Security-test localhost, staging, and intranet applications through an encrypted reverse tunnel. HTTP request relay, TCP port scanning, and binary WebSocket protocol — built for DAST, not just proxying.
Most tunneling tools are built for development convenience. ArmoTunnel is built for security testing — binary protocol, TCP relay, and zero-overhead integration with ArmoScan's 474+ plugin DAST engine.
Not a generic HTTP proxy — ArmoTunnel is purpose-built for dynamic application security testing. The scanner talks directly to your local app through the tunnel with zero configuration.
Your application stays behind the firewall. Only ArmoScan's scanner engine can reach it through the encrypted tunnel. No DNS changes, no firewall rules, no port forwarding.
Custom binary framing with 21-byte headers — no JSON serialization overhead, no Base64 encoding for binary payloads. Request multiplexing via GUID-based request IDs.
Not just HTTP — ArmoTunnel supports TCP relay for infrastructure-level port scanning. Test open ports, grab service banners, and detect exposed services on internal networks.
Tunnel targets skip domain verification entirely — you own the tunnel, so you own the target. No DNS TXT records, no HTML file uploads, no meta tags. Just start scanning.
Exponential backoff with up to 10 reconnection attempts. Survives network interruptions, laptop sleep/wake cycles, and VPN reconnects during long-running scans.
ArmoTunnel establishes a persistent WebSocket connection to ArmoScan's infrastructure. Incoming scan requests are relayed through the tunnel and forwarded to your local application.
a7f3bc91.armoscan.com
localhost:3000, captures response
From download to first scan in under 2 minutes
Point it at your local app and authenticate with your API key.
$ armotunnel \
--target http://localhost:3000 \
--api-key ask_xxxxxxxxxxxx
ArmoTunnel assigns a unique 8-hex subdomain for your session.
Forwarding: https://a7f3bc91.armoscan.com
→ http://localhost:3000
Add the tunnel URL as a target — auto-verified, no domain ownership proof needed.
Target: https://a7f3bc91.armoscan.com
Status: Verified (Tunnel)
ArmoTunnel uses a custom binary framing protocol optimized for security scanning workloads. No JSON overhead, no Base64 encoding — raw binary payloads with multiplexed request IDs.
21-byte fixed header. Request IDs enable parallel HTTP request multiplexing over a single WebSocket connection.
0x01 AUTH_REQUEST
0x02 AUTH_OK
0x10 HTTP_REQUEST
0x11 HTTP_RESPONSE
0x20 PING / PONG
0x40 TCP_CONNECT
0x42 TCP_DATA
0x43 TCP_CLOSE
ArmoTunnel supports both Layer 7 (HTTP) request proxying and Layer 4 (TCP) port scanning through the same tunnel connection.
ArmoTunnel is the only tunneling solution built specifically for DAST scanning. Here's how it stacks up against general-purpose tunneling tools.
| Capability | ArmoTunnel | ngrok | Cloudflare Tunnel | localtunnel |
|---|---|---|---|---|
| Primary Use Case | DAST Scanning | Development | Production | Development |
| DAST Integration | ||||
| TCP Port Scanning | TCP tunnels (paid) | |||
| Binary Protocol | QUIC | HTTP | ||
| Auto Target Verification | N/A | N/A | N/A | |
| Security Plugin Coverage | 474+ plugins | N/A | N/A | N/A |
| Request Multiplexing | ||||
| Self-Contained Binary | Requires Node.js | |||
| Price (Tunnel Only) | Included in plan | $8-25/mo | Free (limited) | Free (unstable) |
| Price (Tunnel + DAST) | From £19/mo | $8/mo + separate DAST | Free + separate DAST | Free + separate DAST |
Other tools require you to buy a tunnel + a separate DAST scanner + configure integration between them. ArmoTunnel is built into the ArmoScan platform — zero integration effort.
ArmoTunnel is a single binary with no external dependencies. Run it from anywhere.
armotunnel [options]
Options:
-t, --target <url> Local application URL (required)
e.g., http://localhost:3000
-k, --api-key <key> ArmoScan API key (required)
Get yours: Settings → API Keys
-s, --server <host> ArmoScan server address
Default: app.armoscan.com
--version Show version information
--help Show help
Scan a local React app:
$ armotunnel --target http://localhost:3000 --api-key ask_xxx
Scan an intranet application:
$ armotunnel --target https://192.168.1.50:8443 --api-key ask_xxx
Use a custom ArmoScan server:
$ armotunnel -t http://localhost:8080 -k ask_xxx -s mycompany.armoscan.com
ArmoTunnel v1.0.0 Status: Connected Forwarding: https://a7f3bc91.armoscan.com → http://localhost:3000 Use this URL as your scan target in ArmoScan. Press Ctrl+C to disconnect. [14:32:01] GET / → 200 (45ms, 12.3KB) [14:32:01] GET /css/style.css → 200 (12ms, 2.1KB) [14:32:02] POST /api/login → 200 (120ms, 0.4KB) [14:32:03] GET /api/users → 200 (85ms, 8.7KB) [14:32:04] PUT /api/users/1 → 403 (32ms, 0.1KB) [14:32:05] GET /admin → 404 (15ms, 0.2KB) [14:32:06] POST /api/search → 200 (210ms, 15.4KB)
ArmoTunnel is included in all Developer plans. Choose the plan that fits your team.
Individual developer — scan local apps only
£19/mo
billed monthly
Team — scan local + external domains
£49/mo
billed monthly
ISV / Enterprise — full platform access
£149/mo
multi-tenant, billed monthly
Single binary, zero dependencies. Download, authenticate, and start scanning.
Ubuntu 20.04+, Debian 11+, Fedora 36+, RHEL 8+
Download .deb Package or download standalone binary (.tar.gz)$ sudo dpkg -i armotunnel_1.0.0_amd64.deb
$ armotunnel --help
Windows 10 (1607+), Windows 11, Windows Server 2016+
Download .msi Installer or download standalone binary (.zip)> armotunnel.exe --help
ArmoTunnel is designed with defense-in-depth. Your local application is never directly exposed to the internet.
Every tunnel requires a valid API key. Anonymous tunnels cannot be created. Keys are scoped to specific tenants.
All tunnel traffic is encrypted via WebSocket Secure (WSS) over TLS 1.3. Traffic inspection at intermediate hops is impossible.
Tunnels automatically expire after 24 hours. Heartbeat monitoring disconnects idle tunnels after 90 seconds of silence.
Each tunnel is bound to a specific tenant. Other tenants cannot access or even discover your tunnel subdomain.
8-character hex subdomains provide 4.3 billion combinations. Brute-force subdomain discovery is infeasible.
100 requests/second per tunnel subdomain. 10MB max request/response body size. Plan-based tunnel count limits.