greyhatcc

Run dedicated API security testing - REST, GraphQL, gRPC, JWT, authentication bypass

Test OAuth, JWT, OIDC, SAML, and authentication flows for token manipulation and bypass

Start a bug bounty workflow for a target program

Hunt for cloud infrastructure misconfigurations - S3 buckets, Firebase, Cognito, CDN origins

Search and analyze CVE vulnerabilities by ID, product, or keyword

Check if a bug has been previously found, reported, or submitted before writing a report

Check finding against database of commonly rejected bug types

Capture and organize evidence for vulnerability findings

Research and develop exploit code for a vulnerability (CVE or description)

Document or review security findings for the current engagement

Detect technology stack, frameworks, and versions on a target

Manage vulnerability gadget inventory and analyze chaining opportunities

Diagnose and fix greyhatcc plugin installation and configuration issues

Show bug bounty reference guides, cheatsheets, and methodology resources for vulnerability research

Generate a HackerOne-ready vulnerability report with CVSS, steps to reproduce, and business impact

Search HackerOne hacktivity for disclosed reports matching your finding

Autonomous bug bounty hunting with event-driven priority-queue hunt loop

Analyze JavaScript bundles for API endpoints, secrets, source maps, and client-side vulnerabilities

Gather open source intelligence on a target domain or organization

Run intelligent port scanning with service detection

Research a bug bounty program - extract scope, bounties, exclusions, rules, and program intel

Verify PoC reproducibility - re-run commands and confirm findings still work

Run multi-phase reconnaissance on a target domain, IP, or URL

Generate a professional penetration testing report from collected findings

Define or validate target scope for the current engagement

Run Shodan reconnaissance on a target IP or domain

Enumerate subdomains for a target domain using multiple sources

Hunt for subdomain takeover vulnerabilities - dangling CNAMEs, NS/MX takeover, second-order

Track and query what endpoints and vuln classes have been tested

Multi-gate report quality validation before HackerOne submission

Detect WAF/CDN protection and suggest bypass techniques

Run OWASP web application security tests against a URL

Quick API endpoint enumeration, schema fetch, and basic response analysis (Haiku)

REST/GraphQL/gRPC deep endpoint testing with BOLA, mass assignment, and schema exploitation (Opus)

Quick JWT decode, header auth checks, and basic token inspection (Haiku)

OAuth/OIDC/JWT/SAML/Cognito/Auth0 deep business logic auth testing with session and token exploitation (Opus)

Ultra-autonomous bug bounty orchestrator - manages the full hunt lifecycle with persistent loops, self-correction, parallel Task() dispatch, smart model routing, 5-gate validation, and triple-verification (Opus)

Quick cloud bucket enumeration, public blob checks, and basic metadata queries (Haiku)

S3/GCS/Azure Blob/Firebase/Cognito misconfiguration hunting and cloud attack surface mapping (Sonnet)

Quick PoC adaptation and existing exploit modification (Haiku)

Expert exploit researcher and PoC developer for identified vulnerabilities with deep CVE knowledge and custom payload crafting (Opus)

Hunt mode orchestrator - manages the persistent 5-phase hunt lifecycle with state tracking, self-correction, parallel Task() dispatch, multi-wave attack, signal amplification, and triple-verification. The hunter doesn't sleep (Opus)

Quick JS endpoint extraction, basic secret grep, and surface-level bundle analysis (Haiku)

JavaScript bundle analysis for endpoint extraction, source map reconstruction, secret discovery, and client-side vulnerability identification (Sonnet)

Quick port/service lookups, basic nmap output parsing, and single-host analysis (Haiku)

Network infrastructure analyst for port scan interpretation, service enumeration, and network topology mapping (Sonnet)

Deep OSINT analyst for breach correlation, identity mapping, organizational intelligence, and supply chain analysis (Opus)

Quick OSINT lookups for single-source queries (Haiku)

Open source intelligence specialist for target profiling and attack surface mapping from public sources (Sonnet)

PoC verification agent - re-runs exploit commands, validates responses match claims, ensures deterministic proof before report submission (Opus)

Deep reconnaissance analyst for complex target environments with evasion-aware techniques and multi-source correlation (Opus)

Fast passive reconnaissance for quick lookups and single-source enumeration (Haiku)

Multi-phase reconnaissance specialist combining passive and active techniques for target enumeration and attack surface mapping (Sonnet)

Report quality gate - validates asset accuracy, scope, exclusions, CVSS, and completeness before submission (Opus)

Executive-level penetration testing reports with business impact analysis and compliance mapping (Opus)

Quick finding notes and evidence documentation (Haiku)

Professional penetration testing report writer following PTES/OWASP methodology with HackerOne report expertise (Sonnet)

Dangling CNAME/NS/MX detection and subdomain takeover verification with service-specific fingerprinting (Sonnet)

Develops exploits and PoC code for confirmed vulnerabilities

Main hunt loop orchestrator — event-driven priority-queue hunt engine

Continuous intelligence analysis — signal amplification, chain detection, coverage gaps

Executes reconnaissance work items for the hunt loop

Generates HackerOne-ready vulnerability reports

Executes vulnerability testing work items for the hunt loop

Validates findings through 5-gate quality pipeline before reporting

Quick CVE lookups and basic vulnerability assessment (Haiku)

Deep vulnerability analysis specialist for CVE research, exploit correlation, and attack chain mapping (Opus)

Quick web security checks for common misconfigurations and header issues (Haiku)

OWASP Top 10 web application security tester with injection, XSS, auth bypass, IDOR, and business logic expertise (Opus)

API security testing — BOLA, mass assignment, schema abuse

Deep auth testing — JWT, OAuth, sessions, privilege escalation

Test web cache poisoning and cache deception

Enumerate cloud assets — S3, GCS, Azure, Firebase, Cognito

Test CORS configuration for credential-inclusive access

Check finding for duplicate risk (gate 3)

Thin hunt dispatcher — loads state, selects work, dispatches workers, persists results

Organize and index evidence files

Identify technology stack, WAF, and CDN for a host

Test GraphQL for introspection, batching, auth gaps

Research HackerOne program — scope, bounties, disclosed reports

Test for HTTP header injection and response splitting

Test for Insecure Direct Object References (BOLA)

Analyze JavaScript bundles for endpoints, secrets, and source maps

Business logic testing — race conditions, workflow bypass, price manipulation

Gather open source intelligence on target organization

Discover open ports and running services on target hosts

Reproduce PoC and verify report quality (gates 4-5)

OWASP Top 10 quick sweep of a target

Find open redirects for chaining with OAuth

Generate HackerOne-ready vulnerability reports

Validate finding scope and exclusion status (gates 1-2)

Target scope validator and engagement rules enforcer — READ ONLY

Query Shodan for host infrastructure intelligence

Test for SQL injection — error-based, blind, time-based

Test for Server-Side Request Forgery

Enumerate subdomains for a target domain

Check subdomains for dangling DNS records and takeover potential

Test file upload for code execution, XSS, path traversal

Test WordPress for known vulnerabilities

Test for reflected, stored, and DOM-based XSS

Dedicated API security testing - REST, GraphQL, gRPC endpoint discovery, schema extraction, authentication bypass, parameter fuzzing, and business logic testing

End-to-end bug bounty workflow from program research through HackerOne-ready report submission

Cloud infrastructure misconfiguration hunting - S3/GCS/Azure bucket takeover, cloud metadata SSRF, IAM policy analysis, serverless exposure, and CDN origin discovery

Database of commonly rejected finding types across bug bounty programs - check before wasting time on a finding that will be marked N/A

Shared context injection pattern - loads scope, findings, program guidelines, recon artifacts, and engagement state for any skill invocation

Search, analyze, and correlate CVEs against target technology stacks with exploit availability assessment

Check if a discovered bug has been previously found, reported, or submitted — prevents duplicate submissions and wasted effort

Capture and organize evidence for vulnerability findings including HTTP request/response logs, screenshots, and tool outputs

Research, adapt, and develop proof-of-concept exploit code for identified vulnerabilities

Document and track security findings with structured severity ratings, evidence references, dedup checking, and chaining metadata

Build and maintain a vulnerability gadget inventory for chaining — catalog every finding with its chaining potential and map bug-to-bug relationships

Diagnose and fix greyhatcc plugin installation, configuration, dependency, and MCP server health issues

Format security findings into HackerOne-ready vulnerability reports with automatic scope/asset/evidence injection, CVSS rationale, vulnerability chaining, and program-specific context

Scrape HackerOne hacktivity and disclosed reports to detect duplicate patterns before submitting - prevents wasted submissions and reputation damage

Event-driven priority-queue hunt loop for autonomous bug bounty hunting. Iterative, adaptive, signal-driven. From zero to validated H1 reports with continuous intelligence feedback, gadget chaining, and coverage tracking. The hunter doesn't sleep.

Automated JavaScript bundle analysis pipeline - source map extraction, API endpoint discovery, secret detection, and client-side vulnerability hunting

Dedicated OAuth/OIDC/JWT/SAML authentication testing - token manipulation, flow bypass, scope escalation, provider-specific attacks

Open source intelligence gathering for targets including organizational profiling, infrastructure mapping, and attack surface discovery

Intelligent port scanning orchestration with nmap service detection and vulnerability scripting

Research bug bounty programs from HackerOne/Bugcrowd/Intigriti - extract scope, bounties, exclusions, rules, and program intel using Playwright browser automation, Perplexity AI search, and HackerOne API

Verify PoC reproducibility before submitting - re-runs curl commands, checks responses match claims, ensures deterministic proof exists

Multi-phase target reconnaissance combining passive and active techniques for comprehensive attack surface mapping

Curated reference library of bug bounty hunting guides, cheatsheets, methodology resources, and vulnerability-specific playbooks for use during engagements

Generate professional penetration testing reports following PTES/OWASP methodology from collected findings and evidence

Define, validate, and manage authorized target scope with asset tracking, vuln type exclusions, required headers, and testing constraints for penetration testing engagements

Deep Shodan-powered reconnaissance for target hosts including ports, services, vulnerabilities, SSL certificates, and honeypot detection

Multi-source subdomain enumeration using CT logs, DNS bruteforce, web scraping, and Shodan certificate search

Automated subdomain takeover detection - dangling CNAME/NS/MX identification, cloud service enumeration, second-order takeover assessment, and takeover impact analysis

Detect and document target technology stack including web frameworks, servers, CDNs, JavaScript libraries, and third-party services

Track what endpoints and vulnerability classes have been tested to prevent redundant work across agents and sessions

Multi-gate report quality validation - checks asset accuracy, scope compliance, dedup, proof, CVSS rationale, exclusion list, and submission readiness

Detect WAF/CDN protection on targets and suggest bypass techniques based on detected technology

OWASP-guided web application security testing covering injection, XSS, auth bypass, IDOR, SSRF, and beyond

16 hooks across 10 events