Enterprise retail defense validation platform. 48,000+ lines of authorized penetration testing infrastructure.
Scalpy is a comprehensive security testing platform built for authorized penetration testing of e-commerce defense systems. With over 48,000 lines of Python spread across 30+ specialized modules, it provides the tools security teams need to validate bot defenses, stress-test checkout pipelines, and identify vulnerabilities in retail infrastructure before malicious actors do.
The platform is organized around a five-tab Tkinter desktop GUI covering task management, profile configuration, proxy and fingerprint tooling, and settings. The task system uses a ThreadPoolExecutor to run concurrent test sessions, each with isolated browser fingerprints, proxy connections, and session cookies. Ten retailer-specific API modules cover major platforms including Nike, Footlocker, Adidas, Shopify stores, Supreme, JD Sports, and Finish Line, with each module implementing the full authentication, monitoring, and checkout flow for its target site.
Scalpy's evasion layer is where the real engineering lives. The fingerprint spoofing system randomizes Canvas, WebGL, and AudioContext signatures. The browser profile manager ages persistent Chrome sessions with realistic browsing history. The defense analyzer performs 15-layer scans that identify which commercial bot detection services a site deploys, including DataDome, PerimeterX, Akamai, Cloudflare, and Kasada. This intelligence drives the checkout engine's five operational modes, from high-speed API-direct requests to human-mimicking "cyborg" sessions with Gaussian-distributed typing delays and curved mouse movements.
Validate your e-commerce site's bot defenses against real-world attack patterns. Test checkout flows, queue systems, and account creation pipelines to identify weaknesses before they're exploited during high-demand product drops.
Simulate sophisticated automated attacks against client retail infrastructure. Scalpy's five checkout modes (FAST, SAFE, CYBORG, PRELOAD, REQUEST) let you test across the full spectrum from brute-force speed to undetectable human mimicry.
Benchmark your detection algorithms against a comprehensive evasion toolkit. Test Canvas/WebGL/Audio fingerprint spoofing, residential proxy rotation, browser profile aging, and behavioral simulation to find gaps in your coverage.
Study the arms race between automated tools and commercial bot detection services. The defense analyzer provides detailed reports on what detection layers a site employs and how each evasion technique performs against them.
Full checkout automation for Nike SNKRS, Footlocker, Adidas, Shopify, Supreme, JD Sports, Finish Line, and more. Each module implements auth, monitoring, cart, and purchase flows.
Five checkout modes: FAST (speed priority), SAFE (human-like delays), CYBORG (typing/mouse simulation), PRELOAD (pre-cart), and REQUEST (direct API). Test the full spectrum of attack sophistication.
Canvas noise injection, WebGL renderer/vendor masking, AudioContext fingerprint randomization, navigator property spoofing, and persistent profile aging with realistic browsing history.
Scan targets for WebDriver detection, fingerprinting, behavioral analysis, rate limiting, CAPTCHA challenges, and commercial bot detection signatures with threat-level scoring.
Multi-service CAPTCHA solving with 2Captcha, Anti-Captcha, and CapMonster. Token harvesting and pooling for reCAPTCHA v2/v3, hCaptcha, and FunCaptcha challenges.
Concurrent task execution via ThreadPoolExecutor with real-time status tracking, grouping, bulk operations, scheduling, and webhook notifications for successes and failures.