For years, I raised alarms about dangerous gain-of-function research being farmed out to foreign countries, and I was told it was a conspiracy theory. Now, declassified documents show that the U.S. funded over 120 biolabs across more than 30 countries. Some of this research was conducted overseas precisely because scientists knew it would face scrutiny on American soil.
I'm calling for a presidential commission of scientists to review all gain-of-function research going forward. We're going lab by lab and pathogen by pathogen until the American people know the full truth.
https://t.co/gtv6sZ7viR
Instead of watching an hour of Netflix, watch this 2-hour Stanford lecture. It will teach you more about how LLMs like ChatGPT and Claude are built than most people working at top AI companies learn in their entire careers.
🚨 Anthropic just showed a 27-minute workshop on how to actually do prompts for Claude.
Taught by the people who built it.
Free. No registration. No paywall.
I've seen $300 courses that don't cover what they teach in the first 8 minutes.
Watch it and bookmark it now.
Burp Suite Professional costs 475 dollars a year per seat.
A senior software engineer in Amsterdam built the open source replacement as a side project. He put it on GitHub for free. It has 10,569 stars.
His name is David Stotijn. The software is Hetty.
Here is what Hetty is.
An HTTP toolkit for security research. A machine-in-the-middle proxy that sits between your browser and the target. Every request and every response flows through Hetty. You can read them, search them, intercept them, edit them, replay them, and send them again.
This is the core loop of every web application security test ever performed. Burp Suite charges 475 dollars a year for it. Hetty does the same job for zero.
Here is the feature set.
A machine-in-the-middle HTTP proxy with full logs and advanced search. An HTTP client for manually creating and editing requests, and replaying any request you already proxied. Request and response interception for manual review, with full edit, send, receive, and cancel control. Scope support to keep your work organized to a single target. A web-based admin interface that runs in your browser. Project-based database storage so multiple engagements stay separate. A GraphQL service for programmatic access.
The installer is a single Go binary. Works on macOS, Linux, and Windows. No Java runtime, no enterprise license server, no machine fingerprinting, no telemetry.
Here is the price ladder.
Burp Suite Professional: 475 dollars a year per seat.
Burp Suite Enterprise: thousands per year, contact sales for a quote.
Burp Suite Community Edition: free, but throttled, no scanner, no project save, no intruder rate.
OWASP ZAP: free and open source, now owned by Checkmarx after a 2024 acquisition.
Hetty: zero. Forever. One binary. No account.
A pentester working full time pays Burp 475 dollars a year. A team of 10 pentesters pays 4,750 dollars a year. A bug bounty hunter who finds one vulnerability has already paid for Burp twice over.
Or they download a 30 MB Go binary written by a freelancer in Amsterdam and keep every dollar they earn.
David has not pushed a new commit in 16 months. The last commit was January 13, 2025. That is normal for a tool that is feature-complete. HTTP has not changed. The proxy still proxies. The intercept still intercepts. MIT licensed code does not expire when the maintainer takes a break.
Buy a domain. Find a bug. Cash a bounty.
PortSwigger took a free industry tool and put it behind a 475 dollar paywall. A freelancer in Amsterdam gave it back. On every platform. For zero dollars.
Your proxy. Your binary. Your bounties.
(Link in the comments)
A 25-year-old just turned $225 million into $5.5 billion in 12 months.
Here’s exactly what he bought.
Leopold Aschenbrenner got fired from OpenAI in April 2024.
He spent the next few months writing a 165-page thesis predicting AGI by 2027.
Then he launched a fund and put his money where his thesis was.
He bought zero Nvidia. Zero Microsoft. Zero Google. Zero Amazon.
He bought what AI actually runs on.
Bloom Energy (BE), power infrastructure for data centers. Up 1,422% in one year.
Lumentum (LITE), optical components that move data between chips. Up 1,331%.
Sandisk (SNDK), storage. Up 3,130%.
CoreWeave (CRWV), GPU cloud infrastructure. Up 166%.
Iris Energy (IREN), AI computing and data centers. Up 583%.
The thesis was simple: every AI company needs energy, bandwidth, storage, and compute.
Nobody was buying those. Everyone was buying the AI companies themselves.
He was right.
His fund now manages $6 billion. Backed by Patrick and John Collison of Stripe and former GitHub CEO Nat Friedman.
I’m adding this to my watchlist.
Every time he files a new 13F, we will break it down here.
Turn on notifications so you don’t miss the alert, this is VERY important.
Many people will wish they followed us sooner.
One of the most frequent questions I'm asked is "how do you stay up to date on malware stuff?"
Okay, here is a pro tip:
1. Google OTX AlienVault
2. Make account
3. Look at latest
4. Scroll until you find posts from a guy named Petr something-something (has numbers in his name).
5. Follow his account
He monitors all the big malware places and shares the URL, hashes, etc. from malware vendors. I've been following this random ass dude for years and getting updates on everything.
I have no idea who he is. I don't know where he's from. All I know is his setup is absolute fire and he keeps you up to date on literally everything malware related 24/7 365. He also has stuff from vendors in China, Russia, Japan, etc.
Every morning I log into OTX and check up on my boy Petr to see what fire he's bringing me. I love him.
If you’re an IT admin and you’ve never had your internal environment pentested and can’t afford one right now, do this instead:
1. Run Locksmith - fix anything that’s a High risk
2. Run ADeleginator - make sure Everyone, Authenticated Users, Domain Users and Domain Computers don't have any unsafe permissions
3. Run ScriptSentry - check for credentials in logon scripts
4. Run PingCastle - check the control paths section. It's like BloodHound. Look for non-admins that have control paths
If you do this, your environment will be much better when you’re done fixing everything.
A Microsoft engineer made $10M abusing a GLITCH in their own system
They hired 21-year-old Volodymyr Kvashuk to test the Microsoft Store by making fake purchases with dummy credit cards to see if the payment system worked properly
During those tests he discovered the sandbox was still handing out real XBOX gift card codes and spent the next two years abusing it
Around 152,000 codes were generated and sold online for cash, making him over $10 million
Prosecutors said the scale was so large it even caused price swings in XBOX gift card markets worldwide
The money moved through Bitcoin, then into a $1.6 million lakefront house and a Tesla while fake tax returns claimed it all came from a family gift
Microsoft thought they hired someone to test the system
Instead they funded one of the most expensive bug reports in company history
Kvashuk was later convicted on multiple federal charges and sentenced to 9 years in prison
A guy I used to work with hit me up last night.
Dude was making $260k in tech. Nice house, $4,700/month mortgage, two cars, vacations every few months.
Got laid off 7 months ago.
Still nothing.
Said he’s down to $22k and burning $5,500 a month. Wife at home, one kid.
He told me he checks his bank app before he even gets out of bed now.
This is someone I saw winning in real life.
Save your money.
Because when it flips, it flips fast.
NASA pays $100M for Microsoft 365 licensing across the agency. They standardized every system on Microsoft. They put Microsoft Surfaces on the Orion spacecraft as the crew's personal computing devices.
And the first technical crisis of humanity's return to the Moon was Reid Wiseman radioing Houston to say he has two Microsoft Outlooks and neither one works.
Mission Control's response? "With your go, we can remote in and take a look." The same exact workflow your company's IT helpdesk uses when you submit a ticket on a Monday morning. Except the user is traveling at 4,275 mph, 30,000 miles from Earth, and the Wi-Fi situation is considerably worse.
This spacecraft survived hydrogen leaks, helium leaks, a faulty heat shield, and a broken toilet. Outlook broke anyway. The toilet actually got fixed faster.
The real story here is that Microsoft has achieved something no other software company in history can claim: a support ticket from lunar transit. Their enterprise sales team should frame this. "Battle-tested in space" is a positioning statement most B2B companies would mass murder for, and Microsoft accidentally earned it because Outlook crashes everywhere, including orbit.
Outlook remains the only software in human history that performs identically whether you're in a cubicle in Redmond or aboard a spacecraft bound for the Moon. Universally, reliably broken. And we keep buying it anyway.