We build infrastructure
and security tooling.

Everything is Rust. Everything is open source. Every crate is a library you can import, a CLI you can install, or both.

GitHub → crates.io How we operate Hall of Fame

27 Repositories

100% Open Source

Rust Language

MIT License

Featured

Compiler

vyre — the abstraction layer GPUs never got

Compiler-grade sequential logic on GPU, with workgroup-local coordination and a machine-verified conformance gate. Vyre unblocks the workloads every other GPU stack punts to CPU: lexers, parsers, borrow checkers, regex engines, and fixed-point dataflow analyzers.

Provides workgroup-local stacks, queues, hashmaps, state machines, typed arenas, string interners, dominator trees, union-find structures, visitor walks, and fixed-point dataflow engines as first-class primitives. Every primitive lowers to the shader a hand-optimizer would write, and the conformance gate rejects any backend that diverges by even one bit.

Targets: CUDA, WGPU, SPIR-V Parity: 100% Bit-Exact Frontend: C11 Architecture: Zero-overhead IR License: MIT / Apache-2.0

→

All projects

Security Tooling

Scanners, detection, reconnaissance, evasion testing, detonation, and secret management.

keyhog Tool →

Secret detection in source code, git history, archives, and CI pipelines. 896 provider-specific detectors with entropy validation. Hyperscan SIMD engine with optional GPU acceleration via Vyre. Outputs JSON, SARIF, and human-readable reports. 96% recall benchmark.

gossan Tool →

Reconnaissance framework. DNS enumeration, port scanning, service fingerprinting, web crawling. Async Rust with io_uring integration. Subdomain discovery, tech-stack fingerprinting via TrueStack, rate-limited scanning, and structured JSON output. Each capability is a standalone subcrate.

wafrift Tool →

WAF evasion testing toolkit. Grammar-based payload mutation and dialect-specific bypass generation. Adversarial mutation engine for testing WAF rule coverage. TOML-driven grammar definitions, 19+ encoding strategies, dialect-specific presets for ModSecurity/Cloudflare/AWS WAF. Uses AttackStr for payload generation.

envseal Tool →

Encrypted secret management for developer workflows. Replaces .env files. AES-256-GCM vault with master key derivation via Argon2id. CLI and desktop GUI (Tauri). Audit logging, team key sharing, granular access control. Designed for AI agent workflows where secrets need sandboxed injection.

truestack Tool →

Technology fingerprinting engine. Identifies frameworks, servers, CDNs, and services from HTTP responses. Header analysis, favicon hash matching, HTML/JS pattern detection. TOML-driven signature database — add a new fingerprint in 5 lines. Powers Gossan's tech-stack detection but works standalone.

procjail Library →

Process sandbox for untrusted code execution. Linux namespaces, seccomp-bpf, rlimits, watchdog timeout. Drop-in sandboxing for any subprocess. Network isolation, filesystem restrictions, syscall filtering, memory and CPU limits. Used by Sear for URL detonation and Keyhog for safe credential verification.

karyx Coming Soon

Template-based vulnerability scanner. YAML/TOML templates, HTTP probing, headless browser support. Orchestrates Gossan + WafRift + Keyhog into a unified scanning pipeline. Custom scan templates with conditional logic, extractors, and matchers. Targets web applications, APIs, and network services.

sear Coming Soon

URL detonation engine. Sandboxed browser execution for phishing analysis and malware detection. Headless Chromium inside a ProcJail sandbox. Captures network traffic, screenshots, DOM mutations, and JavaScript behavior. Designed for automated phishing triage and threat intelligence feeds.

Performance Infrastructure

General-purpose systems libraries. Not security-specific — anyone can use these.

dfajit Library →

JIT DFA compilation to native x86-64. Generates machine code for deterministic finite automata at runtime. Cranelift-based JIT compiler that converts DFA state tables to native code. Eliminates interpreter overhead for hot patterns. Plugs into the same matching API as Vyre and SimdSieve.

simdsieve Library →

AVX-512 / NEON multi-pattern matching. Vectorized Aho-Corasick with runtime CPU feature detection. SIMD-accelerated pattern matching for CPU-bound workloads. Automatic dispatch between AVX-512, AVX2, and NEON instruction sets. Benchmarked at 4+ GB/s throughput on commodity hardware.

ebpfkit Library →

eBPF kernel-space filtering. Load, manage, and interact with eBPF programs from safe Rust. Type-safe eBPF map access, program lifecycle management, and tracepoint attachment. Powers kernel-level filtering for network monitoring and syscall auditing without writing raw C.

ziftsieve Library →

Pattern matching inside compressed streams. Scan without decompressing. Search for patterns inside gzip, zstd, and brotli streams by matching against the decompression buffer without materializing the full output. Dramatically reduces I/O for archive scanning.

flashsieve Library →

Block-level pre-filtering. Skip files that can't possibly match before full scan. Bloom filter and n-gram based pre-screening. Reads file blocks and rejects non-matching files in microseconds, reducing the volume sent to the full matching engine by 10–100×.

wireshift Coming Soon

io_uring ring manager. Typed submit/wait/complete for async I/O on Linux. Safe, ergonomic Rust wrapper around Linux io_uring. Typed completion entries, multi-ring management, and zero-copy buffer pools. Designed for high-throughput network and disk I/O.

tenshift Coming Soon

ML data loader. Replaces PyTorch DataLoader in Rust — prefetch, shuffle, batch, transform.