BOTWAVE — Infrastructure

90K+ rotating proxies.
Every one receipt-tested.

WAVESOX is the proxy infrastructure BOTWAVE built for its own bounty hunting operations — then opened to external operators. Every proxy earns an immutable test receipt before entering rotation: latency, external IP, anonymity class, use-case score. No proxy ships untested. Inquiry-based pricing. Enterprise egress, pentester-grade validation.


── By the numbers

90K+
rotating residential proxies in the scraped pool
100%
receipt-tested before entering active rotation
5
use-case tiers — scraping to bounty_hunt

── What it does

The infrastructure BOTWAVE hunts on.

Built from the ground up for recon work where a burned IP costs a finding. Every component answers four questions: how does it write to substrate, how does it learn, how does it extend without code changes, how does it feed the other arms.

Validation

Receipt-First Testing

Every proxy runs connectivity, anonymity, and use-case scoring before it enters the export pool. Receipts are immutable JSONL — timestamped, versioned, auditable.

  • Connectivity: latency, external IP, TLS fingerprint
  • Anonymity classification: elite / anonymous / transparent
  • Use-case score per tier: scraping, streaming, tunneling, bounty_hunt
  • Dead proxies quarantined automatically — not silently dropped

Access Control

IAM-Style Zones

Each zone gets an API key and a filtered proxy set. A bounty hunter gets a different pool than an e-commerce scraper. Zones are created via POST — no code change required.

  • Zone config: protocol, min health score, geo filter, use-case
  • Export formats: JSON / CSV / plain text / PAC file
  • Code snippet generation: Python, NodeJS, Go, curl
  • Per-key rate limits configurable from registry

Pool Management

Continuous Validation Loop

The scraper, validator, and exporter run on independent timers. A proxy that passes at 06:00 may fail by 14:00 — the sweep catches it before it gets used on a live target.

  • Scraper: pulls from 12+ public and semi-public sources
  • Validator: parallel health checks, configurable concurrency
  • Exporter: pushes to FastAPI pool server on every successful sweep

Observability

Real-Time Stats API

FastAPI server on :8081. Pool health, live/dead counts, zone breakdowns, WebSocket stream of validation logs. Know the state of the pool before you run a hunt.

  • GET /stats — full pool breakdown in JSON
  • GET /proxies — filtered query by protocol, use-case, health score
  • GET /export — production-ready pool download
  • WS /ws/logs — live validation stream
API — what the pool looks like right now Shell
# Pool health — what's live right now
curl http://localhost:8081/stats | jq .

# Get proxies filtered by use case and minimum health score
curl "http://localhost:8081/proxies?protocol=socks5&use_case=bounty_hunt&min_health_score=0.85"

# Export production-ready pool
curl "http://localhost:8081/export?format=json&use_case=bounty_hunt" > proxies.json

# Create a zone with its own API key and filtered pool
curl -X POST http://localhost:8081/zones \
  -H "Content-Type: application/json" \
  -d '{"name":"recon_ops","use_case":"bounty_hunt","min_health_score":0.85}'

# Real-time validation stream
wscat -c ws://localhost:8081/ws/logs

── Who it's for

Operators who can't afford a burned IP.

Bug bounty hunters

Recon without residential exposure

Subfinder, httpx, nuclei routed through a validated SOCKS5 pool. The pool that powers BOTWAVE's own hunts.

Pentesters

Clean egress per engagement

IAM zones let you isolate each client engagement to a dedicated proxy set. No cross-contamination. Every request logged to your own substrate partition.

OSINT operators

Research that doesn't fingerprint back

Residential rotation means your research pass looks like organic traffic, not a datacenter sweep. Elite-classified proxies only for sensitive collection.

Enterprises

Managed egress for high-volume scraping

90K+ pool with geographic distribution across US residential, EU datacenter, and APAC mobile. Rate limits and geo filters configurable per zone.

Red teams

Infrastructure that matches the threat model

Proxies scored per use-case — the same pool record that shows a proxy is clean for scraping also shows whether it passes TLS fingerprint scrutiny for stealth work.

Not for

Out-of-scope targets

WAVESOX access requires acknowledgment of the acceptable use policy. Traffic through the pool is logged per zone. Abuse triggers immediate zone suspension.

Inquiry-based access.

Pricing is not self-serve yet. Send the email below with your use case — bounty hunting, pentesting, OSINT, or enterprise egress. Include target volume if you know it. Response within 48 hours.