Tool Capabilities

Our agents are equipped with a powerful suite of tools that allow them to interact with the web, negotiate crypto payments, and maintain campaign state. These tools bridge the gap between LLM reasoning and real-world execution. Without them, the agents would be limited to generating text without any ability to observe or affect the systems they're testing.

Smart Scraper

The web scraper is the eyes of our agent collective. Modern web applications hide critical security surfaces behind JavaScript rendering, authentication walls, and aggressive bot detection, and traditional curl-style requests simply fail. Our scraping engine handles all of this transparently: it rotates residential proxies, solves CAPTCHAs when necessary, and renders pages in a full headless browser environment before extracting content.

We built this tool because reconnaissance is the foundation of any meaningful security test. Agents need to read API documentation, parse error messages, analyze client-side code, and observe how applications behave under different conditions. Without a robust scraping layer, our agents would be blind to the very surfaces they're supposed to probe.

HTTP Interface

While the scraper handles observation, the HTTP interface handles action. This tool gives agents the same networking capabilities as any standard HTTP client: arbitrary headers, custom payloads, full control over request methods, and detailed response introspection. Agents can craft GET, POST, PUT, DELETE, and PATCH requests to any endpoint they discover during reconnaissance.

Pentesting is fundamentally about sending requests and observing responses. The HTTP interface allows our agents to test authentication flows, probe for injection vulnerabilities, replay captured tokens, and interact with REST APIs as if they were a legitimate client or a malicious one. Every response is parsed and made available for the agent's reasoning, enabling it to adapt its approach based on what the server actually returns.

x402 Protocol Handler

The x402 protocol introduces a new paradigm: APIs that require cryptocurrency payment before they'll respond. This creates a unique security surface that traditional pentest tools cannot reach. Our x402 handler speaks the protocol natively: it discovers payment requirements, negotiates pricing, constructs valid payment proofs, and executes USDC transactions on the Base network without human intervention.

This tool exists because x402 services would otherwise be invisible to automated testing. An agent that can't pay can't test. By giving our collective autonomous spending authority (within operator-defined budgets), we unlock the ability to probe payment validation logic, test for nonce reuse vulnerabilities, and verify that protected endpoints actually enforce their payment requirements. The handler also tracks every transaction so operators maintain full visibility into where pentest credits are being spent.

Campaign Memory

Language models have no inherent memory. Without external state, every agent invocation would start from zero, forgetting discovered endpoints, losing track of which payloads succeeded, and potentially repeating expensive payment operations. Campaign Memory solves this by providing persistent storage that agents can read from and write to across runs.

We built this tool to enable long-running campaigns that span hours or days. Agents checkpoint their progress, log every finding, and share context with each other through this shared state layer. When a campaign resumes, agents can pick up exactly where they left off. This also prevents hallucination about past events. Instead of reconstructing history from an unreliable context window, agents query the database for ground truth. The result is campaigns that are both more efficient and more reliable.
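As an added illustration (not the project's own code), the following Python uses SQLite to combine two controls described on this page: the operator-defined budget and per-transaction tracking from the x402 handler, and the persistent state that keeps a resumed campaign from repeating a payment. The names `SpendLedger`, `BudgetExceeded`, `authorize`, the caller-supplied idempotency key, the table schema, and the integer micro-USDC unit are all assumptions made for this example.

```python
import sqlite3

class BudgetExceeded(Exception):
    """A payment would push campaign spend past the operator-defined cap."""

class SpendLedger:
    """Hypothetical ledger (not the project's API): caps spend, logs every payment."""

    def __init__(self, path, budget_micro_usdc):
        # isolation_level=None: autocommit mode, so transactions are explicit below.
        self.db = sqlite3.connect(path, isolation_level=None)
        self.budget = budget_micro_usdc  # integer micro-USDC avoids float rounding
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS payments ("
            " idem_key TEXT PRIMARY KEY,"
            " endpoint TEXT NOT NULL,"
            " amount INTEGER NOT NULL CHECK (amount > 0),"
            " created TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)")

    def spent(self):
        row = self.db.execute("SELECT COALESCE(SUM(amount), 0) FROM payments").fetchone()
        return row[0]

    def authorize(self, idem_key, endpoint, amount):
        """Return 'authorized' for a new payment, 'duplicate' if already recorded."""
        if amount <= 0:
            raise ValueError("amount must be a positive integer")
        # BEGIN IMMEDIATE takes the write lock up front, so two agents sharing
        # the database file cannot both pass the budget check and overspend.
        self.db.execute("BEGIN IMMEDIATE")
        try:
            seen = self.db.execute(
                "SELECT 1 FROM payments WHERE idem_key = ?", (idem_key,)).fetchone()
            if seen is None:
                if self.spent() + amount > self.budget:
                    raise BudgetExceeded(f"{endpoint}: {amount} exceeds remaining budget")
                self.db.execute(
                    "INSERT INTO payments (idem_key, endpoint, amount) VALUES (?, ?, ?)",
                    (idem_key, endpoint, amount))
            self.db.execute("COMMIT")
        except Exception:
            self.db.execute("ROLLBACK")
            raise
        return "duplicate" if seen else "authorized"
```

The check belongs before any payment is signed or sent: a `duplicate` result tells the agent to reuse the outcome it already stored, and `BudgetExceeded` leaves the ledger unchanged for operator review.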