CLI
The OpenHack CLI runs a four-stage pipeline: reconnaissance, hunting, validation, and verification. Every finding is confirmed with a working exploit before it reaches you.
Reconnaissance
Before hunting for anything, OpenHack builds a complete map of your application. It discovers every route, endpoint, middleware chain, authentication boundary, and data flow. It understands how your components connect, where trust boundaries exist, and which surfaces are exposed.
Every API endpoint, page route, middleware chain, and webhook handler mapped automatically.
Identifies authentication mechanisms, role hierarchies, session management, and authorization logic.
Traces how data moves through your system: databases, caches, external services, file storage.
Vulnerability Hunting
Using the full context from reconnaissance, OpenHack's hunting agents generate and test exploit hypotheses. They reason about your code semantically, finding logic-based vulnerabilities that pattern-matching tools can never catch: IDORs, auth bypasses, race conditions, and business logic flaws.
Detects missing or incorrect authorization checks on object-level access. Understands your role hierarchy to test every privilege boundary.
Finds missing auth checks, improper session handling, race conditions in login flows, and logic errors in multi-step authentication.
Identifies vulnerabilities in payment flows, state machines, approval chains, and domain-specific logic that no generic rule can define.
Discovers TOCTOU bugs, double-spend vulnerabilities, and concurrent access issues that only surface under specific timing conditions.
Validation
Before any vulnerability reaches you, it goes through a dedicated validation stage. A separate reasoning model independently analyzes the finding, the code path, and the exploit hypothesis. It confirms whether the vulnerability is real, assesses its actual severity, and eliminates false positives at the source.
A separate model reviews each finding with no bias from the hunting stage. Fresh eyes on every vulnerability.
Traces the full exploit path through your code to confirm the vulnerability is reachable and exploitable.
Hypotheses that can't be confirmed are rejected. Only validated findings survive to the next stage.
Verification
The final stage goes beyond code analysis. OpenHack spins up your application in a private sandboxed environment and runs the exploit end-to-end. For web applications, it launches a real browser session and executes the attack through the actual UI, proving the vulnerability is exploitable in practice, not just in theory.
For web applications, OpenHack launches a headless browser in a sandboxed environment and executes the full exploit through the UI. It clicks through flows, submits forms, manipulates requests, and captures the result as proof.
OpenHack deploys your application in an isolated private environment: your infrastructure, your config, your data fixtures. The exploit runs against a real instance, proving it works in your actual deployment context.
The Full Pipeline
Every stage narrows the funnel. Recon maps everything. Hunting generates hypotheses. Validation confirms them with reasoning. Verification proves them with a real exploit. What reaches you is real, prioritized, and actionable.
attack surfaces
mapped
hypotheses
generated
confirmed
by reasoning model
exploited
end-to-end in sandbox
One command to install. One command to scan. Every finding verified with a working exploit.