Welcome to TSA Labs
Open-source offensive security tools built by TSA to empower penetration testers and security researchers worldwide.
AI PENTEST Toolkit
AI-powered offensive security framework that automates and enhances the entire penetration testing workflow. Integrates large language models for intelligent target scoping, automated reconnaissance, vulnerability chaining, custom payload generation, exploit generation, natural language report writing, and attack path prediction.
DirRumble
Lightning-fast, completely raw HTTP directory and file fuzzing tool that sends exactly what you write - no normalization, no auto fixes, no hidden headers. Perfect for high-speed directory brute-forcing, API endpoint discovery, parameter fuzzing, and WAF bypass testing when you need full control over every single byte.
NexusTrace
High-speed DNS resolving and subdomain enumeration tool featuring concurrent brute-forcing, passive source scraping (CRT.sh, CertSpotter, DNSdumpster, etc.), custom resolver support, wildcard detection & filtering, DNSSEC validation, AXFR attempts, IPv6 support, and intelligent rate limiting.
GateWaySeeker
Lightning-fast admin panel and hidden directory discovery tool with multi-threaded scanning, built-in and custom wordlists, extension brute-forcing (.php, .asp, .bak, etc.), HTTP status code filtering, response size analysis, stealth mode (random delays & User-Agent rotation), and colored console + JSON output.
SubScape
Advanced subdomain enumeration engine combining passive reconnaissance (certificate logs, search engines, threat intel feeds), DNS brute-forcing, permutation & alteration generation, takeover detection, custom DNS resolvers, rate-limit evasion, wildcard handling, and export in multiple formats (TXT, JSON, CSV).
Cicada
Fast, modular vulnerability scanner for web applications. Supports active and passive scanning, built-in payloads for SQLi, XSS, SSTI, LFI/RFI, SSRF, command injection, and open redirects. Features smart crawler with JavaScript rendering (headless Chrome), automatic parameter discovery, rate limiting, custom headers/cookie support, detailed vulnerability reports (JSON/HTML), and plugin-based payload engine.
XSS-Cobra
Ultra-fast, payload-agnostic XSS vulnerability scanner with hybrid detection. Features automatic DOM-based, reflected, and stored XSS testing, polyglot & context-aware payload generation (HTML, JS, SVG, event handlers, etc.), headless Chrome + static analysis for accurate DOM XSS, intelligent mutation engine (bypasses WAFs and filters), automatic parameter discovery & fuzzing, CSP analysis, detailed proof-of-concept generation, and export in JSON/HTML/TXT.
SQLStrike
High-speed automated SQL injection detection and exploitation assistant. Supports error-based, blind (boolean/time-based), union-based, and stacked queries across MySQL, PostgreSQL, MSSQL, Oracle, and SQLite. Features intelligent payload crafting, tamper scripts (WAF bypass), automatic GET/POST/JSON/headers/cookie testing, customizable time delays, differential response analysis, built-in crawler for parameter discovery, database enumeration (version, users, tables, columns, dump), and detailed JSON/HTML report output.
Join Our Community
Open Source Contribution
Join our community of security researchers and contribute to open-source tools. Whether you're fixing bugs, adding features, or improving documentation—every contribution makes a difference.
TSA Library
Curated learning resources, frameworks, and practice labs designed to accelerate your cybersecurity journey. From foundational concepts to advanced exploitation techniques—everything you need in one place.