Private beta · Invite only

An autonomous pentest engine
that keeps up with daily deploys.

Redhunter runs continuously against your authorized scope. Every finding ships with a working exploit and a report your engineers can act on. Powered by the latest Claude model.

No installation. No agents in your network. Runs in our cloud against your authorized scope.

[Screenshot: Redhunter Console dashboard (redhunter.ai/dashboard)]

Track record

We ran it on live programs before selling it.

A sample of what the engine found on real bug-bounty programs. Every one validated with a working exploit and reported privately.

9.8 · Top CVSS
5 · Critical
100+ · Validated findings
15+ · Programs

Unauthenticated admin API bypass
Critical · CVSS 9.8
A Spring Security gap exposed 779 customer organizations and 1,462 partner IoT apps.
HPE Aruba · reported privately

OAuth open redirect → account takeover
Critical · CVSS 9.3
Any employee account was takeable through a single crafted link.
Playtika · reported privately

One-click mobile account takeover
Critical · Chain
A wallet deeplink reached native bridges for OAuth tokens and device data.
OPPO · reported privately

Subdomain takeover → data theft
High · CVSS 8.1
A dangling CNAME plus wildcard CORS trust exposed authenticated user data.
Whatnot · reported privately

GraphQL account-takeover chain
High · Chain
Alias brute-forcing plus a misconfigured mutation chained into full account takeover.
NBA · reported privately

Unauthenticated OTP brute-force → account takeover
High · CVSS 8.1
The login flow triggered and validated OTPs with no auth and no lockout.
ScoreBreak · reported privately

Unauthenticated IDOR on subscription API
Medium · CVSS 6.5
A base64-email object reference gave read/write over any user's notification subscriptions.
PayPal · reported privately

CORS credential exfiltration
Medium · CVSS 6.5
Admin session data was readable from any attacker-controlled page.
23andMe · reported privately

Plus 14+ vulnerabilities across OPPO's device ecosystem, and findings on Anduril, Circle, Braze, and Coinmate, including high-severity bugs on programs still under embargo.

The problem

Quarterly pentests. Monthly breaches.

Attackers don't wait for your annual engagement. They find the bug in last night's deploy.

Stale pentests

Your last pentest covered code that shipped 11 months ago. Everything since is untested.

Deployment velocity

You ship daily. Human pentesters review quarterly. That gap is a quarter of unreviewed code sitting in production.

Surface sprawl

Every new endpoint, subdomain, and API key widens what's exposed. You can't audit what you don't know exists.

The brain

Claude hunts your stack
like a human attacker.

Most scanners run signatures. Redhunter runs a reasoning loop: Claude reads your responses, forms a hypothesis, refines its payloads, chains findings together, and writes the report in plain English.

It finds bugs signature scanners miss, and every report ships with repro steps and a working proof of concept, not a CVSS number and a shrug.

[Live widget: claude · reasoning loop · hunt #2847 · LIVE · Current action]

Capabilities

The work of a senior offensive engineer.

Running against your scope every day, not once a quarter.

Continuous attack surface mapping

Subdomain enumeration, endpoint discovery, JS analysis, and tech fingerprinting. Re-mapped on every deploy, so new endpoints get hunted the day they ship.

26 vulnerability classes

XSS, SQLi, SSRF, IDOR, auth bypass, SSTI, race conditions, HTTP smuggling, cache poisoning, prototype pollution, and more.

5-gate validation

No noisy scanner output. Every finding passes detect, verify, exploit, impact, and report stages with a working proof of concept. Duplicates and known issues are suppressed automatically.

Attack chains

The brain links low-severity findings into real exploit chains. A reflected XSS plus a permissive cookie becomes an account takeover.

Engineering-ready reports

Markdown reports with reproduction steps, impact analysis, and remediation guidance. Paste straight into a Jira ticket, repro steps and fix included.

Scoped to what you authorize

DNS-verified ownership, per-asset scope rules, rate limits, and a kill switch. Your security team stays in control.

How it works

From signup to first finding in a day.

01

Prove ownership

Verify your scope via DNS TXT record or a file at /.well-known/redhunter-verify.txt. Or connect a read-only cloud role for AWS, GCP, or Azure.

02

Pick your cadence

Daily for production, weekly for staging, on-deploy for CI. The brain respects per-asset rate limits and backoff rules.

03

Review the findings

Validated vulnerabilities arrive in the Console within 24 hours. Weekly digest to Slack or email. Monthly report for the board.

The Console

One place to watch every hunt.

  • Live hunt feed showing the brain's reasoning in real time
  • Global findings inbox with severity dedupe and chaining
  • One-click export to Jira, GitHub Issues, Linear, or your own SIEM
[Screenshot: Redhunter Console hunt map view (redhunter.ai/dashboard/target/1)]

Scope

Where Redhunter excels.

From web apps to mobile binaries to cloud infrastructure. Validated findings, not scanner noise.

Web & API

IDOR, auth bypass, CORS misconfig, OAuth redirects, and GraphQL account-takeover chains.

Mobile & device

Android deeplink and native-bridge chains, exported component abuse, and token theft.

Cloud & infrastructure

Misconfigured API keys, subdomain takeover, S3 exposure, and internal DNS disclosure.

Dev tooling & CI/CD

Trust-boundary bypasses in build pipelines, agent and MCP security, and supply-chain paths.

Pricing scopes to your attack surface.

Tell us what's in scope and we'll run a free first scan on one asset, then talk pricing.

FAQ

Common questions.

A human pentest is a point-in-time snapshot, and a single engagement runs well into five figures. Redhunter tests continuously for a fraction of that. Every new endpoint, every deploy, and every subdomain change gets hunted within 24 hours.

Most automated scanners run rule-based signature checks. Redhunter runs a reasoning loop: Claude decides what to hunt next, refines its strategy based on what it finds, and chains findings together the way a human attacker would. It finds bugs signature scanners miss.

You have two options. Hosted: we run the engine in our cloud against your authorized scope. Self-hosted: we give you a container to run in your own VPC, and your traffic never touches our network. The Console is a thin web interface that reads from your engine state.

Today we sign DPAs, BAAs, and custom MSAs, and the self-hosted option keeps all traffic and data inside your own VPC. SOC 2 is on the roadmap.

DNS TXT record, a file at /.well-known/redhunter-verify.txt, or a read-only cloud IAM role for AWS, GCP, or Azure. We never run a hunt against a target you haven't proven you own.
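The ownership proofs named in step 01 and in this answer (a DNS TXT record or a file at /.well-known/redhunter-verify.txt) are easy to get subtly wrong: a check that accepts any record, compares tokens non-constant-time, or lets `notexample.com` ride on a verified `example.com` is a scope-guard hole. The following is an added example, not Redhunter's code; the TXT record format `redhunter-verify=<token>` is an assumption, and DNS and HTTPS lookups are injected callables over constructed fixtures so it runs offline. For a live check, pass wrappers around `dns.resolver.resolve(name, "TXT")` and an HTTPS client.

```python
"""Hypothetical scope-ownership verification (added example, not Redhunter's code).

Two proofs are modelled: a DNS TXT record and a file served at
/.well-known/redhunter-verify.txt, each carrying a per-scope token issued by
the platform. The TXT record format is assumed. Lookups are injected so the
example runs offline against constructed data.
"""
import hmac
import secrets
from typing import Callable, Iterable, Optional

WELL_KNOWN_PATH = "/.well-known/redhunter-verify.txt"
TXT_PREFIX = "redhunter-verify="   # assumed record format


def issue_token() -> str:
    """Per-scope token handed to the customer. It must be unguessable, or a
    third party could pre-place a matching record on a domain they control."""
    return secrets.token_urlsafe(24)


def _same(a: str, b: str) -> bool:
    # constant-time comparison; encode so a non-ASCII record cannot raise
    return hmac.compare_digest(a.encode(), b.encode())


def verify_via_dns(domain: str, expected: str,
                   lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True if any TXT record on `domain` carries exactly the expected token."""
    for rec in lookup_txt(domain):
        rec = rec.strip().strip('"')
        if rec.startswith(TXT_PREFIX) and _same(rec[len(TXT_PREFIX):], expected):
            return True
    return False


def verify_via_well_known(domain: str, expected: str,
                          fetch: Callable[[str], Optional[str]]) -> bool:
    """True if the well-known file on `domain` contains exactly the token."""
    body = fetch(f"https://{domain}{WELL_KNOWN_PATH}")
    return body is not None and _same(body.strip(), expected)


def verify_ownership(domain: str, expected: str, lookup_txt, fetch) -> Optional[str]:
    """Return which proof succeeded ('dns' or 'well-known'), or None."""
    if verify_via_dns(domain, expected, lookup_txt):
        return "dns"
    if verify_via_well_known(domain, expected, fetch):
        return "well-known"
    return None


# --- constructed fixtures standing in for real DNS and HTTPS ----------------
TOKEN = "c0nstructed-token-for-example"
FAKE_DNS = {
    "example.com": ['"v=spf1 -all"', f'"redhunter-verify={TOKEN}"'],
    "staging.example.com": [],
    "partner.example.net": ['"redhunter-verify=somebody-elses-token"'],
}
FAKE_HTTP = {
    f"https://staging.example.com{WELL_KNOWN_PATH}": TOKEN + "\n",
}


def fake_lookup_txt(name: str):
    return FAKE_DNS.get(name, [])


def fake_fetch(url: str):
    return FAKE_HTTP.get(url)


def run_demo() -> dict:
    """Verify four constructed domains: one by DNS, one by file, two refused."""
    return {
        d: verify_ownership(d, TOKEN, fake_lookup_txt, fake_fetch)
        for d in ("example.com", "staging.example.com",
                  "partner.example.net", "unknown.example.org")
    }
```

Only a domain whose proof carries the platform-issued token for this scope passes; a record placed by someone else with a different token (partner.example.net above) is refused rather than treated as "some verification present".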

Every hunt runs under hard per-asset rate limits, an iteration cap on the reasoning loop, and a kill switch you can hit in one click. Scope guards refuse any target you haven't verified, and an append-only log records every request the agent sends.
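The controls this answer lists (scope guards, per-asset rate limits with backoff, an iteration cap, a kill switch, an append-only request log) fit in one small guard object that sits between the reasoning loop and the network. The code below is an added example modelling those controls, not Redhunter's implementation; the class and method names are hypothetical, the request sequence in `demo()` is constructed, and the clock is injectable so the walk-through runs deterministically offline. The log is hash-chained so that an edited or deleted record is detectable, which is the property an "append-only" audit log needs.

```python
"""Hypothetical hunt guard (added example, not Redhunter's own code).
Models a scope guard that refuses unverified hosts, a per-asset token-bucket
rate limit, an iteration cap on the reasoning loop, a kill switch, and an
append-only hash-chained request log. The clock is injectable."""
import hashlib
import json
import time
from urllib.parse import urlparse


class AppendOnlyLog:
    """Each entry commits to the previous entry's digest, so editing or
    deleting a record breaks verify_chain()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []            # (digest, serialized body)
        self._prev = self.GENESIS

    def append(self, record: dict) -> str:
        body = json.dumps({"prev": self._prev, **record}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append((digest, body))
        self._prev = digest
        return digest

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for digest, body in self.entries:
            if json.loads(body)["prev"] != prev or \
               hashlib.sha256(body.encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


class TokenBucket:
    """`rate` requests/second sustained, at most `burst` back-to-back."""
    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def try_acquire(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class HuntGuard:
    def __init__(self, verified_domains, rate=2.0, burst=3,
                 max_iterations=50, clock=time.monotonic):
        self.verified = {d.lower().rstrip(".") for d in verified_domains}
        self.rate, self.burst, self.clock = rate, burst, clock
        self.max_iterations, self.iterations = max_iterations, 0
        self.killed, self.buckets, self.log = False, {}, AppendOnlyLog()

    def kill(self):
        """Kill switch: every later request is refused and the event logged."""
        self.killed = True
        self.log.append({"event": "kill_switch", "t": self.clock()})

    def _in_scope(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # exact match or dot-separated subdomain only, so "notexample.com"
        # does not match a verified "example.com"
        return any(host == d or host.endswith("." + d) for d in self.verified)

    def authorize(self, url: str) -> str:
        """Decide one outgoing request; every decision is logged before return.
        Returns 'allow', 'killed', 'out_of_scope', 'iteration_cap' or 'rate_limited'."""
        host = urlparse(url).hostname or ""
        if self.killed:
            decision = "killed"
        elif not self._in_scope(host):
            decision = "out_of_scope"
        elif self.iterations >= self.max_iterations:
            decision = "iteration_cap"
        else:
            bucket = self.buckets.setdefault(
                host, TokenBucket(self.rate, self.burst, self.clock))
            decision = "allow" if bucket.try_acquire() else "rate_limited"
        if decision == "allow":
            self.iterations += 1
        self.log.append({"event": "request", "url": url,
                         "decision": decision, "t": self.clock()})
        return decision


def demo() -> dict:
    """Constructed request sequence against a fake clock (not real traffic)."""
    t = [0.0]
    g = HuntGuard(["example.com"], rate=1.0, burst=2, max_iterations=3,
                  clock=lambda: t[0])
    d = [g.authorize("https://app.example.com/api/users"),      # allow
         g.authorize("https://app.example.com/api/users/2"),    # allow
         g.authorize("https://app.example.com/api/users/3"),    # rate_limited
         g.authorize("https://notexample.com/login")]           # out_of_scope
    t[0] += 1.0                                 # backoff: one token refills
    d.append(g.authorize("https://app.example.com/api/users/3"))  # allow
    t[0] += 1.0
    d.append(g.authorize("https://app.example.com/api/users/4"))  # iteration_cap
    g.kill()
    d.append(g.authorize("https://app.example.com/api/users/5"))  # killed
    return {"decisions": d, "log_entries": len(g.log.entries),
            "chain_ok": g.log.verify_chain()}
```

Refused requests are logged as well as allowed ones; a scope guard whose log only shows what got through cannot answer the question a customer will actually ask after an incident, namely what the agent tried.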

DPAs & BAAs available · Self-hosted option · DNS ownership verification · Hard rate limits per asset

See a scan of your stack in 24 hours.

Send us your scope and we'll run a free first scan on one asset, then walk you through what we found.