OpenHack: Open-Source AI-Powered Vulnerability Research

The rise of large language models has reshaped how security researchers approach code analysis. Tools like Claude Code, Codex and Cursor can parse entire repositories, generate test cases, and flag suspicious patterns, but without a disciplined framework the output can be noisy and hard to audit. OpenHack addresses this gap by offering a structured, file‑centric workspace that captures every step—from cloned source to final finding—in immutable artifacts, enabling reproducibility and easier collaboration across teams.

At the heart of OpenHack is a state‑machine engine that advances through predefined phases: reconnaissance, scenario routing, expert evaluation, and triage. Each phase is driven by specialized agents that read prompts from markdown manifests and write results back to the file system. Human reviewers intervene at critical junctures, approving scope, confirming scenario relevance, and validating triage decisions, thereby blending AI speed with expert judgment. The project’s 12 expert families map directly to OWASP Top 10 2025 and MITRE ATT&CK categories, ensuring coverage of modern threat vectors such as supply‑chain attacks and cryptographic failures. Optional Semgrep rule integration further enriches the recon stage, turning static analysis hints into actionable findings.

OpenHack’s open‑source licensing and GitHub distribution lower the barrier to entry for organizations of any size, eliminating the need for expensive, closed‑source platforms like Mythos. By providing a transparent, extensible framework, it encourages community contributions and rapid iteration, fostering a shared knowledge base for AI‑augmented security. As more firms adopt AI‑first testing pipelines, OpenHack could become a de‑facto standard for orchestrating automated vulnerability research, driving both efficiency gains and higher assurance in software supply chains.