Toolkit
The stack we actually use.
Tools do not find critical bugs. People do. But the tools we pick say something about how we work — so here they are, by engagement type.
Web & API
- Burp Suite Pro: Primary intercepting proxy, active scanning, custom extensions
- Caido: Lightweight alternate proxy for secondary trails and collaboration
- ffuf / feroxbuster: Content and parameter discovery
- nuclei (scoped): Targeted template scans for known-CVE exposure checks
- Postman / Hoppscotch: API flow modelling and replay
- mitmproxy: Protocol-level inspection, mobile traffic interception
- GraphQL Voyager / graphw00f: GraphQL schema introspection and engine fingerprinting

Smart Contracts
- Foundry: Test runner, fuzzing, invariant testing, PoC delivery
- Halmos: Symbolic execution and formal property checking
- Slither: Static analysis, inheritance graphs, pattern detection
- Echidna: Property-based fuzzing for Solidity invariants
- Certora Prover: Formal verification against written specifications
- Aderyn / 4naly3er: Rust-based static analyzers for Solidity, fast pre-audit passes

Source Code Review
- Semgrep: Custom rules for auth, sinks, dependency patterns
- CodeQL: Data-flow queries for authorization and injection patterns
- trufflehog / gitleaks: Secret detection across git history
- ast-grep: Structural code search for review checklists

Cloud & Infra
- Prowler: AWS / GCP / Azure misconfiguration baselines (CIS)
- ScoutSuite: Multi-cloud configuration audits
- Pacu: AWS post-exploitation scenario testing
- terrascan / checkov: Infrastructure-as-code review
Philosophy
Tools are means, not evidence.
- We read code before we run tools.
- Every scanner finding is validated by hand before it reaches a report.
- We prefer open-source tools we can verify and extend.
- We build bespoke scripts for engagements that demand them — and share the non-sensitive ones upstream.