cats
CATS is a Java-based REST API fuzzer and negative testing tool for OpenAPI specifications. It automatically generates, executes, and reports thousands of API tests with minimal configuration and no manual coding required.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Endava/cats |
| Owner | Endava |
| Primary language | Java |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.4k |
| Forks | 89 |
| Open issues | 2 |
| Latest release | cats-13.8.0 (2026-04-01) |
| Last updated | 2026-07-03 |
| Source | https://github.com/Endava/cats |
What cats is
CATS leverages 100+ Fuzzers to generate context-aware test payloads based on OpenAPI schemas, data types, and constraints. Tests are self-healing and adapt automatically to schema changes; the tool supports both JVM execution (Java 25+) and GraalVM native compilation.
Get the cats source
Clone the repository and explore it locally.
git clone https://github.com/Endava/cats.gitcd cats# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Java 25+ or a GraalVM native build; verify target environment JVM version before deployment.
- OpenAPI specification must be valid and reasonably complete; missing or incorrect field constraints reduce Fuzzer effectiveness.
- Configuration is declarative (flat learning curve) but advanced scenarios (custom Fuzzers, response validation rules) may require deeper documentation review.
- HTML and CLI reporting are built-in; integration with CI/CD pipelines requires shell scripting or wrapper automation.
- Test execution time scales with API size and Fuzzer count; large APIs with 100+ Fuzzers may take minutes to hours to complete.
When to avoid it — and what to weigh
- Non-OpenAPI APIs — CATS requires a valid OpenAPI specification to function. Undocumented, GraphQL, or gRPC endpoints cannot be tested without adapting your API documentation first.
- Complex Functional/Business Logic Testing — CATS excels at negative and boundary testing but is not designed for detailed functional workflows. Multi-step scenarios requiring state management and business logic validation are better handled by dedicated integration test frameworks.
- Legacy APIs Without OpenAPI Docs — Reverse-engineering or auto-generating OpenAPI specs for undocumented legacy systems adds significant upfront overhead; consider Swagger Parser tools first.
- Performance and Load Testing — CATS is a functional fuzzer, not a load or performance testing tool. Use dedicated tools (JMeter, Gatling) for throughput, latency, and stress scenarios.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license. Grants rights to use, modify, and distribute for commercial and private purposes, subject to license attribution and liability disclaimers.
Apache-2.0 permits commercial use without restriction. Attribution required in derived works. No vendor lock-in or proprietary components evident from the data; however, deployment and support arrangements are not addressed in the provided materials.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
CATS is a testing/fuzzing tool designed to discover API vulnerabilities (input validation gaps, constraint violations, malformed payload handling). The tool itself does not implement security guardrails; users control what endpoints are tested and what payloads are sent. Ensure API endpoints under test are in a safe, non-production environment or behind proper access controls. No encryption, auth, or data sanitization claims are made; review the tool's network behavior for sensitive data leakage (logs, reports) if testing authenticated APIs.
Alternatives to consider
Swagger/OpenAPI Code Generator + Custom Test Framework
Offers greater control over test logic and assertions but requires significant manual coding effort. Better for complex business logic testing.
Soapster / REST-Assured (JUnit) + Hypothesis / Faker
Lightweight library-based approach for Java projects. Requires more hand-written test code but integrates directly into Maven/Gradle builds without CLI overhead.
Burp Suite / OWASP ZAP
Multi-purpose web security testing tools with fuzzing capabilities. Broader scope (web app scanning, proxy interception) but steeper learning curve and not API-contract-focused.
Build on cats with DEV.co software developers
Download CATS and run thousands of security-focused API tests automatically. Start with the 1-minute Quick Start Guide and detect API vulnerabilities in minutes, not weeks.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
cats FAQ
Does CATS support authentication (API keys, OAuth)?
Can CATS test APIs behind a firewall or without internet access?
How long does a typical test run take?
Does CATS replace manual security testing or penetration testing?
Software developers & web developers for hire
DEV.co helps companies turn open-source tools like cats into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source testing stack.
Test Your REST APIs Smarter
Download CATS and run thousands of security-focused API tests automatically. Start with the 1-minute Quick Start Guide and detect API vulnerabilities in minutes, not weeks.