and Session Handling

Real apps log testers out. Scout treats this as routine, not as an exception.

Three Replay Paths

Pure-HTTP byte-replay for fully repeatable sequences (1 to 2 seconds, no UI), browser-driven walk for non-repeatable inputs and OAuth profiles, and silent OAuth refresh when the saved IdP cookie is still alive.

OAuth Survival

Apps whose only login path is a third-party identity provider survive scan-start replay. A per-profile persistent user-data-dir keeps the IdP's session cookie alive across runs.

Per-Input Repeatability

The auth prompt ticks each field with a Repeatable flag. A profile with a repeatable username but a single-use password drives the right replay path automatically: form auto-fills the username, pauses for the password.

Session Heartbeat

Runs between scan phases. If a mutation trips logout, Scout pauses, replays auth, applies fresh cookies to every pending mutation, and resumes. The offending probe is auto-marked as a session invalidator.

Mid-Scan Recovery

When silent recovery cannot complete, Scout pops a headful Chromium so the operator manually re-authenticates. A live status dialog mirrors progress with an explicit completion override.

HTTP Basic and Multi-Method

HTTP Basic synthesises a fresh credential header for every staged step. Multi-method pages show form rows alongside a banner for the social path; either choice completes the challenge.

CAPTCHA and Bot-Check Aware

Scout detects reCAPTCHA, hCaptcha, Turnstile, and Cloudflare or DataDome interstitials. During AI auto-record it pauses and hands you the browser to solve the challenge, then resumes; during a scan it defers those pages so a probe never burns a one-shot clearance or trips the WAF. It never tries to solve a CAPTCHA for you.

Imported Session Cookie

For logins that cannot be scripted, federated SSO, MFA, CAPTCHA gates, or client-side credential encryption, sign in out-of-band, paste your session cookie, and the scan inherits the live session. Pair it with fail-fast so an expired cookie ends an unattended run cleanly instead of degrading to an unauthenticated scan.

Resilient Scans

Long scans hit ugly conditions. Scout is built to survive them and finish the report anyway.

Target Crash Detection

Connection resets, timeouts, and refused connections after prior success trigger a confirmation pipeline. Three probes at 1-second, 5-second, and 15-second backoff distinguish transient hiccups from a genuine target crash.

Critical Findings on Crash

Every confirmed crash produces a Critical finding with the exact payload, endpoint, curl reproducer, and the count of successful probes before the crash. It surfaces at the top of the report.

Auto-Resume with Skip List

Restart the target and the scan picks up where it left off. The offending mutation is held in a skip list so the same test never re-crashes the target. No limit on iterations.
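The three sections above describe one procedure: confirm the crash with backoff, record it as a Critical finding, and resume past it with a skip list. As an added example (not Gorgon Scout's code), the Node.js snippet below carries that procedure end to end. The mutation shape, the transport-error set, the curl template, the fake target and the sleep injection are assumptions built for the illustration; the 1 s / 5 s / 15 s schedule is the one the page states.

```javascript
// Added example (not Gorgon Scout's code): crash confirmation with 1 s / 5 s / 15 s
// backoff, the Critical finding it produces, and the skip list that lets a scan
// resume after the target restarts without re-sending the offending mutation.
// Mutation shape, result codes, the curl template and the fake target are assumptions.

const BACKOFF_MS = [1000, 5000, 15000];
// Transport-level failures that can mean "the process is gone" (assumed set).
const TRANSPORT_ERRORS = new Set(["ECONNRESET", "ETIMEDOUT", "ECONNREFUSED"]);

// Real blocking sleep for stand-alone runs; tests inject noSleep instead.
function blockingSleep(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}
const noSleep = () => {};

// Re-probe the endpoint up to three times with increasing backoff. One answer
// means a transient hiccup; three failures confirm the crash.
function confirmCrash(probe, sleep = blockingSleep) {
  let attempts = 0;
  for (const delay of BACKOFF_MS) {
    sleep(delay);
    attempts += 1;
    if (probe() === "ok") return { crashed: false, attempts };
  }
  return { crashed: true, attempts };
}

function freshState() {
  return { nextIndex: 0, successes: 0, seen: new Set(), skipList: new Set(), findings: [], paused: false };
}

// Run, or resume, a scan. send(mutation) returns "ok", an application-level
// string, or a transport error code. On a confirmed crash the state is returned
// paused with nextIndex still on the crasher, which the skip list then bypasses.
function runScan(mutations, send, state = freshState(), sleep = blockingSleep) {
  state.paused = false;
  while (state.nextIndex < mutations.length) {
    const m = mutations[state.nextIndex];
    const key = `${m.endpoint}|${m.payload}`;
    if (state.skipList.has(key)) { state.nextIndex += 1; continue; }
    const result = send(m);
    if (result === "ok") {
      state.successes += 1;
      state.seen.add(m.endpoint);
      state.nextIndex += 1;
      continue;
    }
    // Only a transport error on an endpoint that previously answered is a crash signal.
    if (!TRANSPORT_ERRORS.has(result) || !state.seen.has(m.endpoint)) { state.nextIndex += 1; continue; }
    const verdict = confirmCrash(() => send({ endpoint: m.endpoint, payload: "" }), sleep);
    if (!verdict.crashed) { state.nextIndex += 1; continue; } // transient, move on
    state.findings.push({
      severity: "Critical",
      endpoint: m.endpoint,
      payload: m.payload,
      reproducer: `curl -X POST '${m.endpoint}' --data-raw '${m.payload}'`,
      successfulProbesBefore: state.successes,
    });
    state.skipList.add(key); // this exact mutation is never sent again
    state.paused = true;     // wait for the operator to restart the target
    return state;
  }
  return state;
}

// Constructed stand-in for a target that dies on one payload and stays down
// until restart() is called.
function makeFakeTarget(killerPayload) {
  let down = false;
  return {
    send(m) {
      if (down) return "ECONNREFUSED";
      if (m.payload === killerPayload) { down = true; return "ECONNRESET"; }
      return "ok";
    },
    restart() { down = false; },
  };
}

const MUTATIONS = ["a", "b", "KILL", "d"].map(payload => ({ endpoint: "http://target.invalid/search", payload }));

// Demo run with the no-op sleep so it finishes instantly; pass blockingSleep to wait for real.
const target = makeFakeTarget("KILL");
const state = runScan(MUTATIONS, target.send, freshState(), noSleep);
console.log("paused:", state.paused, "findings:", state.findings.length, "at index", state.nextIndex);
target.restart();
runScan(MUTATIONS, target.send, state, noSleep);
console.log("resumed; successes:", state.successes, "skipped:", [...state.skipList]);
```

The recovery probe uses an empty payload against the same endpoint, so the confirmation step itself never re-sends the mutation that is suspected of causing the crash.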

Reporting

A Deliverable, Not a CSV Dump

Scout produces consultant-grade Word reports with a real Word table-of-contents, customer and engagement metadata on the cover, executive summary, scope, methodology, and findings grouped by severity then probe with affected-endpoint tables and remediation.

  • Word, HTML, and JSON exports with mirrored content
  • Three vulnerable-component tracks: client libraries, infrastructure, JS dependencies
  • Optional open-port findings with service metadata and risk scoring
  • Curl reproducer on every finding for one-click verification
  • Per-profile report history for regression comparison across releases
Word-format Scout report with cover page and findings

Enterprise-Ready

Corporate Proxy Support

Authenticated CONNECT tunneling with challenge loops for Basic, NTLM via Windows SSPI, and Kerberos integrated with the operator's logon. No credential prompts on domain-joined machines.

System-Proxy Auto-Detect

Honours the Windows IE and Edge proxy configuration. Scout offers to adopt whatever the workstation is already using, with standard bypass-list syntax respected.

VPN Compatibility

Transparent. Interception operates below the virtual adapter, so tunneled traffic is captured identically to direct traffic.

One-Click Trust Setup

Self-signed root CA generated on first launch and installed into the Windows Trust Store with one click. Firefox compatibility via enterprise-roots auto-enable in a disposable profile.

Application Mode

Intercept a specific process's traffic only. A window picker, like those in screen-sharing tools, selects the process. Useful for desktop apps, Electron, and other native binaries that ignore the system proxy.

Cloud-Backed Library

Signed scriptlet distribution, technology signatures, and out-of-band callback all live on a managed backend. Auto-updates without a client redeploy. New tests appear the next time you scan.

Workflow That Stays Out of the Way

Profile-Based

Name a target once. Scout remembers domain scope, protocol toggles, auth sequence, recording, discovery, and last-used timestamp. Multiple profiles per target variant: unauth, user, admin.

Per-Domain Authorisation

Every host the recording session called is listed for explicit consent. Off-target hosts are unticked by default. Mutations to non-consented hosts are dropped before replay.

Legal Authorisation Gate

Start Scan disabled until a checkbox confirms the operator is authorised to probe the target. Free-text authorisation reference persists on the report for audit.

Live Progress

Mutation count, findings-so-far, per-phase activity, and the currently-executing probe with its injection point. Cancel anywhere; partial findings archive automatically.

Navigation Gating

Pages unlock progressively as pre-requisites accumulate. Operators cannot accidentally skip a step or scan an under-prepared profile.

Static-Asset Filter

Images, CSS, JS, fonts, and media are never recorded on GET. Recording stays focused on app flow: HTML, XHR, fetch, and form submits.

Simple Pricing

Gorgon Scout is a subscription product. New accounts get a 30-day free trial limited to two target applications. After the trial, continued use is USD 20 per month, billed monthly. AI surfaces are independently priced through a token wallet; the full scan pipeline runs without spending any AI tokens.

Legal

By creating a Gorgon Scout account you agree to our terms of service and acknowledge our privacy policy.
