Rust 1.70+ · Tokio Async · Authorized Use Only

Fast. Controlled. Memory-safe.

High-performance offensive security framework built for authorized reconnaissance, endpoint discovery, and tactical fuzzing. Engineered for work where throughput and memory safety both matter.

$ crabkit \
  --target https://api.internal.example \
  --wordlist ./wordlists/endpoints.txt \
  --concurrency 80 \
  --filter-status 200,204,301,403

[200] /api/v1/users         42ms   1842 bytes
[403] /admin               51ms    721 bytes
[301] /dashboard           38ms    128 bytes

Core principles

Built around one engineering principle: do more work with less overhead, without sacrificing control.

Memory Safety

Rust's ownership model eliminates entire classes of memory-related bugs at compile time in safe code; `unsafe` blocks and native dependencies remain outside that guarantee and are kept to a minimum.

Predictable Perf

No GC pauses, explicit control over allocations, and an async runtime whose scheduling overhead is predictable under load.

Async-first

Tokio-powered task scheduling for high network throughput; a semaphore caps the number of in-flight requests, so a slow target throttles the wordlist stream instead of letting tasks pile up.

Streaming IO

Wordlists processed incrementally via BufReader, supporting large files without loading them fully into RAM.

Typed Errors

Explicit error propagation using Rust's type system. Silent failures are not an option.

CLI-first

Designed for fast operational workflows. Pipeline-friendly JSON output included.

System architecture

Modular by design — each tactical capability can evolve independently.

Pipeline: Wordlist Stream (IO) → Task Scheduler → Semaphore → HTTP Client → Reporter

src/core/engine.rs

Core::Engine

Request orchestration, concurrency control, retries, and execution flow. Runs on the Tokio runtime.

src/net/client.rs

Net::Client

HTTP and HTTPS transport abstraction and configuration. Built on reqwest with timeout and retry policies.

src/io/streamer.rs

IO::Streamer

High-performance wordlist reader using BufReader for incremental, low-RAM processing.

src/logic/mutator.rs

Logic::Mutator

Payload generation and mutation logic. Produces candidate paths and controlled variant sets.

src/output/reporter.rs

Output::Reporter

Normalizes results for terminal and machine-readable JSON output via stdout.
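The Async-first, Streaming IO and Typed Errors principles above, and the Core::Engine / IO::Streamer modules, as an added example that is not crabkit's own code: a dependency-free sketch of the same pipeline. It uses std threads and a Mutex/Condvar counting semaphore in place of tokio::sync::Semaphore so it compiles with plain rustc, and a fixed status table (`fake_probe`) in place of the HTTP client. `Semaphore`, `stream_paths`, `run`, `Probe`, `fake_probe` and the `WORDLIST` text are all constructed for this illustration, not crabkit APIs.

```rust
// Added example, not crabkit's code: the probe pipeline in miniature
// (Wordlist Stream -> Scheduler -> Semaphore -> Probe -> results).
// A Mutex + Condvar counting semaphore stands in for tokio::sync::Semaphore
// so the file compiles with plain rustc and no crates; the shape is the same.
use std::collections::HashSet;
use std::io::{self, BufRead, Cursor};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Condvar, Mutex};

/// Counting semaphore: `acquire` blocks the caller while no permit is free.
pub struct Semaphore { permits: Mutex<usize>, cv: Condvar }
impl Semaphore {
    pub fn new(n: usize) -> Self { Semaphore { permits: Mutex::new(n), cv: Condvar::new() } }
    pub fn acquire(&self) {
        let mut p = self.permits.lock().unwrap();
        while *p == 0 { p = self.cv.wait(p).unwrap(); }
        *p -= 1;
    }
    pub fn release(&self) { *self.permits.lock().unwrap() += 1; self.cv.notify_one(); }
}

/// IO::Streamer stand-in: yields one path at a time from any BufRead (a
/// BufReader<File> in practice), trimming, skipping blanks and '#' comments,
/// forcing a leading slash and dropping duplicates. Read errors are passed on.
pub fn stream_paths<R: BufRead>(reader: R) -> impl Iterator<Item = io::Result<String>> {
    let mut seen = HashSet::new();
    reader.lines().filter_map(move |line| match line {
        Err(e) => Some(Err(e)),
        Ok(raw) => {
            let l = raw.trim();
            if l.is_empty() || l.starts_with('#') { return None; }
            let path = if l.starts_with('/') { l.to_string() } else { format!("/{l}") };
            seen.insert(path.clone()).then_some(Ok(path))
        }
    })
}

#[derive(Debug, Clone, PartialEq)]
pub struct Probe { pub path: String, pub status: u16 }

/// Core::Engine stand-in: run `probe` over the stream with at most `concurrency`
/// requests in flight. The producer blocks in `acquire`, so a slow target throttles
/// the reader instead of piling up tasks. Returns the results (sorted by path) and
/// the peak in-flight count so the bound can be checked; a read error aborts the run.
pub fn run<I, F>(paths: I, concurrency: usize, probe: F) -> io::Result<(Vec<Probe>, usize)>
where
    I: IntoIterator<Item = io::Result<String>>,
    F: Fn(&str) -> u16 + Sync,
{
    let sem = Semaphore::new(concurrency);
    let in_flight = AtomicUsize::new(0);
    let peak = AtomicUsize::new(0);
    let results = Mutex::new(Vec::new());
    let mut read_err = None;
    let (sem, in_flight, peak, results, probe) = (&sem, &in_flight, &peak, &results, &probe);
    std::thread::scope(|s| {
        for item in paths {
            let path = match item {
                Ok(p) => p,
                Err(e) => { read_err = Some(e); break; } // typed error, not a skipped line
            };
            sem.acquire(); // backpressure point: waits for a free permit
            s.spawn(move || {
                let now = in_flight.fetch_add(1, Ordering::SeqCst) + 1;
                peak.fetch_max(now, Ordering::SeqCst);
                let status = probe(path.as_str());
                results.lock().unwrap().push(Probe { path, status });
                in_flight.fetch_sub(1, Ordering::SeqCst);
                sem.release();
            });
        }
    });
    if let Some(e) = read_err { return Err(e); }
    let mut out: Vec<Probe> = results.lock().unwrap().drain(..).collect();
    out.sort_by(|a, b| a.path.cmp(&b.path));
    Ok((out, peak.load(Ordering::SeqCst)))
}

/// Constructed wordlist standing in for ./wordlists/endpoints.txt.
pub const WORDLIST: &str = "# endpoints\napi/v1/users\n/admin\nadmin\n\n/dashboard\n/nope\n";

/// Constructed stand-in for Net::Client: a fixed status table instead of real HTTP.
pub fn fake_probe(path: &str) -> u16 {
    match path {
        "/api/v1/users" => 200,
        "/admin" => 403,
        "/dashboard" => 301,
        _ => 404,
    }
}

fn main() -> io::Result<()> {
    let (results, peak) = run(stream_paths(Cursor::new(WORDLIST)), 8, fake_probe)?;
    for r in results.iter().filter(|r| r.status != 404) {
        println!("[{}] {}", r.status, r.path);
    }
    println!("peak in-flight: {peak} (bound 8)");
    Ok(())
}
```

The point to take from `run` is where the permit is taken: before the task is spawned, on the producer side. That is what makes the semaphore backpressure rather than just a limit; the reader cannot get ahead of the network, so memory stays bounded no matter how large the wordlist is.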

Installation

Requires Rust stable 1.70+ and Cargo. Works on Linux, macOS, and Windows.

01 Clone the repository

git clone https://github.com/CyberStill-GmbH/crabkit.git
cd crabkit

02 Build optimized release

cargo build --release

The optimized binary is written to target/release/crabkit.

03 Install as global CLI

cargo install --path .
crabkit --help

If the command isn't found, ensure $HOME/.cargo/bin is in your PATH.

Usage

CLI-first. Every flag is intentional.

Flag             Type  Description
--target         URL   Base URL to probe
--wordlist       PATH  Path to wordlist file
--concurrency    INT   Max parallel tasks
--timeout        INT   Request timeout in seconds
--retries        INT   Retry count on unstable responses
--filter-status  LIST  Comma-separated status codes to include

Full example

crabkit \
  --target https://api.internal.example \
  --wordlist ./wordlists/endpoints.txt \
  --concurrency 80 \
  --timeout 5 \
  --retries 2 \
  --filter-status 200,204,301,302,403

JSON output

{
  "target": "https://api.internal.example",
  "path": "/api/v1/users",
  "status": 200,
  "latency_ms": 42,
  "content_length": 1842
}
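Added example, not crabkit's reporter or flag parser: how `--filter-status` can be parsed with a typed error instead of silently dropping bad tokens, and how the Reporter's JSON record above can be emitted with correct escaping, which matters because the path comes straight from the wordlist and may contain quotes, backslashes or control characters. `FilterError`, `parse_filter`, `ProbeResult`, `json_escape` and the sample results are names and data chosen here; the JSON field names match the record shown above. std only, no serde, so it runs with plain rustc.

```rust
// Added example, not crabkit's code: typed errors for --filter-status and a
// JSON/terminal reporter with explicit escaping. Field names follow the record above.
use std::collections::BTreeSet;
use std::fmt;

/// Every way --filter-status can be wrong, as a value the caller must handle.
#[derive(Debug, PartialEq)]
pub enum FilterError {
    Empty,
    NotANumber(String),
    OutOfRange(u32),
}

impl fmt::Display for FilterError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            FilterError::Empty => write!(f, "--filter-status given but empty"),
            FilterError::NotANumber(s) => write!(f, "status code {s:?} is not a number"),
            FilterError::OutOfRange(n) => write!(f, "status code {n} is outside 100..=599"),
        }
    }
}
impl std::error::Error for FilterError {}

/// Parse "200, 204,301" into a set of status codes. A bad token is an error,
/// not a silently ignored entry, so a typo cannot quietly widen the filter.
pub fn parse_filter(spec: &str) -> Result<BTreeSet<u16>, FilterError> {
    let mut set = BTreeSet::new();
    for tok in spec.split(',').map(str::trim).filter(|t| !t.is_empty()) {
        let n: u32 = tok.parse().map_err(|_| FilterError::NotANumber(tok.to_string()))?;
        if !(100..=599).contains(&n) { return Err(FilterError::OutOfRange(n)); }
        set.insert(n as u16);
    }
    if set.is_empty() { return Err(FilterError::Empty); }
    Ok(set)
}

/// One probe result, shaped like the JSON record above.
#[derive(Debug, Clone, PartialEq)]
pub struct ProbeResult { pub target: String, pub path: String, pub status: u16, pub latency_ms: u64, pub content_length: u64 }

/// Escape a string for use inside a JSON string literal (RFC 8259 rules).
/// Wordlist entries are untrusted input; skipping this corrupts the output stream.
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

impl ProbeResult {
    /// One JSON object per line on stdout, for piping into jq or a SIEM.
    pub fn to_json(&self) -> String {
        format!(
            "{{\"target\":\"{}\",\"path\":\"{}\",\"status\":{},\"latency_ms\":{},\"content_length\":{}}}",
            json_escape(&self.target), json_escape(&self.path), self.status, self.latency_ms, self.content_length
        )
    }
    /// Terminal line in the same shape as the sample output at the top of the page.
    pub fn to_terminal(&self) -> String {
        format!("[{}] {:<24}{:>5}ms {:>7} bytes", self.status, self.path, self.latency_ms, self.content_length)
    }
}

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let keep = parse_filter("200,204,301,302,403")?;
    // Constructed results; the second path shows why escaping is not optional.
    let results = [
        ProbeResult { target: "https://api.internal.example".into(), path: "/api/v1/users".into(), status: 200, latency_ms: 42, content_length: 1842 },
        ProbeResult { target: "https://api.internal.example".into(), path: "/x\"y\\z".into(), status: 403, latency_ms: 51, content_length: 721 },
    ];
    for r in results.iter().filter(|r| keep.contains(&r.status)) {
        println!("{}", r.to_terminal());
        println!("{}", r.to_json());
    }
    Ok(())
}
```

Two design choices worth copying: the filter is validated once at startup and returned as a `BTreeSet<u16>` so the hot loop does a cheap membership test, and every JSON string field goes through the same escaper, so a wordlist line such as `/x"y` cannot break the NDJSON stream a downstream consumer is parsing.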

Roadmap

Phase 01 — Done

Core Engine

  • Async execution engine
  • Semaphore concurrency control
  • Streaming wordlist reader
  • HTTP/S probing + filtering

Phase 02 — In Dev

Tactical Fuzzing Layer

  • Controlled payload mutation
  • Bit-level mutation primitives
  • Latency anomaly detection
  • Structured JSON export

Phase 03 — Planned

Cloud-Aware Recon

  • AWS S3 bucket enumeration
  • Lambda proxy support
  • Result aggregation layer

Phase 04 — Planned

Detection & Reporting

  • HTML report generation
  • Baseline comparison
  • Noise reduction heuristics

Authorized use only

Crabkit must only be used in environments where explicit authorization has been granted. Acceptable use includes internal security assessments, authorized penetration testing, bug bounty programs within scope, and educational labs. The author assumes no responsibility for misuse.