Roughly once a quarter some repo gets crowned "the open-source Burp killer," it lands in my feed, I clone it out of morbid curiosity, and it dies on my disk within a week next to the other six Burp killers. So my expectations for Hetty started somewhere around the floor.
It cleared the floor. It does not reach Burp. Both true, and the gap between those two is the only part of this post worth your time.
what it actually is
Hetty's an HTTP toolkit for security research. Go on the back, TypeScript on the front, MIT licensed, and it openly says it wants to be an open-source Burp Pro for the bug bounty crowd. At least it's honest about the target it's missing.
The feature list is short on purpose:
- MITM proxy with logging and search that doesn't make you want to lie down
- a client to craft, edit, and replay requests
- intercept: edit, forward, drop
- scope, so you're not staring at every analytics beacon on the internet
- a web UI that isn't from 2009
- project-based storage, one DB per engagement

If you've touched Burp, that's the proxy → inspect → replay loop you spend your actual life inside. Hetty does that and then more or less taps out.
install (this is where it quietly wins)
No installer wizard, no JVM, no watching 1.5 GB of RAM evaporate before your first request.
```sh
# macOS
brew install hettysoft/tap/hetty

# Linux
sudo snap install hetty

# Docker
docker run -v $HOME/.hetty:/root/.hetty -p 8080:8080 \
  ghcr.io/dstotijn/hetty:latest
```
Then:
```sh
hetty
```
One process: proxy, a GraphQL service, and the admin UI. Trust the generated CA, point your browser at it, start capturing. One thing worth saying plainly: that CA's private key is an ordinary file under your home directory, so trust the cert in the browser profile you test with, not in the OS trust store that every other app on the box relies on.
And if you can't be bothered wrestling browser proxy settings (relatable):
```sh
hetty --chrome
```
Launches Chrome already proxied with cert errors ignored. Tiny feature. Saves you the exact same five minutes every single time, which is the kind of thing you only appreciate after a tool has wasted those five minutes on you a hundred times. The flip side of "cert errors ignored" is that nothing you do in that Chrome instance is TLS-verified, so keep it for the target and nothing else.
Everything lands in ~/.hetty/, one database per project. Want a clean slate? New --db path. That's the entire project model. After Burp, where everything is a modal inside a modal, it's weirdly pleasant.
where it falls apart
Now the bit the "Burp killer" headlines leave out, because including it would ruin the headline.
No scanner. No Intruder. No Collaborator, so blind/OOB is entirely your problem. No extensions. If any of those are load-bearing in your workflow, and for real web testing they usually are, Hetty taps out and Burp doesn't.
For the people who skipped to the table:
| | Hetty | Burp Suite Pro |
|---|---|---|
| Price | Free (MIT) | $475 / user / year |
| Intercepting proxy | yes | yes |
| Replay / editor | yes | yes (Repeater) |
| Search + logging | yes | yes |
| Scope | yes | yes |
| Scanner | no | yes |
| Attack automation | no | yes (Intruder, not throttled) |
| Out-of-band | no | yes (Collaborator) |
| Extensions | no | yes (500+ BApp Store) |
| Runtime | one Go binary | Java / JVM |
| License server | none | per-user, annual |
That $475 buys the full scanner, an Intruder that isn't artificially throttled to punish you for not paying, Collaborator, 500+ extensions, and a tool half the industry already runs on muscle memory. None of that disappears because a Go binary turned up. Anyone telling you a year-old open-source proxy "replaces Burp" has either never run a real engagement or is farming GitHub stars. Possibly both.
So no, it's not a swap. Moving on.
who it's genuinely for
Drop the Burp comparison and it gets obvious fast.
Learning? Best thing on this list, full stop. Far too many people mash buttons in Burp with zero idea what the proxy underneath is even doing. Run your traffic through Hetty for two weeks, watch the raw requests, tamper by hand. You'll pick up more HTTP than any course is selling you for $300.
Bounty hunter or red teamer whose laptop sounds like a jet on takeoff? It's a genuinely nice lightweight daily driver for the recon-and-replay phase. Keep Burp around for the heavy lifting, use Hetty for the quick pokes.
The type who patches a tool instead of filing a feature request and waiting 18 months for a "thanks, we'll consider it"? It's small, readable Go + TS with GraphQL in the middle. You can read the whole thing and bend it to your will. Try that with a closed binary you rent by the year.
verdict
Hetty isn't trying to kill Burp. The people marketing it that way are signing it up for a fight it never entered, then acting disappointed when it loses.
What it's actually doing is making the proxy core (the part every web tester leans on) open, lightweight, and readable. Less sexy than "Burp killer." Also more honest, and more useful.
It's staying on my disk. Not as a Burp replacement, but as the thing I hand anyone who's learning, and the thing I open when I just want to look at some traffic without booting a Java app that's convinced it's an IDE.
If you've run it on real targets, tell me where it broke before I trust it any further. Comments are open.
Repo: github.com/keirsalterego/hetty, a fork of dstotijn/hetty. Docs at hetty.xyz.