Mountebank gives you protocol-flexible imposters you hand-author in JSON — stubs and predicates you write and maintain, on a Node service. Gostly is a self-hosted platform inside your own perimeter — a Rust proxy plus control plane and dashboard — that records your real upstream and replays it byte-for-byte. No predicate logic to maintain, every replay deterministic, and no empty start — seed the library day one from a HAR, Postman, or OpenAPI file.
Mountebank earns real respect. It is genuinely open source, it has been around for years, and its reach across protocols — http, https, tcp, and smtp — is wider than almost anything else in the category. Its predicate matching is mature, and it even ships a proxy response type that can record and replay. If you need to virtualize a non-HTTP dependency, Mountebank is a serious tool.
The trade-off is the authoring model. By default an imposter is a set of stubs and predicates you write and keep current — configuration that models what the API mightdo, on a Node runtime you operate. The proxy mode exists, but record-replay isn’t the default ergonomic, and the one path to dynamic or stateful behavior is --allowInjection plus hand-written JavaScript — exactly the kind of arbitrary code execution a security review flags.
There’s a continuity question, too. The original maintainer stepped away in 2024; the project is now a community fork in transition, its last release was April 2025, and merges are effectively paused — while most usage is still pinned to the original package that npm now flags as potentially discontinued. If your mocking layer’s upstream is fading, that is a real reason to look. Gostly keeps Mountebank’s self-hosted, over-the-wire values as an actively developed product.
Gostly inverts the default. You put its Rust proxy in front of your upstream and run the self-hosted stack in your perimeter (Docker Compose); in LEARN mode it records for an hour, then replays the recorded traffic byte-for-byte in MOCK mode — including HTTPS. Your recorded traffic stays on your own infrastructure; sensitive headers are redacted before anything is written to disk.
And because it runs as your own single-tenant deployment, the controls a security review asks for are built in: SSO via SAML or OIDC, role-based access control, and an append-only audit log on Team.
A Mountebank predicate is a model of what the API shoulddo — config you wrote. Gostly’s mock is the recording: the same bytes your real upstream actually sent, replayed byte-for-byte, inside your own perimeter.
take the upstream offline — the recorded library still serves, 0 live calls
| Feature | Mountebank | Gostly |
|---|---|---|
| License / runtime | MIT (Node.js service) | FSL · Rust proxy, self-hosted stack |
| Mock source | Hand-authored imposters, stubs, predicates | Recorded from real traffic |
| Records real upstream traffic | proxy response type (per-stub config) | Default workflow, byte-for-byte |
| Captures real HTTPS / TLS traffic | https imposters (you supply the cert) | records HTTPS; JA4-accurate outbound (Pro+) |
| Protocol breadth | http, https, tcp, smtp — the wedge | HTTP / HTTPS today (gRPC roadmap) |
| Deterministic byte-for-byte replay | No | Yes |
| Library on day one (no recordings yet) | Author imposters by hand first | Seed from a HAR / Postman / OpenAPI file |
| Stateful flows across requests | predicates + --allowInjection JavaScript you write | shipping (statecharts) |
| Live drift detection vs the real upstream | No | shipping — re-record + compare, emits drift events |
| Chaos / failure injection | behaviors you configure (latency, fault) | Markov chaos learned from your traffic |
| AI gap-fill grounded by your traffic (opt-in) | No | Yes |
| No model in the request path | n/a (config-driven) | Yes |
| SSO, RBAC, audit log | No | SAML + OIDC SSO, RBAC, audit log on Team |
| Self-host posture | Node service | Self-hosted stack (Docker Compose) |
| Maintenance | Community fork (mountebank-testing) · last release v2.9.4, Apr 2025 · merging paused | Actively developed |
Mountebank’s protocol breadth (TCP, SMTP) is real and Gostly is HTTP/HTTPS-focused — if you need to virtualize a non-HTTP dependency today, Mountebank is the better fit. AI gap-fill on Gostly is opt-in and grounded by your recordings, not a free-text prompt.
Choose Mountebank when
Choose Gostly when
| Tier | Mountebank | Gostly |
|---|---|---|
| Free | Fully free OSS (MIT) — self-hosted Node service | OSS proxy (FSL) · unlimited services, self-hosted |
| Pro | n/a — no paid tier | $10 / mo single user |
| Team | n/a | $79 / seat / mo |
| Self-host / Enterprise | Self-host the OSS service yourself | $499 / mo Self-host · $25K+ Enterprise |
Mountebank is free, which is the right answer when hand-authored imposters are what you want. Gostly’s paid tiers buy the AI gap-fill, the team controls (SSO, RBAC, audit), and the managed support around a recorded-traffic workflow — the comparison changes shape when “the mock has to match what the real API actually returned” becomes the requirement.
With Mountebank you start by writing imposters. With Gostly you don’t start from zero — drop a HAR capture, a Postman collection, or an OpenAPI spec into the dashboard and it seeds a working mock library before you proxy a single request. Then real traffic sharpens it to ground truth. A predicate is only ever as right as the logic you wrote; a recording is what the API actually sent.
In the dashboard, open Cold-start seeding, drag in the file, pick the service, and commit. The mocks land in the same library your recorded traffic does — flip the proxy to MOCK and they serve immediately. Then run your real test suite through the containerized proxy in LEARN mode to sharpen it to ground truth.
Self-hosted, recorded from real traffic, deterministic in CI — no imposters to author. Run it against your staging upstream for an hour and see whether it produces a mock you trust.
Evaluating for a team of 3+? We’d love to talk before you commit.