July 10, 2026
Your bug bounty session has too many windows open. Crusader wants to fix that.
A first look at Crusader — a local-first web security proxy built for how people actually hunt in 2026.

By Crusader Security
5 min read
Picture the last serious web target you worked. There's the proxy holding your history. There's a Repeater tab where you're hand-editing a request and squinting at two responses to spot what changed. There's a terminal running some Frida script you half-remember writing. Maybe a fourth window where an LLM is "helping" by reading pasted-in text and hallucinating an endpoint that doesn't exist.
Four tools. Three windows stacked on top of each other. The same captured request copy-pasted between all of them, a bearer token smeared across a hundred places, and a running mental note of which thing is the source of truth this hour.
That workflow tax is the problem Crusader is built to erase. Its one-line pitch — "one project, every actor" — sounds like marketing until you realize it's actually an architectural claim. And the architecture is the interesting part.
One database, and everything reads from it
Under the hood, your Crusader project is a single SQLite database sitting on your own machine. That's it. No cloud sync, no account, no product telemetry phoning home.
The move that makes this matter is what's allowed to touch that database. The GUI reads from it. So does the command line. So does the plugin host. So does the built-in MCP server your AI agent connects to. So does the mobile sandbox. Every capture — whether it came from your browser, a piped curl, a phone with cert-pinning stripped out, or an agent — lands in the same shared history.
The practical consequence: nothing gets copy-pasted between tools, because there are no separate tools. A request you captured in the proxy is the exact same object you throw at Repeater, feed into the Intruder-style "Attack Studio," query with SQL, or hand to an agent over MCP. Same captured truth, different surface. The re-pasting just… stops.
The features that actually change the day
A feature list is a boring way to introduce a tool, so here are the four that genuinely alter a workflow rather than adding a button you didn't have.
Repeater with the diff built in. Resend a request and Crusader automatically compares the new response to a baseline — line-level insertions, deletions, and changed tokens highlighted inline. No more eyeballing two raw blobs to find the one flipped boolean. It also uses token placeholders, so you're not manually pasting an auth token into every variant.
Mobile testing without four other tools. Frida is built in. One click kills certificate pinning on an Android target, installs the CA, attaches to the app, and points traffic back at the proxy — the readme claims about eight seconds, and it's a genuinely miserable setup to do by hand. APK sandbox, ADB control, and mTLS extraction come along for the ride.
Replays that look like a browser. This one's clever. Cloudflare and Akamai fingerprint your TLS handshake (JA3/JA4), which is why proxy replays so often eat a 403 that your actual browser sails through. Crusader ships a browser-impersonation transport that sends your requests out with a real Chrome, Firefox, or Safari TLS fingerprint, auto-matched to the request's User-Agent. Your replays stop getting flagged for the crime of not looking like a browser.
Identity Shadow Replay. Capture a request as Alice, and Crusader replays it as another principal you've tagged — plus an unauthenticated control — with CSRF tokens auto-refreshed, then diffs the response shapes and files the finding. That's IDOR/BOLA and broken-auth testing turned from a fiddly manual chore into a first-class native action.
The part that makes 2026 feel like 2026
The agent story is where Crusader plants a real flag, and it's worth being specific about why, because "AI-powered security tool" is a phrase that has earned its eye-rolls.
Most so-called AI proxy integrations pipe text into a chat box and pray. Crusader does the opposite. Every CLI verb (there are 40-plus, including sql, hunt, and llm) emits structured JSON on stdout. Every MCP tool call returns that same JSON, synchronously enough for an agent to await the result and decide what to do next. And here's the elegant bit — every JavaScript plugin you write is automatically four things at once: a side-panel form, a right-click action, a CLI verb, and an MCP tool. Write it once, call it from anywhere.
So the chain you'd normally hand-write in bash —
crusader sitemap --host api.target.com --json \
| jq '...idor endpoints...' \
| crusader ext run id-fuzzer --range 1-100 \
| crusader hunt --triage --json > findings.jsonlcrusader sitemap --host api.target.com --json \
| jq '...idor endpoints...' \
| crusader ext run id-fuzzer --range 1-100 \
| crusader hunt --triage --json > findings.jsonl— is the same chain an agent can run unattended over MCP, awaiting each deterministic result and reasoning about it before the next call. That's the difference between an agent that does real, auditable work against your history and one that produces confident nonsense. Determinism, declared input schemas, and synchronous returns are unglamorous, and they're exactly what was missing everywhere else.
Yes, let's talk about Burp
There's no polite way to introduce a new web security proxy without addressing the 800-pound gorilla, so: Crusader is openly gunning for Burp Suite's spot in your workflow (while being clear it isn't affiliated with or endorsed by PortSwigger).
The pitch is refreshingly un-cute about it. Hunter Pro is $499/year — the exact same price as Burp Pro — so switching doesn't touch your AppSec budget. Crusader claims line-for-line parity on the Burp Pro checklist (Repeater, Intruder, active + passive scanner, OAST/Collaborator-equivalent "Beacon," match-and-replace, session handling, extensions, the lot), then adds the four things above that Burp doesn't ship at any price: native mobile, browser-grade TLS, Identity Shadow Replay, and the agent-native layer.
And the migration cost is deliberately near-zero: drag a .burp file onto the startup screen and your history, site map, scope, scanner issues, and notes import and re-index into a live workspace — your original file untouched on disk. Caido (beta), HAR, and Fiddler SAZ import the same way. If you've got a year of bounty work locked in a project file, the whole thesis is that you upgrade it rather than abandon it.
The honest caveats
Being straight about the state of things: Crusader is currently a 1.0.3 alpha. Windows and Debian/Ubuntu builds are live and downloadable today; macOS is listed as "coming within about two weeks" once signing and notarization wrap up. Team Mode ("Squad") is in early access — you can publish a shared project snapshot now, with live presence, soft locks, and claimable tabs still rolling out.
Alpha means alpha. But it also means the founder pricing is the cheapest this tool will ever be: $249/year for life for the first 500 seats, versus the $499 standard. And the free tier is genuinely usable as a daily driver — HTTP/2 + WebSocket proxy, history, Repeater-with-diff, Decoder, Comparer, unlimited JavaScript plugins, CLI basics, and project import, forever, with no account and no telemetry.
Worth a download
The most persuasive thing about Crusader isn't any single feature — it's the refusal to treat your proxy, your terminal, your phone, and your agent as four separate universes that happen to be looking at the same target. One project. One database. Every actor reading from it.
If your current hunt involves too many windows and too much copy-paste — and whose doesn't — it costs nothing to find out whether collapsing them into one workspace is the upgrade it sounds like. No card, no account, no sales call.
Disclosure: this is an introductory overview based on Crusader's public materials. Feature claims and pricing reflect the product at the time of writing (an early public alpha) and are worth verifying on the site, since alphas move fast.