Security engagements often run into the same gaps.
Your scanners see what the network exposes from the outside. Your logs see most of what has already happened. But everything behind a firewall, on an unmanaged device, broadcasting over a rogue access point, or running on a service that never made it into your SIEM logs stays invisible.
The traditional answer is a bag of single-purpose tools: one for port scanning, another for WiFi discovery, another for packet capture, each with its own setup, its own output format, and its own failure modes on whatever hardware the engagement requires.
We just released something better. Strike48 Pick is now open source.
Pick is a lightweight reconnaissance agent that runs security assessments from inside the networks you're testing. Rather than replacing remote scanning, it fills the gap remote scanning fundamentally cannot reach.
From a single deployment, Pick handles:
Everything executes locally on the host and reports back through a unified interface. One agent, one output format, one deployment.
"Security teams shouldn't need a different tool for every type of network reconnaissance. Pick gives you one agent that handles the full recon workflow, runs on anything, and gets you from deployment to actionable data in minutes instead of hours."
- Tim Leehealey, VP of Corporate Strategy and Operations, Strike48
The core engineering decision behind Pick is its architecture. Built on a single Rust/Dioxus codebase, Pick compiles to five deployment targets:
You're not choosing between a good tool and a compatible tool. Pick runs on whatever hardware the engagement requires, with the same capabilities and the same interface everywhere.
Built for How Security Teams Actually Work
Pick is designed for four primary use cases:
Red Team Operations. Deploy Pick as a droppable agent for network reconnaissance and lateral movement during engagements. Drop it on an implant, run recon, pull the data.
Penetration Testing. Scan networks, discover devices, and enumerate services from inside the target environment — getting the ground-level picture that external scans miss.
Security Research. Pick's extensible Rust framework is built to be forked and built on. Add new reconnaissance capabilities, test new detection approaches, contribute back.
Training and Education. Run Pick in controlled lab environments to learn network scanning and discovery techniques hands-on.
If you're already on the Strike48 platform, Pick connects directly to Prospector Studio. Reconnaissance data flows from Pick into Strike48's autonomous investigation layer, where agents correlate it against your log data, run investigations, and surface findings.
The gap between "what exists on the network" and "what your agents know about" closes. Raw network discovery becomes actionable intelligence without manual stitching.
Pick also works as a fully standalone tool with no platform dependency. Start with it for an engagement this week and connect it to Strike48 when you're ready.
The full Pick codebase is available on GitHub under a permissive license. Inspect it, fork it, extend it, and contribute back. Security practitioners and researchers who want to build new reconnaissance capabilities on top of the framework are welcome.
Get started
Pick is available now. Open source and free to use.