explaingit

hadriansecurity/openhack

Analysis updated 2026-06-24

Stars · 39 · Language · Python · Audience · developer · Complexity · 4/5 · License · MIT · Setup · moderate

TLDR

Open-source toolkit from Hadrian for AI-driven whitebox source code reviews, with a checkpointed pipeline of recon, scenario, expert proof, and triage steps gated by human approval.

Mindmap

mindmap
  root((OpenHack))
    Inputs
      Cloned source
      Recon prompts
      Human approvals
    Outputs
      Scenario results
      Finding candidates
      Triage decisions
    Use Cases
      Whitebox pentest
      AI-assisted code review
      Security audit logs
    Tech Stack
      Python
      Claude Code
      Codex
      Cursor
      Semgrep


What do people build with it?

USE CASE 1

Run a whitebox pentest on a GitHub repository from inside Claude Code or Cursor using the scenario-first pipeline.

USE CASE 2

Drive the CLI by hand through init-run, run-recon, create-scenarios, and triage to produce a security report.

USE CASE 3

Use the optional Semgrep integration to add source-pattern hints during recon.

USE CASE 4

Audit AI-assisted security reviews by replaying the durable on-disk state of scenarios, candidates, and triage decisions.

What is it built with?

Python · Claude Code · Codex · Cursor · Semgrep

How does it compare?

Metric            hadriansecurity/openhack   jhammant/aiondemandcluster   krishnaik06/image-webscrapper
Stars             39                         39                           39
Language          Python                     Python                       Python
Last pushed       2022-12-08
Maintenance       Dormant
Setup difficulty  moderate                   moderate                     moderate
Complexity        4/5                        3/5                          2/5
Audience          developer                  developer                    developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 1h+

Needs Python 3.9+, pip editable install, and an AI assistant such as Claude Code, Codex, or Cursor to drive the scenario pipeline.

MIT lets you use, modify, and ship this for any purpose, commercial or not, as long as you keep the copyright notice.

In plain English

OpenHack is an open-source toolkit from Hadrian, a security company, for doing whitebox source code reviews in a structured way. It is meant to be driven from inside an AI coding assistant such as Claude Code, Codex, or Cursor, although it also ships a regular command-line tool you can run by hand. The job of the AI assistant is to read code, run commands, and ask you for approval. The job of OpenHack is to keep durable state on disk: the cloned source, recon notes, scenario prompts, scenario results, candidate findings, triage decisions, final findings, and logs.

The big idea is a checkpointed pipeline that the README calls scenario-first review. A recon step looks at the source and lists the surfaces worth checking, such as routes, inputs, sinks, and boundaries. A router agent groups those surfaces into scoped scenarios. Expert agents then either prove or reject each scenario one at a time. Finally an independent triage agent decides which proven items become real findings. A human approves every transition between phases, so the tool does not run end to end on its own.

The quick start has two paths. The easy path is to open the repo in an AI assistant and type a prompt like "Initiate a whitebox pentest on this GitHub URL", and the assistant follows the steps written in AGENTS.md. The manual path is to install the CLI with pip in editable mode from a clone, then run the openhack commands in order: init-run, run-recon, create-scenarios, record-scenario-backlog, render-scenario-prompt, record-scenario-result, render-finding-triage-prompt, record-finding-triage, and summarize-run.

The repo lists a small set of expert types it ships with, such as injection and broken-access-control, and an optional Semgrep integration that adds source-pattern hints to recon. The state machine is intentionally narrow: recon item, routing unit, scenario, scenario result, finding candidate, triage decision, finding. The project is MIT licensed and needs Python 3.9 or newer.

Copy-paste prompts

Prompt 1
Initiate a whitebox pentest on this GitHub URL using OpenHack from inside Claude Code and follow AGENTS.md.
Prompt 2
Install OpenHack with pip editable mode and walk me through init-run, run-recon, and create-scenarios on a small Flask app.
Prompt 3
Enable the Semgrep integration in OpenHack and rerun recon to see which new patterns show up.
Prompt 4
Use OpenHack's triage agent on the candidate findings from the last run and produce a summary.

Frequently asked questions

What is openhack?

Open-source toolkit from Hadrian for AI-driven whitebox source code reviews, with a checkpointed pipeline of recon, scenario, expert proof, and triage steps gated by human approval.

What language is openhack written in?

Mainly Python. The stack also includes Claude Code, Codex, Cursor, and Semgrep.

What license does openhack use?

MIT lets you use, modify, and ship this for any purpose, commercial or not, as long as you keep the copyright notice.

How hard is openhack to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is openhack for?

Mainly developers.


Verify against the repo before relying on details.