I wanted to share a project I built in a strange but productive pair-programming "trip" with a large language model. The goal was to create my own automated "First Officer"—a tool that handles the tactical grunt work of finding common vulnerabilities while I focus on the strategic, human-led parts of a security assessment.
The result is Nightcrawler, an open-source CLI proxy and scanner built on Python & mitmproxy.
How it works: You run it and browse a target app through it. While you navigate, Nightcrawler passively finds insecure headers, outdated JS, and JWTs, while its active scanners autonomously test every discovered link and form for XSS, SQLi, Directory Traversal, and more.
The development process felt exactly like Captain Picard directing Commander Riker. I'd give the strategic orders ("We need to detect Stored XSS"), and the LLM would execute the tactical implementation. It was incredibly fast, but also highlighted the current limits of AI—it required constant human oversight to fix the subtle bugs and "hallucinations" it introduced.
The tool is still in beta (pip install nightcrawler-mitm). I'd love to get your feedback, bug reports, or ideas on what to build next.
Thanks for checking it out!