toolbox

Overview

Sectool is a collaborative workbench for application security testing that bridges the gap between human strengths in UI interaction and authentication, and agent capabilities in traffic analysis and mutation. The tool provides a wire-fidelity HTTP proxy (similar to Burp) that captures all browser traffic, while exposing MCP tools that allow AI agents to query flows, replay modified requests, crawl endpoints, test for out-of-band interactions, and detect reflections. This approach combines human expertise with AI automation to make security testing more thorough and less likely to miss subtle indicators.

Try asking AI

After installing, here are 5 things you can ask your AI assistant:

• workflow

  Select the appropriate workflow mode for security testing

  Try:Start an exploratory security testing workflowTry:Set up for validating a vulnerability report
• proxy_summary

  Review summary of captured proxy traffic

  Try:Show me a summary of what was captured in the proxyTry:List all requests to example.com
• replay_send

  Replay a captured request with modifications

  Try:Resend request flow 123 with modified headersTry:Replay flow 456 with an added header
• crawl_create

  Create a crawling session to discover endpoints

  Try:Crawl example.com starting from this URLTry:Create a crawling session from proxy history
• oast_create

  Set up out-of-band interaction testing session

  Try:Create an OAST session for testing blind vulnerabilitiesTry:Set up callback testing for potential SSRF
• diff

  Compare two flows to identify differences

  Try:Compare flow 123 and 456 to find differencesTry:Show me the differences between these two requests
• reflected

  Detect request parameters reflected in responses

  Try:Check for reflected parameters in flow 123Try:Find request values that appear in the response
• jwt

  Inspect and decode JWT tokens

  Try:Analyze this JWT token for meTry:Decode and show the payload of this token
• oast_poll

  Poll OAST session for callbacks

  Try:Check for callbacks in my OAST sessionTry:Poll the OAST session for any interactions
• notes_save

  Save observations linked to flows

  Try:Save this observation about potential vulnerabilityTry:Note this interesting behavior for flow 123
• notes_list

  List all saved notes

  Try:Show me all my saved observationsTry:List the notes for this session
• proxy_cookies

  Inspect cookies from captured traffic

  Try:Show me all cookies for example.comTry:List the session_id cookies from captured traffic

Comparable tools

Installation

go install github.com/go-appsec/toolbox/sectool@latest

sectool mcp

{
  "mcpServers": {
    "sectool": {
      "command": "sectool",
      "args": ["mcp"]
    }
  }
}

FAQ

How is this different from traditional security scanners?

Sectool is not a scanner but a collaborative workbench. It combines human expertise in handling authentication and UI interactions with AI capabilities for traffic analysis, making testing more thorough for complex applications.

Can I use this with Burp Suite?

Yes. Sectool can integrate with Burp Suite either by using Burp as the proxy frontend while running the MCP server, or by using the Burp MCP extension as a GUI to review the agent's actions.

Compare toolbox with