Find security bugs
before attackers do.
The leading open-source agentic hacking engine.
PwnKit finds bugs in software
millions depend on.
weekly downloads across affected packages
paperclip · 60k ★ · GHSA-47wq-cj9q-wpmp · critical
jsPDF · 13M weekly · CVE-2026-31938 · critical
node-forge · 34M weekly · CVE-2026-33896 · high
mysql2 · 9.5M weekly · high
LiquidJS · 1.6M weekly · CVE-2026-30952 · high
Uptime Kuma · 152M pulls · CVE-2026-33130 · medium
Open-source hacking agents,
proven in public.
Open-source core
Inspect the engine.
Run the CLI locally, read the tool loop, and inspect what the managed layer wraps.
Apache 2.0 · public repo · CLI-first
Point it at what you ship.
Web, AI, packages, and source use the same agent loop.
Run the same loop a human pentester runs.
1.0
Aim
URL, package, or repo.
2.0
Scan
Shell-first agent loop.
3.0
Triage
Layered checks reduce false positives.
4.0
Verify
A second agent re-exploits, blind.
5.0
Ship
SARIF, JSON, GitHub Security.
Start locally.
Scale when it matters.