HelpnetSecurity

OpenHack: Open-source AI-powered vulnerability research


Source-guided vulnerability research increasingly leans on coding harnesses such as Claude Code, Codex, and Cursor to drive agent-based reviews of application code. A new MIT-licensed project from the Dutch security firm Hadrian, called OpenHack, packages that approach into a file-based workspace that any of those harnesses can run.

OpenHack is a set of agents and tools that mimics how Hadrian’s research team performs automated vulnerability research. The workflow runs inside a coding harness or a custom runner, with durable state kept in plain files such as cloned source, recon items, scenario prompts, scenario results, finding candidates, triage decisions, findings, and logs. The harness supplies model execution, terminal access, repository access, and human-in-the-loop approval.

“We’ve been working on this for some time, but our discovery of critical vulnerabilities made it concrete. OpenHack’s effectiveness proves that security teams don’t need Mythos to find critical vulnerabilities,” said Rogier Fischer, CEO of Hadrian.

Checkpointed, scenario-first review

The operating model is built around a state machine over files. A command advances the run to the next durable state, an agent answers the prompt for that state, and a recorder command validates the answer before materializing new work. A human operator approves every phase transition, including expert scope before reconnaissance, scenario routing after recon, the scenario backlog after the router answers, and the finding-triage backlog after candidate creation.

The durable chain runs from recon item to routing unit, scenario, scenario result, finding candidate, and triage decision. Recon agents discover review surfaces such as routes, sinks, auth boundaries, upload paths, parser entrypoints, manifests, and admin areas. A scenario-router agent turns those surfaces into scoped scenarios. Expert agents then prove or reject each scenario, and an independent triage agent decides which verified candidates become final findings.
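A minimal sketch of the recorder pattern described above, as an added example that is not OpenHack's own code: the directory layout, JSON fields, id format, and the `Workspace`, `approve`, and `record` names are all assumptions. It refuses to materialize an agent answer unless the phase has an operator approval on disk and the item links to a recorded parent from the previous state in the chain.

```python
import json
import re
import tempfile
from pathlib import Path

# Durable chain named in the article; file layout and field names are assumed.
CHAIN = ["recon_item", "routing_unit", "scenario", "scenario_result",
         "finding_candidate", "triage_decision"]
ID_RE = re.compile(r"[a-z0-9-]+")  # assumed id format; keeps ids inside the workspace

class Rejected(Exception):
    """Raised when the recorder refuses to materialize an answer."""

class Workspace:
    def __init__(self, root):
        self.root = Path(root)
        for kind in CHAIN + ["approvals"]:
            (self.root / kind).mkdir(parents=True, exist_ok=True)

    def approve(self, kind, operator):
        # Human-in-the-loop gate: one approval file per phase.
        if kind not in CHAIN:
            raise Rejected(f"unknown state {kind!r}")
        (self.root / "approvals" / f"{kind}.json").write_text(
            json.dumps({"phase": kind, "operator": operator}))

    def record(self, kind, item_id, answer, parent=None):
        """Validate an agent answer, then write it as durable state."""
        if kind not in CHAIN or not ID_RE.fullmatch(item_id):
            raise Rejected("unknown state or malformed id")
        if not (self.root / "approvals" / f"{kind}.json").exists():
            raise Rejected(f"phase {kind!r} has no operator approval")
        idx = CHAIN.index(kind)
        if idx > 0:  # every item must trace back to the previous state
            prev = CHAIN[idx - 1]
            if not (parent and ID_RE.fullmatch(parent)
                    and (self.root / prev / f"{parent}.json").exists()):
                raise Rejected(f"{kind} needs a recorded {prev} parent")
        if not isinstance(answer, dict) or not answer.get("summary"):
            raise Rejected("answer needs a non-empty summary")
        path = self.root / kind / f"{item_id}.json"
        path.write_text(json.dumps({**answer, "id": item_id, "parent": parent}))
        return path

if __name__ == "__main__":
    ws = Workspace(tempfile.mkdtemp())
    ws.approve("recon_item", "alice")  # constructed operator name
    print(ws.record("recon_item", "r1", {"summary": "upload route (constructed)"}))
```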

Twelve expert families aligned to OWASP and MITRE

The current registry defines 12 expert families as Markdown manifests, each declaring its id, category, ownership, standards, and routing signals. The set covers OWASP Top 10:2025 categories including Broken Access Control, Security Misconfiguration, Software Supply Chain Failures, Cryptographic Failures, Injection, Insecure Design, Authentication Failures, and Software or Data Integrity Failures. Additional families cover CWE-119 memory buffer errors, CWE-200 sensitive information exposure, CWE-22 and CWE-434 path traversal and unrestricted upload, and API4:2023 unrestricted resource consumption. SSRF is folded into Broken Access Control, matching the OWASP 2025 mapping of CWE-918 to A01:2025.

Optional enrichment with bundled Semgrep rules is available during the recon phase. Semgrep hits are treated as hints only: a vulnerability counts as verified only when it comes through the recorded scenario and triage chain.

OpenHack is available for free on GitHub.
