Go · Rust · Postgres · NATS
Hellion

Distributed HTTP security testing — YAML test packs, scoped Rust workers, Go control plane, and a built-in web UI.
Authorized testing only.
Only scan systems you own or have explicit written permission to test. Unauthorized access is illegal.
- ~2.4k/s: end-to-end at 10k runs (single worker)
- ~98k/s: bulk queue ingest at 100k runs
- YAML packs: http, assert, extract, finding steps
- Docker: Compose stack with Juice Shop sample target
What it does
- Scopes: Allowed origins and methods enforced per worker.
- Test packs: Multi-step HTTP checks defined in YAML.
- Runs: Submit targets via REST API or web UI; track events and outcomes.
- Scale: NATS job queue, horizontal worker replicas, Postgres state.
Plain English: Hellion queues HTTP security checks against targets you are allowed to hit, runs them in parallel across Rust workers, and stores findings and run history in Postgres.
Start here
- Quick start — docker compose up, web UI, first run
- Architecture — components, flows, lifecycle
- API reference — endpoints and events
- Test packs — writing check workflows
- Performance — benchmarks and tuning
Repository: github.com/AllanGallop/Hellion