Define scope
Lock boundaries before execution starts
You import your program scope directly from HackerOne or Bugcrowd JSON, or paste it manually as a list of domains and wildcard patterns. The scope policy is locked when the session starts and cannot be modified mid-hunt by the agent or by any control-plane instruction. This is not a UI permission — it is enforced at the transport layer.
- Import scope JSON from HackerOne or Bugcrowd directly
- Wildcard patterns, subdomain rules, and URL prefix matching supported
- Scope rules are version-locked per session with a hash fingerprint
- Localhost, internal IP ranges, and cloud metadata endpoints blocked by default
- Scope violations logged as first-class audit events, not silently skipped
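As an added illustration (not the product's own code), the scope rules listed above, exact hosts, wildcard subdomains, URL prefixes, default-deny for localhost, private ranges and cloud metadata, a hash fingerprint over the locked rule set, and violations recorded as audit events rather than skipped, can be enforced with a small Python policy class like this. The deny lists, verdict names and the choice that `*.example.com` covers subdomains only (not the apex) are assumptions.

```python
import hashlib
import ipaddress
import json
from urllib.parse import urlsplit
# Assumed default-deny set (localhost, internal ranges, cloud metadata; 169.254.169.254 is link-local)
DENY_HOSTS = {"localhost", "metadata.google.internal"}
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


class ScopePolicy:
    def __init__(self, patterns):
        # Normalise and sort so identical rule sets always hash identically
        self.patterns = tuple(sorted(p.strip().lower() for p in patterns))
        self.fingerprint = hashlib.sha256(json.dumps(self.patterns).encode()).hexdigest()
        self.audit = []  # violations are recorded as events, never dropped

    def _in_scope(self, url, host):
        for p in self.patterns:
            if "://" in p:                # URL prefix rule
                if url.lower().startswith(p):
                    return True
            elif p.startswith("*."):      # wildcard: subdomains only (assumption)
                if host.endswith(p[1:]):
                    return True
            elif host == p:               # exact host rule
                return True
        return False

    def _blocked(self, host):
        if host in DENY_HOSTS:
            return True
        try:
            return any(ipaddress.ip_address(host) in n for n in DENY_NETS)
        except ValueError:                # not an IP literal
            return False

    def check(self, url):
        """Return ALLOWED, BLOCKED_INTERNAL or OUT_OF_SCOPE; deny wins over allow."""
        host = (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()
        if self._blocked(host):
            verdict = "BLOCKED_INTERNAL"
        elif host and self._in_scope(url, host):
            verdict = "ALLOWED"
        else:
            verdict = "OUT_OF_SCOPE"
        if verdict != "ALLOWED":
            self.audit.append({"event": "scope_violation", "url": url, "verdict": verdict, "policy": self.fingerprint[:12]})
        return verdict
```

The fingerprint is order-independent, so re-importing the same program scope yields the same version hash, while any edited rule changes it.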
Execute mission
Agentic hunting with full operator visibility
The Coordinator Agent runs your hunt using a ReAct loop (Reason, Act, Observe) in a background worker that survives browser close. Every step — recon, attack dispatch, tool call, and validation attempt — is streamed to your Mission Control dashboard via Server-Sent Events. You can pause, resume, or inject a steering instruction at any point without interrupting the session.
- ReAct loop: Reason → Act → Observe, repeated until mission complete
- Background execution via Upstash QStash: hunt continues after you close the browser
- SSE stream: every tool call, decision, and finding streamed live to your dashboard
- Specialist agents: ReconAgent, HeadersAgent, JWTAgent, LogicAgent, DASTAgent
- Pause / resume / steer controls always available mid-hunt
Validate findings
No promotion without deterministic reproduction
Every potential HIGH or CRITICAL finding is routed through the ValidationAgent before it appears on your board. The agent attempts deterministic reproduction up to three passes, compares request/response diffs, and assigns a CONFIRMED or REJECTED state. A finding stays in PENDING until reproduction either succeeds or runs out of attempts. There is no optimistic promotion.
- ValidationAgent: up to 3 deterministic reproduction attempts per finding
- HTTP request, response, and diff saved as immutable evidence
- CONFIRMED, PENDING, and REJECTED states tracked explicitly
- Failed reproductions logged with explanation — not silently dropped
- CVSS severity assigned only after CONFIRMED state reached
Deliver PoC report
Copy. Paste. Submit.
The PoCAgent generates a platform-specific report from the confirmed finding evidence chain. The report includes a vulnerability summary, CVSS score, step-by-step reproduction instructions, a ready-to-run curl command, the HTTP evidence diff, and an impact analysis written for the bounty triage team. Output templates are available for HackerOne, Bugcrowd, Intigriti, and custom markdown.
- Platform templates: HackerOne, Bugcrowd, Intigriti, custom markdown
- Reproduction steps generated from the live agent trace — not written by hand
- Curl command included and verified against the confirmed response
- Evidence diff: before/after HTTP baseline comparison for full context
- Export as markdown for copy-paste or PDF for internal review handoffs