The workshop

What we're building.

We build in the open bench, not the marketing deck. This is a live snapshot of the tools coming out of the workshop — some shipping, some still in development. Several are security and remote-access tools, built for lawful, authorised work only. Read the note below before you read the list.

Authorised use only

Authorised use only. Many of these tools — network scanning and auditing, remote access and management, and red-team automation — are built for security work on systems you own or have explicit, written permission to test or manage. Using them against systems you do not control may be a criminal offence. We build them for lawful engagements, and they are to be used that way.

Secure networking & remote access

LanLink

Flagship

Our flagship mesh VPN — friendlier than WireGuard. A small relay on a VPS plus lightweight clients join a private, encrypted network with a shared name and password; pure-Rust crypto, NAT hole-punching, and a TLS-protected admin dashboard. For privately connecting infrastructure you own or manage.

  • Rust
  • Wintun
  • pure-Rust crypto

LanLink Simple

Beta

A pared-down name-and-password mesh VPN: VPS relay plus tun/Wintun clients, forward-secret per-peer crypto, NAT traversal and TCP port-forwarding. Simpler to configure than WireGuard, still secure. Runs on Windows (x64 and ARM64) and macOS.

  • Rust
  • Windows
  • macOS

Pirate VNC

In development Authorised use

Single-binary remote desktop over an encrypted relay — connect by ID, no exposed ports, end-to-end encrypted screen, input and file transfer. For remote support and administration of machines you own or are authorised to access.

  • Rust
  • Noise E2E
  • relay

Duck DNS Manager

Released

Points several dynamic-DNS subdomains at one server with automatic TLS and clean host routing (DuckDNS + Caddy), all from a single config file. Boring, reliable self-hosted infrastructure — exactly as it should be.

  • Rust
  • Caddy
  • DuckDNS

Audiocast

Stable

Low-latency microphone and system-audio streaming between machines — a Rust relay, transmitter and web dashboard, with optional server-side recording and TLS. For your own audio, on your own links.

  • Rust
  • DuckDNS
  • TLS

Security & red team

Red-Team Agent

In development Authorised use

An offensive-security AI agent: it drives local models (via Ollama) with a sandboxed filesystem, a browser console and a CVE/exploit knowledge base to assist a human tester during an engagement. Runs entirely on hardware you control, and is used only under explicit written client authorization.

  • Rust
  • Ollama
  • local LLM
  • RAG

LAN Auditor

v0.6 Authorised use

A passive network sniffer that flags cleartext credentials and exposed RTSP cameras by device, so insecure kit gets found and fixed. Listen-only. For networks you own or are contracted to audit.

  • Rust
  • AF_PACKET / Npcap

Scan-Lan

Stable Authorised use

A detection-only network and camera auditor: device and RTSP discovery plus non-intrusive CVE and exposure checks, with full logging. It reports; it does not attack. Run it only on networks you are authorised to assess.

  • Rust
  • PowerShell
  • detection-only

Capture-Guard

In development Authorised use

A Windows session-integrity guard: watchdog, remote-session tripwire and process self-hardening, to protect sensitive sessions on endpoints you administer against tampering and unwanted capture.

  • Rust
  • Windows

SFM — Simple Firewall Manager

Stable

A right-click Windows Firewall manager — block, allow, remove or check any app, and open or close ports — driven straight through the Windows COM API, self-elevating, no netsh. Small, fast, and it just works.

  • Rust
  • Windows COM

TCPView-rs

Stable

A fast console TCP/UDP connection viewer with port filtering and one-key kill — quick triage of exactly what a Windows box is talking to, and the power to stop it.

  • Rust
  • static-CRT

Systems & developer tooling

ArmorForge

Stable

A build-hardening pipeline: it obfuscates, signs and hardware-locks your own release binaries into versioned, never-overwritten folders. Protects the software you ship from tampering and casual reverse-engineering.

  • Rust
  • Ed25519
  • OLLVM

Reset-Survivor

Stable

A Windows tool that survives “Reset this PC (remove everything)”, restores a protected folder in place, and re-runs your setup as SYSTEM on first boot — for fleet re-imaging, kiosks and recovery.

  • Windows
  • SYSTEM

VPS Migration Tool

Stable

Backs up a Windows Server web stack — nginx/Apache/IIS install, config, content, certificates, scripts and NTFS ACLs — into one manifested archive, then recreates it all on a new provider. Lift-and-shift without the tears.

  • PowerShell
  • Windows Server

ServeFile

Utility

A tiny, hardened HTTP one-file server: any path serves a single file, behind random-password Basic Auth. For handing one file to one person, quickly and safely.

  • Rust
  • tiny_http

These projects are in active development and listed for information only. Kaperbrief's security, networking and remote-access tools are intended solely for lawful use by their owner, or by parties acting with the explicit, written authorization of the system owner. Unauthorised access to, interception of, or interference with computer systems or data is a criminal offence in most jurisdictions — including under the Dutch Wet computercriminaliteit, the US Computer Fraud and Abuse Act, and the UK Computer Misuse Act. You are solely responsible for ensuring you have the necessary authorization before use. All software is provided “as is”, without warranty of any kind, and Kaperbrief accepts no liability for misuse. This notice is provided for information and is not legal advice.

Need one of these built, hardened, or run for you?

Most of what's here started as a client problem. If one of them sounds like yours, let's talk about doing it properly — under a clear, written scope.

Start a conversation