Spectator – A programming language for Cybersecurity and Hacking

Name: Spectator – A programming language for Cybersecurity and Hacking
Availability: InStock
Author: CzaxTanmay

by CzaxTanmay·Mar 26, 2026·2 points·0 comments

Visit Project View on HN

AI Analysis

●MidBold BetShip It

New DSL for pentesting, but Python libraries already do this without learning new syntax.

Strengths

•Single binary compilation avoids dependency hell during remote engagements.
•Built-in security primitives like PortScan and SQLiTest reduce boilerplate.
•Native GUI framework allows quick tooling without Electron overhead.

Weaknesses

•GUI framework currently Windows-only, limiting utility on standard Kali Linux setups.
•Reinventing syntax instead of wrapping existing Python libraries adds adoption friction.

Post Description

Hey HN,

I've been building Spectator for the past year — a purpose-built scripting language for pentesters, red teamers, and security researchers.

Why another language? Most security work is a mix of Bash, Python, and random tools glued together. Spectator unifies that: one language with built-in security modules, a native GUI framework, and a package manager — all compiled into a single binary.

What makes it different:

High-level syntax — Python-like, f-strings, closures, goroutines (spawn). Recon scripts in 5 lines.

Built-in hacking modules — PortScan, SubdomainEnum, SQLiTest, PayloadGen, CORS/SSRF, HTTP fuzzing, crypto, encoding. No pip installs.

Native GUI framework (#Import Spec.GUI) — Desktop tools without Electron. Inputs, tables, tabs, output. Windows (WebView2), Linux (WebKitGTK), macOS (WKWebView).

Space package manager — Libraries like coffee (recon) and ghost (OSINT) are SHA-256 verified. Blocks supply-chain attacks.

Mission engine — Pentest workflow with HTML report generation.

Cross-compilation — spectator build script.str to app.exe for windows = standalone binaries.

Example — GUI port scanner (complete tool):

spectator #Import Spec.GUI open.window({"title": "Port Scanner", "bg": "#070b14", "accent": "#00d4aa"}) GUI.input("target", "Enter target...") GUI.button("Scan", "run_scan") GUI.progress("bar") GUI.output("out", {"height": 380})

GUI.on("run_scan", func() { target = GUI.get("target") GUI.print("out", "Scanning " + target) ports = [21,22,23,80,443,3306,8080] each p : ports { if hasPort(target, p) { GUI.print("out", "OPEN " + str(p)) } } }) end() Current state:

v2.0.0 — stable CLI/TUI across Windows, Linux, macOS

GUI fully functional on Windows; Linux/macOS GUI works (WebKit vs WebView2 differences)

~177 built-in functions, written in Go

Space registry live, anyone can publish

What I'd love feedback on:

Does the syntax feel intuitive? (string concat --> is unusual but I like it)

GUI approach — native desktop vs web-based?

Package manager security — SHA-256 verification enough?

What modules would make you actually use this?

I know the security tooling space is crowded, but there's room for a language built for this domain rather than adapted.

GitHub: https://github.com/CzaxStudio/Spectator Docs: https://github.com/CzaxStudio/SpectatorDocs/

Appreciate any thoughts, criticism, or wild ideas.