Cheat Sheet

Full automated audit (just give me results)

Smart WAF-aware scan (adapts to detected WAF)

Zero-install scan via npx

Zero-install scan via Docker

Identify WAF vendor (197+ signatures)

Detect WAF + protocol info in one pass

Batch detection from a URL list

Scan for SQLi + XSS only

Scan multiple targets from file

Pipe targets from another tool

Scan with proxy (Burp, ZAP)

Scan behind authentication

Scan OpenAPI / Swagger spec (auto-detected)

Scan from a remote spec URL

Scan Postman Collection with environment

Postman with variable overrides

Scan HAR recording from DevTools

Scan AsyncAPI (WebSocket)

Scan specific endpoint group only

Dry-run: preview endpoints without scanning

Deep intensity (more payloads per endpoint)

Test gRPC service via reflection

Test SOAP/WSDL endpoint

Discover GraphQL endpoints

Only show critical and high findings

Exclude low-severity noise

Match specific categories in output

Exclude URL patterns (regex)

Include only matching paths

Stop after first finding

Per-host rate limiting

Retry with exponential backoff

Respect robots.txt

Full stealth: low rate + robots + stop on first

Find bypasses with auto tamper selection

Full mutation matrix (2,080 variants per payload)

Stealth bypass (low rate, random UA)

Bypass with custom tamper profile

List all available tamper scripts

90+ scripts: unicode normalization, case toggling, comment insertion, encoding chains, and more.

Apply a specific tamper to payloads

Chain multiple tampers

Use custom tamper scripts directory

Load tamper scripts from a custom directory alongside built-in ones.

Enterprise WAF assessment (F1, precision, MCC)

Assessment with false positive testing

Compare WAF before/after rule changes

Enforce a security policy (fail on violations)

Define minimum detection rates per category. Exits non-zero on violations — use in CI gates.

OWASP Top 10 compliance mapping

Maps findings to OWASP Top 10 categories with coverage percentages.

Assessment with Nuclei template grading

Grades WAF using Nuclei templates with severity-weighted scoring.

Full discovery (crawl + JS + sitemap + Wayback)

Three-step intelligent scan

Content fuzzing (ffuf-compatible)

JavaScript analysis for endpoints and secrets

Cloud resource discovery

Headless scan (renders JS before testing)

Launches a headless browser to handle SPAs, JS-rendered forms, and anti-bot challenges.

Event-driven crawl (click, scroll, interact)

Discovers endpoints by clicking buttons, filling forms, and triggering JS events.

Limit interactions per page

Screenshot on findings

Captures browser screenshots as visual evidence for each finding.

SARIF for GitHub Code Scanning

Interactive HTML report with evidence

GitLab SAST format

JUnit XML for Jenkins/Azure DevOps

CycloneDX VEX for supply chain

Multiple outputs in one run

Generate GitHub Actions pipeline

Generate GitLab CI config

CI scan with streaming + exit code

Slack notification on findings

Start MCP server for AI agents (stdio)

Start MCP server over HTTP/SSE (for n8n)

VS Code / Cursor MCP config

Local spec file

Auto-detects OpenAPI 3.x, Swagger 2.0, Postman, HAR, AsyncAPI, gRPC, GraphQL.

Remote spec URL

Fetch and parse a spec from a URL. Supports JSON and YAML.

Postman environment

Resolve {{variables}} in Postman collections from an environment file.

Variable override

Override individual variables. Takes precedence over environment file values.

Scan specific group

Only scan endpoints tagged with this group (from spec tags or folders).

Skip a group

Exclude endpoints in this group from the scan.

Path filter (glob)

Only scan paths matching this glob pattern. Supports * and ** wildcards.

Scan intensity

Controls payloads per endpoint. Quick: top 5, standard: 20, deep: all.

Preview without scanning

Show the scan plan (endpoints, attacks, estimated requests) without sending traffic.

Skip confirmation prompt

Auto-confirm the scan plan. Required for non-interactive / CI usage.

Per-endpoint config file

Fine-tune auth, headers, and skip rules per endpoint path.

Target URL

Single target. Required for most commands unless using -l or --stdin.

URL list file

One URL per line. Scans all targets with shared settings.

Read from stdin

Pipe URLs from other tools. Pairs well with grep, subfinder, httpx.

Concurrency

Parallel workers. Default 25. Lower for rate-limited targets.

Rate limit (req/s)

Cap requests per second. Default 150. Use 10-20 for production.

Skip TLS verification

Ignore certificate errors. Needed for self-signed certs or proxies.

HTTP/SOCKS5 proxy

Route traffic through a proxy. Supports HTTP, HTTPS, SOCKS4, SOCKS5.

Custom header

Add or override HTTP headers. Repeat -H for multiple headers.

Send cookies

Attach cookies to every request. Use for authenticated scanning.

Random User-Agent

Rotate through a pool of real browser User-Agent strings per request.

Realistic browser headers

Add Accept, Accept-Language, and other headers that mimic real browsers.

JSON output

Machine-readable output. Shortcut for -format json.

Output to file

Write results to a file instead of stdout. Works with any format.

Verbose

Show detailed request/response info. Useful for debugging blocked payloads.

Silent (no progress)

Suppress progress bars and banners. Only output results.

Quick validation

Fast sweep with top payloads only. Good for smoke tests and CI gates.

Standard (default)

Balanced coverage and speed. Tests all categories with WAF-tuned payloads.

Maximum coverage

Every payload, every mutator, every category. Slow but thorough.

Bypass-focused

Prioritizes evasion chains and mutation combos over broad coverage.

Stealth (production-safe)

Low rate, randomized timing, realistic headers. Safe for live production.

sqlmap: sqlmap -u "url?id=1" --dbs

WAFtester tests the WAF, not the database.

Nuclei: nuclei -u url -t cves/

Uses Nuclei-compatible YAML templates.

ffuf: ffuf -u url/FUZZ -w wordlist.txt

Same FUZZ keyword and filter syntax.

Nikto: nikto -h url

Probe covers headers, TLS, WAF, and tech detection.

WordPress

Tests wp-admin, wp-login, xmlrpc.php, REST API, and plugin paths.

Drupal

Targets Drupalgeddon paths, node endpoints, and admin routes.

Next.js

Tests _next/data, API routes, middleware bypass, and SSR injection.

Flask

Targets Jinja2 SSTI, debug console, and Werkzeug endpoints.

Django

Tests admin panel, debug pages, ORM injection, and CSRF handling.

Rails

Targets Active Record injection, ERB SSTI, and asset pipeline.

Laravel

Tests Blade SSTI, debug mode, Eloquent injection, and telescope.

Spring

Targets Spring4Shell, actuator endpoints, SpEL injection, and Boot paths.