CLI

Four stages. Zero false positives.

The OpenHack CLI runs a four-stage pipeline: reconnaissance, hunting, validation, and verification. Every finding is confirmed with a working exploit before it reaches you.

01
01

Recon

02
02

Hunt

03
03

Validate

04
04

Verify

01

Reconnaissance

Map the entire attack surface

Before hunting for anything, OpenHack builds a complete map of your application. It discovers every route, endpoint, middleware chain, authentication boundary, and data flow. It understands how your components connect, where trust boundaries exist, and which surfaces are exposed.

recon agent
# openhack scan . --stage recon
routes · 47 API endpoints, 12 page routes, 3 webhook handlers
auth · JWT + session cookies, 4 role levels, 2 OAuth providers
data · PostgreSQL, Redis cache, S3 uploads, Stripe billing
surfaces · 23 attack surfaces identified across 6 trust boundaries

Route Discovery

Every API endpoint, page route, middleware chain, and webhook handler mapped automatically.

Auth Mapping

Identifies authentication mechanisms, role hierarchies, session management, and authorization logic.

Data Flow Analysis

Traces how data moves through your system: databases, caches, external services, file storage.

02

Vulnerability Hunting

Hunt for what scanners miss

Using the full context from reconnaissance, OpenHack's hunting agents generate and test exploit hypotheses. They reason about your code semantically, finding logic-based vulnerabilities that pattern-matching tools can never catch: IDORs, auth bypasses, race conditions, and business logic flaws.

IDOR & Broken Access Control

Detects missing or incorrect authorization checks on object-level access. Understands your role hierarchy to test every privilege boundary.

Authentication Bypasses

Finds missing auth checks, improper session handling, race conditions in login flows, and logic errors in multi-step authentication.

Business Logic Flaws

Identifies vulnerabilities in payment flows, state machines, approval chains, and domain-specific logic that no generic rule can define.

Race Conditions & Timing

Discovers TOCTOU bugs, double-spend vulnerabilities, and concurrent access issues that only surface under specific timing conditions.

03

Validation

Every finding validated by reasoning models

Before any vulnerability reaches you, it goes through a dedicated validation stage. A separate reasoning model independently analyzes the finding, the code path, and the exploit hypothesis. It confirms whether the vulnerability is real, assesses its actual severity, and eliminates false positives at the source.

validation agent
# Validating: Auth bypass in /api/upload (CRITICAL)
analyzing · Code path through TUS upload handler
checking · getServerSession() call missing await keyword
reasoning · Promise resolves truthy, auth check always passes
verdict · CONFIRMED · Unauthenticated file upload, no conditions required
5 hypotheses tested · 2 confirmed · 3 rejected as false positives

Independent Review

A separate model reviews each finding with no bias from the hunting stage. Fresh eyes on every vulnerability.

Reasoning Chain

Traces the full exploit path through your code to confirm the vulnerability is reachable and exploitable.

False Positive Elimination

Hypotheses that can't be confirmed are rejected. Only validated findings survive to the next stage.

04

Verification

End-to-end sandbox verification

The final stage goes beyond code analysis. OpenHack spins up your application in a private sandboxed environment and runs the exploit end-to-end. For web applications, it launches a real browser session and executes the attack through the actual UI, proving the vulnerability is exploitable in practice, not just in theory.

Browser-Based Verification

For web applications, OpenHack launches a headless browser in a sandboxed environment and executes the full exploit through the UI. It clicks through flows, submits forms, manipulates requests, and captures the result as proof.

  • Full browser session with real DOM interaction
  • Captures screenshots and network traces as evidence
  • Tests authentication flows end-to-end
  • Excellent for Next.js, React, and SPA applications

Sandbox Verification

OpenHack deploys your application in an isolated private environment: your infrastructure, your config, your data fixtures. The exploit runs against a real instance, proving it works in your actual deployment context.

  • Private sandboxed environment, fully isolated
  • Uses your real infrastructure and config
  • Runs exploit end-to-end with working PoC
  • Captures full reproduction steps and evidence
verification agentSANDBOX
# End-to-end verification: OH-2026-001
sandbox · Deploying application to isolated environment
browser · Launching headless session against sandbox instance
exploit · Sending unauthenticated PUT to /api/upload/tus
result · EXPLOITED · 2GB file uploaded without authentication
Vulnerability verified end-to-end · PoC + screenshots captured

The Full Pipeline

From first scan to verified exploit

Every stage narrows the funnel. Recon maps everything. Hunting generates hypotheses. Validation confirms them with reasoning. Verification proves them with a real exploit. What reaches you is real, prioritized, and actionable.

01
01

Recon

23

attack surfaces

mapped

02
02

Hunt

5

hypotheses

generated

03
03

Validate

2

confirmed

by reasoning model

04
04

Verify

2

exploited

end-to-end in sandbox

Try it on your codebase. Right now.

One command to install. One command to scan. Every finding verified with a working exploit.