HTTPQL filters live traffic and your whole project history down to the requests worth testing. One query, no endless scrolling.
Filter incoming requests in real time, or query your entire project history. Same syntax either way.
req.raw.cont:"eyJ" surfaces every JWT in the traffic. Stack conditions on method, host, status, path, and length.
Turn a working filter into a preset and build a library you reach for on every engagement.

Reformat, fix, and generate payloads with AI in the request editor. Fire them at the injection points that matter.
Tell Caido what to do in plain English. Shift already sees your sitemap, scope, and findings, so there's no syntax to memorize and nothing to copy-paste.
Custom memory, instructions, and tab-naming. Shift works your way, not off a default.
Built in HTML, CSS, and JS, not Java extensions, so plugins look and feel like polished web apps. Write your own or grab one.
Drop sends Replay sessions, Match & Replace rules, and presets to a teammate, end-to-end encrypted.
Replay sessions, Match & Replace rules, Scope and Filter presets. The real artifacts, straight into their Caido.
Every message is encrypted with the recipient's PGP key before it reaches the server. Use the default broker or self-host your own.
Drop isn't storage. Messages live on the server for 7 days max, then they're gone.
