DEV.co
Open-Source Testing · Endava

cats

CATS is a Java-based REST API fuzzer and negative testing tool for OpenAPI specifications. It automatically generates, executes, and reports thousands of API tests with minimal configuration and no manual coding required.

Source: GitHub — github.com/Endava/cats
1.4k
GitHub stars
89
Forks
Java
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryEndava/cats
OwnerEndava
Primary languageJava
LicenseApache-2.0 — OSI-approved
Stars1.4k
Forks89
Open issues2
Latest releasecats-13.8.0 (2026-04-01)
Last updated2026-07-03
Sourcehttps://github.com/Endava/cats

What cats is

CATS leverages 100+ Fuzzers to generate context-aware test payloads based on OpenAPI schemas, data types, and constraints. Tests are self-healing and adapt automatically to schema changes; the tool supports both JVM execution (Java 25+) and GraalVM native compilation.

Quickstart

Get the cats source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Endava/cats.gitcd cats# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

OpenAPI Contract Testing at Scale

Rapidly generate and execute thousands of negative and boundary tests against REST endpoints without manual test code. Ideal for teams maintaining large API portfolios requiring continuous contract validation.

Security-Focused API Regression Testing

Uncover input validation gaps, boundary condition handling, and constraint violations automatically. Fuzzers target field-level attacks and malformed payloads across all endpoints without custom script development.

Self-Healing API Test Suites

Reduce test maintenance overhead as OpenAPI schema changes are automatically incorporated into test generation. Particularly valuable for APIs under active development or frequent specification updates.

Implementation considerations

  • Requires Java 25+ or a GraalVM native build; verify target environment JVM version before deployment.
  • OpenAPI specification must be valid and reasonably complete; missing or incorrect field constraints reduce Fuzzer effectiveness.
  • Configuration is declarative (flat learning curve) but advanced scenarios (custom Fuzzers, response validation rules) may require deeper documentation review.
  • HTML and CLI reporting are built-in; integration with CI/CD pipelines requires shell scripting or wrapper automation.
  • Test execution time scales with API size and Fuzzer count; large APIs with 100+ Fuzzers may take minutes to hours to complete.

When to avoid it — and what to weigh

  • Non-OpenAPI APIs — CATS requires a valid OpenAPI specification to function. Undocumented, GraphQL, or gRPC endpoints cannot be tested without adapting your API documentation first.
  • Complex Functional/Business Logic Testing — CATS excels at negative and boundary testing but is not designed for detailed functional workflows. Multi-step scenarios requiring state management and business logic validation are better handled by dedicated integration test frameworks.
  • Legacy APIs Without OpenAPI Docs — Reverse-engineering or auto-generating OpenAPI specs for undocumented legacy systems adds significant upfront overhead; consider Swagger Parser tools first.
  • Performance and Load Testing — CATS is a functional fuzzer, not a load or performance testing tool. Use dedicated tools (JMeter, Gatling) for throughput, latency, and stress scenarios.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license. Grants rights to use, modify, and distribute for commercial and private purposes, subject to license attribution and liability disclaimers.

Apache-2.0 permits commercial use without restriction. Attribution required in derived works. No vendor lock-in or proprietary components evident from the data; however, deployment and support arrangements are not addressed in the provided materials.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

CATS is a testing/fuzzing tool designed to discover API vulnerabilities (input validation gaps, constraint violations, malformed payload handling). The tool itself does not implement security guardrails; users control what endpoints are tested and what payloads are sent. Ensure API endpoints under test are in a safe, non-production environment or behind proper access controls. No encryption, auth, or data sanitization claims are made; review the tool's network behavior for sensitive data leakage (logs, reports) if testing authenticated APIs.

Alternatives to consider

Swagger/OpenAPI Code Generator + Custom Test Framework

Offers greater control over test logic and assertions but requires significant manual coding effort. Better for complex business logic testing.

Soapster / REST-Assured (JUnit) + Hypothesis / Faker

Lightweight library-based approach for Java projects. Requires more hand-written test code but integrates directly into Maven/Gradle builds without CLI overhead.

Burp Suite / OWASP ZAP

Multi-purpose web security testing tools with fuzzing capabilities. Broader scope (web app scanning, proxy interception) but steeper learning curve and not API-contract-focused.

Software development agency

Build on cats with DEV.co software developers

Download CATS and run thousands of security-focused API tests automatically. Start with the 1-minute Quick Start Guide and detect API vulnerabilities in minutes, not weeks.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cats FAQ

Does CATS support authentication (API keys, OAuth)?
Not explicitly detailed in the provided data. Documentation likely covers header/query parameter injection for credentials. Requires review of full docs or source code for OAuth2 or token-refresh workflows.
Can CATS test APIs behind a firewall or without internet access?
Yes; CATS is a standalone CLI tool that issues HTTP requests to a provided endpoint URL. No cloud/SaaS requirement. Works in air-gapped networks if the API is locally accessible.
How long does a typical test run take?
Execution time depends on API complexity, number of Fuzzers enabled, and endpoint response latency. README indicates 'thousands of scenarios within minutes' but exact benchmarks are not provided. Larger APIs may take longer.
Does CATS replace manual security testing or penetration testing?
No. CATS automates input validation and constraint testing for documented endpoints. It does not replicate expert penetration testing, business logic exploitation, or undocumented endpoint discovery. Use as a complementary layer in a comprehensive security testing strategy.

Software developers & web developers for hire

DEV.co helps companies turn open-source tools like cats into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source testing stack.

Test Your REST APIs Smarter

Download CATS and run thousands of security-focused API tests automatically. Start with the 1-minute Quick Start Guide and detect API vulnerabilities in minutes, not weeks.