Privacy-first web security scanner for bug bounty hunters, pentesters, and red teams.
Navigating the Digital Seas of Cybersecurity ⚓
PILGRIMS is a self-hosted, modular web application security scanner built as a single coherent workflow. It chains reconnaissance, fingerprinting, vulnerability detection, and reporting into one CLI tool with 60+ plugins covering the OWASP Top 10 and beyond.
Built with one principle: all data stays local. No telemetry, no required API keys, no cloud uploads. You own every byte of your engagement data.
| Pain point | How PILGRIMS answers |
|---|---|
| Tools scattered across 10 different CLIs | One unified entrypoint, one report tree |
| Cloud scanners leak target info to vendor | 100% local, offline-capable |
| Scan profiles are too rigid | 4 stealth profiles (Ghost → Wraith) × 6 templates (quick-audit → red-team) |
| Reports are noisy JSON dumps | HTML + JSON + CSV + Markdown + QR + encrypted outputs |
| Manual payload generation is slow | Smart payload generator per vuln class & target tech |
- 66 plugins — recon, subdomain enum, port scan, fuzzing, SQLi, XSS, SSRF, XXE, IDOR, SSTI, NoSQLi, CMDi, CORS, open redirect, JWT, API, GraphQL, OAuth, cloud misconfig, subdomain takeover, OSINT, WAF detect, compliance, secrets, email, SMTP, DNS, Kubernetes, Docker, CI/CD, smart fuzz, attack path viz, payload gen, and more.
- 4 stealth profiles —
ghost(5–15s delay, max evasion) →wraith(no delay, max speed). Pick the right tradeoff per engagement. - 6 scan templates —
quick-audit,full-pentest,bug-bounty,compliance,red-team,recon-only. - Encrypted reports — AES-256 with passphrase, scp-friendly.
- Distributed scanning — fan out across multiple servers via SSH.
- Attack path visualization — chains findings into exploit narratives.
- Live TUI — terminal UI with progress, themes, session recording.
# 1. Clone
git clone https://github.com/afiqandico13/pilgrims.git
cd pilgrims
# 2. Make scripts executable + health check
chmod +x *.sh plugins/*.sh
./check.sh
# 3. First scan (replace example.com with your authorized target)
./pilgrims.sh example.com --quickReports land in reports/scan_TIMESTAMP/ with HTML, JSON, CSV, Markdown, and
attack-path visualizations.
# Bug bounty hunt on example.com, stealth mode, encrypted report
./pilgrims.sh example.com \
--template=bug-bounty \
--ghost \
--encrypt=MySecret \
--json --markdown \
--notes="Engagement #2026-Q2 — authorized scope"Other common combinations:
./pilgrims.sh target.com --deep --stealth # thorough but quiet
./pilgrims.sh target.com --template=red-team # all plugins, max coverage
./pilgrims.sh target.com --profile # auto-detect target type
./pilgrims.sh --batch=targets.txt --quick # sweep many targets
./pilgrims.sh target.com --compare # diff against last scanFull reference: see MANUAL.md (60+ commands, all flags, examples, troubleshooting, best practices).
┌─────────────────────────────────────────────────────────────┐
│ pilgrims.sh — main entrypoint (CLI parser, dispatcher) │
└────────────────────────┬────────────────────────────────────┘
│
┌────────────────┼────────────────┐
▼ ▼ ▼
┌─────────┐ ┌──────────┐ ┌────────────┐
│ core.sh │ │ stealth │ │ distributed│
│ (utils) │ │ profiles │ │ (SSH fan) │
└────┬────┘ └────┬─────┘ └─────┬──────┘
│ │ │
└───────────────┼────────────────┘
▼
┌──────────────────┐
│ plugins/*.sh │ ← 60+ self-contained scanners
└────────┬─────────┘
▼
┌──────────────────┐
│ reports/scan_*/ │ ← HTML + JSON + CSV + MD + QR
└──────────────────┘
Every plugin is a standalone shell script that writes findings into a predictable folder structure — easy to extend, easy to debug.
- OS: Linux (Ubuntu 20.04+ recommended), WSL2, Kali
- Bash 5+
- Tools:
nmap,curl,jq,openssl,whois,dnsutils,assetfinder,ffuf,sqlmap,whatweb,hashcat,parallel - RAM: 2 GB minimum, 4 GB recommended for
--deep - Storage: 500 MB + ~50 MB per scan report
Auto-installer: sudo bash install_missing.sh resolves most dependencies.
- MANUAL.md — Complete reference: 60+ commands, stealth profiles, scan templates, common use cases, troubleshooting, best practices.
- DISCLAIMER.md — Authorized-use policy. Read before running any scan.
- LICENSE — MIT terms.
- Async plugin execution (parity with GNU
parallel, lower wall-clock) - Native Web UI (browser-based dashboard for live results)
- Cloud profile sync (sync your plugin configs across machines — opt-in, end-to-end encrypted)
- More bug-bounty platform integrations (HackerOne auto-report via API)
PRs welcome — especially:
- New vulnerability plugins (one self-contained
.shfile per vuln class) - Bug fixes in existing plugins (verify against intentionally vulnerable targets like DVWA / Juice Shop first)
- Documentation improvements
- Translations (MANUAL.md is currently English + Indonesian)
Before opening a PR, please run:
./check.sh # verify no syntax / config regressions
./pilgrims.sh --versionPILGRIMS is a defensive and offensive security tool intended for:
- Authorized penetration testing engagements (with written scope)
- Bug bounty programs (within program rules)
- Your own infrastructure and applications
- Educational / lab environments (DVWA, Juice Shop, HackTheBox, etc.)
It is NOT a license to scan the open internet. Scanning systems without explicit written authorization is illegal in most jurisdictions (Computer Fraud and Abuse Act in the US, UU ITE in Indonesia, similar laws elsewhere).
See DISCLAIMER.md for the full statement.
Afiq Andico Pangimpian — IT professional & security researcher, Bali, Indonesia.
- GitHub: @afiqandico13
- Contact: afiqandico13@gmail.com
Built as a portfolio project demonstrating end-to-end shell automation, plugin architecture, security domain knowledge, and CI-friendly code organization.
MIT — use it, fork it, learn from it. Just don't scan things you don't own.
⚓