About
OpenHack is the open-source AI security agent at the heart of Titan Security Labs. We make security tools we'd actually use ourselves — practical, transparent, and grounded in real exploitation.
What we believe
These show up in everything we ship — from the harness, to the benchmarks page, to how we write up advisories.
Principle 01
Every finding we surface ships with a working proof-of-concept. We don't report `potential` vulnerabilities — only the ones we can actually exploit end-to-end in a sandbox or browser.
Principle 02
The harness is MIT-licensed. The models are open-source. The benchmarks are public. The advisories are public. If we won't publish how we work, we won't publish what we found.
Principle 03
Security scanning that only runs when there's budget is security scanning that misses the bugs that ship between scans. Building OpenHack around open-source models makes continuous scanning cheap enough to be a default instead of a debate.
Principle 04
Every vulnerability we publish is responsibly disclosed first, with a fix in place before the advisory goes live. We work with vendors, not around them.
The Lab
Titan Security Labs is an independent security research lab based in the United States. We exist to build agentic security tools that work on real codebases — and to publish the research and benchmarks that show how.
Build
OpenHack, our open-source security agent. Harness, models, harness tuning, the full CLI and the hosted platform.
Benchmark
Publish our results on public benchmarks like CVE-Bench. Every number, every run, every cost figure — verifiable.
Disclose
Responsibly disclose vulnerabilities discovered in the wild. See our public advisories for what we've found.
Founder

Founder, OpenHack
Ananay founded Titan Security Labs to build the security tools he wanted to see in the world — practical, open, and priced like infrastructure instead of consulting. He's been writing software for as long as he can remember, and breaking it for almost as long.
In production
We don't ship security claims without receipts. A sample of what OpenHack has found and we've published in coordination with the vendors:
CVE-2026-36755. A missing `await` on the session check let anyone upload files up to 2 GB without authentication.
Read advisoryUser-controlled redirect URLs from OAuth state parameters were passed directly to res.redirect() without validation.
Read advisoryGet in touch