Skip to content

Klyrek

Map first. Test smarter.

Klyrek is a modular Python ecosystem for authorized web-application security reconnaissance. Fourteen packages, one shared data model (klyrek_core.models.ScanResult), one authorization guarantee: every HTTP request any package makes is checked against a declared AuthorizationScope — including every redirect hop, not just the URL you typed.

Klyrek automates the repetitive part of a security assessment — crawling, fingerprinting, header checks, secret-scanning, form classification, sensitive-file probing — so a human tester spends their time on the part that actually needs judgment: validating findings, chasing business logic, and testing the things a machine can't.

Klyrek is not open source. The GitHub repo is private infrastructure.

Where to start

The sandbox: a safe, real, live target

Klyrek's own project maintains a deliberately vulnerable demo target so you never have to scan someone else's real site to test or demo Klyrek:

Subdomain Stack What it demonstrates
shop.sandbox.klyrek.com Express Auth forms, session cookies, missing headers, exposed files, crawlable structure
admin.sandbox.klyrek.com Express Hardcoded secrets and API endpoint references in client-side JS
api.sandbox.klyrek.com Python (stdlib) CORS misconfiguration, an auth-gated route, a real OpenAPI spec

Every example in these docs runs against this sandbox. See shop.sandbox.klyrek.com/about-this-site for the public disclosure — it's intentional, self-owned, and safe to point every package at.

Everything in these docs is real

Every command, function signature, and sample output across this site was actually run against the real sandbox or the real package source — nothing here is invented or illustrative-only.