Bowire as a cyber-security testing tool

Status: Tiers 1 + 2 shipped through v1.4.x. Tier 3's intercepting-proxy anchor shipped; remaining Tier 3 items + Tier 4 are open work tracked on the ROADMAP.

Why this is a distinct lane

Bowire ships today as a "multi-protocol API workbench" — discover, invoke, record, replay across gRPC / REST / GraphQL / SignalR / MCP / SSE / WebSocket / MQTT / OData / Socket.IO. Every cyber-security testing tool of repute already overlaps with this surface for one transport:

  • Burp Suite Pro / ZAP — HTTP-centric. The gold standard for intercepting-proxy + repeater + intruder + scanner against REST/GraphQL. gRPC needs plugins + manual .proto wiring; SignalR / WebSocket / MQTT have at best community-contributed half-solutions.
  • Nuclei — YAML-template-driven, fast, multi-transport. But the template DSL is HTTP-first and the ~10k-template community library is overwhelmingly HTTP/CVE-focused.
  • Postman / Insomnia — REST + GraphQL functional testing, no security-specific surface.
  • 42Crunch / Salt / Noname / Bright — enterprise API-Security-Posture-Management SaaS. Schema-compliance-heavy, weaker on active testing, no self-host story.

Bowire's sweet-spot — and the case for evolving it into a cyber-security tool — is the intersection of three properties no incumbent owns:

  1. Multi-protocol-native, including the non-HTTP ones. A single tool that can hit a gRPC service via reflection, a SignalR hub via its typed methods, an OData endpoint via $metadata introspection, and an MQTT broker via topic enumeration — all in the protocol's own dialect, not as a polyfill over HTTP.
  2. Schema-aware. The frame-semantics framework (v1.3.0) already classifies fields by kind (coordinate.latitude, image.bytes, audio.bytes, timestamp, …). A schema-aware fuzzer knows not to throw SQL injection payloads at a latitude field, knows that image.bytes deserves magic-byte mutation instead of XSS payloads, knows that an audio.sample-rate field is a numeric integer and not a string. None of the incumbents have this for non-HTTP protocols.
  3. Recording → Replay as a first-class workflow. Already shipped. Recordings carry interpretations + schema-snapshots (Phase 5) so replay is deterministic across detector drift. This is the natural primitive for "vulnerability templates" — each known vulnerability becomes a captured-flow + an expected-vulnerable-response predicate.

The product positioning: "Burp Suite for the non-HTTP protocols, with schema-awareness, self-hosted, with AI-assisted threat modeling via MCP."

Capability tiers

Roadmap unfolds in four tiers. Each tier is sellable on its own; the upper tiers compound on the lower ones.

Tier 1 — Foundation — shipped

The minimum that makes Bowire a credible security tool at all. Covered by bowire scan + the seed templates in kuestenlogik/Bowire.VulnDb. Live items: active scanner subcommand with built-in passive checks (HTTP security-headers, TLS version + cipher enumeration, verbose-error detection, banner/version disclosure); vulnerability-template format (YAML + JSON DSL, multi-protocol-first, schema-aware); SARIF + HTML + console reporting for CI/CD integration; authentication profile (--auth-header); scope-awareness (--scope); vulnerable-by-design sample app for regression testing.

Tier 2 — Specialty — shipped

The differentiators that no other tool has. Live items: schema-aware fuzzing both as workbench right-click UI ("Fuzz this field ▸") and CLI (bowire fuzz with SQLi / XSS / path-traversal / command-injection categories, schema-aware skip for numeric/bool fields, baseline-diff oracle detection); JWT toolkit (bowire jwt decode + bowire jwt tamper with --alg-none, --set claim=value, --secret <key>); multi-protocol attack template library bootstrap in kuestenlogik/Bowire.VulnDb (initial 7 templates across gRPC / GraphQL / REST / OData, CI validation against the vulnerable-by-design sample).

Open: Multi-protocol attack template library expansion — see ROADMAP for the next batch (SignalR brute-force, OData IDOR, MQTT ACL bypass, WebSocket subprotocol confusion, …) plus the monthly NVD-sync workflow + bowire vulndb update plumbing.

Tier 3 — Pro-grade catch-up (parity with Burp / ZAP)

The features that turn Bowire into a "single tool" choice for a pen-tester instead of "use Bowire AND Burp".

Shipped:

  • Intercepting proxy (bowire proxy) — Kestrel-hosted forward proxy with capture store + SSE live feed, HTTPS MITM via auto-generated CA + on-the-fly leaf-cert minting, workbench Proxy view that streams captured flows and converts them into recordings.
  • Active fuzzer — CLI bowire fuzz ships with built-in wordlists per category (sqli / xss / pathtrav / cmdinj). Workbench right-click UI exposes the same engine.
  • CI/CD integration — reusable scan-template.yml workflow, first-class GitHub Action exit-code semantics (findings are output, not failure), SARIF + GitHub Code Scanning compatibility chain (severity-label → CVSS midpoint mapping, logicalLocations for non-https URIs, physicalLocation pointing at the scan workflow, partialFingerprints for cross-run alert tracking).

Open:

  • [ ] Curated payload library at scale — beyond the built-in seed wordlists, pull from FuzzDB / SecLists, statistical timing analysis (blind-SQL-injection oracle).
  • [ ] Sensitive-data scanner. Response-body regex sweep for PII (credit cards, SSN, EU phone formats), API keys (AWS / GCP / Stripe / GitHub formats), JWT / OAuth tokens, internal IP addresses, S3 / Azure / GCS bucket URLs.
  • [ ] BOLA / BFLA tests. Two auth tokens supplied — scanner attempts each tokenised request as the other user, flags 200-when-it-should-401 as Broken-Object-Level-Authorization.

Tier 4 — Differentiation

Features that distinguish Bowire from "just another DAST tool". All items open.

  • [ ] AI-assisted threat modeling via MCP. Bowire's MCP-server surface (already shipped) lets an LLM call into discovery / replay. New direction: Bowire's MCP adapter exposes a bowire.threat-model prompt that asks Claude (or any MCP-aware LLM) to look at the discovered service tree and propose the top-N riskiest endpoints + suggested attack templates. Operator confirms → templates run. The LLM is the smart-default-template-picker; Bowire is the execution engine.
  • [ ] Recording-driven security regression tests. Known-good attack as a recording, runs in CI after every deploy. Failure = "this vulnerability got fixed but is back". Reuses the Phase-5 replay-determinism machinery so the regression test stays valid across detector drift.
  • [ ] Multi-protocol attack chains. Sequence: record a gRPC discovery → mutate to extract the schema → replay schema fields as SQL-injection payloads against the same service's REST surface → assert no leak. The chain itself is a recording — versionable, reviewable, replayable.
  • [ ] Compliance mapping. Automatic OWASP API Top 10 / CWE / CVSS scoring per finding. The HTML report has a compliance-overview tab; the SARIF output carries the mapping in properties.security-severity so GitHub Code Scanning groups findings the same way.
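The SARIF chain described in the Tier 3 CI/CD item (severity-label → CVSS midpoint, logicalLocations for non-file targets, a physicalLocation on the scan workflow, partialFingerprints) and the Tier 4 compliance-mapping item (properties.security-severity so GitHub Code Scanning groups findings) fit in one small emitter. The following is an added example of that emitter, not Bowire's own reporter. Assumed here: the midpoint values (the text names the mapping but not its numbers; these are the centres of the CVSS 3.1 qualitative bands), the fingerprint key name, the finding-dict layout, and the second, placeholder template id.

```python
"""SARIF 2.1.0 emitter for scan findings (added example, not Bowire code).

Assumed: the severity -> midpoint table below, the finding dict layout,
the partialFingerprints key name, and the placeholder BWR-HTTP-EXAMPLE id.
"""
import hashlib
import json

# Centres of the CVSS 3.1 bands (low 0.1-3.9, medium 4.0-6.9, high 7.0-8.9,
# critical 9.0-10.0); used when a template carries no explicit cvss score.
SEVERITY_TO_SCORE = {"low": 2.0, "medium": 5.5, "high": 8.0, "critical": 9.5}
# SARIF result level; Code Scanning uses it for the alert tone.
SEVERITY_TO_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
# Reusable workflow named in the CI/CD item above; the alert is pinned to it
# because the targets themselves are services, not files.
WORKFLOW_PATH = ".github/workflows/scan-template.yml"


def security_severity(finding):
    """Prefer the template's own CVSS score; fall back to the label midpoint."""
    score = finding.get("cvss") or SEVERITY_TO_SCORE[finding["severity"]]
    return f"{score:.1f}"


def fingerprint(finding):
    """Hash only what identifies the finding (template, target, probe) so the
    value survives re-runs with different timings, run ids or message text."""
    key = "|".join((finding["templateId"], finding["target"], finding["probe"]))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def to_sarif(findings, tool_version="0.0.0-example"):
    """Build a SARIF 2.1.0 document with one rule per template id."""
    rules, seen, results = [], set(), []
    for f in findings:
        if f["templateId"] not in seen:
            seen.add(f["templateId"])
            rules.append({
                "id": f["templateId"],
                "shortDescription": {"text": f["title"]},
                "help": {"text": f.get("remediation", "")},
                "properties": {
                    "security-severity": security_severity(f),
                    "tags": ["security", f["cwe"], f["owaspApi"]],
                },
            })
        results.append({
            "ruleId": f["templateId"],
            "level": SEVERITY_TO_LEVEL[f["severity"]],
            "message": {"text": f"{f['title']} at {f['target']}"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": WORKFLOW_PATH},
                    "region": {"startLine": 1},
                },
                "logicalLocations": [{
                    "name": f["probe"],
                    "fullyQualifiedName": f"{f['target']}/{f['probe']}",
                    "kind": "resource",
                }],
            }],
            "partialFingerprints": {"bowireFinding/v1": fingerprint(f)},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "bowire-scan-example", "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


# Constructed findings: BWR-GRPC-001 from the template section firing on a
# staging host, plus a medium finding with a placeholder id and no cvss score.
FINDINGS = [
    {"templateId": "BWR-GRPC-001", "title": "gRPC Server Reflection exposes internal services in production",
     "severity": "high", "cvss": 7.5, "cwe": "CWE-540", "owaspApi": "API3-2023-BOPLA",
     "target": "grpc://staging.example.internal:5001",
     "probe": "grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo",
     "remediation": "Drop app.MapGrpcReflectionService() from the production build or gate it behind RequireAuthorization."},
    {"templateId": "BWR-HTTP-EXAMPLE", "title": "Missing Strict-Transport-Security header",
     "severity": "medium", "cwe": "CWE-319", "owaspApi": "API8-2023-SecurityMisconfiguration",
     "target": "https://staging.example.internal", "probe": "GET /"},
]

if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```

The fingerprint deliberately excludes the message text and any timing data: if it changed whenever a title was reworded, Code Scanning would close the old alert and open a new one on every template update, which is exactly the cross-run tracking the partialFingerprints field is meant to provide.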

Vulnerability template format

The shape every template in kuestenlogik/Bowire.VulnDb follows. YAML or JSON, three sections: identifying metadata, the probe request, the predicate that decides "is this target vulnerable".

id: BWR-GRPC-001
title: gRPC Server Reflection exposes internal services in production
cve: []                       # NVD entry, optional
cwe: CWE-540                  # Inclusion of Sensitive Information
owaspApi: API3-2023-BOPLA
severity: high                # low / medium / high / critical
cvss: 7.5                     # CVSS 3.1 base score, optional
protocols: [grpc, grpc-web]
authors: [thomas-stegemann]
introduced: 2026-05-15
references:
  - https://github.com/grpc/grpc/blob/master/doc/server-reflection.md

# What to send. Mirrors the existing BowireRecordingStep shape so the
# same replay engine that powers `bowire mock` also drives `bowire scan`.
probe:
  protocol: grpc
  service: grpc.reflection.v1alpha.ServerReflection
  method: ServerReflectionInfo
  body: |
    { "listServices": "" }

# When this matches, the target is vulnerable. Composite operators
# (allOf / anyOf / not) nest arbitrarily.
vulnerableWhen:
  allOf:
    - status: 200
    - bodyJsonPathExists: "$.listServicesResponse.service[*]"
    - bodyJsonPath: "$.listServicesResponse.service[*].name"
      anyValueMatches: ".*Admin.*|.*Internal.*"

remediation: |
  In ASP.NET Core, drop `app.MapGrpcReflectionService()` from the
  production build, OR gate it behind `.RequireAuthorization("Admin")`.
  Verify with: `grpcurl -plaintext <host> list` — should return
  `Failed to list services: ...`.

Predicate operators

Leaf operators:

  • status: <int> — HTTP status code equals
  • statusIn: [int, …] — HTTP status code is in the list
  • bodyContains: "<substr>" — response body contains literal substring
  • bodyMatches: "<regex>" — response body matches regex (RE2 syntax)
  • bodyJsonPath: "<path>" + equals: "<value>" — JSONPath result equals
  • bodyJsonPathExists: "<path>" — JSONPath has at least one match
  • bodyJsonPath: "<path>" + anyValueMatches: "<regex>" — at least one JSONPath result matches the regex
  • headerEquals: { Name: "<value>" } — header value equals
  • headerExists: ["Name", …] — header is present
  • headerMissing: ["Name", …] — header is absent
  • latencyMsAtLeast: <int> — response latency ≥ N ms (blind-SQL-injection / timing-oracle detection)

Composite operators:

  • allOf: [<predicate>, …] — all sub-predicates match (implicit when multiple leaves sit on one node)
  • anyOf: [<predicate>, …] — at least one sub-predicate matches
  • not: <predicate> — sub-predicate does NOT match
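The operator list above is the whole contract a scan engine has to honour, so a small reference evaluator makes its semantics concrete: implicit allOf when several leaves share a node, nesting of allOf / anyOf / not, and the JSONPath qualifiers. The following is an added example, not Bowire's scanner. It loads the vulnerableWhen block of BWR-GRPC-001 from the template above as a dict and runs it against three constructed ServerReflection replies (unpatched, gated behind authorization as the remediation suggests, and reflection enabled but exposing only public services), which is the same positive/negative split the template CI runs. Assumptions: the response dict layout, the JSONPath subset (dotted keys, [*], [n]) implemented here, and Python's re standing in for RE2.

```python
"""Reference evaluator for the vulnerableWhen predicate DSL (added example,
not Bowire's own scanner code).

Assumptions: a captured response is a dict with 'status', 'headers', 'body'
(text) and 'latency_ms'; only the JSONPath forms the templates use
($.a.b[*].c, $.a[0]) are supported; Python's re stands in for RE2.
"""
import json
import re


def _jsonpath(doc, path):
    """Return the list of nodes matched by a minimal JSONPath ([] if none)."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with $")
    nodes = [doc]
    for key, idx in re.findall(r"\.([A-Za-z_][A-Za-z0-9_-]*)|\[(\*|\d+)\]", path[1:]):
        nxt = []
        for n in nodes:
            if key:
                if isinstance(n, dict) and key in n:
                    nxt.append(n[key])
            elif idx == "*":
                if isinstance(n, list):
                    nxt.extend(n)
            elif isinstance(n, list) and int(idx) < len(n):
                nxt.append(n[int(idx)])
        nodes = nxt
    return nodes


def _body_json(resp):
    """Parse the body as JSON; a non-JSON body simply yields no matches."""
    try:
        return json.loads(resp["body"])
    except (ValueError, TypeError):
        return None


def evaluate(pred, resp):
    """True when the predicate matches. Several leaves on one node form an
    implicit allOf; header names are compared case-insensitively."""
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    checks = []
    for op, arg in pred.items():
        if op == "allOf":
            checks.append(all(evaluate(p, resp) for p in arg))
        elif op == "anyOf":
            checks.append(any(evaluate(p, resp) for p in arg))
        elif op == "not":
            checks.append(not evaluate(arg, resp))
        elif op == "status":
            checks.append(resp["status"] == arg)
        elif op == "statusIn":
            checks.append(resp["status"] in arg)
        elif op == "bodyContains":
            checks.append(arg in resp["body"])
        elif op == "bodyMatches":
            checks.append(re.search(arg, resp["body"]) is not None)
        elif op == "bodyJsonPathExists":
            checks.append(len(_jsonpath(_body_json(resp), arg)) > 0)
        elif op == "bodyJsonPath":
            matches = _jsonpath(_body_json(resp), arg)
            if "equals" in pred:  # compared as strings so 200 == "200"
                checks.append(any(str(m) == str(pred["equals"]) for m in matches))
            if "anyValueMatches" in pred:
                rx = re.compile(pred["anyValueMatches"])
                checks.append(any(isinstance(m, str) and rx.search(m) for m in matches))
        elif op in ("equals", "anyValueMatches"):
            continue  # qualifiers consumed by bodyJsonPath above
        elif op == "headerEquals":
            checks.append(all(headers.get(k.lower()) == v for k, v in arg.items()))
        elif op == "headerExists":
            checks.append(all(k.lower() in headers for k in arg))
        elif op == "headerMissing":
            checks.append(all(k.lower() not in headers for k in arg))
        elif op == "latencyMsAtLeast":
            checks.append(resp["latency_ms"] >= arg)
        else:
            raise ValueError(f"unknown predicate operator: {op}")
    return all(checks)


# The vulnerableWhen block of BWR-GRPC-001 as a YAML/JSON loader would hand it over.
GRPC_001 = {"allOf": [
    {"status": 200},
    {"bodyJsonPathExists": "$.listServicesResponse.service[*]"},
    {"bodyJsonPath": "$.listServicesResponse.service[*].name",
     "anyValueMatches": ".*Admin.*|.*Internal.*"},
]}


def _reflection_reply(status, names):
    """Constructed ServerReflection reply; empty names means no JSON body."""
    body = json.dumps({"listServicesResponse": {"service": [{"name": n} for n in names]}}) if names else ""
    return {"status": status, "headers": {"content-type": "application/grpc"}, "body": body, "latency_ms": 11}


VULNERABLE = _reflection_reply(200, ["grpc.reflection.v1alpha.ServerReflection", "shop.internal.AdminOrders"])
GATED = _reflection_reply(401, [])                                   # remediation applied
PUBLIC_ONLY = _reflection_reply(200, ["shop.v1.Catalog", "grpc.health.v1.Health"])

if __name__ == "__main__":
    for label, resp in [("vulnerable", VULNERABLE), ("gated", GATED), ("public-only", PUBLIC_ONLY)]:
        print(f"{label:12s} vulnerable={evaluate(GRPC_001, resp)}")
```

The PUBLIC_ONLY case is the one worth keeping in a template's negative CI pass: reflection is still on, but the predicate's anyValueMatches clause is what separates "reflection enabled" from "reflection enumerates admin/internal services", and a scanner that dropped that clause would report every development build.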

Why YAML + JSON both

YAML is human-friendly (multi-line strings, comments, indented hierarchy) — community-contributable templates ship as YAML. JSON is machine-friendly — the workbench's internal IR, the SARIF output, and the wire format between bowire scan instances ship as JSON. The CLI accepts both via file extension.

Maintenance model — three concentric corpora

  1. Core community template set: kuestenlogik/Bowire.VulnDb on GitHub, MIT-licensed. PR-driven contributions, CI validates each template against a per-template vulnerable-by-design container. Two CI passes per PR: positive (template fires against vulnerable container) and negative (template stays quiet against patched container).
  2. Curated set — the Top-20 per protocol, reviewed by named maintainers, surfaced on the marketing site as a Trust-Signal page. Subset of the community template set.
  3. Private add-ons — a future commercial differentiator. Proprietary 0-day templates a Bowire customer subscribes to; ships as encrypted bundles unlocked by license-key, separate from the public template set.

bowire vulndb update (planned) is the CLI plumbing — git pull against the public template set, ~/.bowire/vulndb-local/ for handwritten templates, license-gate against the private bundle when a subscription is active.

Differentiation vs incumbents

For each incumbent: what it wins on, and where Bowire's lane lies.

  • Burp Suite Pro. Wins on: HTTP intercepting proxy, scanner, extensibility (BApps), $499/user/year. Bowire's lane: Bowire owns gRPC / SignalR / WebSocket / MQTT / OData natively. Bowire is free + self-hosted.
  • OWASP ZAP. Wins on: free, scriptable, similar HTTP feature set to Burp. Bowire's lane: same non-HTTP-protocol gap.
  • Nuclei. Wins on: massive template library (~10k), fast. Bowire's lane: Bowire's templates are schema-aware (frame-semantics) and multi-protocol-first.
  • Postman. Wins on: auth flows, environments, collaboration. No security testing surface. Bowire's lane: Bowire's workflow primitives (env + recording + replay) already match Postman's; the security layer is the addition.
  • 42Crunch / Salt / Bright. Wins on: SaaS API Security Posture Management. Bowire's lane: Bowire is self-hostable, OSS, with on-prem replay determinism. Enterprise lane separate from Bowire's open core.

The positioning is clear: Bowire is not trying to be Burp + 1. It's the multi-protocol-native + schema-aware security tool the existing incumbents leave a gap for.

Branding consideration

For commercial positioning beyond the open core, a sub-brand may be warranted:

  • Bowire Scout — recon-focused, fits the existing maritime brand vocabulary.
  • Bowire Probe — active-scanning-focused.
  • Surgewave Sentinel — full sub-product in the Surgewave / Capespire / Sealbolt brand family the org already uses.

The free tier stays "Bowire Core + bowire scan subcommand + public vulndb". Paid tier adds Tier-3+ features (curated payload library at scale, private vulndb subscription, AI threat-modeling via hosted LLM). This keeps the OSS-friendly story while leaving room for a commercial product.

Pick a name later; the architecture in this ADR doesn't depend on it.

What this is NOT

To prevent scope creep:

  • NOT a network scanner. Bowire doesn't probe IP ranges, doesn't do port discovery, doesn't run nmap. Nmap exists. Bowire works once a target service is known.
  • NOT a host-based scanner. Bowire doesn't introspect the OS, doesn't read /etc/passwd, doesn't audit running processes. That's Nessus territory.
  • NOT a SAST tool. Bowire doesn't analyse source code. SonarQube, Snyk Code, GitHub CodeQL exist.
  • NOT a runtime defense product. Bowire is a testing tool, not an inline WAF / IDS / IPS. Bowire's findings inform what should be defended against; the defense itself is somebody else's product.

Bowire stays a multi-protocol API exercise tool. The security lane extends what kind of "exercise" — from "does this API still work" to "where does this API still leak".