REED

Burp Suite Professional costs 475 dollars a year per seat. A senior software engineer in Amsterdam built the open source replacement as a side project. He put it on GitHub for free. It has 10,569 stars. His name is David Stotijn. The software is Hetty. Here is what Hetty is. An HTTP toolkit for security research. A machine-in-the-middle proxy that sits between your browser and the target. Every request and every response flows through Hetty. You can read them, search them, intercept them, edit them, replay them, and send them again. This is the core loop of every web application security test ever performed. Burp Suite charges 475 dollars a year for it. Hetty does the same job for zero. Here is the feature set. A machine-in-the-middle HTTP proxy with full logs and advanced search. An HTTP client for manually creating and editing requests, and replaying any request you already proxied. Request and response interception for manual review, with full edit, send, receive, and cancel control. Scope support to keep your work organized to a single target. A web-based admin interface that runs in your browser. Project-based database storage so multiple engagements stay separate. A GraphQL service for programmatic access. The installer is a single Go binary. Works on macOS, Linux, and Windows. No Java runtime, no enterprise license server, no machine fingerprinting, no telemetry. Here is the price ladder. Burp Suite Professional: 475 dollars a year per seat. Burp Suite Enterprise: thousands per year, contact sales for a quote. Burp Suite Community Edition: free, but throttled, no scanner, no project save, no intruder rate. OWASP ZAP: free and open source, now owned by Checkmarx after a 2024 acquisition. Hetty: zero. Forever. One binary. No account. A pentester working full time pays Burp 475 dollars a year. A team of 10 pentesters pays 4,750 dollars a year. A bug bounty hunter who finds one vulnerability has already paid for Burp twice over. Or they download a 30 MB Go binary written by a freelancer in Amsterdam and keep every dollar they earn. David has not pushed a new commit in 16 months. The last commit was January 13, 2025. That is normal for a tool that is feature-complete. HTTP has not changed. The proxy still proxies. The intercept still intercepts. MIT licensed code does not expire when the maintainer takes a break. Buy a domain. Find a bug. Cash a bounty. PortSwigger took a free industry tool and put it behind a 475 dollar paywall. A freelancer in Amsterdam gave it back. On every platform. For zero dollars. Your proxy. Your binary. Your bounties. (Link in the comments)