Open source roots. Professional results.

Finds endpoints others miss with deep extraction, tuned heuristics, and context-aware path probing.

One-time purchase, $199 · Lifetime license · Includes 12 months of updates

Get started in 3 steps

Purchase, activate, then scan.

Buy a lifetime license

One-time purchase, perpetual use. Includes 12 months of updates; optionally renewable.

Verify your download

Download the build for your platform. Confirm the provided SHA-256 checksum before running the binary.

Activate

Generate a one-time local challenge token, upload it to the portal, then install the vendor-signed activation token.

High-signal discovery at scale

Our extractors and semantic analyzers prioritize high-confidence paths, while tiered discovery and provenance tracking reduce false positives and speed triage. Scan wide, but keep the signal.

Modern, Purpose-Built Internals

A ground-up rewrite built on the feroxfuzz open source project, with a composable, structure-aware async core and open internals that enable higher throughput, lower resource usage, and reproducible runs.

High-Signal Extractors

Specialized extractors for structured sources like OpenAPI specs, OIDC metadata, Service Workers, manifests, and framework artifacts that other scanners ignore.

Semantic JavaScript Analysis

AST-level parsing with dataflow analysis to recover dynamically constructed URLs and endpoints that regex-based extraction consistently misses.

Discovery Provenance

Records the source and discovery method for every URL, making results explainable, auditable, and easy to diff and validate when paths are derived from application signals.

Tiered Wordlists & Discovery-Driven Hints

Run multiple wordlists, in order, while the controller injects high-confidence paths derived from discovered signals, increasing hit rate without noisy blind probing.

Included in Pro

Find what's new. Skip the rest.

Scan diffing turns repeat scans into targeted follow-up. Compare two runs, isolate what actually changed, and zero in on new attack surface.

  • Spot newly exposed APIs and schemas between releases
  • Catch client-side config drift that reveals high-value routes and feature flags
  • Spend time on new paths, not comparing scans by hand

Optional Add-on

Distribute the work. Centralize the control.

Distributed Runtime gives you a control plane for long-running recon. Steer active scans from the TUI, keep work moving when nodes drop, and reattach to sessions without losing context.

  • Launch and steer active scans from a live TUI. Scan, agent, and results views in one place
  • Work reassigns automatically when an agent drops. No babysitting, no lost progress
  • Detach and reattach to long-running scans without losing context
  • Enroll agents with controller-issued credentials, stored encrypted at rest

More endpoints. Less noise.

Feroxbuster Pro finds what other scanners miss: endpoints hiding in JS, specs, and framework artifacts your wordlist can't reach.