September 2023 · 6 min read

Why Another Language?

There are hundreds of programming languages. Did we really need another one? Yes. Here's why.

The gap

I wanted a language that was:

• Pipeline-native — not an afterthought or a proposal stuck in committee
• Statically typed — with inference, so you rarely write type annotations
• Compiled — fast enough for systems programming
• Simple — learnable in a weekend, not a year

No existing language hits all four. Rust is compiled and typed but complex. Go is simple but has no generics (until recently) and no pipelines. Elixir has pipes but is dynamically typed and runs on BEAM. F# has pipes and types but is tied to .NET.

The bet

Lateralus bets that |> isn't just nice syntax — it's a fundamentally better way to express data transformation. When every function, every library, every tool is designed around forward data flow, you get an ecosystem where composition is the default.

What makes it different

• Pipeline operator is first-class, not a TC39 stage-2 proposal
• Error handling without exceptions (try/recover/ensure)
• Compiles to readable C99 — debug with printf if you want to
• Zero dependencies — pip install lateralus-lang and you're done

Is it production-ready?

Not yet. We're at v0.5.0. But it's real enough to write an OS in, build security tools with, and run in your browser. If that interests you, try the playground.

The shell script problem

Every security tool outputs text. Every automation script parses text. This is the fundamental problem Lateralus solves. Consider a typical pentest workflow in Bash:

# Bash: fragile text parsing everywhere
nmap -sV 10.0.0.0/24 -oG - | grep "open" | awk '{print $2}' | sort -u > hosts.txt
for host in $(cat hosts.txt); do
    nikto -h $host -output nikto-$host.txt 2>/dev/null
    # Hope the output format hasn't changed between versions
done
cat nikto-*.txt | grep "+ " | sort | uniq -c | sort -rn > findings.txt

This works until it doesn't. Nmap changes its output format. Grep captures a false positive. Awk splits on the wrong field. And when it fails, the error is silent — you get wrong results, not an error message.

The same workflow in Lateralus

// Lateralus: structured data, no text parsing
let findings = "10.0.0.0/24"
    |> nmap_scan(flags: "-sV")
    |> filter(|h| h.ports |> any(|p| p.state == Open))
    |> flat_map(|h| nikto_scan(h.ip))
    |> sort_by(|f| f.severity, descending)
    |> deduplicate_by(|f| f.id)

findings |> to_report("pentest-findings.pdf")

Every intermediate value is typed. nmap_scan returns Vec<Host>, not a string. nikto_scan returns Vec<Finding>. If a tool's output format changes, the wrapper fails with a clear parse error, not a silent wrong result.

Why not Python?

Python is the most common automation language in security. We love Python. But for tool orchestration, it has real limitations:

• No pipeline syntax — method chaining in Python requires backslash line continuations or wrapping in parentheses. Lateralus pipelines are a first-class syntax feature.
• Dynamic typing — a typo in a variable name is a runtime error that might not surface until 30 minutes into a scan. Lateralus catches it at compile time.
• Deployment — Python scripts need a runtime, virtual environments, and dependency management. Lateralus compiles to a single static binary.
• Performance — for I/O-bound scripts, Python is fine. For CPU-bound tasks (hash cracking helpers, binary analysis, fuzzing), Lateralus compiles to native code via the C99 backend.

Why not Rust?

Rust is excellent for building security tools. But it's not ideal for scripting quick automation:

• Compile times — a medium Rust project takes 30-60 seconds to compile. Lateralus compiles in under 2 seconds.
• Verbosity — Rust's ownership system requires explicit lifetime annotations in complex scenarios. Lateralus uses reference counting with escape analysis to avoid most annotation burden.
• Learning curve — Rust takes months to become productive. Lateralus is designed to be productive on day one for anyone who knows Python or JavaScript.

Lateralus isn't replacing Rust. It's filling the gap between "bash script" and "compiled Rust binary" for the 80% of security automation that needs to be fast enough, safe enough, and written in 10 minutes.