Hey everyone! 👋
If you're a developer or a security researcher, you know the feeling. You're hours into a problem, you've run through all your checklists, and you hit a wall. You lean back and have that all-too-familiar thought: "So, what now?"
For the past few months, I've been building a project called RAWPA (Rodney the Advanced Web Pentesting Assistant) to be the answer to that exact question. But before I show you what it is, I need to tell you what it isn't.
I need to state this with utmost importance: RAWPA is not a "get bugs quick scheme."
I strongly encourage the manual process of scouring through JS files, searching for business logic errors, finding exposed endpoints, and getting creative in Burp Suite. RAWPA is not an automation script to replace those skills. It's a companion to provide more ideas when your own list runs out.
The Shiny AI Feature (And Why I Benched It)
Naturally, I wanted to build a slick, AI-powered assistant. I dove in headfirst, building a RAG (Retrieval-Augmented Generation) model to act as a "Copilot" for each testing step. The initial results were amazing! The AI was parsing commands and providing genuinely helpful guidance. It felt like magic. ✨
But as I tried to make it more precise, the magic started to fade. The responses got noisy, the code started breaking, and I realized I was spending all my time debugging the AI instead of building the core of the app.
So I made a tough call: I put the entire feature on hold.
I built an admin panel for the project (a huge win in itself!) and added a simple toggle to turn the AI off. It felt like benching my star player, but it was the right strategic move. Perfecting that AI is a whole project on its own, and the core methodologies had to come first.
So, What Am I Doing Now? The Grind.
Right now, I'm in the deep-dive research phase. This is the less glamorous part of development that doesn't always make it into blog posts. I'm spending my days (and nights) scouring the web, watching technical talks, and digging through research papers to find, test, and validate every single methodology that goes into RAWPA.
This process was validated when I stumbled upon lostsec's site, which has a similar purpose. Instead of feeling discouraged, it gave me the will to continue, proving there's a real need for tools that augment, rather than automate, our thinking.
This project also thrives on community knowledge. A connection from LinkedIn gave me a fantastic list of future feature ideas, like gamification, tool integrations, and collaborative modes, which have really shaped the long-term vision.
What's Next & How You Can Help
My goal is to make RAWPA a reliable, community-informed resource.
- You can follow the nitty-gritty details of the development journey on my personal blog here: https://kuwguap.github.io/posts/series-2-implementing-wpa-in-rawpa-part-1/
- This is a community-driven effort. If you have methodologies, ideas, or suggestions, I would love to hear them. The best way to reach out is on LinkedIn.
At the end of the day, I believe RAWPA will help someone get unstuck and learn something new. And for me, that's good enough.
Thanks for reading!