Launch HN: Kampala (YC W26) – Reverse-Engineer Apps into APIs

Posted by alexblackwell_ 7 hours ago

Launch HN: Kampala (YC W26) – Reverse-Engineer Apps into APIs(www.zatanna.ai)

Hey! I am Alex and together with my co-founder Tarun built Kampala (https://www.zatanna.ai/kampala). It’s a man-in-the-middle (MITM) style proxy that allows you to agentically reverse engineer existing workflows without brittle browser automation or computer use agents. It works for websites, mobile apps, desktop apps.

Demo: https://www.youtube.com/watch?v=z_PeostC-b4. Many people spend hours per day in legacy dashboards and on-prem solutions reconciling data across platforms. Current attempts at automation use browser automations or computer use agents which are brittle, slow, and nondeterministic. I come from a web reverse engineering background and spent the last 7-8 years building integrations by hand for sneaker/ticket releases, sportsbooks logins, and everything in\ between. During that time I consulted for several companies and brought them off of browser based infrastructure into the requests layer.

When we started Zatanna (that’s our company name) we worked in dental tech, which meant we had to deal with tons of insurance payer dashboards and legacy dental-practice solutions. Our superpower (as a fairly undifferentiated voice agent/front desk assistant company) was that we could integrate with nearly any system requested. During this time we built extensive tooling (including what we’re now calling Kampala) to allow us to spin up these integrations quickly. Existing MITM proxies and tooling didn’t work for a few reasons: (1) They manipulated the TLS and HTTP2 fingerprint over the wire which was detected by strict anti-bots. (2) They had bad MCPs which did not adequately expose necessary features like scripts/replay. (3) They did not allow for building workflows or actions given a sample or sequence of requests.

As the tools we built got more powerful, we began to use them internally to scrape conference attendees, connect to external PMS systems, and interact with slack apps. I even sent it to my property manager mom, who (with a lot of help from me lol), automated 2-3 hours of billing information entry in Yardi. At that point we realized that this wasn’t really about dentistry :)

Because Kampala is a MITM, it is able to leverage existing session tokens/anti-bot cookies and automate things deterministically in seconds. You can either use our agent harness that directly creates scripts/apis by prompting you with what actions to make, or our MCP by manually doing a workflow once, and asking your preferred coding agent to use Kampala to make a script/API to replicate it. Once you have an API/script, you can export, run, or even have us host it for you.

We think the future of automation does not consist of sending screenshots of webpages to LLMs, but instead using the layer below that computers actually understand. Excited to hear your thoughts/questions/feedback!

51 points | 50 commentspage 2

mkirsten 6 hours ago|

Cool! Links on the page doesn't work, at least not for me, e.g., https://www.zatanna.ai/kampala#how-it-works

Also not clear on the page if it is apps from the local machine or on the network. Maybe some clearer examples and use cases would help?

alexblackwell_ 6 hours ago|

Oops now realizing that pattern where we send you to bottom latest download link is definitely confusing. Fixed so that the top button sends you straight to Download now.

Sytten 6 hours ago||

Interesting product (Caido co-founder here). It is very hard to nail auth, probably the most underlooked aspect by end users. We are working on something similar for PoC reproduction of vulnerabilities.

Fingerprinting is also a hard thing to match perfectly, I would be curious to know what your strategy is on that. My experience has been that unless you bundle multiple TLS lib it is almost impossible to do at 100% because none of the lib cover all the TLS extensions.

alexblackwell_ 6 hours ago|

We’re currently running a variety of stuff for TLS/HTTP2. If you download you can see the full trace of the connection. We dump the TLS connection byte for byte with the different structured subsections. With tls.peet.ws and bogdann finn’s tls-client (which we use parts of with some modifications) I would say that http3/tcp fingerprinting is probably the remaining issue. We currently don’t support http3 connections (they’re niche + apple system proxy doesn’t support them well), and TCP fingerprinting is a bit too low level to build out tooling in GO currently. Possibly for a later release. Curious if you’ve tried bogdann finn/the existing tooling?

Sytten 3 minutes ago||

We are in Rust so our options are more limited. Make sense the golang ecosystem is pretty good for that.

Barbing 6 hours ago||

Zatanna

Kampala (had to double check it wasn’t Harris)

Just mulling these names over, how’d you come up with them?

PS: clear value prop!

alexblackwell_ 6 hours ago|

Zatanna is a DC comic book character. I’m not sure if either of us have even read comics, so not sure where that came from. For Kampala, when I started this I was trying Conductor for the first time. The generated workspace name was Kampala (the capital of Uganda). We even have a 3rd name. We actually incorporated as NoPoll. That one’s a bit less inspiring though lol.

kay_o 1 hour ago||

Gotta ask, did you talk to legal in any way before naming your company after someone's IP

ghoshbishakh 3 hours ago||

Wireshark + some post processing?

alexblackwell_ 3 hours ago||

Yep essentially. I would argue that we're probably closer to a MITM proxy like Proxyman than Wireshark. We don't do general packet sniffing (yet), although internally we use our own packet sniffing tools for reverse engineering on-prem installations.

5701652400 3 hours ago||

guess they are automating this with AI clearly with intent to reproduce websites on their own. clone-every app pretty much.

(every app that is not hidden their networking)

kang 3 hours ago||

how does this work? for eg, how is it possible to even deduce bitcoin structure from rpc list?

alexblackwell_ 2 hours ago|

sorry a bit confused on your question here. If you're asking about JSON RPC we handle this via parsing. The AI can then handle deducing structure most of the time given enough context

benagents 6 hours ago||

Great job Alex!

Think this is really interesting especially for creating datasets. Proxyman was always hard to use for me, so connecting it to a MCP was something I have been waiting for.

Quick question: How do you handle session re-auth mid-script?

Congrats on the launch.. I need that conference script!

alexblackwell_ 5 hours ago|

Thanks Ben! For session re-auth we attempt to agentically find the session refresh/login endpoints and make those part of the flow as an auth provider. This can be a bit sketchy though and is the main bottleneck right now. Currently working on some cool workarounds for this that allow us to piggy back on browser that should land by next week :)

benagents 4 hours ago||

Thank you! Looking forward to it.

lyime 5 hours ago||

How is this different/better than charles proxy/proxyman or similar apps?

alexblackwell_ 5 hours ago|

I’ve probably spent on the order of months of my life in proxyman/charles/burp/powhttp. All are great, but I’ve never been completely satisfied with the UX/features for building automations. As far as differences; we don’t modify TLS/HTTP2 connections, have a fully featured MCP (each UI action is an api action by definition), and have built more robust automation tooling in the app itself. The goal is to be an AI-native burp suite/powhttp with Proxyman-like UI.

5701652400 3 hours ago||

guess time to move to gRPC and private encryption.

huflungdung 3 hours ago||

[dead]

asxndu 3 hours ago|

[dead]