An intentionally vulnerable monorepo for WAF testing and security education. 456+ vulnerable endpoints across 25+ industry domains, bundled with an interactive React portal.
456+ Vulnerable Endpoints: Banking, healthcare, e-commerce, telecom, energy/SCADA, government, and more — spanning 25+ industry verticals.
Full OWASP Top 10: 200+ intentional vulnerabilities: injection, broken auth, IDOR, SSRF, business logic flaws, and beyond.
Interactive React Portal: Industry-themed dashboards, red team console, attack visualizations, and guided exploit walkthroughs.
Single pip install: The React SPA is bundled into the Python wheel. One command gets you a fully functional target environment.
Security Testing Tools: Includes k6 load testing scenarios, Nuclei vulnerability templates, and pre-built Grafana dashboards.
Apparatus Integration: Pairs with Apparatus for defense validation — test WAF rules, honeypots, and deception against real attack surfaces.