What is Ghost?

Ghost is an AI-powered traffic intelligence tool. When any application on your computer or phone communicates with the internet — loading a webpage, sending login credentials, fetching product data — it sends and receives HTTP traffic. Ghost sits between your device and the internet, captures every one of those communications, and then uses artificial intelligence to help you understand, test, and secure them.

Think of it like a security camera for your network traffic, except this camera can also explain what it sees, generate test scripts from the recordings, and flag potential security problems automatically.

One-line pitch: The proxy that understands your traffic.

How Does It Work? (The Big Picture)

In simple terms, Ghost is a proxy — a middleman that sits between your app and the internet. Here’s what that means in practice:

1. You start Ghost on your Mac. It opens as a desktop application (no terminal or command-line needed).
2. You connect your device — this could be your web browser, an iOS Simulator, an Android emulator, or a physical phone.
3. You use your app normally — browse pages, tap buttons, submit forms.
4. Ghost captures everything — every API call, every image download, every WebSocket message flows through Ghost and gets recorded.
5. Ghost’s AI understands it — the built-in AI agent can analyze the traffic, generate test code, find security issues, or write bug reports for you.

You never need to write code, use a terminal, or understand networking protocols. Ghost handles the technical complexity behind a clean, visual interface.

Who is Ghost for?

Ghost was built for mobile QA engineers and security researchers at Hepsiburada, Turkey’s largest e-commerce company (15,000+ microservices, 800+ engineering teams, 2,000+ engineers). It’s designed as an internal tool — a real desktop application you install and run, not a cloud service or website.

QA Engineers

QA (Quality Assurance) engineers test mobile and web applications to find bugs before users do. Ghost gives them superpowers:

• Inspect traffic from any device — see exactly what API calls your iOS Simulator, physical iPhone, or Android emulator is making, including the full request and response data
• Generate test code automatically — select a series of captured API calls and Ghost’s AI writes test scripts in Playwright, Cypress, k6, pytest, REST Assured, Go httptest, or BDD (Gherkin) format. For mobile, Ghost generates Appium-format test scenarios and produces real device selectors (Appium, Espresso, XCUITest, Maestro) from the connected device’s UI tree
• Record user journeys — capture a sequence of actions (like “login → search → add to cart → checkout”) and replay them later to verify nothing broke between releases
• Create premium bug reports — Ghost auto-generates detailed bug reports that include device information, screenshots, the exact API calls that failed, timing data, and reproduction steps. No more “it doesn’t work” tickets.
• Compare sessions to detect regressions — capture traffic from version A and version B of your app, then compare them side-by-side to see exactly what changed in the API communication
• Run load tests — the AI agent can launch k6 load tests (up to 100 virtual users) or hey benchmarks (up to 1,000 requests) directly against captured endpoints

Security Researchers

Security researchers look for vulnerabilities in applications. Ghost provides both passive analysis and active testing tools:

• Passive traffic analysis — Ghost’s security interceptor automatically scans every captured request and response for common misconfigurations: missing security headers (like Content-Security-Policy or Strict-Transport-Security), insecure cookies (missing Secure or HttpOnly flags), information leakage (server version headers, stack traces in error responses), and more
• Active testing with the Request Attacker — similar to Burp Suite’s Intruder tool, the Request Attacker lets you take any captured request and systematically modify it (fuzzing parameters, trying different payloads) to test how the server responds. It supports 4 attack modes (sniper, battering ram, pitchfork, cluster bomb) and comes with 10 built-in payload wordlists covering SQL injection, XSS, command injection, SSRF, path traversal, template injection, NoSQL injection, open redirect, auth bypass headers, and HTTP method tampering
• External scanner integration — connect industry-standard security tools: Nuclei (vulnerability scanning), DalFox (XSS testing), ffuf (fuzzing), sqlmap (SQL injection), TruffleHog (secret detection), Katana (crawling), Semgrep (code analysis), Nmap (port scanning), SSLScan (TLS analysis), and Hydra (password testing)
• Frida integration — Frida is a tool that lets you modify how an app behaves at runtime. Ghost integrates with Frida so you can bypass SSL pinning (which apps use to prevent traffic interception), disable root/jailbreak detection, trace function calls, and inject custom scripts — all from Ghost’s UI
• AI-powered pentest agent — the AI agent in security mode operates as an autonomous penetration tester following the PTES methodology. It plans attack strategy across phases (traffic analysis → passive detection → active scanning → exploitation → reporting), executes tests, writes evidence files to a workspace, and compiles structured findings with severity ratings. Three scan modes control aggressiveness: passive (analyze captured traffic only), active-safe (read probes allowed, writes require approval), and active-full (full exploitation with approval only for data-modifying operations)

What Makes Ghost Different?

Ghost occupies a unique position by combining capabilities that normally require multiple separate tools:

Capability	Ghost	Charles Proxy	Proxyman	HTTP Toolkit	Burp Suite
AI agent with 76 tools — an intelligent assistant that can analyze traffic, generate code, find vulnerabilities, and write reports across QA and security modes	Yes	No	No	No	AI extension (limited)
Mobile native UI inspector — see the actual screen of a connected mobile device, tap elements, and correlate UI actions with network traffic	Yes	No	No	No	No
Traffic-UI correlation — see which button tap caused which API call	Yes	No	No	No	No
Browser extension with 3 modes — capture mode records browser interactions (clicks, form inputs, navigation), action mode executes DOM commands from Ghost, inject mode renders UI overlays via Shadow DOM	Yes	No	No	No	Yes (limited)
Request Attacker — systematically test API endpoints with payload variations across 4 attack modes (sniper, battering ram, pitchfork, cluster bomb) with 10 built-in payload wordlists and 2 fuzzing wordlists	Yes	No	No	No	Yes (Intruder)
Frida integration — bypass SSL pinning, disable root detection, trace functions, inject scripts on connected mobile devices — all from the Ghost UI	Yes	No	No	No	No
Dual mode (QA + Security) — one tool for both testing and security. Switching modes changes the AI persona, available tools, traffic analysis rules, and the entire system prompt	Yes	No	No	No	Security only
Script engine (goja) — write JavaScript addons that run inside Ghost’s proxy pipeline. Scripts execute in a sandboxed pure-Go JS engine with access to request/response modification, custom storage, and flow tagging	Yes	Rewrite rules	Scripting	No	Java extensions
Session comparison — compare two capture sessions side-by-side to find API regressions, new endpoints, or changed response structures	Yes	No	No	No	No
Free and internal — no license fees, no per-seat pricing, no vendor dependencies	Yes	Paid	Paid	Freemium	Paid
Single binary deployment — the entire backend (proxy, AI agent, script engine, database, API server) compiles to one Go binary with zero CGo dependencies. Frontend assets are embedded via go:embed.	Yes	Java runtime	Swift app	Node.js	Java runtime

Key Design Principles

These principles guide every design and implementation decision in Ghost:

1. macOS-first. All engineering at Hepsiburada runs on macOS. Ghost is built and optimized for Mac first. Windows is supported only as a development machine for building Ghost itself — the end users are all on Macs.

2. QA engineers are not developers. Ghost is a real desktop application built with Tauri v2 (a Rust shell wrapping a native WebView). It has a visual installer, a setup wizard that walks you through certificate installation and proxy configuration, and a graphical interface for everything. You should never need to open a terminal, edit a config file by hand, or read an error log. If something requires technical knowledge, Ghost has failed at its job.

3. No MVP. Ghost doesn’t ship half-finished features. The internal terminology for release stages is Launch (complete core experience), Growth (expanded capabilities), and Vision (long-term aspirational features). Every feature that ships must be polished and complete.

4. Traffic always visible. The main traffic list is always on screen. When you open a panel (like the AI chat, or settings, or the request editor), it slides over as an overlay — you never navigate away from your traffic. This means you can always see new requests arriving in real-time, no matter what else you’re doing in the app.

5. The AI agent is the differentiator. Ghost is not just another proxy tool. The AI agent is what makes it fundamentally different — it has separate QA and Security personas with distinct system prompts, tool registries, and engagement strategies. In QA mode, it focuses on test generation, bug reports, regression detection, and API documentation. In Security mode, it operates as an autonomous penetration tester following the PTES methodology with evidence collection, finding management, and structured reporting.

6. Single binary, pure Go. The entire backend compiles to one binary with zero CGo dependencies. This means clean cross-compilation to macOS (arm64/amd64) and Windows (amd64), simple deployment (copy one file), and no external runtime requirements. The proxy, AI agent, script engine, database, and API server are all in one process.