The Keploy alternative — serve-the-mock infrastructure, not CI fixtures
Keploy is a genuinely open (Apache-2.0) eBPF recorder whose core job is generating CI test cases and mocks from traffic — fixtures scoped to a test run. Gostly is a self-hosted platform in your own perimeter — a Rust proxy plus control plane and dashboard — that records your real upstream and serves it byte-for-byte as durable, standing infrastructure. No eBPF, no kernel privileges, no host PID — a userspace proxy that runs on macOS, Windows, and Linux, with your recorded traffic and source code never leaving your host.
Keploy is one of the better stories in this category, and it deserves the credit. Its core is genuinely Apache-2.0 and free — not an open-core teaser — and it does something the snapshot tools do not: it captures real traffic with eBPF and auto-generates CI test cases and mocks, including for databases and message queues, not just HTTP. If what you want is a test suite that materializes from production traffic and runs in your pipeline, Keploy is built for exactly that, and Gostly does not auto-generate test suites at all.
Gostly is built around a different job. It is not a CI test-generator; it is a place you put a Rust proxy in front of your upstream, run LEARN to record an hour of real traffic, then flip to MOCK and serve that traffic back byte-for-byte — as long-running infrastructure your whole team and CI fleet point at, not a fixture file that exists for the duration of one run. The deployment is a containerized stack you bring up with Docker Compose in your own perimeter. There is no Kubernetes to operate.
The biggest architectural difference is how each one gets the traffic. Keploy reads it off the kernel with eBPF, which means running the capture container with elevated privileges, the host’s process namespace, and the host docker socket, on a Linux kernel of 5.15 or newer — on macOS or Windows you do it inside a VM or Docker, and there is no userspace fallback. Gostly sits in the request path as an ordinary userspace proxy. No kernel modules, no elevated privileges, no host PID — it runs the same way on a developer’s Mac, a Windows box, and a Linux CI runner.
Data locality is the other place the two diverge, and it is worth being precise. Keploy’s OSS telemetry is on by default and reports your OS, CI provider, git-repo slug, and the hostnames of the upstreams you recorded to its telemetry endpoint — disableable with a config flag, but on until you flip it. Its AI test-generation sends your source code to a hosted third-party model unless you self-host one. Gostly inverts both: your recorded traffic and PII never leave your host, inference is self-hosted in the container, and credential headers are redacted before anything touches disk. The licensed build makes only opt-out license-validation and counters-only calls — no payloads.
And because Gostly runs as your own single-tenant deployment, the controls a security review asks for are built in: SSO via SAML or OIDC, role-based access control, and an append-only audit log on Team — self-hosted in the container, not gated behind a cloud account. Each deployment is single-tenant, so your data is isolated by running in your own perimeter, never shared with another customer’s. The trade-offs are real, too: Keploy markets SCIM and SOC 2 / HIPAA readiness that Gostly does not yet, and Keploy auto-mocks databases and queues where Gostly is HTTP/HTTPS only.
Keploy generates a test suite from traffic the kernel hands it, then phones the upstream hostnames it saw home by default. Gostly serves the recording itself — the same bytes your real upstream sent, replayed byte-for-byte from a userspace proxy, with the traffic and your source code never leaving your host.
payments-api · upstream OFFLINE
UPSTREAM OFFLINE✓ 29 / 29 GREEN
$ docker stop upstream-api # kill the real API
upstream-api stopped
$ pytest tests/ -v # replayed from Gostly
tests/payments::test_list_customers PASSED
tests/payments::test_get_customer PASSED
· · · · · · · · · · · · · · · · · · · ·
========= 29 passed in 0.85s =========
↳ 0 live calls — served byte-for-byte
take the upstream offline — the recorded library still serves, 0 live calls
SAML + OIDC SSO, 4-role RBAC, append-only audit log on Team — in the container
Library on day one (no recordings yet)
Record first to get tests/mocks
Seed from a HAR / Postman / OpenAPI file before you record
gRPC / async messaging
Auto-mocked
roadmap
Roadmap items are labelled explicitly. Statecharts (stateful flows), live drift detection, Markov chaos, and SSO / RBAC / audit log run today on Gostly; gRPC and async messaging stay 2026 roadmap. Keploy’s auto-generated CI test suites and DB/queue auto-mocking are real strengths Gostly does not match — see the panels below.
Choose Keploy when
→You want a genuinely free, Apache-2.0 tool that auto-generates a CI test suite from real traffic — that is its core job, and Gostly does not do it.
→You need databases and message queues auto-mocked alongside HTTP — Keploy captures all of them.
→You run on Linux and are comfortable granting the capture container kernel privileges and host PID for eBPF.
→You need SCIM provisioning or are buying against a SOC 2 / HIPAA checklist Keploy markets and Gostly does not yet.
→A $19-per-seat Pro plan (cheaper per seat than Gostly Team) with metered usage on top fits your budget shape — Keploy publishes its pricing openly.
Choose Gostly when
→You want the mock to be durable, standing infrastructure your team and CI point at — not fixtures that live only for the length of a test run.
→You can’t grant kernel privileges or run eBPF — a userspace proxy with no host PID that runs the same on macOS, Windows, and Linux is the only thing that fits.
→Your recorded traffic and source code must stay on your host — no telemetry reporting your upstream hostnames, no source sent to a third-party model.
→You need a declared statechart so POST-then-GET-by-id just works, plus live drift detection and learned Markov chaos — and AI only to fill recorded gaps at the edge, never in the request hot path.
→You need SSO (SAML/OIDC), role-based access, and an append-only audit log on Team — self-hosted in the container, single-tenant, with data that never leaves your perimeter.
Be clear-eyed here: Keploy publishes its pricing, its OSS core is free, and its Pro seat is cheaper than Gostly Team. Gostly’s pricing edge is not “cheaper” — it is flat and predictable. Keploy’s paid tiers add metered usage on top of the per-seat price, so the bill moves with how hard you use it; Gostly is a flat seat price with no metering, and the SSO, RBAC, and audit log a security review asks for are included in the seat rather than gated behind a usage-priced cloud tier.
No empty library on day one
The objection that stalls most evaluations is “I’d be starting from zero until I’ve recorded enough traffic.” You aren’t. Drop a HAR capture, a Postman collection, or an OpenAPI spec into the dashboard and Gostly seeds a working mock library before you proxy a single request — the same library your recorded traffic lands in. Then real traffic, captured in userspace with no eBPF and no kernel privileges, sharpens it to ground truth.
gostly.internal / cold-start seeding
cold-start seeding 47 MOCKS · SERVING
⤓
drop a HAR · Postman · OpenAPI file
payments.har — 47 entries · 312 KiB
HARPostmanOpenAPI
✓ GET /customers/:id — seeded
✓ POST /charges — seeded
✓ GET /invoices — seeded
· flip to MOCK — a full library on day one
no empty library — seeded before you record a single call
In the dashboard, open Cold-start seeding, drag in the file, pick the service, and commit. The mocks land in the same library your recorded traffic does — flip the proxy to MOCK and they serve immediately. Then run your real test suite through the containerized proxy in LEARN mode to sharpen it to ground truth. No eBPF, no kernel privileges, no host PID — the whole flow lives in the dashboard and a userspace proxy, the same on every OS.
Try Gostly without the eBPF
Self-hosted, cross-platform, recording-first. Run it against your staging upstream for an hour — no kernel privileges, no host PID — and see whether it serves a mock you trust.