I've been building Spectator for the past year — a purpose-built scripting language for pentesters, red teamers, and security researchers.
Why another language? Most security work is a mix of Bash, Python, and random tools glued together. Spectator unifies that: one language with built-in security modules, a native GUI framework, and a package manager — all compiled into a single binary.
What makes it different:
High-level syntax — Python-like, f-strings, closures, goroutines (spawn). Recon scripts in 5 lines.
Built-in hacking modules — PortScan, SubdomainEnum, SQLiTest, PayloadGen, CORS/SSRF, HTTP fuzzing, crypto, encoding. No pip installs.
Native GUI framework (#Import Spec.GUI) — Desktop tools without Electron. Inputs, tables, tabs, output. Windows (WebView2), Linux (WebKitGTK), macOS (WKWebView).
Space package manager — Libraries like coffee (recon) and ghost (OSINT) are SHA-256 verified. Blocks supply-chain attacks.
Mission engine — Pentest workflow with HTML report generation.
Cross-compilation — spectator build script.str to app.exe for windows = standalone binaries.
Example — GUI port scanner (complete tool):
```spectator
#Import Spec.GUI
open.window({"title": "Port Scanner", "bg": "#070b14", "accent": "#00d4aa"})
GUI.input("target", "Enter target...")
GUI.button("Scan", "run_scan")
GUI.progress("bar")
GUI.output("out", {"height": 380})

GUI.on("run_scan", func() {
    target = GUI.get("target")
    GUI.print("out", "Scanning " + target)
    ports = [21,22,23,80,443,3306,8080]
    each p : ports {
        if hasPort(target, p) {
            GUI.print("out", "OPEN " + str(p))
        }
    }
})
end()
```
Current state:
v2.0.0 — stable CLI/TUI across Windows, Linux, macOS
GUI fully functional on Windows; Linux/macOS GUI works (WebKit vs WebView2 differences)
~177 built-in functions, written in Go
Space registry live, anyone can publish
What I'd love feedback on:
Does the syntax feel intuitive? (string concat --> is unusual but I like it)
GUI approach — native desktop vs web-based?
Package manager security — SHA-256 verification enough?
What modules would make you actually use this?
I know the security tooling space is crowded, but there's room for a language built for this domain rather than adapted.
GitHub: https://github.com/CzaxStudio/Spectator
Docs: https://github.com/CzaxStudio/SpectatorDocs/
Appreciate any thoughts, criticism, or wild ideas.
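
On the "SHA-256 verification enough?" question, an added Go example (not part of the original post and not Spectator's or Space's code) comparing a digest-only check with a digest plus a publisher signature verified against a client-pinned key. The `Manifest` type, the Ed25519 scheme, the version string and the artifacts are assumptions constructed for illustration; the post does not say where Space gets its expected digest from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical registry record (not Space's real format).
type Manifest struct{ Name, Version, SHA256 string }

func (m Manifest) signedBytes() []byte {
	return []byte(m.Name + "\x00" + m.Version + "\x00" + m.SHA256)
}
func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// VerifyHashOnly trusts whatever digest arrived with the manifest.
func VerifyHashOnly(m Manifest, artifact []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(artifact)
	if err != nil || subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("digest mismatch")
	}
	return nil
}

// VerifySigned also requires a publisher signature over the manifest (pinned key).
func VerifySigned(pinned ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	return VerifyHashOnly(m, artifact)
}

// Demo runs three constructed cases and returns each verification result.
func Demo() (transit, swapHashOnly, swapSigned error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	good, bad := []byte("recon v1"), []byte("recon v1, modified") // constructed artifacts
	m := Manifest{"coffee", "1.0.0", Digest(good)}
	sig := ed25519.Sign(priv, m.signedBytes())
	transit = VerifyHashOnly(m, bad) // artifact changed, manifest intact: rejected
	forged := Manifest{"coffee", "1.0.0", Digest(bad)} // digest rewritten as well
	swapHashOnly = VerifyHashOnly(forged, bad)       // accepted: digest matches itself
	swapSigned = VerifySigned(pub, forged, sig, bad) // rejected: signature covers old digest
	return
}
func main() { fmt.Println(Demo()) }
```

A digest pinned in a client-side lockfile gives a similar property for already-installed versions without needing publisher keys.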